LinuxQuestions.org
Old 10-14-2008, 04:41 AM   #1
joadoor
Member
 
Registered: Apr 2002
Location: Clevedon, UK
Distribution: SUSE 8.2, 9.2, 10.0 OSS
Posts: 57

Rep: Reputation: 15
Squid proxy not allowing a dll through to web browser


Hi all,

I have recently set up and configured Squid version 2.6.STABLE14 on SUSE 10.3 kernel 2.6.22.5-31-default. It uses NTLM authentication to our Active Directory, and it is all working fine (names are logged against requests etc, and I have SARG set up to view reports etc.)

My problem is that one website (so far?!) is having a problem. It's http://www.ukpalletsonline.biz/ which tries to use a .dll file, but my squid is blocking it with this message:

------------------

ERROR
Cache Access Denied

While trying to retrieve the URL: http://www.ukpalletsonline.biz/scripts/omnisapi.dll

The following error was encountered:

Cache Access Denied.

Sorry, you are not currently allowed to request:

http://www.ukpalletsonline.biz/scripts/omnisapi.dll from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password.

------------------

I have checked on a different machine, and bypassed the proxy, and it's only a problem when using squid.

I have done a search online, but cannot find a similar problem ... most are regarding safe ports and regex blocking which as far as I'm aware, I'm not doing.
----------
Here is my squid.conf:
http_port 8000
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard.conf
url_rewrite_children 4
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
auth_param ntlm program /usr/sbin/ntlm_auth -d DOMAINNAME\\dc02
auth_param ntlm children 5
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 5 minutes

acl authenticated_users proxy_auth REQUIRED
http_access allow authenticated_users
http_access allow localhost
http_access deny all
icp_access allow all
coredump_dir /var/cache/squid

and my squidguard.conf

logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db
dest blacklist {
domainlist blacklist/domains
urllist blacklist/urls
}
acl {
default {
pass !blacklist all
redirect http://localhost/rejected.html
}
}

----------

Can someone recommend some tests that I can do, or what might be causing the problem??

Many thanks,
Andy
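
One test for the question above, as an added example that is not part of the original thread: the posted squid.conf writes `/var/log/squid/access.log` in Squid's native format, where a 407 is Squid's own proxy-authentication challenge. The script lists client/URL pairs that only ever drew `TCP_DENIED/407` and never completed under a logged user name; the log lines, client address and user name are constructed samples.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1223973660.101      1 192.0.2.10 TCP_DENIED/407 1794 GET http://www.example.org/ - NONE/- text/html
1223973660.140      2 192.0.2.10 TCP_DENIED/407 2049 GET http://www.example.org/ - NONE/- text/html
1223973660.512    370 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.org/ andy DIRECT/198.51.100.7 text/html
1223973671.020      1 192.0.2.10 TCP_DENIED/407 1830 GET http://www.ukpalletsonline.biz/scripts/omnisapi.dll - NONE/- text/html
1223973671.950      1 192.0.2.10 TCP_DENIED/407 1830 GET http://www.ukpalletsonline.biz/scripts/omnisapi.dll - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    result, _, status = parts[3].partition("/")
    return {"client": parts[2], "result": result, "status": status,
            "method": parts[5], "url": parts[6], "user": parts[7]}


def auth_failures(log_text):
    """Return {(client, url): denied_count} for requests that drew 407s
    and never completed with a logged user name."""
    denied = defaultdict(int)
    succeeded = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["url"])
        if rec["result"] == "TCP_DENIED" and rec["status"] == "407":
            denied[key] += 1
        elif rec["user"] != "-":
            # A non-"-" user field means the request passed proxy auth.
            succeeded.add(key)
    return {k: n for k, n in denied.items() if k not in succeeded}


if __name__ == "__main__":
    for (client, url), n in auth_failures(SAMPLE_LOG).items():
        print(f"{client} {url}: {n} x 407, never authenticated")
```

A 407 pair followed by a line carrying a user name is a normal NTLM handshake; 407s with no such follow-up mean the request reached Squid without credentials it accepts.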
 
Old 10-14-2008, 05:08 AM   #2
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
You're running squidguard... chances are one of your blacklists has DLLs listed as an unsafe type. Check /var/log/squidGuard/* for the filename.
 
Old 10-14-2008, 05:39 AM   #3
joadoor
Member
 
Registered: Apr 2002
Location: Clevedon, UK
Distribution: SUSE 8.2, 9.2, 10.0 OSS
Posts: 57

Original Poster
Rep: Reputation: 15
Hi ledow,

Thanks for your quick response. I thought the same as you, but my squidguard is only using domains and urls, and neither have the omnisapi.dll file listed, or even dll. I also have a 'rejected.htm' file that is displayed when a restricted website is accessed using squidguard, but this website isn't blocked, so I don't think it is squidguard causing the problem.

I wonder if it's possible to tackle this from a different angle .. can I allow this website straight through to the internet and bypass the proxy cache (not bypass the proxy entirely, i.e. port 8000) as this machine's default gateway will not allow port 80 traffic.

I need the web request to hit the proxy server on port 8000, squid to recognise that it's for this specific website (ukpallets) and pass it straight through, no credentials, no blocking of DLLs etc. Is this possible?

Cheers,
Andy
 
Old 10-14-2008, 06:32 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,065

Rep: Reputation: 894
When I try this (Squid 3) I get
Quote:
400 Bad Request - OMNIS port not specified or invalid (Reported by OMNIS ISAPI extension)
(so a somewhat different error message, but still an error message).

However
Quote:
You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password.
suggests that the site is doing some browser identification and that is doing something that isn't exactly good. If the site is doing some browser ident and the result is that it intends that you do something with you accessing a .dll file, you'd have to wonder if it's really doing something that you think was desirable (or, errr, not, with the 'not desirable' category including malware and stuff that while it might not be vicious per se includes stuff that you would have probably rejected if you knew it was going on).
 
Old 10-14-2008, 07:37 AM   #5
joadoor
Member
 
Registered: Apr 2002
Location: Clevedon, UK
Distribution: SUSE 8.2, 9.2, 10.0 OSS
Posts: 57

Original Poster
Rep: Reputation: 15
Hi salasi,
Thanks for your reply. Which log file did you get the '400 Bad Request' from?

I thought the bit at the bottom regarding 'you need netscape' etc.etc. was a generic message generated by squid, not from the website. Or am I barking up the wrong tree?

TIA,
Andy
 
Old 10-14-2008, 09:18 PM   #6
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: pclinuxos slackware64 tails kali
Posts: 3,377
Blog Entries: 33

Rep: Reputation: 217
Hi, could it be that the dll is trying to refresh the page?

I'm not sure, but I noticed that I have this line at the end of squid.conf...

ie_refresh on

(holding the "shift" key while clicking refresh will bypass the cache, squid)

Hope that contributes something, all the best, Glenn

<edit> did not work for me with the link you provided </edit>

Last edited by GlennsPref; 10-14-2008 at 09:20 PM.
 
Old 10-15-2008, 05:18 AM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,065

Rep: Reputation: 894
Quote:
Originally Posted by joadoor
Hi salasi,
Thanks for your reply. Which log file did you get the '400 Bad Request' from?
That's not from a log file; that's the response in the window that the user is trying to open.

Quote:
I thought the bit at the bottom regarding 'you need netscape' etc.etc. was a generic message generated by squid, not from the website. Or am I barking up the wrong tree?
No, I am pretty sure that is a website, not a squid message;
  • Why would squid care (it caches stuff and relays the cached stuff to the browser)?
  • Why would squid suddenly generate that message when that site is accessed and not others?
And I'm absolutely sure that squid wouldn't express a preference for something as antiquated as an ancient version of Netscape, in the case of your error message.

What usually happens is this; someone at the originating site notices that, due to browser differences, the site doesn't render as they would like on all browsers. They end up writing code like this (in very simplified schematic form, and there are likely to be more choices):
if browser = blah v1 then ...
if browser = blah v2 then ...
if browser = blahdeblah v1 then ...
if browser = blahdeblah v1 then ...
else browser unrecognised

(where blah and blahdeblah are popular browsers of the day). The result is:
  • code that may well work on the day that it is written, but is susceptible to failing on newer browsers
  • code that can easily be badly written if all browsers and platforms aren't taken into account (Yeah, they will probably check for IE, Firefox, but Chrome, dillo, Links, Lynx, Konqueror???), and will they re-check every time a new version of a browser is released into the wild (you know that's going to be a no, don't you; if you are lucky, they may take bug reports seriously, otherwise they will go for 'you should use an industry standard of cr*p' as their response).
  • (code that is difficult to maintain and test, because of the previous points)

The end result is almost always that, as the user of a nice shiny new browser, you are told that you ought to upgrade to Netscape 2 or some version of IE that pre-dates the discovery of dust.
 
  

