Re: Weird IPCHAINS and SQUID problem

From: Matthew Naylor <g2639@dont-contact.us>
Date: Thu, 20 Apr 2000 17:01:42 +0100 (BST)

On Thu, 20 Apr 2000, Ounsted, Toby wrote:

> This one's starting to give me a headache.. - using ipchains for transparent
> proxying, the address section gets ripped out of URLs..
>
> I'm trying to get Squid to be a transparent proxy by setting my linux box as
> the default gateway and forwarding from port 80 to port 3128 as per the
> Transparent Proxy howto. I've previously been using squid quite happily,
> going directly to port 3128 - it works a treat.
> set IPV4 forwarding and defragmentation, and set ipchains rules as follows:
> (the server's called 'internet')..
>
> [root@internet sysconfig]# ipchains -L
> Chain input (policy ACCEPT):
> target prot opt source destination ports
> ACCEPT tcp ------ anywhere internet any -> www
> ACCEPT tcp ------ anywhere internet.psgint.com any -> www
> REDIRECT tcp ------ anywhere anywhere any -> www => 3128
> Chain forward (policy ACCEPT):
> Chain output (policy ACCEPT):
>
> If I turn off the proxy settings in the browser (i.e. try to go direct) the
> address of the site I'm trying to hit seems to get mashed. For example, I
> try and go to http://www.wideopen.com/story/757.html
> Squid responds with:
>
> ERROR
> The requested URL could not be retrieved
> While trying to retrieve the URL: /story/757.html
> The following error was encountered:
> Invalid URL
> Etc.
>
> So it's as though the first part of the URL got murdered.
>
> The squid access log looks similar:
> 956237322.768 0 194.70.6.99 NONE/400 1075 GET /story/757.html - NONE/- -
>
> Software: MSIE5 browser, RH6.1, Squid2.2Stable4 supplied with RH6.1. Stock
> kernel which already has Ipchains support built in.
>
> Something's getting somewhere for squid to even be having a go - but the
> address isn't.
> TCPDump is also interesting (pooter is the client) as something is
> chattering to 206.132.41.223.www (which is wideopen.com for the purposes of
> this test) - despite squid's announcement that it had all gone wrong:
>
> [root@internet sysconfig]# !tcp
> tcpdump 'port 80'
> Kernel filter, protocol ALL, datagram packet socket
> tcpdump: listening on all devices
> 14:48:45.778563 eth0 < pooter.psgint.com.2608 > 206.132.41.223.www: S 2900626:2900626(0) win 8192 <mss 1460> (DF)
> 14:48:45.778637 eth0 > 206.132.41.223.www > pooter.psgint.com.2608: S 2802009305:2802009305(0) ack 2900627 win 30660 <mss 1460> (DF)
> 14:48:45.778774 eth0 < pooter.psgint.com.2608 > 206.132.41.223.www: . 1:1(0) ack 1 win 8760 (DF)
> 14:48:45.779095 eth0 < pooter.psgint.com.2608 > 206.132.41.223.www: P 1:294(293) ack 1 win 8760 (DF)
> 14:48:45.779129 eth0 > 206.132.41.223.www > pooter.psgint.com.2608: . 1:1(0) ack 294 win 30660 (DF)
> 14:48:45.780024 eth0 > 206.132.41.223.www > pooter.psgint.com.2608: P 1:1076(1075) ack 294 win 32120 (DF)
> 14:48:45.780230 eth0 > 206.132.41.223.www > pooter.psgint.com.2608: F 1076:1076(0) ack 294 win 32120 (DF)
> 14:48:45.781174 eth0 < pooter.psgint.com.2608 > 206.132.41.223.www: F 294:294(0) ack 1076 win 7685 (DF)
> 14:48:45.781237 eth0 > 206.132.41.223.www > pooter.psgint.com.2608: . 1077:1077(0) ack 295 win 32119 (DF)
> 14:48:45.781230 eth0 < pooter.psgint.com.2608 > 206.132.41.223.www: . 295:295(0) ack 1077 win 7685 (DF)
>

I think you need to tell Squid that you are using transparent
proxying, e.g. lines like "httpd_accel_uses_host_header on" in the
squid.conf.

There is info on this in the FAQ. I'm not sure if this helps, but anyway.

> So - suggestions welcome! It's got me..
>
>
> Thanks,
>
> Toby.
>
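For reference, the Squid 2.x squid.conf fragment the reply is pointing at, written out as an added example (not part of the original messages). The REDIRECT rule rewrites the destination port, so Squid receives a bare `GET /story/757.html` and, unless told to use the Host header, cannot rebuild the URL, which is exactly the NONE/400 "Invalid URL" in the access log above. The client network below is an assumed placeholder.

```conf
# Added example: Squid 2.x directives for accepting requests arriving
# via an ipchains REDIRECT of port 80 to 3128. Not from the original thread.

http_port 3128

# Accelerator mode with a "virtual" host: the origin server is taken from
# each request rather than being a single fixed back-end server.
httpd_accel_host virtual
httpd_accel_port 80

# Keep serving browsers that are explicitly configured to use port 3128,
# so transparent and configured clients can share one Squid instance.
httpd_accel_with_proxy on

# Reconstruct the full URL from the Host: header the browser sends.
# Without this, Squid only sees the path part and returns "Invalid URL".
# Note that the Host: header is supplied by the client, so the cache is
# relying on the client to name the true origin host.
httpd_accel_uses_host_header on

# Restrict who may use the proxy so the redirect does not also turn the
# gateway into an open proxy. 192.168.0.0/24 is an assumed placeholder;
# use the real client subnet.
acl localnet src 192.168.0.0/24
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access deny all
```

After editing squid.conf, run `squid -k reconfigure` and check that a direct request from a client now logs as TCP_MISS/200 (or similar) with the full URL rather than NONE/400 with a bare path.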
Received on Thu Apr 20 2000 - 10:06:04 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:00 MST