[squid-users] can't get to certain sites through proxy
Hello,

Is there a page or an FAQ somewhere that may help me troubleshoot a problem where a site works fine when not going through squid but has errors when accessed through squid? I'm having trouble logging in to a site when the connection is going through the proxy and I'm not really sure where to start. I'm running squid version 2.5.STABLE9 and my configuration file is included below. Any hints, tips, or links are greatly appreciated.

Thank You,
Mark Drago

/etc/squid.conf
---
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/squid/cache 7727 16 256
cache_access_log /dev/null
cache_log /dev/null
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
http_access allow all
icp_access allow all
miss_access allow all
half_closed_clients off
server_persistent_connections off
client_persistent_connections off
visible_hostname serial_number.bascom.net
unique_hostname serial_number.bascom.net
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
maximum_object_size 12 KB
redirect_program /usr/local/bin/jesred
redirect_children 40
uri_whitespace deny
Re: [squid-users] can't get to certain sites through proxy
On Wednesday 26 October 2005 17:00, Mark Drago wrote:
> Is there a page or an FAQ somewhere that may help me troubleshoot a problem where a site works fine when not going through squid but has errors when accessed through squid? I'm having trouble logging in to a site when the connection is going through the proxy and I'm not really sure where to start.

Perhaps you can tell what kind of trouble you have. Maybe even the URL if it's publicly available. Otherwise you can try tcpdump/tethereal/ethereal to dump the network traffic and analyse the difference between going through a proxy or bypassing it.

> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

Since you appear to be using interception caching... have you tried with normal forward proxying (pointing your browser to the proxy)?

> redirect_program /usr/local/bin/jesred

Does it work without this?

Christoph
--
~
~
.signature [Modified] 1 line --100%--1,48 All
Re: [squid-users] can't get to certain sites through proxy
On Wed, 2005-10-26 at 18:56 +0200, Christoph Haas wrote:
> On Wednesday 26 October 2005 17:00, Mark Drago wrote:
> > Is there a page or an FAQ somewhere that may help me troubleshoot a problem where a site works fine when not going through squid but has errors when accessed through squid? I'm having trouble logging in to a site when the connection is going through the proxy and I'm not really sure where to start.
>
> Perhaps you can tell what kind of trouble you have. Maybe even the URL if it's publicly available.

The site is http://webmail.ne.rr.com - it's the webmail for the RoadRunner ISP that one of our customers is using. Our customer gave us a username and password to help diagnose the problem, but obviously and unfortunately I can't pass it on. I can get to the login screen without a problem, but when I try logging in I get an alert box that reads: 'Session timed out. Log in again' and it then redirects me back to the login screen.

> Otherwise you can try tcpdump/tethereal/ethereal to dump the network traffic and analyse the difference between going through a proxy or bypassing it.

I tried this before, but it was largely useless because it is SSL traffic.

> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
>
> Since you appear to be using interception caching... have you tried with normal forward proxying (pointing your browser to the proxy)?

Yes. Although interception caching is enabled, all of the tests that I have been running have involved me pointing my browser directly at the proxy.

> > redirect_program /usr/local/bin/jesred
>
> Does it work without this?

Nope. I tried removing it and it still didn't work. After that didn't work I just started removing things that didn't seem entirely necessary. So, I ended up with a pretty bare-bones configuration and the error remained. Then I tried using the stock squid installation that Fedora Core 4 installs. The only thing I changed in Fedora's configuration was to allow connections to it from my network. I see the same problem.

Could RoadRunner be doing something on purpose that would make proxies not work? What could they be doing that would make requests arriving through a proxy not work? Has anyone had any similar problems with other sites?

> Christoph

Thank You,
Mark Drago.
Re: [squid-users] can't get to certain sites through proxy
The error message, or a copy of cache.log would be a good start.

Second, you appear to be trying to accel an http server. Are you doing this on purpose? This is NOT proxying as you see it. This is used to speed up web servers and should not be used. This applies to all your http_accel entries.

Also, what happened to your 'http_access deny all' line? You don't really want anyone from anywhere to be able to use your proxy do you? If so, can you save me the trouble of hunting you down and give your IP address so I can toss it into the blacklist? :-)

Please get a better understanding of how ACLs work before you drop a proxy device out there. That http_access deny all line is VERY important.

Tim Rainier
Information Services, Kalsec, INC
[EMAIL PROTECTED]

Mark Drago [EMAIL PROTECTED] wrote on 10/26/2005 11:00:47 AM:
> Hello,
>
> Is there a page or an FAQ somewhere that may help me troubleshoot a problem where a site works fine when not going through squid but has errors when accessed through squid? I'm having trouble logging in to a site when the connection is going through the proxy and I'm not really sure where to start. I'm running squid version 2.5.STABLE9 and my configuration file is included below. Any hints, tips, or links are greatly appreciated.
>
> Thank You,
> Mark Drago
>
> /etc/squid.conf
> ---
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir ufs /var/squid/cache 7727 16 256
> cache_access_log /dev/null
> cache_log /dev/null
> cache_store_log none
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all
> icp_access allow all
> miss_access allow all
> half_closed_clients off
> server_persistent_connections off
> client_persistent_connections off
> visible_hostname serial_number.bascom.net
> unique_hostname serial_number.bascom.net
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> maximum_object_size 12 KB
> redirect_program /usr/local/bin/jesred
> redirect_children 40
> uri_whitespace deny
>
> [attachment signature.asc deleted by Tim Rainier/KAL/Kalsec]
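
The missing 'http_access deny all' raised in the message above, and the cache_log the posted configuration sends to /dev/null, can be checked mechanically. The following is an added example, not part of the original thread and not code from the Squid project: a small Python audit that reads the posted access-control and logging lines and a hardened variant. The `localnet` ACL name, the 192.168.0.0/255.255.0.0 range and the log paths in the hardened sample are assumptions.

```python
import ipaddress

# Constructed sample: the access-control and logging lines of the posted squid.conf.
POSTED_CONF = """\
cache_access_log /dev/null
cache_log /dev/null
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

# Hypothetical hardened variant: ACL name, address range and log paths are assumptions.
HARDENED_CONF = """\
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.0.0
http_access allow localnet
http_access deny all
"""

def matches_any_source(spec):
    """True if a src ACL value such as 0.0.0.0/0.0.0.0 covers every address."""
    try:
        return ipaddress.ip_network(spec, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(conf):
    """Return findings for an allow-everyone http_access policy and discarded logs."""
    findings, open_acls, decided = [], set(), False
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        if words[0] == "acl" and len(words) >= 4 and words[2] == "src":
            if any(matches_any_source(v) for v in words[3:]):
                open_acls.add(words[1])
        elif words[0] == "http_access" and len(words) >= 3 and not decided:
            # First match wins: a rule whose ACLs match every client ends evaluation.
            if all(name in open_acls for name in words[2:]):
                decided = True
                if words[1] == "allow":
                    findings.append("open proxy: " + " ".join(words))
        elif words[0] in ("cache_access_log", "cache_log") and words[1] == "/dev/null":
            findings.append("log discarded: " + words[0])
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The audit only reasons about rules that match every client, so a narrower allow rule followed by no deny line still needs a manual read of the ACL order.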
Re: [squid-users] can't get to certain sites through proxy
On Wednesday 26 October 2005 20:11, Mark Drago wrote:
> The site is http://webmail.ne.rr.com - it's the webmail for the RoadRunner ISP that one of our customers is using. Our customer gave us a username and password to help diagnose the problem, but obviously and unfortunately I can't pass it on. I can get to the login screen without a problem, but when I try logging in I get an alert box that reads: 'Session timed out. Log in again' and it then redirects me back to the login screen.

Sounds suspiciously like cookie-based session handling in connection with additional security measures like checking your source IP address. Do you run more than one proxy or distribute requests to different parent proxies in a round-robin fashion? If the peer checks your IP address you will change your source IP address time and again and some authentication systems don't like that.

> Could RoadRunner be doing something on purpose that would make proxies not work?

Possible though unlikely. I just know RoadRunner because they cost me days of my life to report spam... :(

> What could they be doing that would make requests arriving through a proxy not work? Has anyone had any similar problems with other sites?

Only when we had a configuration problem on the load balancers which forward requests to the proxy cluster.

Christoph
--
~
~
.signature [Modified] 1 line --100%--1,48 All
Re: [squid-users] can't get to certain sites through proxy
On Wednesday 26 October 2005 20:13, [EMAIL PROTECTED] wrote:
> Second, you appear to be trying to accel an http server. Are you doing this on purpose? This is NOT proxying as you see it. This is used to speed up web servers and should not be used.

Many people think differently. You would be surprised how many proxy admins believe that interception caching is all there is. Most admins don't have proper control of their network and thus don't control the proxy settings at their browsers. However I don't recommend using interception caching either as it has the usual number of drawbacks.

> Also, what happened to your 'http_access deny all' line? You don't really want anyone from anywhere to be able to use your proxy do you? If so, can you save me the trouble of hunting you down and give your IP address so I can toss it into the blacklist? :-)

Since the OP runs it as a forward proxy it's only fair to assume that the proxy is running behind a firewall.

> Please get a better understanding of how ACLs work before you drop a proxy device out there. That http_access deny all line is VERY important.

Yes, it definitely is. But it doesn't create the problem the OP seems to have. Sorry to be smartassing.

Christoph
--
~
~
.signature [Modified] 1 line --100%--1,48 All
Re: [squid-users] can't get to certain sites through proxy
On Wed, 2005-10-26 at 20:27 +0200, Christoph Haas wrote:
> On Wednesday 26 October 2005 20:11, Mark Drago wrote:
> > The site is http://webmail.ne.rr.com - it's the webmail for the RoadRunner ISP that one of our customers is using. Our customer gave us a username and password to help diagnose the problem, but obviously and unfortunately I can't pass it on. I can get to the login screen without a problem, but when I try logging in I get an alert box that reads: 'Session timed out. Log in again' and it then redirects me back to the login screen.
>
> Sounds suspiciously like cookie-based session handling in connection with additional security measures like checking your source IP address. Do you run more than one proxy or distribute requests to different parent proxies in a round-robin fashion? If the peer checks your IP address you will change your source IP address time and again and some authentication systems don't like that.

Yeah I hear what you're saying. However, we're not doing anything like that. This proxy is installed at the head of a school's network and all of their traffic goes through the proxy. There is only one proxy - it's really rather simple. I'm not even quite sure how RoadRunner would be able to tell that the connection is going through a proxy. Since the error is a JavaScript alert I would really like to look at the JavaScript that they're sending back. Is there any kind of an extension to Firefox that will aid me in doing that? Say by saving everything it downloads to a directory?

Mark.

> > Could RoadRunner be doing something on purpose that would make proxies not work?
>
> Possible though unlikely. I just know RoadRunner because they cost me days of my life to report spam... :(
>
> > What could they be doing that would make requests arriving through a proxy not work? Has anyone had any similar problems with other sites?
>
> Only when we had a configuration problem on the load balancers which forward requests to the proxy cluster.
>
> Christoph