Every day I get tons of these GETs, a lot from the same IP, then a
lot from other IPs of our local intranet (we have some APs plugged
into our intranet). This has been happening since forever, but I'm trying
to understand/get rid of it.
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Date: Tue, 12 Dec 2017 10:34:02 GMT
Expires: Thu, 11 Jan 2018 10:34:02 GMT
Cache-Control: public, max-age=2592000
X-XSS-Protection: 1; mode=block
X-Cache: HIT from proxy
Via: 1.1 proxy (squid)
The document has moved
> Hi guys,
> Every day I get tons of these GETs, a lot from the same IP, then a lot
> from other IPs of our local intranet (we have some APs plugged into our
> intranet). This has been happening since forever, but I'm trying to
> understand/get rid of it.
> Any ideas?
The client software is broken.
1) using explicit URLs with raw-IPv4 to make its requests, and ..
2) performing Host header forgery. www.google.com is hosted in Google's
servers assigned the 216/8 IP range not the 172/8 range. And ..
3) not obeying the clear instruction that the given Domain is *only*
available when fetched by name (not by raw-IP).
Your options are to either:
 * get the client software fixed, or
 * configure ACLs detecting when such clients deliver those raw-IP URLs
   and reject them with a 403 instead of a 301.
That can be done with an external ACL helper in http_reply_access that
tracks 301 + Content-Location and which client they were sent to.
Rejecting them with a 403 after an arbitrary number of repeats.
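
A sketch of the kind of external ACL helper described above, added here as an example (it is not code from the post or from the Squid project). It assumes Squid is configured to pass each helper line as "<client-ip> <reply-status> <request-url>"; that input format, the threshold value and the function names are assumptions, and the squid.conf wiring is not shown.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: match clients that keep drawing 301s for raw-IP URLs."""
import ipaddress
import sys
from urllib.parse import urlsplit

MAX_REPEATS = 5  # assumed threshold; the post only says "an arbitrary number"


def is_raw_ip_url(url):
    """True when the URL's host part is an IP literal rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(counts, line, limit=MAX_REPEATS):
    """Return "OK" (ACL matches) or "ERR" (no match) for one helper input line.

    Assumed input format: "<client-ip> <reply-status> <request-url>".
    """
    fields = line.split()
    if len(fields) != 3:
        return "ERR"  # malformed input never matches
    client, status, url = fields
    if status != "301" or not is_raw_ip_url(url):
        return "ERR"  # only 301 replies to raw-IP URLs are tracked
    counts[client] = counts.get(client, 0) + 1
    # Match only once this client has repeated the request more than `limit` times.
    return "OK" if counts[client] > limit else "ERR"


def main():
    counts = {}  # per-client repeat counter, kept for the helper's lifetime
    for line in sys.stdin:
        sys.stdout.write(decide(counts, line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer, so never buffer


if __name__ == "__main__":
    main()
```

An "OK" answer means the ACL matched, so the deny rule built on it is what turns the repeated 301 into a 403.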