Re: [squid-users] Strange issues with accessing facebook and other php driven sites via proxy

From: Chudy Fernandez <chudy_fernandez_at_yahoo.com>
Date: Thu, 8 Oct 2009 10:04:18 -0700 (PDT)

server_http11 on will do the trick

----- Original Message ----
> From: "Kelly, Jack" <Jack.Kelly_at_wsdevelopment.com>
> To: squid-users_at_squid-cache.org
> Sent: Fri, October 9, 2009 12:10:02 AM
> Subject: [squid-users] Strange issues with accessing facebook and other php driven sites via proxy
>
> Hi everyone,
> At my office I've implemented a Squid server which uses LDAP credentials
> to give certain users access to certain websites. Basically, everyone
> belongs to a base 'Filtered' group, and individual users can be added to
> a 'FacebookAccess' group for access to facebook. This is mainly because
> some departments (read: marketing) need access to facebook while others
> do not.
>
> I've only been working on in Squid for about a month and although I've
> gotten pretty proficient at getting it to do what I want, I've
> encountered what's seeming to be a higher-level problem.
>
> Here's the relevant section of my conf file:
>
> acl Unfiltered external InetGroup Unfiltered
> acl FacebookAccess external InetGroup FacebookAccess
> acl Filtered external InetGroup Filtered
>
> acl blocksites url_regex "/etc/squid3/block.acl"
> acl whitelist url_regex "/etc/squid3/whitelist.acl"
> acl facebook url_regex .facebook.
> acl fbcdn url_regex .fbcdn.
>
> #Note: these two lines were added to troubleshoot
> always_direct allow fbcdn
> always_direct allow facebook
>
> http_access allow Unfiltered
> http_access allow Filtered whitelist
> http_access allow FacebookAccess facebook
> http_access allow FacebookAccess whitelist
> http_access deny Filtered blocksites
> http_access deny FacebookAccess blocksites
> http_access allow FacebookAccess
> http_access allow Filtered
>
> And here's the problem:
> Users in the FacebookAccess group can get to www.facebook.com
> without a problem, and users who are only in
> the Filtered group cannot. So that's great. However, when they log in
> and reach www.facebook.com/home.php?, they just get a white screen -
> sometimes. Occasionally it works and occasionally it doesnt; there
> appears to be no rhyme or reason to it. I've added ".fbcdn." to my
> whitelist.acl file, because I saw that content from that domain was
> getting denied when facebook loads... but even after that, no go.
>
> When I visit the site and log in, the access.log just shows:
>
> jackk 08/Oct/2009 11:54:30 TCP_MISS/200 GET http://www.facebook.com/
> jackk 08/Oct/2009 11:54:36 TCP_MISS/200 CONNECT login.facebook.com:443
> jackk 08/Oct/2009 11:54:36 TCP_MISS/200 GET
> http://www.facebook.com/home.php?
>
> And to troubleshoot I tried accessing facebook from a member of the
> 'Unfiltered' group, to which no restrictive acl policies apply. Same
> problem. Meanwhile obviously a direct, proxy-free connection to facebook
> from my office works just fine.
>
> I'm very, very stuck. Any advice on what to try next would be hugely
> appreciated.
>
> Thanks!
>
> Jack Kelly
> Network Services Administrator
> W/S Development Associates, LLC
> Chestnut Hill, MA
>
> --------------------------------------------------------
>
> This message (and any associated files) is the property of
> S. R. Weiner and Associates Inc. and W/S Development Associates LLC
> and is intended only for the use of the individual or entity to
> which it is addressed and may contain information that is confidential,
> subject to copyright or constitutes a trade secret. If you are not
> the intended recipient you are hereby notified that any dissemination,
> copying or distribution of this message, or files associated with this
> message, is strictly prohibited. If you have received this message
> in error, please notify us immediately by calling our corporate office
> at 617-232-8900 and deleting this message from your computer.
>
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. Therefore, S. R. Weiner
> and Associates, Inc. and W/S Development Associates LLC do not accept
> responsibility for any errors or omissions that are present in this
> message, or any attachment, that have arisen as a result of e-mail
> transmission. If verification is required, please request a hard-copy
> version of this message.
>
> Any views or opinions presented in this message are solely those of
> the author and do not necessarily represent those of the company.

      
Received on Thu Oct 08 2009 - 17:04:26 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 09 2009 - 12:00:02 MDT