access_log acls

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

access_log acls

Marcus Kool

I have an issue with access_log acls when a load balancer sends a TCP probe.

The goal is to not log errors caused by the TCP probes of the load balancer.  All other errors must be logged.

I did a test with the following acls on one of our test systems to illustrate the issue:

logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_log stdio:/local/squid4/logs/access.log   combha !src_lb


The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107 goes to lbaccess.log and all other traffic to access.log,
but imitating the TCP probe of the LB with a telnet session from 10.2.2.107 to the squid server which is immediately terminated or sends garbage, is logged with transaction-end-before-headers to access.log, not lbaccess.log.

It seems that Squid, at the moment that it logs the transaction-end-before-headers error, does not consider the access_log acls or maybe has not yet processed the source IP to make the right decision.

Should the above acls send the errors to lbaccess.log ?  If not, what set of acls can do it?

Thanks,

Marcus





_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: access_log acls

Alex Rousskov
On 11/27/18 5:21 AM, Marcus Kool wrote:

> logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
> acl src_lb src 10.2.2.254/32
> acl src_lb src 10.2.2.107/32
> access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
> access_log stdio:/local/squid4/logs/access.log   combha !src_lb

> The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
> goes to lbaccess.log and all other traffic to access.log,
> *but* imitating the TCP probe of the LB with a telnet session from
> 10.2.2.107 to the squid server which is immediately terminated or sends
> garbage, is logged with transaction-end-before-headers to access.log,
> not lbaccess.log.

> Should the above acls send the errors to lbaccess.log?

Yes, src ACLs should work for all transactions associated with to-Squid
connections, including transaction-end-before-headers errors. If they do
not work, it is a Squid bug.

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: access_log acls

Marcus Kool

On 27/11/2018 13:58, Alex Rousskov wrote:

> On 11/27/18 5:21 AM, Marcus Kool wrote:
>
>> logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
>> acl src_lb src 10.2.2.254/32
>> acl src_lb src 10.2.2.107/32
>> access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
>> access_log stdio:/local/squid4/logs/access.log   combha !src_lb
>> The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
>> goes to lbaccess.log and all other traffic to access.log,
>> *but* imitating the TCP probe of the LB with a telnet session from
>> 10.2.2.107 to the squid server which is immediately terminated or sends
>> garbage, is logged with transaction-end-before-headers to access.log,
>> not lbaccess.log.
>> Should the above acls send the errors to lbaccess.log?
> Yes, src ACLs should work for all transactions associated with to-Squid
> connections, including transaction-end-before-headers errors. If they do
> not work, it is a Squid bug.
>
> Alex.

Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906

Is it serious enough to get a fix in Squid 4?

Marcus


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: access_log acls

Matus UHLAR - fantomas
>>On 11/27/18 5:21 AM, Marcus Kool wrote:
>>>logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
>>>acl src_lb src 10.2.2.254/32
>>>acl src_lb src 10.2.2.107/32
>>>access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
>>>access_log stdio:/local/squid4/logs/access.log   combha !src_lb
>>>The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
>>>goes to lbaccess.log and all other traffic to access.log,
>>>*but* imitating the TCP probe of the LB with a telnet session from
>>>10.2.2.107 to the squid server which is immediately terminated or sends
>>>garbage, is logged with transaction-end-before-headers to access.log,
>>>not lbaccess.log.
>>>Should the above acls send the errors to lbaccess.log?

>On 27/11/2018 13:58, Alex Rousskov wrote:
>>Yes, src ACLs should work for all transactions associated with to-Squid
>>connections, including transaction-end-before-headers errors. If they do
>>not work, it is a Squid bug.

On 27.11.18 14:42, Marcus Kool wrote:
>Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
>
>Is it serious enough to get a fix in Squid 4?

which "squid 4" exactly?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: access_log acls

Marcus Kool
4.5 would be nice.  4.6 would also be nice.

