RE: [squid-users] Abridged URL gives weird squid error on STABLE10?

From: Frank Hamersley <terabite@dont-contact.us>
Date: Thu, 2 Jun 2005 23:24:03 +1000

> On Tuesday, 31 May 2005 10:26 PM Henrik Nordstrom wrote
> Subject: Re: [squid-users] Abridged URL gives weird squid error on
> STABLE10?
>
Many thanks for the prompt response Henrik - answers to your questions
follow...

>
> On Tue, 31 May 2005, Frank Hamersley wrote:
>
> > I have been testing Squid 2.5 S10 on a RH80 Bastion Firewall host (cable
> > network connected) for QA as a precursor to upgrading a production system
> > and have been getting some weird stuff happening. I'm not convinced Squid
> > is at fault but more on that later.
>
> What did access.log say?

Config #1 - iptables DNAT port 80 to 3128 - FAILED!!
------------------------------------------------------------------
1116851967.015 0 10.1.1.96 TCP_DENIED/400 1539 GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official - NONE/- text/html
1116851967.135 5 10.1.1.96 TCP_DENIED/400 1443 GET /favicon.ico - NONE/- text/html
------------------------------------------------------------------

Config #2 - Firefox proxy configured on 3128 - WORKED!!
------------------------------------------------------------------
1117710959.686 421 10.1.1.96 TCP_MISS/302 520 GET http://www.google.com/firefox? - DIRECT/66.102.7.147 text/html
1117710960.090 396 10.1.1.96 TCP_MISS/200 1852 GET http://www.google.com.au/firefox? - DIRECT/66.102.7.99 text/html
------------------------------------------------------------------

>
> Is this a normal proxy config, or are you using transparent
> interception?
>

Config #1 is transparent, Config #2 conventional proxy (in my understanding
of the terms).

> >
> > http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
> > While trying to retrieve the URL:
> > /firefox?client=firefox-a&rls=org.mozilla:en-US:official

> This indicates the URL was sent to Squid as a web server, not proxy.. so
> someone thought your Squid is the www.google.com web server.

To which Squid quite rightly denied access to the root of the filesystem!

> > I personally suspect the underlying problem is a flaky DNS.
>
> maybe, but it's not the only possible cause.
>
> For it to be DNS the DNS server needs to return the wrong IP address, not
> a failure.

DNS is now ruled out - problems with the ISP changing the Primary and
Secondary SIP's are resolved - no improvement resulted.

>
> > shown above is not one of my domains! Another factor is that I am using
> > iptables to redirect internal port 80 to 3128 (PREROUTING) to supply
> > squid with requests rather than having squid listen on 80.
>
My iptables statement for the record is (SECDEV is eth2 being the internal
secure network device)

$ADDNAT PREROUTING -i $SECDEV -p tcp --dport 80 -j REDIRECT --to-port 3128

> Is there any difference if you set your browser to use the Squid proxy
> port?

Yes - as mentioned above that arrangement works. The transparent mode works
on the production system (squid-2.5.STABLE1-3.9) and I want to retain that
so smart alecs can't bypass the proxy.

>
> > In light of this does this symptom appear to be what you would expect if
> > the DNS lookup failed?
>
> No. If the DNS lookup failed your Squid returns an error saying so.
>
> Regards
> Henrik

Are there any useful debug settings that may throw more light on where the
problem arises? Curiously in the correctly functioning explicit proxy setup
the access.log only reports the URL up to the "?" separator, but in the
failing transparent proxy access.log shows all of the string after the "?"
char! Is that a design feature or does it indicate what the string parser
has been up to?

Cheers,
Frank.
Received on Thu Jun 02 2005 - 07:30:55 MDT
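
Added example (not part of the original message, and not code from the Squid project): a Python script that parses the access.log entries quoted above and flags requests that arrived in origin form (path only) and were answered TCP_DENIED/400, which is the pattern Henrik describes as a URL sent to Squid as if it were a web server. It assumes Squid's native access.log field order; the function and field names are illustrative.

```python
import re
from collections import Counter

# Native access.log: time elapsed client code/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

# The four entries from the message above, with mail line-wrapping undone.
SAMPLE_LOG = """\
1116851967.015 0 10.1.1.96 TCP_DENIED/400 1539 GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official - NONE/- text/html
1116851967.135 5 10.1.1.96 TCP_DENIED/400 1443 GET /favicon.ico - NONE/- text/html
1117710959.686 421 10.1.1.96 TCP_MISS/302 520 GET http://www.google.com/firefox? - DIRECT/66.102.7.147 text/html
1117710960.090 396 10.1.1.96 TCP_MISS/200 1852 GET http://www.google.com.au/firefox? - DIRECT/66.102.7.99 text/html
"""

def request_form(method, url):
    """Classify the logged request target: what a browser sends to an origin
    server ("origin") versus what it sends to a configured proxy ("absolute")."""
    if method == "CONNECT":
        return "authority"
    if url.startswith("/"):
        return "origin"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        return "absolute"
    return "other"

def parse(text):
    """Return one dict per well-formed log line, with derived fields added."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        e = m.groupdict()
        e["form"] = request_form(e["method"], e["url"])
        # True when something follows the "?" in the logged URL
        e["query_logged"] = "?" in e["url"] and not e["url"].endswith("?")
        # Redirected port-80 traffic that Squid rejected as a bad proxy request
        e["suspect"] = (e["form"] == "origin" and e["code"] == "TCP_DENIED"
                        and e["status"] == "400")
        entries.append(e)
    return entries

def suspects_by_client(entries):
    """Count flagged requests per client address."""
    return Counter(e["client"] for e in entries if e["suspect"])
```

Running `suspects_by_client(parse(SAMPLE_LOG))` over the quoted entries flags both Config #1 requests from 10.1.1.96 and neither Config #2 request.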
