On 2014-07-08 13:17, Dan Charlesworth wrote:
Hey folks
So I support a bunch of Squid deployments and every so often I’ll get
a call about a poor performance, or very large access logs files etc.
Oftentimes as soon as I crack open the access log I see there’s a
handful of machines (sometimes just one) practically DoSing the proxy
with failed requests (failing because the client app won’t comply with
proxy authentication).
Here’s a recent example of one of these bugs from Google Chrome:
https://code.google.com/p/chromium/issues/detail?id=373181
So I just wanted to see if anyone had any advice or suggestions for
dealing with this kind of thing. I’m guessing iptables would be the
logical place to try and prevent it, but I wouldn’t know where to
start with rate limiting in iptables…
Anyone care to share?
Andrew Beverleys QoS and traffic shaping documentation
(<http://andybev.com/index.php/Main_Page>) is probably the best place to
look for iptables based solutions, with the official netfilter
documentation coming in second.
Squid-3.5 is coming with a new helper (ext_delayer_acl) which can be
configured to help in this type of situation. For older Squid versions
you can download the perl script from
<http://bazaar.launchpad.net/~squid/squid/trunk/files/head:/helpers/external_acl/delayer/>
- documentation for it is inside the script.
Amos
