
Re: disable access.log logging on a specific entrys


 



On 21/09/17 01:42, Holger Wybranietz wrote:
> Hello Amos,
>
> Yast doesn't show any newer version than 3.5.21 (you meant 3.5.27 is
> working fine?).
>

Yes. I tested with 3.5.27, 4.0.21, and latest v5 code. All hide the log entries when !logNoSpamresolver is used.


> By the way:
> The entries I want to get filtered are similar to:
>
> 192.168.12.84 - - [18/Sep/2017:15:22:40 +0200] "POST
> /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990
> TAG_NONE:HIER_NONE
>
> I think that this is not a "normal" url, "/SpamResolverNG/Spa..." seems
> to be a directory path?

It's called an origin-form URI and is the true form of URLs delivered to web servers on port 80 and 443.

I suspect there is no Host header delivered by the client to allow Squid to convert it into an absolute-form URL for proxy consumption. Which would also explain the 400 status and *_NONE server details.


> Is there another way to treat this kind of entries?
>

That depends on your definition of "treat". They are all actual traffic consuming resources on the proxy, so it is a little odd to hide them from view. On the other hand you are using a web server log format in a proxy, which is very lossy anyway.


The config mentioned earlier was correct for what you tried to do. It's odd that it was not working.

Maybe something wrong with the regex. I'm thinking Unicode characters etc. not quite matching what the eyes seem to indicate - in either the URL itself or the config regex.


It might be a good idea to try and resolve the problem in the client software if you can;

- if the AV software is configured to use the proxy (including with auto-config methods, WPAD/PAC etc) then it is a bug to be sending that URL form to a proxy. The vendor may want to know and fix it since other customers will be having the same issue and this type of bug is a security vulnerability for AV.

- if you are intercepting the traffic from port 80 or 443 somehow, then your interception would appear to be broken. Squid should always be able to determine the ORIGINAL_DST for intercepted traffic and transparently deliver it there when Host is missing or invalid.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
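
Added example, not part of the original message or of Squid: a small Python check for the "characters not matching what the eyes indicate" theory above, reporting any non-printable-ASCII character in an ACL pattern or in the logged request URI. The two patterns are hypothetical (the thread's actual squid.conf line is not shown on this page), and Python's `re` stands in for Squid's regex engine, which is only equivalent for plain literal patterns like these.

```python
import re
import unicodedata

# Constructed sample: the log entry quoted in the message, joined onto one line.
SAMPLE_LOG = ('192.168.12.84 - - [18/Sep/2017:15:22:40 +0200] '
              '"POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" '
              '400 3990 TAG_NONE:HIER_NONE')

# Hypothetical ACL patterns; the thread's real squid.conf is not shown.
# Assumption: literal patterns behave the same in Python's re as in Squid.
GOOD_PATTERN = r'/SpamResolverNG/'
# The same pattern as it might arrive via copy/paste: Cyrillic "a" (U+0430)
# in place of Latin "a", plus a trailing zero-width space (U+200B).
BAD_PATTERN = '/Sp\u0430mResolverNG/\u200b'

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def request_uri(log_line):
    """Return the request URI from a common-log-format line, or None."""
    m = REQUEST_RE.search(log_line)
    return m.group('uri') if m else None


def suspicious_chars(text):
    """List (offset, codepoint, name) for every char outside printable ASCII."""
    found = []
    for i, ch in enumerate(text):
        if not (0x20 <= ord(ch) <= 0x7E):
            name = unicodedata.name(ch, 'UNNAMED CONTROL')
            found.append((i, 'U+%04X' % ord(ch), name))
    return found


def diagnose(pattern, log_line):
    """Report whether pattern matches the logged URI and why it might not."""
    uri = request_uri(log_line)
    return {
        'uri': uri,
        'matches': bool(uri and re.search(pattern, uri)),
        'pattern_suspects': suspicious_chars(pattern),
        'uri_suspects': suspicious_chars(uri or ''),
    }


if __name__ == '__main__':
    for pat in (GOOD_PATTERN, BAD_PATTERN):
        print(ascii(pat), diagnose(pat, SAMPLE_LOG))
```

A non-empty `pattern_suspects` list alongside `matches: False` points at the config line rather than the traffic; retyping the pattern by hand in a plain-ASCII editor is the usual fix.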



