On 10/05/2016 05:49 PM, squid-users@xxxxxxxxxxxxxxx wrote:
>> See "early return"
>> statements in clientReplyContext::processReplyAccess(), including:
>>
>>> /** Don't block our own responses or HTTP status messages */
>>> if (http->logType.oldType == LOG_TCP_DENIED ||
>>> http->logType.oldType == LOG_TCP_DENIED_REPLY ||
>>> alwaysAllowResponse(reply->sline.status())) {
>>> headers_sz = reply->hdr_sz;
>>> processReplyAccessResult(ACCESS_ALLOWED);
>>> return;
>>> }
> It would be great if there was a way to slow
> down 407 responses; at the moment the only workaround I can think of
> is to write a log-watching script to maintain a list of offending
> IP/domain pairs, then write a helper to use that data to introduce
> delay when the request is first received (via http_access and the
> !all trick). If anyone has a better option, I'm all ears.
An alternative idea: Change clientReplyContext::processReplyAccess() and
related code so that the http_reply_access ACL is always checked but,
under the conditions quoted above, the result of that check is forced to
be interpreted as ACCESS_ALLOWED.
This alternative requires a little bit of Squid development and testing,
of course, and I am not sure such a trick can be officially accepted.
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
