LinuxQuestions.org
Old 06-26-2012, 01:46 AM   #1
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Rep: Reputation: Disabled
Urgent "squid proxy"


Hi,

I installed Squid proxy on a RHEL server; it's working fine.
For some sites it's not working.
When I try to open ppcreport.php in the browser, it shows "connection was reset", and for some other sites it shows error 324, empty response.
http://www.safra.sg is not working in the proxy; it shows error 104 read error, connection reset by peer.
Without the proxy it's working fine.

Can you help me?

Thanks
Hari
 
Old 06-26-2012, 07:44 AM   #2
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
Don't put 'urgent' in your thread titles, please.

Have you followed a tutorial to configure squid, such as http://www.debiantutorials.com/insta...-proxy-server/? Have you checked squid's logfiles for any information?
 
Old 06-26-2012, 08:41 PM   #3
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
Hi,
Thanks for your kind reply.

Yes, I followed the tutorial; my Squid proxy service is running.
Log file for Squid:
27/Jun/2012:09:39:26 +0800 9103 127.0.0.1 172.17.2.50 TCP_MISS/502 1449 GET http://www.safra.sg/ - DIRECT/203.127.218.160 text/html
But it works in SSL.
 
Old 06-27-2012, 10:50 AM   #4
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
Certainly for safra.sg, I think the problem's at their end:

Code:
[joshua:~]$ wget www.safra.sg
--2012-06-27 16:46:53--  http://www.safra.sg/
Resolving www.safra.sg... 203.127.218.160
Connecting to www.safra.sg|203.127.218.160|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 112525 (110K) [text/html]
Saving to: `index.html.1'

100%[=======================================================================================================>] 112,525     56.4K/s   in 1.9s    

2012-06-27 16:46:57 (56.4 KB/s) - `index.html.1' saved [112525/112525]

[joshua:~]$ wget 203.127.218.160
--2012-06-27 16:43:13--  http://203.127.218.160/
Connecting to 203.127.218.160:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2012-06-27 16:43:14 ERROR 400: Bad Request.
[joshua:~]$
I don't quite understand why this is happening (something to do with their server setup), but it seems Squid is doing the same thing as me: trying to connect via IP, and getting a Bad Request response. I'll do some digging, but maybe someone more conversant in these matters will be able to help you in the meantime.
 
Old 06-27-2012, 08:49 PM   #5
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
Hi
log file:

--2012-06-28 09:43:24-- http://safra.sg/
Resolving safra.sg... 203.127.218.160
Connecting to safra.sg|203.127.218.160|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2012-06-28 09:43:29-- (try: 2) http://safra.sg/
Connecting to safra.sg|203.127.218.160|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2012-06-28 09:43:34-- (try: 3) http://safra.sg/
Connecting to safra.sg|203.127.218.160|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

And then I tried this also: http://asadev.buzzcity.com/report/pp...&type=campaign

log file:
[root@hq240 ~]# --2012-06-28 09:45:05-- http://asadev.buzzcity.com/report/ppcreport.php?emode=
Resolving asadev.buzzcity.com... 202.172.183.102
Connecting to asadev.buzzcity.com|202.172.183.102|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4234 (4.1K) [text/html]
Saving to: `ppcreport.php?emode='

100%[==================================================================================================== ===============>] 4,234 --.-K/s in 0.007s

2012-06-28 09:45:05 (601 KB/s) - `ppcreport.php?emode=' saved [4234/4234]


[1]- Done wget http://asadev.buzzcity.com/report/ppcreport.php?emode=
[2]+ Done pid=13046

browser page shows:
The connection was reset
The connection to the server was reset while the page was loading


The site could be temporarily unavailable or too busy. Try again in a few
moments.
If you are unable to load any pages, check your computer's network
connection.
If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

Not all sites, only some sites...
 
Old 06-28-2012, 03:39 AM   #6
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
You're using Firefox? Install https://getfirebug.com/ and use the 'NET' panel to look at the headers you're sending. I've worked out why the site rejects the connection:

Code:
[joshua:~]$ telnet www.safra.sg 80                                                                                                 (28-06 09:31)
Trying 203.127.218.160...
Connected to www.safra.sg.
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 28 Jun 2012 08:29:37 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>Connection closed by foreign host.
[joshua:~]$ telnet www.safra.sg 80                                                                                                 (28-06 09:32)
Trying 203.127.218.160...
Connected to www.safra.sg.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.safra.sg

HTTP/1.1 200 OK
Date: Thu, 28 Jun 2012 08:29:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 112285
so my guess is that either your browser isn't sending the 'HOST' header, or your squid server is removing it.
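The check from the telnet session above, as an added example that is not part of the original post: a local listener that answers 400 when no Host header arrives and otherwise echoes the headers it received, so a request sent through a proxy chain shows whether Host survived and what the proxy added. The function names and the loopback bind address are assumptions of this example.

```python
import socket
import threading

def parse_request(raw):
    """Split a raw HTTP request head into its request line and headers."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}

def respond(req):
    """No Host header: 400, as in the telnet test. Otherwise echo the headers."""
    if "host" not in req["headers"]:
        status, body = b"400 Bad Request", b"Bad Request (Invalid Hostname)"
    else:
        seen = [f"{k}: {v}" for k, v in sorted(req["headers"].items())]
        status, body = b"200 OK", "\n".join(seen).encode()
    return (b"HTTP/1.1 %s\r\nContent-Type: text/plain\r\nConnection: close\r\n"
            b"Content-Length: %d\r\n\r\n" % (status, len(body))) + body

def recv_until(sock, marker=None):
    """Read until `marker` is seen, or until EOF when marker is None."""
    data = b""
    while (marker is None or marker not in data) and (chunk := sock.recv(4096)):
        data += chunk
    return data

def start_listener(count=2):
    """Serve `count` requests on an ephemeral loopback port; return the port."""
    listener = socket.create_server(("127.0.0.1", 0))
    def serve():
        for _ in range(count):
            conn, _addr = listener.accept()
            with conn:
                conn.sendall(respond(parse_request(recv_until(conn, b"\r\n\r\n"))))
    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

def probe(port, host_header=None, addr="127.0.0.1"):
    """Send GET / with or without a Host header; return (status, body)."""
    request = b"GET / HTTP/1.1\r\n"
    if host_header:
        request += b"Host: " + host_header.encode() + b"\r\n"
    with socket.create_connection((addr, port), timeout=5) as sock:
        sock.sendall(request + b"Connection: close\r\n\r\n")
        head, _, body = recv_until(sock).partition(b"\r\n\r\n")
    return int(head.split()[1]), body.decode()

if __name__ == "__main__":
    port = start_listener()
    print(probe(port), probe(port, "www.safra.sg"))  # without, then with Host
```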
 
Old 06-28-2012, 04:00 AM   #7
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
I think my Squid server is removing it.
I installed Squid + ClamAV + DansGuardian.
In my FF browser I set the DansGuardian port 6081. The Squid port is 8080.
Everything is working fine... but some sites are not allowed by the proxy.
Please look at my iptables:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6081 -m limit --limit 500/sec --limit-burst 800 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6081 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6081 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6081
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT

And another error:
http://asadev.buzzcity.com/report/pp...&type=campaign is not working on port 6081,
but it's working on port 8080. I can see the loading page in the browser.

But I don't know how to bypass the URL in Squid or how to do it in DansGuardian.

Can you help me?

thanks
 
Old 06-29-2012, 07:49 AM   #8
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
Have you checked FF is sending the host header? It should do (unless it's an old version), but it's worth checking before we move on to debugging other things.

Also, what are your proxy settings in FF? Are you running it through DansGuardian or Squid when you get the error? Or does one redirect through the other?
 
Old 06-29-2012, 09:56 PM   #9
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
My proxy settings in FF are running in DansGuardian. This error occurs:
--2012-06-28 09:43:34-- (try: 3) http://safra.sg/
Connecting to safra.sg|203.127.218.160|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

And then I tried this also: http://asadev.buzzcity.com/report/pp...&type=campaign

log file:
[root@hq240 ~]# --2012-06-28 09:45:05-- http://asadev.buzzcity.com/report/ppcreport.php?emode=
Resolving asadev.buzzcity.com... 202.172.183.102
Connecting to asadev.buzzcity.com|202.172.183.102|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4234 (4.1K) [text/html]
Saving to: `ppcreport.php?emode='

100%[==================================================================================================== ===============>] 4,234 --.-K/s in 0.007s

2012-06-28 09:45:05 (601 KB/s) - `ppcreport.php?emode=' saved [4234/4234]


[1]- Done wget http://asadev.buzzcity.com/report/ppcreport.php?emode=
[2]+ Done pid=13046

browser page shows:
The connection was reset
The connection to the server was reset while the page was loading


The site could be temporarily unavailable or too busy. Try again in a few
moments.
If you are unable to load any pages, check your computer's network
connection.
If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
 
Old 06-30-2012, 04:23 AM   #10
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
Quote:
Originally Posted by hari.vhn
My proxy settings in FF are running in DansGuardian
What are your actual settings? HTTP Proxy: 127.0.0.1 Port: 6081 ?

Also, in /etc/squid/squid.conf, try changing the following settings:

Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
and adding the following iptables rule:

Code:
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
(all based on http://www.thornock.us/presentations/dansguardian/ - I don't know if you need to change the '--to-port 8080' to '--to-port 6081')
 
Old 07-02-2012, 08:59 PM   #11
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
Thanks for your kind reply.

The above solution which you gave is for Squid as a transparent proxy. I already tried it before; it doesn't work.

My Squid configuration:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl directors src 172.17.2.240
http_access allow directors

acl HTTPS proto HTTPS
acl purge method PURGE
#acl localnet src 172.17.2.240/32
acl localnet src 172.17.2.0/24
acl localnet src 172.17.3.0/24
acl localnet src 172.17.4.0/24
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl SSL_ports port 7071
#acl SSL_ports port 8675
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http2
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 1863 5190 5222 5050 6667 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 554 # multiling http
acl Safe_ports port 8675 # rackspace
acl Safe_ports port 1200 # Nokia remote device program
acl Safe_ports port 8080 # Nokia remote device program
#acl Safe_ports port 7071 # Zimbra Admin
acl webapp_port port 81
acl webapp_ip dst 127.0.0.1
acl CONNECT method CONNECT

acl src_local src 127.0.0.1

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

acl our_networks src 172.17.2.0/24
http_access allow our_networks

http_access allow webapp_port webapp_ip
http_access allow Safe_ports
http_access allow localnet
http_access allow localhost
http_access allow all
http_access deny all
http_access deny to_localhost
http_access allow purge localhost
http_access allow purge src_local
http_access deny purge
#url_rewrite_access deny localhost


#Default:
http_reply_access allow all

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
icp_access allow localnet
icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/spool/squid 5000 16 256
maximum_object_size 16384 KB
debug_options ALL,1

acl QUERY urlpath_regex cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ \.do$
#cache deny QUERY
acl local-servers dstdomain .mygamma.com .buzzcity.com
always_direct allow local-servers
always_direct allow QUERY

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT
forward_timeout 4 minutes
connect_timeout 180 seconds
read_timeout 30 minutes
request_timeout 30 minutes
persistent_request_timeout 30 minutes
pconn_timeout 30 minutes

As mentioned above, I sent my iptables rules.
My configuration is working fine. I want to know how to bypass some URLs in my proxy.

Thanks
Hari
 
Old 07-03-2012, 05:43 AM   #12
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
Quote:
Originally Posted by hari.vhn
I want to know how to bypass some URLs in my proxy.
Just add them to /etc/dansguardian/exceptionsitelist
 
Old 07-03-2012, 08:49 PM   #13
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
Hi,
I added "safra.sg" to exceptionsitelist; still the same error 104 read error.
Please look below.

#Sites in exception list
#Don't bother with the www. or
#the http://
#
#These are specifically domains and are not URLs.
#For example 'foo.bar/porn/' is no good, you need
#to just have 'foo.bar'.
#
#You can also match IPs here too.
#
#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example


# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.


# Blanket exception. To allow all sites except those in the
# exceptionsitelist and greysitelist files, remove
# the # from the next line to leave only a '**':
#**

# Blanket SSL/CONNECT exception. To allow all SSL
# and CONNECT tunnels except to addresses in the
# exceptionsitelist and greysitelist files, remove
# the # from the next line to leave only a '**s':
#**s

# Blanket IP exception. To allow all sites specified only as an IP,
# remove the # from the next line to leave only a '*ip':
#*ip

# Blanket SSL/CONNECT IP exception. To allow all SSL and CONNECT
# tunnels to sites specified only as an IP,
# remove the # from the next line to leave only a '*ips':
#*ips


windowsupdate.microsoft.com
cvs.buzzcity.com
svn.buzzcity.com
asadev.buzzcity.com/report/ppcreport.php
safra.sg

Even ppcreport.php is also not working.

thanks
 
Old 07-04-2012, 05:00 AM   #14
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,630
Blog Entries: 3

Rep: Reputation: 345
Why don't you comment out all the sites you entered, and uncomment the line which says:

Code:
# Blanket exception. To allow all sites except those in the
# exceptionsitelist and greysitelist files, remove
# the # from the next line to leave only a '**':
#**
so you've completely disabled DansGuardian, and so you know if the problem is with Squid.
 
Old 07-04-2012, 05:06 AM   #15
hari.vhn
LQ Newbie
 
Registered: Jun 2012
Posts: 20

Original Poster
Rep: Reputation: Disabled
*windowsupdate.microsoft.com
*cvs.buzzcity.com
*svn.buzzcity.com
**asadev.buzzcity.com/report/ppcreport.php
**safra.sg

Even after I made the changes, still the same error.
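Added example, not part of the thread and not DansGuardian code: a small linter that applies only the rules stated in the exceptionsitelist comments quoted in post #13 (domains rather than URLs, no http://, no www., blanket markers alone on their line) to the active lines from posts #13 and #15. The function name and report layout are assumptions of this example, and how DansGuardian itself treats a non-conforming line is not tested here.

```python
import re

BLANKET = {"**", "**s", "*ip", "*ips"}  # the four blanket lines the file documents

# Active lines copied from posts #13 and #15 of the thread.
POST_13 = """windowsupdate.microsoft.com
cvs.buzzcity.com
svn.buzzcity.com
asadev.buzzcity.com/report/ppcreport.php
safra.sg"""
POST_15 = """*windowsupdate.microsoft.com
*cvs.buzzcity.com
*svn.buzzcity.com
**asadev.buzzcity.com/report/ppcreport.php
**safra.sg"""

def lint_exceptionsitelist(text):
    """Sort active lines into blanket markers, usable entries and problems."""
    report = {"blanket": [], "entries": [], "problems": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, e.g. the shipped '#**'
        if line in BLANKET:
            report["blanket"].append(line)
            continue
        reasons, bare = [], line.lstrip("*")
        if bare != line:
            reasons.append("leading '*': a blanket marker stands alone on its line")
        if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", bare):
            reasons.append("scheme prefix: omit the http://")
            bare = bare.split("://", 1)[1]
        if "/" in bare:
            reasons.append("path present: the list takes domains, not URLs")
            bare = bare.split("/", 1)[0]
        if bare.lower().startswith("www."):
            reasons.append("www. prefix is unnecessary")
            bare = bare[4:]
        if reasons:
            report["problems"].append((lineno, line, bare, reasons))
        else:
            report["entries"].append(line)
    return report

if __name__ == "__main__":
    for name, text in (("post #13", POST_13), ("post #15", POST_15)):
        result = lint_exceptionsitelist(text)
        print(name, "blanket:", result["blanket"], "ok:", result["entries"])
        for lineno, line, bare, reasons in result["problems"]:
            print(f"  line {lineno}: {line!r} -> {bare!r} ({'; '.join(reasons)})")
```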
 
  


All times are GMT -5. The time now is 10:48 AM.
