Odd log entries

Odd log entries

Ralf Hildebrandt
I got quite a lot of those, dunno if they are from 5.0.2 or 6.HEAD,
though (mixed log):

1601367473.708      0 172.29.138.187 TCP_DENIED/403 3900 CONNECT:35415 - HIER_NONE/- text/html accessRule=notsslports -
1601368555.365      2 172.29.130.245 TCP_DENIED/403 3839 CONNECT:31481 - HIER_NONE/- text/html accessRule=notsslports -
1601383160.341    435 10.47.52.135 TCP_DENIED/403 4057 CONNECT:5001 - HIER_NONE/- text/html accessRule=notsslports -

CONNECT, yes, but why is the host missing?

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Odd log entries

Alex Rousskov
On 9/30/20 5:29 AM, Ralf Hildebrandt wrote:
> I got quite a lot of those, dunno if they are from 5.0.2 or 6.HEAD,
> though (mixed log):

> 1601367473.708      0 172.29.138.187 TCP_DENIED/403 3900 CONNECT:35415 - HIER_NONE/- text/html accessRule=notsslports -
> 1601368555.365      2 172.29.130.245 TCP_DENIED/403 3839 CONNECT:31481 - HIER_NONE/- text/html accessRule=notsslports -
> 1601383160.341    435 10.47.52.135 TCP_DENIED/403 4057 CONNECT:5001 - HIER_NONE/- text/html accessRule=notsslports -

> CONNECT, yes, but why is the host missing?

I am even more concerned about the lack of a space character after
"CONNECT". What is your custom logformat definition?

If the problem applies to all denied transactions, then you can probably
tell whether this is v5 or master/v6 problem by sending a manual
to-be-denied request to one or both of the Squid instances in question
and looking for your client address/timestamp in the access log.
Long-term, if you are going to continue mixing access records from
different Squid instances, then I would recommend adding instance (and
worker) IDs to each access log record.

FWIW, I cannot reproduce this problem using a master/v6-based branch with
default logformat and CONNECT requests to banned ports, but perhaps the
problem is specific to some CONNECT transactions or some listening port
configurations.


Cheers,

Alex.
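
One way to pull the records discussed in this thread out of a mixed access log, so they can be compared by client address and timestamp. This is an added example, not code from either post: the field layout is inferred from the quoted lines (the poster's logformat definition is not shown), and `parse`, `odd_records` and the last sample line are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Field layout inferred from the lines quoted in the thread (an assumption;
# the poster's actual logformat definition is not shown on the page):
# time elapsed client status/code bytes <request> user hier/peer type accessRule=<acl>
RECORD = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<request>.+?)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+/\S+)\s+"
    r"(?P<mime>\S+)\s+accessRule=(?P<rule>\S+)"
)
# The oddity discussed above: method fused to ":port", no space and no host.
FUSED = re.compile(r"^(?P<method>[A-Z]+):(?P<port>\d{1,5})$")

def parse(line):
    """Return the record's fields as a dict, or None if the layout differs."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def odd_records(lines):
    """Collect records whose request field is a fused METHOD:port."""
    found = []
    for line in lines:
        rec = parse(line)
        fused = FUSED.match(rec["request"]) if rec else None
        if not fused:
            continue
        when = datetime.fromtimestamp(float(rec["ts"]), timezone.utc)
        found.append({
            "utc": when.isoformat(timespec="seconds"),
            "client": rec["client"],
            "method": fused["method"],
            "port": int(fused["port"]),
            "rule": rec["rule"],
        })
    return found

SAMPLE = [
    # The three records quoted in the thread.
    "1601367473.708      0 172.29.138.187 TCP_DENIED/403 3900 CONNECT:35415 - HIER_NONE/- text/html accessRule=notsslports -",
    "1601368555.365      2 172.29.130.245 TCP_DENIED/403 3839 CONNECT:31481 - HIER_NONE/- text/html accessRule=notsslports -",
    "1601383160.341    435 10.47.52.135 TCP_DENIED/403 4057 CONNECT:5001 - HIER_NONE/- text/html accessRule=notsslports -",
    # Constructed for contrast: a denied CONNECT with method, space and host.
    "1601383200.000      1 192.0.2.10 TCP_DENIED/403 3950 CONNECT example.org:8443 - HIER_NONE/- text/html accessRule=notsslports -",
]

if __name__ == "__main__":
    for hit in odd_records(SAMPLE):
        print(hit)
```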