Old 08-02-2007, 03:11 AM   #1
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Rep: Reputation: 15
squid proxy: Invalid request


My windows client PCs are automatically redirected by my OpenBSD firewall to my squid proxy server (so that they won't have to reconfigure their browser). However, the proxy server reports an Invalid Request. Is this even possible? If so, how can I fix this problem? Sorry for asking this question but Thanks anyway.
 
Old 08-02-2007, 03:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
What is the request being made? any error messages in the log files etc...? you can't actually request a webpage from the server itself. if you are doing an http 302 redirect to the squid box, then it would lose its host header so actually look for / on the squid server, and squid doesn't serve http content at all itself so can't understand it.

Last edited by acid_kewpie; 08-02-2007 at 03:45 AM.
 
Old 08-04-2007, 12:01 PM   #3
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by acid_kewpie
What is the request being made? any error messages in the log files etc...? you can't actually request a webpage from the server itself. if you are doing an http 302 redirect to the squid box, then it would lose its host header so actually look for / on the squid server, and squid doesn't serve http content at all itself so can't understand it.
So, right from the start this wasn't possible right? Do you have any suggestions or solutions for this situation?

Gee I thought the packets would still be the same even if they were redirected.e -> me

hehe.

Thanx acid_kewpie
 
Old 08-05-2007, 02:04 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
depends what a "redirect" really means... is this an HTTP 302 or a NAT?
 
Old 08-05-2007, 06:29 AM   #5
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
a ok... i was using the ff pf command:

rdr on xl1 inet proto tcp from { 192.168.165.0/24, !192.168.165.2 } to port 80 -> 192.168.165.2 port 3128


i really don't know if this is an http 302 redirect but i'm sure though that this is not a NAT
 
Old 08-05-2007, 10:54 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
ok, that is a nat, sorry! yes that should work fine, IF squid is correctly configured to work transparently.
 
Old 08-05-2007, 11:15 AM   #7
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
i thought it wasn't a NAT coz it didn't have a nat command on it sorry.

Last edited by espiya7; 08-05-2007 at 11:25 AM.
 
Old 08-05-2007, 12:21 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you have Translated a Network Address... TNA... erm... NAT!
 
Old 08-06-2007, 10:26 PM   #9
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Thanks! I was able to redirect the local computers using a different address to use the proxy but I still have to specify the proxy server's address and port. Is it possible to use the proxy without even supplying it on the client's browser given that one has a firewall?
 
Old 08-07-2007, 01:42 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
to be honest i can't see a problem with your intended setup, as long as you have explicitly configured squid to act as a transparent proxy. can you show us the squid.conf where this is done?
 
Old 08-07-2007, 02:27 AM   #11
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
I was using this one, I got this from the net but it didn't help:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


it said something like, unknown code or something when i restarted squid???

by the way my squid's version is 2.6

Last edited by espiya7; 08-07-2007 at 02:35 AM.
 
Old 08-07-2007, 03:33 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you need to officially state it's transparent. http://patchlog.com/general/squid-26-transparent-proxy/
 
Old 08-08-2007, 07:39 AM   #13
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
I already made it transparent yet it still doesn't work. There must be something wrong here but I can't figure it out.
 
Old 08-08-2007, 08:45 AM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well as above, can you show us the actual configuration then... what you've already pasted is not enough to make it transparent.
 
Old 08-08-2007, 09:02 PM   #15
espiya7
Member
 
Registered: Jul 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Here's the code:


http_port 3128 transparent
icp_port 3130 transparent

#cache_peer 202.90.128.21 parent 3128 3130 no-query default

cache_mem 512 MB

cache_effective_user squidadm
cache_effective_group squidadm

cache_dir ufs /usr/local/squid/cache 40000 94 256

cache_access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log

##########################################Chisteng!!!
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
###########################################
#auth_param scripts
###########################################
#auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd

###################################################################

# ACCESS CONTROLS
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https

# It is safe to enable these ports if you need these services

#acl Safe_ports port 563 # snews
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl Safe_ports port 443 # sss
acl CONNECT method CONNECT

acl BADPORTS port 7 9 11 19 22 23 25 53 110 119 513 514

#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

http_access allow manager localhost
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny BADPORTS

################################################
# custom config
#
################################################

#acl ncsa_users proxy_auth REQUIRED
acl our_network src 192.168.165.0/255.255.255.0 202.90.133.32/29
acl ceac_network src 192.168.105.0/24
acl test_network src 193.7.7.0/24
acl banned_browser browser "/etc/squid/browser.txt"
acl banned_sites url_regex "/etc/squid/banned_sites.txt"

http_access deny banned_browser
http_access deny banned_sites

#http_access allow ncsa_users
http_access allow our_network
http_access allow ceac_network
http_access allow test_network

http_access deny all

#http_reply_access allow all
icp_access allow all

----------------------------------------------------

Last edited by espiya7; 08-08-2007 at 09:04 PM.
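
An added example, not part of the thread and not code from any poster or from the Squid project: a small Python check for the Squid 2.6 interception setup discussed above, run over an excerpt of the configuration from post #15. It relies on two facts about Squid 2.6: the httpd_accel_* directives were removed in favour of http_port options, and `transparent` is an option of http_port only. The name lint_squid26 and the finding texts are hypothetical.

```python
# Directives removed in Squid 2.6; their role moved to http_port options.
REMOVED_IN_26 = {
    "httpd_accel_host", "httpd_accel_port",
    "httpd_accel_with_proxy", "httpd_accel_uses_host_header",
}

# Excerpt of the squid.conf posted in #15 (line numbers are those of the excerpt).
SAMPLE = """\
http_port 3128 transparent
icp_port 3130 transparent
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
http_access deny all
icp_access allow all
"""

def lint_squid26(conf_text):
    """Return (line_no, message) findings; line_no 0 means a file-level finding."""
    findings = []
    has_transparent_http_port = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive in REMOVED_IN_26:
            findings.append((no, f"{directive} was removed in Squid 2.6"))
        elif directive == "http_port":
            has_transparent_http_port |= "transparent" in args
        elif "transparent" in args:
            findings.append((no, f"'transparent' is an http_port option, not one of {directive}"))
        elif directive == "icp_access" and args == ["allow", "all"]:
            findings.append((no, "ICP queries are accepted from any source address"))
    if not has_transparent_http_port:
        findings.append((0, "no 'http_port <port> transparent' line found"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_squid26(SAMPLE):
        print(f"line {no}: {msg}")
```
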
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration