Alex,

> However, there is a difference between my August tests and this thread.
> My tests were for a request parsing error response. Access denials do not
> reach the same http_reply_access checks! See "early return"
> statements in clientReplyContext::processReplyAccess(), including:
>
> >     /** Don't block our own responses or HTTP status messages */
> >     if (http->logType.oldType == LOG_TCP_DENIED ||
> >             http->logType.oldType == LOG_TCP_DENIED_REPLY ||
> >             alwaysAllowResponse(reply->sline.status())) {
> >         headers_sz = reply->hdr_sz;
> >         processReplyAccessResult(ACCESS_ALLOWED);
> >         return;
> >     }
>
> I am not sure whether avoiding http_reply_access in such cases is a
> bug/misfeature or the right behavior. As any exception, it certainly
> creates problems for those who want to [ab]use http_reply_access as a
> delay hook. FWIW, Squid had this exception since 2007:

Thanks, makes sense. It would be great if there was a way to slow down
407 responses; at the moment the only workaround I can think of is to
write a log-watching script to maintain a list of offending IP/domain
pairs, then write a helper to use that data to introduce delay when the
request is first received (via http_access and the !all trick). If anyone
has a better option, I'm all ears.

Luke

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
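The workaround described in the message above (a log watcher that collects offending IP/domain pairs, plus a helper that delays those pairs), as an added example that is not code from this thread or from the Squid project. It assumes Squid's native access.log format and an external ACL helper that receives `%SRC %DST` lines with no concurrency; the function names, the threshold and the delay are hypothetical.

```python
import sys
import time
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1700000000.101      0 192.0.2.10 TCP_DENIED/407 4012 CONNECT example.com:443 - HIER_NONE/- text/html
1700000001.202      0 192.0.2.10 TCP_DENIED/407 4012 CONNECT example.com:443 - HIER_NONE/- text/html
1700000002.303      0 192.0.2.10 TCP_DENIED/407 4098 GET http://example.com/login - HIER_NONE/- text/html
1700000003.404      0 198.51.100.7 TCP_DENIED/407 4012 CONNECT example.com:443 - HIER_NONE/- text/html
1700000004.505     85 192.0.2.10 TCP_MISS/200 1520 GET http://example.org/ alice HIER_DIRECT/203.0.113.5 text/html
"""

def host_of(method, url):
    """Destination host: CONNECT logs host:port, other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def offenders(log_text, threshold=3):
    """Log-watcher half: (client_ip, host) pairs with >= threshold 407 denials."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[3] != "TCP_DENIED/407":
            continue
        counts[(f[2], host_of(f[5], f[6]))] += 1
    return {pair for pair, n in counts.items() if n >= threshold}

def answer(request_line, bad_pairs, delay=2.0, sleep=time.sleep):
    """Helper half: one '<src-ip> <dst-host>' request; delay listed pairs, reply OK."""
    parts = request_line.split()
    if len(parts) >= 2 and (parts[0], parts[1].lower()) in bad_pairs:
        sleep(delay)  # the delay is the whole point; the verdict never changes
    return "OK"

def main():
    # Assumption: a deployment would reload the watcher's list instead of SAMPLE_LOG.
    bad = offenders(SAMPLE_LOG)
    for line in sys.stdin:
        print(answer(line, bad), flush=True)  # Squid expects one reply line per request

if __name__ == "__main__":
    main()
```

Because the helper sleeps while answering, each delayed request occupies one helper process for the length of the delay.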