On 4/13/23 21:23, andre.bolinhas@xxxxxxxxxxxxxx wrote:
> I'm seeing too many requests to website mainnet.infura.io; by analyzing the
> access.log it seems that the website is blocked
Which directive/mechanism blocks them (e.g., http_access,
reply_body_max_size, ICAP/eCAP, etc.)?
> Each TCP_DENIED request is consuming 400000+ bytes
Assuming you do not use huge custom TCP_DENIED error pages, I agree that
these entries look suspicious, as if Squid denied access but continued
to tunnel the traffic. The response times are fairly small, but probably
large enough to transmit those amounts of data from a fast server.
Since most requests (for the affected domain) are problematic, can you
collect a packet trace and see if you can confirm that these
transactions transmit a lot of data from Squid to the client? If IPs are
not enough, logging client TCP port (%>p) may help you match specific
access.log entries with TCP connections in the packet trace...
What Squid version are you using for this? Does SslBump affect the
problematic transactions?
Thank you,
Alex.
> but I also notice that the
> request is consuming bandwidth; here is an example.
>
> Squid access.log format:
>
> %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a:%<p %mt mac="%>eui" %note ua="%{User-Agent}>h" exterr="%err_code|%err_detail"
>
> Access.log requests:
>
> 1681099742.517 35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="ERR_CACHE_ACCESS_DENIED|-"
> 1681099742.575 41 10.81.216.114 TCP_DENIED/407 511819 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="ERR_CACHE_ACCESS_DENIED|-"
> 1681099742.664 73 10.81.216.114 NONE/200 0 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="-|-"
> 1681099742.685 20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="-" exterr="ERR_ACCESS_DENIED|-"
>
> Each TCP_DENIED request is consuming 400000+ bytes, so at the end of the day
> sometimes I have a total of 56k requests to mainnet.infura.io consuming
> around 15GB of bandwidth.
>
> My question is, assuming that %<st is the total size of the reply, why is
> TCP_DENIED taking a lot of bandwidth to block a website?
>
> Best regards
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
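One way to measure what this thread describes from access.log alone, as an added example that is not part of the original messages and not Squid's own tooling: a small Python parser for the custom logformat quoted above, which aggregates %<st bytes per host and Squid status and flags denied transactions whose reply size is far larger than any error page should be. The sample lines are the four entries from the thread reassembled onto one line each; the 100 KB threshold is a constructed value chosen to catch the 400 KB+ entries without matching ordinary denials.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Regex for the custom logformat quoted in the thread (one access.log line = one match):
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a:%<p %mt mac="%>eui"
# %note ua="%{User-Agent}>h" exterr="%err_code|%err_detail"
# %note is URL-encoded by Squid, so it never contains whitespace; the User-Agent can.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<status>[A-Z_]+)/(?P<http>\d{3})\s+(?P<reply_bytes>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+'
    r'(?P<mime>\S+)\s+mac="(?P<mac>[^"]*)"\s+(?P<note>\S+)\s+'
    r'ua="(?P<ua>[^"]*)"\s+exterr="(?P<err>[^"]*)"$'
)

# Constructed sample: the four entries quoted in the thread, reassembled onto one line each.
SAMPLE_LOG = [
    '1681099742.517 35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="ERR_CACHE_ACCESS_DENIED|-"',
    '1681099742.575 41 10.81.216.114 TCP_DENIED/407 511819 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="ERR_CACHE_ACCESS_DENIED|-"',
    '1681099742.664 73 10.81.216.114 NONE/200 0 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="-|-"',
    '1681099742.685 20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="-" exterr="ERR_ACCESS_DENIED|-"',
]


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    e["ms"] = int(e["ms"])                    # %tr: response time in milliseconds
    e["reply_bytes"] = int(e["reply_bytes"])  # %<st: total reply size sent to the client
    # CONNECT requests log "host:port"; other methods log a full URL.
    if e["method"] == "CONNECT":
        e["host"] = e["url"].rsplit(":", 1)[0]
    else:
        e["host"] = urlparse(e["url"]).hostname or e["url"]
    e["note"] = unquote(e["note"])  # decode the %note annotations (category, user, ...)
    return e


def summarize(entries):
    """Aggregate request count and %<st bytes per (host, Squid status code)."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for e in entries:
        key = (e["host"], e["status"])
        totals[key]["count"] += 1
        totals[key]["bytes"] += e["reply_bytes"]
    return dict(totals)


def denied_bytes(entries):
    """Total %<st bytes Squid reports for TCP_DENIED* transactions."""
    return sum(e["reply_bytes"] for e in entries if e["status"].startswith("TCP_DENIED"))


def suspicious_denials(entries, min_bytes=100_000):
    """Denied transactions whose reply size is far larger than an error page.

    A stock Squid error page is a few KB; min_bytes is a constructed threshold
    (assumption) that flags the 400 KB+ entries from the thread without matching
    normal denials.
    """
    return [e for e in entries
            if e["status"].startswith("TCP_DENIED") and e["reply_bytes"] >= min_bytes]


if __name__ == "__main__":
    entries = [e for e in map(parse_line, SAMPLE_LOG) if e]
    for (host, status), t in sorted(summarize(entries).items()):
        print(f"{host:25} {status:20} {t['count']:5d} req {t['bytes']:10d} bytes")
    for e in suspicious_denials(entries):
        print(f"suspicious: {e['client']} {e['status']}/{e['http']} {e['reply_bytes']} bytes "
              f"in {e['ms']} ms -> {e['host']} ({e['err']})")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; any line that fails to match means the logformat differs from the one quoted above and the regex needs adjusting. If the logformat is extended with the client port (%>p) as suggested in the reply, add one more group to the regex so each flagged entry can be matched to a TCP connection in a packet trace.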