
Re: Handling client-side request floods

On 2014-07-08 13:17, Dan Charlesworth wrote:
Hey folks

So I support a bunch of Squid deployments and every so often I’ll get
a call about poor performance, or very large access log files, etc.

Oftentimes as soon as I crack open the access log I see there’s a
handful of machines (sometimes just one) practically DoSing the proxy
with failed requests (failing because the client app won’t comply with
proxy authentication).

Here’s a recent example of one of these bugs from Google Chrome:
https://code.google.com/p/chromium/issues/detail?id=373181

So I just wanted to see if anyone had any advice or suggestions for
dealing with this kind of thing. I’m guessing iptables would be the
logical place to try and prevent it, but I wouldn’t know where to
start with rate limiting in iptables…

Anyone care to share?

Andrew Beverley's QoS and traffic shaping documentation (<http://andybev.com/index.php/Main_Page>) is probably the best place to look for iptables-based solutions, with the official netfilter documentation coming in second.

Squid-3.5 is coming with a new helper (ext_delayer_acl) which can be configured to help in this type of situation. For older Squid versions you can download the perl script from <http://bazaar.launchpad.net/~squid/squid/trunk/files/head:/helpers/external_acl/delayer/> - documentation for it is inside the script.


Amos
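
Added example (not part of the original thread and not Squid project code): a small Python check that finds the clients described above by counting 407 responses per client in fixed time windows of an access log. It assumes Squid's native `squid` logformat; the function names, window, threshold and sample lines are constructed for illustration.

```python
from collections import Counter, defaultdict

def sample_log():
    """Constructed sample: 192.0.2.50 floods with 407s, 192.0.2.77 authenticates normally."""
    flood = [
        f"{1404789420 + i}.101      0 192.0.2.50 TCP_DENIED/407 3985 CONNECT "
        "clients4.example.com:443 - HIER_NONE/- text/html"
        for i in range(8)
    ]
    normal = [
        "1404789421.500      0 192.0.2.77 TCP_DENIED/407 3990 GET "
        "http://www.example.org/ - HIER_NONE/- text/html",
        "1404789421.900    120 192.0.2.77 TCP_MISS/200 5120 GET "
        "http://www.example.org/ alice HIER_DIRECT/203.0.113.10 text/html",
    ]
    return flood + normal + ["garbage line"]

def parse_line(line):
    """Return (epoch_seconds, client_ip, http_status), or None if the line is malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])                          # e.g. 1404789420.101
        status = int(fields[3].rsplit("/", 1)[1])      # e.g. TCP_DENIED/407 -> 407
    except (ValueError, IndexError):
        return None
    return ts, fields[2], status

def find_auth_flooders(lines, window=60, threshold=5):
    """Map client IP -> peak number of 407s in any `window`-second bucket,
    keeping only clients whose peak reaches `threshold`."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                   # skip truncated or foreign lines
        ts, client, status = parsed
        if status == 407:
            buckets[client][int(ts // window)] += 1
    peaks = {client: max(b.values()) for client, b in buckets.items()}
    return {client: n for client, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    for client, peak in sorted(find_auth_flooders(sample_log()).items()):
        print(f"{client}: {peak} x 407 within one 60s window")
```

A client that authenticates normally produces one 407 per challenge followed by successful requests, so it stays under the threshold; the threshold itself needs tuning to the site's real traffic.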



