On 2014-07-08 13:17, Dan Charlesworth wrote:
Hey folks So I support a bunch of Squid deployments and every so often I’ll get a call about a poor performance, or very large access logs files etc. Oftentimes as soon as I crack open the access log I see there’s a handful of machines (sometimes just one) practically DoSing the proxy with failed requests (failing because the client app won’t comply with proxy authentication). Here’s a recent example of one of these bugs from Google Chrome: https://code.google.com/p/chromium/issues/detail?id=373181 So I just wanted to see if anyone had any advice or suggestions for dealing with this kind of thing. I’m guessing iptables would be the logical place to try and prevent it, but I wouldn’t know where to start with rate limiting in iptables… Anyone care to share?
Andrew Beverleys QoS and traffic shaping documentation (<http://andybev.com/index.php/Main_Page>) is probably the best place to look for iptables based solutions, with the official netfilter documentation coming in second.
Squid-3.5 is coming with a new helper (ext_delayer_acl) which can be configured to help in this type of situation. For older Squid versions you can download the perl script from <http://bazaar.launchpad.net/~squid/squid/trunk/files/head:/helpers/external_acl/delayer/> - documentation for it is inside the script.
Amos