Hi Eliezer,

Eliezer Croitoru-2 wrote
> If you know what domain or ip address causes an issue the first thing I
> can think about is bypassing the malicious traffic to allow other
> clients\users to reach the Internet.

Source IP may be 70% of our customers because it is a popular device, so it is not an option. Destination IPs or domains are too many. Unfortunately, because the requests are not normal HTTP, the squid log does not have the dst url/domain/ip, so it is a hard job to find them.

1- First I should keep looking at the squid access.log to find a client which has such requests.
2- Then try to sniff that client from the router.
3- Separate normal requests from malformed.
4- Find the destination from the malformed requests.
5- Put that IP in the router ACL to exclude it from tproxy routing to squid.

Nobody knows how many times this loop should be repeated because nobody knows the count of destinations.

Eliezer Croitoru-2 wrote
> And since squid is also being used as a http ACL enforcement tool
> malformed requests basically should be dropped and not bypassed
> automatically.

So then squid should be able to simply drop them. It would even be fine to have some patterns in iptables or something like mod_security for apache etc., introduced by squid gurus, to prevent these kinds of problems.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Malformed-HTTP-on-tproxy-squid-tp4678951p4678966.html
Sent from the Squid - Users mailing list archive at Nabble.com.
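
Step 1 of the loop described in the message above (finding in access.log which clients send the malformed requests), as an added example that is not part of the original post. It assumes Squid's default native log format and that unparseable requests are logged with method `NONE` and an `error:` pseudo-URL such as `error:invalid-request`; the log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), in Squid's default native layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1447060001.101      0 10.0.0.21 TAG_NONE/400 4230 NONE error:invalid-request - HIER_NONE/- text/html
1447060001.350    112 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/192.0.2.10 text/html
1447060002.007      0 10.0.0.21 TAG_NONE/400 4230 NONE error:invalid-request - HIER_NONE/- text/html
1447060002.440      0 10.0.0.34 TAG_NONE/400 4230 NONE error:invalid-request - HIER_NONE/- text/html
1447060003.015     87 10.0.0.34 TCP_MISS/200 1833 GET http://example.org/a.css - ORIGINAL_DST/192.0.2.20 text/css
1447060003.500     90 10.0.0.34 TCP_HIT/200 911 GET http://example.org/b.js - HIER_NONE/- text/javascript
1447060004.250      0 10.0.0.21 TAG_NONE/400 4230 NONE error:invalid-request - HIER_NONE/- text/html
1447060005.000     64 10.0.0.50 TCP_MISS/304 310 GET http://example.net/ - ORIGINAL_DST/192.0.2.30 -
"""

# Only the leading fields are needed; anything after the URL is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def is_malformed(entry):
    """Assumption: a request Squid could not parse has no method and no real URL."""
    return entry["method"] == "NONE" or entry["url"].startswith("error:")


def malformed_by_client(lines):
    """Return [(client, malformed_count, total_count)], worst offender first."""
    bad, total = Counter(), Counter()
    for line in lines:
        entry = LINE_RE.match(line)
        if entry is None:          # skip blank or non-native-format lines
            continue
        total[entry["client"]] += 1
        if is_malformed(entry):
            bad[entry["client"]] += 1
    return [(client, n, total[client]) for client, n in bad.most_common()]


if __name__ == "__main__":
    for client, n_bad, n_all in malformed_by_client(SAMPLE_LOG.splitlines()):
        print(f"{client}: {n_bad} malformed of {n_all} requests")
```

The clients at the top of this ranking are the ones worth capturing at the router in step 2, since the log itself carries no destination for these entries.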