On 27/11/2018 14:47, Matus UHLAR - fantomas wrote:

>>> On 11/27/18 5:21 AM, Marcus Kool wrote:
>>>> logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
>>>> acl src_lb src 10.2.2.254/32
>>>> acl src_lb src 10.2.2.107/32
>>>> access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
>>>> access_log stdio:/local/squid4/logs/access.log   combha !src_lb
>>>> The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
>>>> goes to lbaccess.log and all other traffic to access.log,
>>>> *but* imitating the TCP probe of the LB with a telnet session from
>>>> 10.2.2.107 to the squid server which is immediately terminated or sends
>>>> garbage, is logged with transaction-end-before-headers to access.log,
>>>> not lbaccess.log.
>>>> Should the above acls send the errors to lbaccess.log?
>
>> On 27/11/2018 13:58, Alex Rousskov wrote:
>>> Yes, src ACLs should work for all transactions associated with to-Squid
>>> connections, including transaction-end-before-headers errors. If they do
>>> not work, it is a Squid bug.
>
> On 27.11.18 14:42, Marcus Kool wrote:
>> Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
>>
>> Is it serious enough to get a fix in Squid 4?
>
> which "squid 4" exactly?
>
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: access_log acls

Matus UHLAR - fantomas
On 27.11.18 15:04, Marcus Kool wrote:
>4.5 would be nice.  4.6 would also be nice.

OK, I will rephrase my question: which squid version do you find this in?

>On 27/11/2018 14:47, Matus UHLAR - fantomas wrote:
>>>>On 11/27/18 5:21 AM, Marcus Kool wrote:
>>>>>logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
>>>>>acl src_lb src 10.2.2.254/32
>>>>>acl src_lb src 10.2.2.107/32
>>>>>access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
>>>>>access_log stdio:/local/squid4/logs/access.log   combha !src_lb
>>>>>The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
>>>>>goes to lbaccess.log and all other traffic to access.log,
>>>>>*but* imitating the TCP probe of the LB with a telnet session from
>>>>>10.2.2.107 to the squid server which is immediately terminated or sends
>>>>>garbage, is logged with transaction-end-before-headers to access.log,
>>>>>not lbaccess.log.
>>>>>Should the above acls send the errors to lbaccess.log?
>>
>>>On 27/11/2018 13:58, Alex Rousskov wrote:
>>>>Yes, src ACLs should work for all transactions associated with to-Squid
>>>>connections, including transaction-end-before-headers errors. If they do
>>>>not work, it is a Squid bug.
>>
>>On 27.11.18 14:42, Marcus Kool wrote:
>>>Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
>>>
>>>Is it serious enough to get a fix in Squid 4?
>>
>>which "squid 4" exactly?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: access_log acls

Marcus Kool
On Wed, Nov 28, 2018 at 12:24:30PM +0100, Matus UHLAR - fantomas wrote:
> On 27.11.18 15:04, Marcus Kool wrote:
> > 4.5 would be nice.  4.6 would also be nice.
>
> OK, I will rephrase my question: which squid version do you find this in?

This issue was found in Squid 4.3

>
> > On 27/11/2018 14:47, Matus UHLAR - fantomas wrote:
> > > > > On 11/27/18 5:21 AM, Marcus Kool wrote:
> > > > > > logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %>ha
> > > > > > acl src_lb src 10.2.2.254/32
> > > > > > acl src_lb src 10.2.2.107/32
> > > > > > access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
> > > > > > access_log stdio:/local/squid4/logs/access.log   combha !src_lb
> > > > > > The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
> > > > > > goes to lbaccess.log and all other traffic to access.log,
> > > > > > *but* imitating the TCP probe of the LB with a telnet session from
> > > > > > 10.2.2.107 to the squid server which is immediately terminated or sends
> > > > > > garbage, is logged with transaction-end-before-headers to access.log,
> > > > > > not lbaccess.log.
> > > > > > Should the above acls send the errors to lbaccess.log?
> > >
> > > > On 27/11/2018 13:58, Alex Rousskov wrote:
> > > > > Yes, src ACLs should work for all transactions associated with to-Squid
> > > > > connections, including transaction-end-before-headers errors. If they do
> > > > > not work, it is a Squid bug.
> > >
> > > On 27.11.18 14:42, Marcus Kool wrote:
> > > > Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
> > > >
> > > > Is it serious enough to get a fix in Squid 4?
> > >
> > > which "squid 4" exactly?
>
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> - Holmes, what kind of school did you study to be a detective?
> - Elementary, Watson.  -- Daffy Duck & Porky Pig
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users