Re: [squid-users] TCP_RESET non http requests on port 80
On 09/07/2016 01:56 AM, Matus UHLAR - fantomas wrote:
> and how is this done? Which system or library call does drop connection to
> send a RST immediately?

This is not a squid-users question, but Squid calls comm_reset_close()
(quoted below) to reset the connection. That function uses a zero SO_LINGER
option value to trigger a TCP reset when the connection is closed. AFAICT,
this is a "standard" approach.

I do not know whether that approach results in an actual TCP reset packet
immediately sent (as opposed to responding to any incoming packets on the
same connection with TCP reset packets).

HTH,

Alex.

> /**
>  * enable linger with time of 0 so that when the socket is
>  * closed, TCP generates a RESET
>  */
> void
> comm_reset_close(const Comm::ConnectionPointer &conn)
> {
>     struct linger L;
>     L.l_onoff = 1;
>     L.l_linger = 0;
>
>     if (setsockopt(conn->fd, SOL_SOCKET, SO_LINGER, (char *) &L, sizeof(L)) < 0) {
>         int xerrno = errno;
>         debugs(50, DBG_CRITICAL, "ERROR: Closing " << conn << " with TCP RST: " << xstrerr(xerrno));
>     }
>     conn->close();
> }

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
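The SO_LINGER trick from comm_reset_close(), as an added stand-alone example that is not Squid's code: a loopback listener reads a client's first bytes and closes with an RST when they do not look like an HTTP request line, so the client receives no error page at all, only the reset. reset_close(), looks_like_http() and loopback_reset_demo() are hypothetical names chosen here; the junk request is the one from the thread's telnet test, and on Linux the kernel emits the RST at close() time.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Same trick as Squid's comm_reset_close(): SO_LINGER on with a zero timeout makes
 * close() drop unsent data and send a TCP RST instead of a FIN. Returns the
 * setsockopt() result; the fd is closed either way. */
int reset_close(int fd)
{
    struct linger l = { .l_onoff = 1, .l_linger = 0 };
    int rc = setsockopt(fd, SOL_SOCKET, SO_LINGER, &l, sizeof l);
    close(fd);
    return rc;
}

/* Hypothetical first-bytes check standing in for Squid's request parser:
 * does the client's opening data start like an HTTP request line? */
int looks_like_http(const char *buf, size_t len)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "OPTIONS " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (len >= m && memcmp(buf, methods[i], m) == 0)
            return 1;
    }
    return 0;
}

/* Loopback demo: a listener accepts one connection, reads the client's first
 * bytes and reset_close()s the socket when they are not HTTP (plain close()
 * otherwise). Returns what the client's recv() then reports: 0 for a clean FIN,
 * the errno (ECONNRESET on Linux) for an RST, or -1 if the setup failed. */
int loopback_reset_demo(const char *payload)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = -1, as = -1, result = -1;
    struct sockaddr_in a = { .sin_family = AF_INET }; /* port 0: kernel picks one */
    socklen_t alen = sizeof a;
    char buf[128]; ssize_t n;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (ls < 0 || bind(ls, (struct sockaddr *)&a, alen) < 0 || listen(ls, 1) < 0
        || getsockname(ls, (struct sockaddr *)&a, &alen) < 0)
        goto out;
    cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs < 0 || connect(cs, (struct sockaddr *)&a, alen) < 0
        || send(cs, payload, strlen(payload), 0) < 0)
        goto out;
    if ((as = accept(ls, NULL, NULL)) < 0 || (n = recv(as, buf, sizeof buf, 0)) < 0)
        goto out;
    if (looks_like_http(buf, (size_t)n)) close(as); /* ordinary close: FIN */
    else reset_close(as);                           /* abrupt close: RST, no error page */
    as = -1;
    n = recv(cs, buf, sizeof buf, 0); /* client side: 0 after FIN, -1/ECONNRESET after RST */
    result = (n < 0) ? errno : 0;
out:
    if (ls >= 0) close(ls);
    if (cs >= 0) close(cs);
    if (as >= 0) close(as);
    return result;
}
/* Exit status 0 when the junk request from the thread's telnet test gets reset. */
int main(void) { return loopback_reset_demo("sgsdgsdgsdgsdg\r\n") == ECONNRESET ? 0 : 1; }
```

A packet capture on lo while this runs shows the RST leaving at close() time for the junk case, which is the behaviour the thread wants from deny_info TCP_RESET.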
Re: [squid-users] TCP_RESET non http requests on port 80
> On 05.09.16 23:32, Omid Kosari wrote:
>>> Filed a bug report http://bugs.squid-cache.org/show_bug.cgi?id=4585

> On 09/06/2016 08:36 AM, Matus UHLAR - fantomas wrote:
>> I wonder if this is doable at all.

On 06.09.16 12:02, Alex Rousskov wrote:
> Yes, and Squid supports it in other contexts.

and how is this done? Which system or library call drops the connection to
send an RST immediately?

>> Does any tcp stack allow sending reset AFTER the connection has been opened?

> A TCP RESET packet can be sent at any time. This is not something the
> protocol can (or needs to!) prohibit.

I'm not saying that it should not be done, I was just unaware of how this is
implemented.

Closing a connection sends FIN, not RST, correct?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
2B|!2B, that's a question!
Re: [squid-users] TCP_RESET non http requests on port 80
On 09/06/2016 08:36 AM, Matus UHLAR - fantomas wrote:
> On 05.09.16 23:32, Omid Kosari wrote:
>> Filed a bug report http://bugs.squid-cache.org/show_bug.cgi?id=4585
>
> I wonder if this is doable at all.

Yes, and Squid supports it in other contexts.

> Does any tcp stack allow sending reset AFTER the connection has been
> opened?

A TCP RESET packet can be sent at any time. This is not something the
protocol can (or needs to!) prohibit.

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
On 05.09.16 23:32, Omid Kosari wrote:
> Filed a bug report http://bugs.squid-cache.org/show_bug.cgi?id=4585

I wonder if this is doable at all.
When squid accepts a connection, it can only close it without notice.

Does any tcp stack allow sending reset AFTER the connection has been opened?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors
Re: [squid-users] TCP_RESET non http requests on port 80
Filed a bug report http://bugs.squid-cache.org/show_bug.cgi?id=4585
Re: [squid-users] TCP_RESET non http requests on port 80
On 08/29/2016 07:40 AM, Omid Kosari wrote:
> config:
> http_reply_access deny all
> deny_info TCP_RESET all
>
> =
> test type:
> telnet 123.com 80
> sgsdgsdgsdgsdg
>
> RESULT:
> HTTP/1.1 403 Forbidden
> Server: squid
> Mime-Version: 1.0
> Date: Mon, 29 Aug 2016 13:30:47 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 5
> X-Cache: MISS from cache1
> X-Cache-Lookup: NONE from cache1:3128
> Connection: close
>
> reset

and

> config:
> acl test dst 69.58.188.49
> deny_info TCP_RESET test
> http_reply_access deny test
>
>
> =
> test type:
> telnet 123.com 80
> GET / HTTP/1.1
> host: 123.com
>
>
> RESULT:
> HTTP/1.1 403 Forbidden
> Server: squid
> Mime-Version: 1.0
> Date: Sun, 28 Aug 2016 08:45:23 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 5
> X-Cache: MISS from cache1
> X-Cache-Lookup: MISS from cache1:3128
> Connection: keep-alive
>
> reset

Based on v3.5.19 test results you have posted, your Squid does not honor
deny_info when processing http_reply_access. This problem definitely affects
error messages generated by non-HTTP requests and probably affects regular
responses as well. Most likely, Squid modifications would be required to
fix/improve this. The next steps are outlined at
http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
Alex Rousskov wrote
> On 08/28/2016 03:10 AM, Omid Kosari wrote:
>> Alex Rousskov wrote
>>> I understand that it works for regular requests. Does it also work
>>> (i.e.,
>>> does Squid reset the connection) when handling a non-HTTP request on
>>> port 80?
>
>> No , when the request is non-HTTP it does not reset the connection .
>
> Great. Now please go back to the simpler configuration I asked you to
> test some time ago:
>
> http_reply_access deny all
> deny_info TCP_RESET all
>
> Does that work for non-HTTP request on port 80?

config:
http_reply_access deny all
deny_info TCP_RESET all

=
test type:
telnet 123.com 80
sgsdgsdgsdgsdg

RESULT:
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Mon, 29 Aug 2016 13:30:47 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close

reset
Connection to host lost.

==

Alex Rousskov wrote
> I am confused. Earlier you said "As i mention before the deny_info works
> in other configs" and gave a very similar configuration example with
> dstdomain ACL. Now you are showing that this example does _not_ work
> even with regular requests (you are getting HTTP headers from Squid
> instead of a TCP connection reset). Am I missing something?

Sorry, I mean with adapted_http_access. Maybe my typo.
Re: [squid-users] TCP_RESET non http requests on port 80
On 08/28/2016 03:10 AM, Omid Kosari wrote:
> Alex Rousskov wrote
>> I understand that it works for regular requests. Does it also work (i.e.,
>> does Squid reset the connection) when handling a non-HTTP request on port 80?

> No , when the request is non-HTTP it does not reset the connection .

Great. Now please go back to the simpler configuration I asked you to
test some time ago:

http_reply_access deny all
deny_info TCP_RESET all

Does that work for non-HTTP request on port 80?

> config:
> acl test dst 69.58.188.49
> deny_info TCP_RESET test
> http_reply_access deny test
>
>
> =
> test type:
> telnet 123.com 80
> GET / HTTP/1.1
> host: 123.com
>
>
> RESULT:
> HTTP/1.1 403 Forbidden

I am confused. Earlier you said "As i mention before the deny_info works
in other configs" and gave a very similar configuration example with
dstdomain ACL. Now you are showing that this example does _not_ work
even with regular requests (you are getting HTTP headers from Squid
instead of a TCP connection reset). Am I missing something?

> config:
> acl test dst 69.58.188.49
> deny_info TCP_RESET test
> adapted_http_access deny test
>
>
> =
> test type:
> telnet 123.com 80
> GET / HTTP/1.1
> host: 123.com
>
>
>
> RESULT:
> note:empty, just disconnects the telnet

OK, this works as expected, but we need to get it working for the
http_reply_access IMO.

> =
> test type:
> telnet 123.com 80
> sgsdgsdgsdgsdg
>
> RESULT:
> HTTP/1.1 400 Bad Request
> Server: squid
> Mime-Version: 1.0
> Date: Sun, 28 Aug 2016 08:56:14 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 0
> X-Cache: MISS from cache1
> X-Cache-Lookup: NONE from cache1:3128
> Connection: close

OK, this does not work, as expected (there is no matching request and/or
adapted_http_access is not evaluated at all in this case). You need
http_reply_access.

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
Alex Rousskov wrote
> I understand that it works for regular requests. Does it also work (i.e.,
> does Squid
> reset the connection) when handling a non-HTTP request on port 80?

No, when the request is non-HTTP it does not reset the connection.
Here are my test results. I would test with the 123.com IP address, which is 69.58.188.49.

config:
acl test dst 69.58.188.49
deny_info TCP_RESET test
http_reply_access deny test

=
test type:
telnet 123.com 80
GET / HTTP/1.1
host: 123.com

RESULT:
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Sun, 28 Aug 2016 08:45:23 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: MISS from cache1:3128
Connection: keep-alive

reset
note: telnet will not disconnect until I hit Enter a few times

=
test type:
telnet 123.com 80
sgsdgsdgsdgsdg

RESULT:
HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Sun, 28 Aug 2016 09:00:12 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close
Connection to host lost.

config:
acl test dst 69.58.188.49
deny_info TCP_RESET test
adapted_http_access deny test

=
test type:
telnet 123.com 80
GET / HTTP/1.1
host: 123.com

RESULT:
note: empty, just disconnects the telnet

=
test type:
telnet 123.com 80
sgsdgsdgsdgsdg

RESULT:
HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Sun, 28 Aug 2016 08:56:14 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close
Connection to host lost.
Re: [squid-users] TCP_RESET non http requests on port 80
On 08/27/2016 05:44 AM, Omid Kosari wrote:
> Alex Rousskov wrote
>> I recommend starting with something like this:
>>
>> http_reply_access deny all
>> deny_info TCP_RESET all
>>
>> Does that reset all connections to Squid (after Squid fetches the reply)?
>
> Thanks for reply .
>
> As i mention before the deny_info works in other configs

AFAICT, the examples you mentioned before were all wrong, for one reason
or another.

> for example
>
> acl test dstdomain 123.com
> deny_info TCP_RESET test
> http_reply_access deny test
>
> works fine and it only reset the connection without any additional headers .

You have not mentioned the above example before AFAICT. I understand that
it works for regular requests. Does it also work (i.e., does Squid reset
the connection) when handling a non-HTTP request on port 80?

> But if you looking for special purpose i will schedule a maintenance time
> and do following config as you said .
>
> http_reply_access deny all
> deny_info TCP_RESET all

We can start with dstdomain if that is easier for you. I am surprised you
are testing this on a live Squid though. It would be much easier to get it
working in a lab first...

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
Alex Rousskov wrote
> I recommend starting with something like this:
>
> http_reply_access deny all
> deny_info TCP_RESET all
>
> Does that reset all connections to Squid (after Squid fetches the reply)?

Thanks for the reply.

As I mentioned before, deny_info works in other configs, for example

acl test dstdomain 123.com
deny_info TCP_RESET test
http_reply_access deny test

works fine and it only resets the connection without any additional headers.

But if you are looking for a special purpose, I will schedule a maintenance time
and do the following config as you said.

http_reply_access deny all
deny_info TCP_RESET all
Re: [squid-users] TCP_RESET non http requests on port 80
On 08/26/2016 08:42 AM, Omid Kosari wrote:
> Alex Rousskov wrote
>> I do not know why deny_info does not work in your tests.

> Should i give up ?

I cannot answer that question, but if you decide to keep going, then I am
sure that somebody can figure out why deny_info does not work for you. You
may have to try various configurations, supply good debugging information,
and/or pay somebody to make that happen.

I recommend starting with something like this:

http_reply_access deny all
deny_info TCP_RESET all

Does that reset all connections to Squid (after Squid fetches the reply)?

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
Alex Rousskov wrote
> I do not know why deny_info does not work
> in your tests.

Should I give up?
Re: [squid-users] TCP_RESET non http requests on port 80
On 08/24/2016 12:24 PM, Omid Kosari wrote:
> Alex Rousskov wrote
>> Thus, the existing implementation should cover non-HTTP
>> requests on port 80 (or 3128). If it does not, it is a bug. We should
>> polish the documentation to make this clear.

> The problem is not squid itself . The problem is in some situations for
> example DOS(with malformed requests) , infected clients sends lots of
> requests to target server . The requests goes through squid tproxy so squid
> will send back about 250 byte in reply to each request .
>
> So i am looking for a way to just send tcp reset and not that 250 bytes .

What you said is orthogonal to what I said. There are two parts of the
problem you are trying to solve:

1. Detect a non-HTTP request on port 80.
2. Reset the client connection when #1 happens.

The existing on_unsupported_protocol directive already supports #1 --
bugs notwithstanding, it can be used to generate an error response when
you want. It is also the default behavior. Once that error response is
generated, you want to convert it into a TCP reset by denying that
response _and_ using a matching "deny_info TCP_RESET". That is part #2.
I do not know why deny_info does not work in your tests.

N.B. Since resetting non-HTTP connections is a common need, it may be
tempting to add a "terminate" action to the on_unsupported_protocol list
of supported actions. However, I am not sure that is a good idea because
resetting a connection is a common need in many contexts. Deny_info may
be a better (more general) solution.

HTH,

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
Alex Rousskov wrote
> Thus, the existing implementation should cover non-HTTP
> requests on port 80 (or 3128). If it does not, it is a bug. We should
> polish the documentation to make this clear.

The problem is not Squid itself. The problem is that in some situations, for
example a DoS with malformed requests, infected clients send lots of requests
to the target server. The requests go through Squid tproxy, so Squid will send
back about 250 bytes in reply to each request.

So I am looking for a way to just send a TCP reset and not those 250 bytes.

HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Wed, 24 Aug 2016 14:11:35 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close
Re: [squid-users] TCP_RESET non http requests on port 80
On 08/24/2016 07:54 AM, Amos Jeffries wrote:
> on_unsupported_protocol will need patching to be applied when HTTP
> parser detects unsupported protocol on port 80 (or 3128).

on_unsupported_protocol determines (among other things) Squid behavior
when encountering a strange (i.e., probably non-HTTP) request at the
beginning of an accepted TCP connection (where Squid expects to see an
HTTP request). Thus, the existing implementation should cover non-HTTP
requests on port 80 (or 3128). If it does not, it is a bug. We should
polish the documentation to make this clear.

> AFAIK it is
> currently only done by SSL-Bump'ing code detecting non-TLS protocols on
> port 443.

Yes, the above use case is also covered by the existing implementation.

You might also be thinking about non-HTTP inside a bumped TLS tunnel.
IIRC, that is indeed not supported, but Factory is working on that.

HTH,

Alex.
Re: [squid-users] TCP_RESET non http requests on port 80
acl status_400 http_status 400
deny_info TCP_RESET status_400
http_reply_access deny status_400

still sends headers. Just the 400 changed to 403:

HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Wed, 24 Aug 2016 14:11:35 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close

reset

Isn't there a way that Squid does not send these headers and just sends a reset?
Re: [squid-users] TCP_RESET non http requests on port 80
On 25/08/2016 12:39 a.m., Omid Kosari wrote:
> This config works for dstdomain acl type
>
> acl test dstdomain 123.com
> deny_info TCP_RESET test
> adapted_http_access deny test
>
>
> but it is not what i want . I want
>
> acl status_400 http_status 400
> deny_info TCP_RESET status_400
> adapted_http_access deny status_400
>
> OR
>
> acl HTTP proto HTTP
> acl PORT_80 port 80
> deny_info TCP_RESET PORT_80 !HTTP
> adapted_http_access deny PORT_80 !HTTP
>

Status code is only available in the response processing pathways. So use
"http_reply_access deny test". As Alex showed, the generated errors do go
through that access control.

For better control Squid-4 will be needed, and also the
on_unsupported_protocol will need patching to be applied when HTTP parser
detects unsupported protocol on port 80 (or 3128). AFAIK it is currently
only done by SSL-Bump'ing code detecting non-TLS protocols on port 443.

Amos
Re: [squid-users] TCP_RESET non http requests on port 80
This config works for the dstdomain acl type

acl test dstdomain 123.com
deny_info TCP_RESET test
adapted_http_access deny test

but it is not what I want. I want

acl status_400 http_status 400
deny_info TCP_RESET status_400
adapted_http_access deny status_400

OR

acl HTTP proto HTTP
acl PORT_80 port 80
deny_info TCP_RESET PORT_80 !HTTP
adapted_http_access deny PORT_80 !HTTP