On 08/24/2016 12:24 PM, Omid Kosari wrote:
> Alex Rousskov wrote
>> Thus, the existing implementation should cover non-HTTP
>> requests on port 80 (or 3128). If it does not, it is a bug. We should
>> polish the documentation to make this clear.

> The problem is not squid itself. The problem is that in some situations, for
> example a DoS (with malformed requests), infected clients send lots of
> requests to the target server. The requests go through squid tproxy, so squid
> will send back about 250 bytes in reply to each request.
>
> So I am looking for a way to just send a TCP reset and not those 250 bytes.

What you said is orthogonal to what I said. There are two parts of the
problem you are trying to solve:

1. Detect a non-HTTP request on port 80.

2. Reset the client connection when #1 happens.

The existing on_unsupported_protocol directive already supports #1 --
bugs notwithstanding, it can be used to generate an error response when
you want. It is also the default behavior.

Once that error response is generated, you want to convert it into a TCP
reset by denying that response _and_ using a matching "deny_info
TCP_RESET". That is part #2. I do not know why deny_info does not work
in your tests.

N.B. Since resetting non-HTTP connections is a common need, it may be
tempting to add a "terminate" action to the on_unsupported_protocol list
of supported actions. However, I am not sure that is a good idea because
resetting a connection is a common need in many contexts. Deny_info may
be a better (more general) solution.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
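The two-part approach Alex describes (let on_unsupported_protocol generate the error response, then deny that response with a matching deny_info TCP_RESET), written out as an added squid.conf fragment. It is not from the original thread or from the Squid project's documentation. It assumes the directive syntax of Squid 3.5/4, that TPROXY redirection rules already exist in the firewall, that the generated error response can be singled out with a squid_error ACL on the ERR_PROTOCOL_UNKNOWN template, and that deny_info TCP_RESET is honored for a denied reply; the ACL name non_http_error and the port number are the editor's own choices. Since the original poster reports that deny_info did not work in his tests, treat this as the configuration to verify, not as a confirmed fix.

```squid
# Added example (not from the original message): reset, rather than answer,
# non-HTTP requests arriving on an intercepted port. Verify on your release.

# Intercepted port-80 traffic. The iptables/ip6tables TPROXY rules that steer
# traffic here are assumed to be in place already.
http_port 3129 tproxy

# Part 1: detect a non-HTTP request on the intercepted port and answer it with
# a Squid-generated error response instead of tunneling it. "respond" is also
# the default action, so this line only makes the choice explicit.
on_unsupported_protocol respond all

# Part 2: single out that generated error response so it can be denied.
# Assumption: the response is built from the ERR_PROTOCOL_UNKNOWN template.
# If this ACL never matches, check the error name Squid actually logs.
acl non_http_error squid_error ERR_PROTOCOL_UNKNOWN

# Deny the reply. deny_info keys on the last ACL named in the rule that denied
# access, so keep non_http_error as the last ACL on this line.
http_reply_access deny non_http_error

# Instead of the ~250-byte error page, reset the TCP connection. No response
# body is sent; the client just sees RST.
deny_info TCP_RESET non_http_error

# Everything else is delivered normally.
http_reply_access allow all
```

When testing, send a few bytes of garbage to the intercepted port with nc and watch the connection with tcpdump: a working setup shows the client's data followed by an RST from Squid's side and no HTTP response, while a non-working one still shows the error page. If the error page still appears, the squid_error ACL is the first thing to check, since a deny_info that is not matched by the denying rule's last ACL is silently ignored.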