Re: [squid-users] Squid3 reverse proxy & Failed to select source strange errors

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Nov 2009 12:37:20 +1300

On Mon, 23 Nov 2009 16:29:20 +0100, "David B." <haazeloud_at_gmail.com>
wrote:
> Amos Jeffries a écrit :
>> [snip]
>>>
>>>
>>> Exemple :
>>> 2009/11/23 08:36:28| Failed to select source for
>>> 'http://img43.imageshack.us/img43/416/greysanatomypromotional.jpg'
>>> 2009/11/23 08:36:28| always_direct = 0
>>> 2009/11/23 08:36:28| never_direct = 0
>>> 2009/11/23 08:36:28| timedout = 0
>>> [snip]
>>> 2009/11/23 11:02:26| Failed to select source for
>>> 'http://pagead2.googlesyndication.com/pagead/show_ads.js'
>>> 2009/11/23 11:02:26| always_direct = 0
>>> 2009/11/23 11:02:26| never_direct = 0
>>> 2009/11/23 11:02:26| timedout = 0
>>>
>>> I'm not imageshack or google. :)
>>>
>>
>> Normal website attacks.
>>
>> One of the benefits of using Squid is to prevent these resource
>> wasters getting near the backend processors. "Failed to select
>> source" is good news.
> This is quite strange, I think I'm misunderstanding something.
> I'm using squid as a reverse proxy.

I understand.

> Clients (internet people surfing on my website) should connect to squid
> boxes to retrieve static content. Squid send the right file or connect
> to cache_peer to retrieve file before the resend process.

... and reject bad requests. As you pointed out
"http://pagead2.googlesyndication.com"... was not one of your images....

> How can someone could tell to squid to retrieve something on a server
> not defined to a cache_peer ?

Easily. They sends a HTTP request like this:

 GET http://foo.example.com/somethingbad HTTP/1.1

or this:

  GET /somethingbad HTTP/1.1
  host: foo.example.com

What you saw in your log was Squid receiving one of those bad requests,
checking for places where it can find the foo.example.com domain. Started
searching for places to get a reply from...
 => Finding that it was not part of the local website (can/should not pass
it to the peer)
 => Finding that its a reverse proxy (should not go direct to the external
foo.example.com).

 Since it was NOT one of your domains squid finished by sending a 404 "not
one of mine. go away" or something similar back to the nasty visitor.

This is good. Your website is safe. Squid is acting a little bit like a
firewall blocking the bad stuff, letting the good requests through.

>>
>> You might also want to occasionally scan the access.log to see if any
>> foreign requests do get through (2xx or 3xx status). If any do you
>> have a problem, otherwise everything is fine.
> Something like this ?
>
> 2009/11/23 07:26:07| clientParseRequestMethod: Unsupported method in
> request 'HTTP/1.0 200 OK
> Last-Modified: Tue, 06 Jan 2009 14:02:42 GMT
> Accept-Ranges: bytes
> Content-Length: 166
> Content-Type: image/gif
> Date: Mon, 23 Nov 2009 01:03:56 GMT
> Server: Apache
> ETag: "1247de8-a6-45fd0dc60a480"
> Expires: Tue, 24 Nov 2009 01:03:56 GMT
> Cache-Control: max-age=86400
> Age: 19331
> X-Cache: HIT from static.myhost.com
> X-Cache-Lookup: HIT from static.myhost.com:80
> Connection: keep-alive
>
> GIF89a^P'
>
> ?
Something broken with that log. Thats a reply. :) one of your static
images being sent out. A 166-byte *.gif file.

If there was any attack problem it would show up in _access.log_ similar
to this:

time - visitorIP 200 45235 GET http://example.com/bad - DIRECT/example.com
...
or
time - visitorIP 302 1651 GET http://example.com/bad - ...
or
[time] visitorIP - - "GET http://example.com/bad HTTP/1.1" 200 42489 ...

Note the codes "200" attack retrieving an object, and "302" attack using a
redirect URL.

Amos
Received on Mon Nov 23 2009 - 23:37:37 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 24 2009 - 12:00:04 MST