Discussion:
[squid-users] access_log acls
Marcus Kool
2018-11-27 12:21:20 UTC
Permalink
I have an issue with access_log acls when a load balancer sends a TCP probe.

The goal is to not log errors caused by the TCP probes of the load balancer.  All other errors must be logged.

I did a test with the following acls on one of our test systems to illustrate the issue:

logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/*lb*access.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb


The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107 goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from 10.2.2.107 to the squid server which is immediately terminated or sends garbage, is logged with transaction-end-before-headers to
access.log, not lbaccess.log.

It seems that Squid, at the moment that it logs the transaction-end-before-headers error, does not consider the access_log acls or maybe has not yet processed the source IP to make the right decision.

Should the above acls send the errors to lbaccess.log ?  If not, what set of acls can do it?

Thanks,

Marcus
Alex Rousskov
2018-11-27 15:58:49 UTC
Permalink
Post by Marcus Kool
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb
The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from
10.2.2.107 to the squid server which is immediately terminated or sends
garbage, is logged with transaction-end-before-headers to access.log,
not lbaccess.log.
Should the above acls send the errors to lbaccess.log?
Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.

Alex.
Marcus Kool
2018-11-27 16:42:51 UTC
Permalink
Post by Alex Rousskov
Post by Marcus Kool
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb
The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from
10.2.2.107 to the squid server which is immediately terminated or sends
garbage, is logged with transaction-end-before-headers to access.log,
not lbaccess.log.
Should the above acls send the errors to lbaccess.log?
Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.
Alex.
Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906

Is it serious enough to get a fix in Squid 4?

Marcus
Matus UHLAR - fantomas
2018-11-27 16:47:17 UTC
Permalink
Post by Marcus Kool
Post by Alex Rousskov
Post by Marcus Kool
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb
The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from
10.2.2.107 to the squid server which is immediately terminated or sends
garbage, is logged with transaction-end-before-headers to access.log,
not lbaccess.log.
Should the above acls send the errors to lbaccess.log?
Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.
Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
Is it serious enough to get a fix in Squid 4?
which "squid 4" exactly?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Marcus Kool
2018-11-27 17:04:25 UTC
Permalink
4.5 would be nice.  4.6 would also be nice.
Post by Matus UHLAR - fantomas
Post by Marcus Kool
Post by Alex Rousskov
Post by Marcus Kool
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb
The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from
10.2.2.107 to the squid server which is immediately terminated or sends
garbage, is logged with transaction-end-before-headers to access.log,
not lbaccess.log.
Should the above acls send the errors to lbaccess.log?
Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.
Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
Is it serious enough to get a fix in Squid 4?
which "squid 4" exactly?
Matus UHLAR - fantomas
2018-11-28 11:24:30 UTC
Permalink
Post by Marcus Kool
4.5 would be nice.  4.6 would also be nice.
OK, I will rephrase my question: which squid version do you find this in?
Post by Marcus Kool
Post by Matus UHLAR - fantomas
Post by Marcus Kool
Post by Alex Rousskov
Post by Marcus Kool
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb
The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from
10.2.2.107 to the squid server which is immediately terminated or sends
garbage, is logged with transaction-end-before-headers to access.log,
not lbaccess.log.
Should the above acls send the errors to lbaccess.log?
Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.
Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
Is it serious enough to get a fix in Squid 4?
which "squid 4" exactly?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson. -- Daffy Duck & Porky Pig
Marcus Kool
2018-11-28 12:10:39 UTC
Permalink
Post by Matus UHLAR - fantomas
Post by Marcus Kool
4.5 would be nice.  4.6 would also be nice.
OK, I will rephrase my question: which squid version do you find this in?
This issue was found in Squid 4.3
Post by Matus UHLAR - fantomas
Post by Marcus Kool
Post by Matus UHLAR - fantomas
Post by Marcus Kool
Post by Alex Rousskov
Post by Marcus Kool
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb
The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
goes to lbaccess.log and all other traffic to access.log,
*but* imitating the TCP probe of the LB with a telnet session from
10.2.2.107 to the squid server which is immediately terminated or sends
garbage, is logged with transaction-end-before-headers to access.log,
not lbaccess.log.
Should the above acls send the errors to lbaccess.log?
Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.
Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
Is it serious enough to get a fix in Squid 4?
which "squid 4" exactly?
--
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson. -- Daffy Duck & Porky Pig
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Continue reading on narkive:
Loading...