Re: [squid-users] When worlds collide
On Mon, 2008-07-14 at 11:03 -0400, Tuc at T-B-O-H.NET wrote:

> I heard back from the company today. Yes, they said it is an internal
> (onsite/VPN) only accessible site (Yet they use a Public IP.. And we wonder
> where all the good IPs have gone. ;) ).

Heh..

> But shouldn't Squid be returning something other than "0 0"?

It does if you are a bit patient.. TCP_MISS/0 0 is when the client aborts before anything is known about the response, i.e. before Squid has timed out the connection to the unreachable internal server.. The default timeout is 2 minutes.

Regards
Henrik
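Henrik's reading of the log above (TCP_MISS/0 0 is a client abort while Squid is still waiting on a silent origin; a 503 is Squid itself answering with an error page), and Tuc's question further down the thread of how many other users are quietly hitting the same thing, lend themselves to a small log triage. The following is an added example, not code from the thread or from the Squid project. It assumes Squid's native access.log format (time, elapsed ms, client, code/status, bytes, method, URL, ident, hierarchy/peer, type) and accepts the status written either as 0 or as 000, which differs between releases; the sample log lines are constructed for the example, and the 2-minute figure is simply the one Henrik quotes.

```python
"""Triage Squid native access.log lines for the two failure signatures in this
thread: TCP_MISS/503 (Squid itself answered with an error page, e.g. after an
NXDOMAIN) and TCP_MISS/000 with 0 bytes (the client gave up before Squid had
any response from the origin).  Added example, not Squid project code; the
sample log lines below are constructed, not taken from the thread."""

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Native format: time elapsed client code/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# The 2-minute figure Henrik quotes for Squid giving up on an unreachable origin.
UPSTREAM_TIMEOUT_MS = 120_000

# Constructed sample: one client polling SNEAKY.EXAMPLE.COM every 16 s while DNS
# fails (503s), then every 45 s once a hosts entry points Squid at an unreachable
# address (client aborts); a second client that waited out the full timeout; some
# healthy traffic; and one line that is not in access.log format at all.
SAMPLE_LOG = """\
1215961200.100 45 192.168.1.50 TCP_MISS/503 1712 GET http://SNEAKY.EXAMPLE.COM/app/ - NONE/- text/html
1215961216.100 40 192.168.1.50 TCP_MISS/503 1712 GET http://SNEAKY.EXAMPLE.COM/app/ - NONE/- text/html
1215961232.100 41 192.168.1.50 TCP_MISS/503 1712 GET http://SNEAKY.EXAMPLE.COM/app/ - NONE/- text/html
1215962000.500 45012 192.168.1.50 TCP_MISS/000 0 GET http://SNEAKY.EXAMPLE.COM/app/ - DIRECT/192.168.3.10 -
1215962045.600 45010 192.168.1.50 TCP_MISS/000 0 GET http://SNEAKY.EXAMPLE.COM/app/ - DIRECT/192.168.3.10 -
1215962090.700 45011 192.168.1.50 TCP_MISS/000 0 GET http://sneaky.example.com/app/ - DIRECT/192.168.3.10 -
1215962100.000 120003 192.168.1.77 TCP_MISS/000 0 GET http://SNEAKY.EXAMPLE.COM/ - DIRECT/192.168.3.10 -
1215962101.000 12 192.168.1.60 TCP_HIT/200 5321 GET http://www.example.org/index.html - NONE/- text/html
1215962102.000 230 192.168.1.60 TCP_MISS/200 8800 GET http://www.example.org/a.js - DIRECT/93.184.216.34 application/javascript
this line is deliberately not in access.log format
"""


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])  # "000" and "0" both become 0
    url = rec["url"]
    # CONNECT lines carry host:port rather than a URL
    host = url.rsplit(":", 1)[0] if rec["method"] == "CONNECT" else (urlsplit(url).hostname or url)
    rec["host"] = host.lower()
    return rec


def classify(rec):
    """Map a record onto the thread's two failure signatures."""
    if rec["status"] == 503:
        return "error_503"
    if rec["status"] == 0 and rec["bytes"] == 0:
        return "client_abort"
    return "ok"


def summarize(lines):
    """Per destination host: counts of each failure class, the clients involved,
    and the longest time any client waited before giving up."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify(rec)
        if cls == "ok":
            continue
        entry = summary.setdefault(rec["host"], {"error_503": 0, "client_abort": 0,
                                                 "clients": set(), "max_elapsed_ms": 0})
        entry[cls] += 1
        entry["clients"].add(rec["client"])
        entry["max_elapsed_ms"] = max(entry["max_elapsed_ms"], rec["elapsed"])
    return summary


def verdict(entry):
    """Plain-language reading of one summary entry."""
    if entry["client_abort"] and entry["max_elapsed_ms"] >= UPSTREAM_TIMEOUT_MS:
        return "origin never answered: at least one client waited out Squid's timeout"
    if entry["client_abort"]:
        return "clients give up before any response: origin slow or unreachable"
    return "Squid itself returned errors: DNS failure or forwarding denied"


def retry_intervals(lines, host):
    """Seconds between successive failed requests for `host`, per client.
    A tight, regular interval is an application polling, not a person."""
    last_seen = {}
    gaps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != host.lower() or classify(rec) == "ok":
            continue
        client = rec["client"]
        if client in last_seen:
            gaps[client].append(rec["ts"] - last_seen[client])
        last_seen[client] = rec["ts"]
    return dict(gaps)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, entry in summarize(lines).items():
        print(f"{host}: 503={entry['error_503']} aborts={entry['client_abort']} "
              f"clients={sorted(entry['clients'])} -> {verdict(entry)}")
        for client, gaps in retry_intervals(lines, host).items():
            print(f"  {client} retries after {[round(g) for g in gaps]} s")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; the interesting output is the host list itself (every name that only ever produces 503s or client aborts is a candidate for the same hosts-file override), and the retry cadence per client, which separates a polling application that nobody will ever complain about from a person clicking reload.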
Re: [squid-users] When worlds collide
> On Sun, 2008-07-13 at 10:46 -0400, Tuc at T-B-O-H.NET wrote:
> > Thanks for the reply. It turns out, oddly, that the IP that the
> > system is sending them to doesn't seem to be contactable either. Interestingly,
> > it's generating those "0 0" (return code/bytes) I was seeing recently. So maybe
> > if Squid gets a timeout to a site it causes the 0/0's? When the DNS couldn't
> > resolve I was getting 503/17?? (I forget exactly).
>
> Probably it's firewalled, only allowing specific IPs access..
>
> Regards
> Henrik

I heard back from the company today. Yes, they said it is an internal (onsite/VPN) only accessible site (Yet they use a Public IP.. And we wonder where all the good IPs have gone. ;) ).

But shouldn't Squid be returning something other than "0 0"?

Thanks, Tuc
Re: [squid-users] When worlds collide
On Sun, 2008-07-13 at 10:46 -0400, Tuc at T-B-O-H.NET wrote:
> Thanks for the reply. It turns out, oddly, that the IP that the
> system is sending them to doesn't seem to be contactable either.
> Interestingly,
> it's generating those "0 0" (return code/bytes) I was seeing recently. So maybe
> if Squid gets a timeout to a site it causes the 0/0's? When the DNS couldn't
> resolve I was getting 503/17?? (I forget exactly).

Probably it's firewalled, only allowing specific IPs access..

Regards
Henrik
Re: [squid-users] When worlds collide
On Sun, 2008-07-13 at 15:55 +1200, Amos Jeffries wrote:
> Out of luck. Domain hijacking like this is precisely why squid doesn't
> trust the client-given dst IP in transparent mode.
>
> They will have to:
>
> a) connect to that domain using raw IP address in the URL.
>
> b) negotiate with the proxy admin to configure the proxy to selectively
> do the SNEAKY.EXAMPLE.COM redirect for them.

or c) Teach their client to CONNECT to the site, establishing a direct connection via the proxy..

Regards
Henrik
Re: [squid-users] When worlds collide
Hi,

That's what I've done for this one user I found... The question becomes how many other users are experiencing it but I don't know about. (Userbase is the kind that generally doesn't complain. Anything that I've found/fixed I did because I watch logs/etc)

Thanks, Tuc

> What I should have said was put an entry in /etc/hosts and then
> modify /etc/nsswitch.conf on the Squid box so that it sees that same
> host as valid.
>
> On Jul 12, 2008, at 10:36 PM, Paul Bertain wrote:
>
> > Would it work to put an entry on the Squid machine and to make sure
> > that /etc/nsswitch.conf has "hosts:files dns"?
> >
> > That way, Squid sees it the same way, which is what it looks like
> > Tuc is trying to do.
> >
> > Paul
> >
> > On Jul 12, 2008, at 8:55 PM, Amos Jeffries wrote:
> >
> >> Tuc at T-B-O-H.NET wrote:
> >>> Hi,
> >>> Running into a problem, not sure if or how to handle it.
> >>> User running windows has an entry in their (Windows
> >>> equiv of /etc/hosts) that says :
> >>> 192.168.3.10 SNEAKY.EXAMPLE.COM
> >>> For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
> >>> exist (NXDOMAIN).
> >>> Without squid in transparent/WCCP2 mode, it appears that the user
> >>> contacts 192.168.3.10 and does his thing. With squid+
> >>> transparent+WCCP2, we end up with 503's. Is there even a way to
> >>> be able to address this, or is
> >>> the user just going to be out of luck period?
> >>
> >> Out of luck. Domain hijacking like this is precisely why squid
> >> doesn't trust the client-given dst IP in transparent mode.
> >>
> >> They will have to:
> >>
> >> a) connect to that domain using raw IP address in the URL.
> >>
> >> b) negotiate with the proxy admin to configure the proxy to
> >> selectively do the SNEAKY.EXAMPLE.COM redirect for them.
> >>
> >> Amos
> >> --
> >> Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Re: [squid-users] When worlds collide
> Tuc at T-B-O-H.NET wrote:
> > Hi,
> >
> > Running into a problem, not sure if or how to handle it.
> >
> > User running windows has an entry in their (Windows
> > equiv of /etc/hosts) that says :
> >
> > 192.168.3.10 SNEAKY.EXAMPLE.COM
> >
> > For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
> > exist (NXDOMAIN).
> >
> > Without squid in transparent/WCCP2 mode, it appears that
> > the user contacts 192.168.3.10 and does his thing. With squid+
> > transparent+WCCP2, we end up with 503's.
> >
> > Is there even a way to be able to address this, or is
> > the user just going to be out of luck period?
>
> Out of luck. Domain hijacking like this is precisely why squid doesn't
> trust the client-given dst IP in transparent mode.
>
> They will have to:
>
> a) connect to that domain using raw IP address in the URL.
>
> b) negotiate with the proxy admin to configure the proxy to selectively
> do the SNEAKY.EXAMPLE.COM redirect for them.

Thanks for the reply. It turns out, oddly, that the IP that the system is sending them to doesn't seem to be contactable either. Interestingly, it's generating those "0 0" (return code/bytes) I was seeing recently. So maybe if Squid gets a timeout to a site it causes the 0/0's? When the DNS couldn't resolve I was getting 503/17?? (I forget exactly).

They are just out of luck. At least when I put the IP they WANT to go to in I only get them attempting every 45 seconds, not every 16 seconds.

Tuc
Re: [squid-users] When worlds collide
pritam wrote:
> Amos Jeffries wrote:
> > Paul Bertain wrote:
> > > What I should have said was put an entry in /etc/hosts and then
> > > modify /etc/nsswitch.conf on the Squid box so that it sees that same
> > > host as valid.
> >
> > You could. Although by using the internal DNS resolver for just squid,
> > you only need to add the entry to /etc/hosts. Squid loads the hosts
> > file to prime its internal DNS resolver.
> >
> > That would be the easiest way to configure it yes. But it makes the
> > site available to all users of Squid. Not just the one client.
>
> Hi,
>
> I think there is a tricky idea here. And I have tested with IE and
> Firefox as browser.
>
> User PC first checks /etc/hosts before DNS Server. In the browser
> setting use proxy with port 3128 (link in non-transparent) and add the
> domain/host (viz: .EXAMPLE.COM/SNEAKY.EXAMPLE.COM) in the field
> 'no-proxy for:'
>
> This works for my clients. Maybe in your scenario too...

Do you have a transparent/interception proxy there? The whole concept of the interception proxy is that the clients are already going direct to the website. I don't think it can work for a proxy like Tuc says he is using.

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Re: [squid-users] When worlds collide
Amos Jeffries wrote:
> Paul Bertain wrote:
> > What I should have said was put an entry in /etc/hosts and then
> > modify /etc/nsswitch.conf on the Squid box so that it sees that same
> > host as valid.
>
> You could. Although by using the internal DNS resolver for just squid,
> you only need to add the entry to /etc/hosts. Squid loads the hosts
> file to prime its internal DNS resolver.
>
> That would be the easiest way to configure it yes. But it makes the
> site available to all users of Squid. Not just the one client.
>
> Amos

Hi,

I think there is a tricky idea here. And I have tested with IE and Firefox as browser.

User PC first checks /etc/hosts before DNS Server. In the browser setting use proxy with port 3128 (link in non-transparent) and add the domain/host (viz: .EXAMPLE.COM/SNEAKY.EXAMPLE.COM) in the field 'no-proxy for:'

This works for my clients. Maybe in your scenario too...

Regards,
Pritam
Re: [squid-users] When worlds collide
Paul Bertain wrote:
> What I should have said was put an entry in /etc/hosts and then
> modify /etc/nsswitch.conf on the Squid box so that it sees that same
> host as valid.

You could. Although by using the internal DNS resolver for just squid, you only need to add the entry to /etc/hosts. Squid loads the hosts file to prime its internal DNS resolver.

That would be the easiest way to configure it yes. But it makes the site available to all users of Squid. Not just the one client.

Amos

> On Jul 12, 2008, at 10:36 PM, Paul Bertain wrote:
>
> > Would it work to put an entry on the Squid machine and to make sure
> > that /etc/nsswitch.conf has "hosts:files dns"?
> >
> > That way, Squid sees it the same way, which is what it looks like
> > Tuc is trying to do.
> >
> > Paul
> >
> > On Jul 12, 2008, at 8:55 PM, Amos Jeffries wrote:
> >
> > > Tuc at T-B-O-H.NET wrote:
> > > > Hi,
> > > > Running into a problem, not sure if or how to handle it.
> > > > User running windows has an entry in their (Windows
> > > > equiv of /etc/hosts) that says :
> > > > 192.168.3.10 SNEAKY.EXAMPLE.COM
> > > > For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
> > > > exist (NXDOMAIN).
> > > > Without squid in transparent/WCCP2 mode, it appears that the user
> > > > contacts 192.168.3.10 and does his thing. With squid+
> > > > transparent+WCCP2, we end up with 503's. Is there even a way to
> > > > be able to address this, or is
> > > > the user just going to be out of luck period?
> > >
> > > Out of luck. Domain hijacking like this is precisely why squid
> > > doesn't trust the client-given dst IP in transparent mode.
> > >
> > > They will have to:
> > >
> > > a) connect to that domain using raw IP address in the URL.
> > >
> > > b) negotiate with the proxy admin to configure the proxy to
> > > selectively do the SNEAKY.EXAMPLE.COM redirect for them.
> > >
> > > Amos
> > > --
> > > Please use Squid 2.7.STABLE3 or 3.0.STABLE7

--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
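Amos's option (b) from his first reply, written out so that it does not reopen the site to every Squid user (the objection he raises above): the hosts-file approach changes what Squid's own resolver believes for everyone, whereas a peer bound to an ACL pair changes forwarding only for the one client and one host that asked for it. This is an added example, not configuration from the thread or from the Squid project. It assumes squid.conf directives that exist in the 2.7/3.0 releases named in the thread (hosts_file, dstdomain and src ACLs, cache_peer with originserver, cache_peer_access, never_direct); the ACL and peer names and the client address 192.168.1.50 are made up for the example, and 192.168.3.10 is the address from Tuc's hosts entry.

```conf
# Approach 1 (Paul's /etc/hosts idea, as Amos describes it): the entry primes
# Squid's internal resolver, so EVERY Squid client can now reach the name.
#   /etc/hosts:   192.168.3.10   SNEAKY.EXAMPLE.COM
#   squid.conf:   hosts_file /etc/hosts      # already the default

# Approach 2 (Amos's option b, scoped): forward this one client's requests for
# this one host to the internal server without consulting DNS.  Everyone else
# still goes direct, still gets NXDOMAIN, still gets the 503 they get today.
acl sneaky_site  dstdomain SNEAKY.EXAMPLE.COM
acl sneaky_user  src 192.168.1.50/32          # assumed address of the one client

cache_peer 192.168.3.10 parent 80 0 no-query originserver name=sneaky_origin
cache_peer_access sneaky_origin allow sneaky_site sneaky_user
cache_peer_access sneaky_origin deny all

# For that pairing only, never attempt to resolve or contact the origin directly.
never_direct allow sneaky_site sneaky_user
```

Check the syntax with `squid -k parse` and apply with `squid -k reconfigure`. Two caveats a practitioner will want: dstdomain keys on the Host header the client supplies, which is exactly the untrusted input Amos refuses to route on in intercept mode, so the src ACL is what confines the effect to the one machine that asked for it; and none of this helps if Squid itself cannot reach 192.168.3.10, which is what Tuc later found (the server is VPN-only), in which case the 503s simply turn into the TCP_MISS/0 0 client aborts Henrik explains at the top of the thread.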
Re: [squid-users] When worlds collide
What I should have said was put an entry in /etc/hosts and then modify /etc/nsswitch.conf on the Squid box so that it sees that same host as valid.

On Jul 12, 2008, at 10:36 PM, Paul Bertain wrote:

> Would it work to put an entry on the Squid machine and to make sure
> that /etc/nsswitch.conf has "hosts:files dns"?
>
> That way, Squid sees it the same way, which is what it looks like
> Tuc is trying to do.
>
> Paul
>
> On Jul 12, 2008, at 8:55 PM, Amos Jeffries wrote:
>
> > Tuc at T-B-O-H.NET wrote:
> > > Hi,
> > > Running into a problem, not sure if or how to handle it.
> > > User running windows has an entry in their (Windows
> > > equiv of /etc/hosts) that says :
> > > 192.168.3.10 SNEAKY.EXAMPLE.COM
> > > For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
> > > exist (NXDOMAIN).
> > > Without squid in transparent/WCCP2 mode, it appears that the user
> > > contacts 192.168.3.10 and does his thing. With squid+
> > > transparent+WCCP2, we end up with 503's. Is there even a way to
> > > be able to address this, or is
> > > the user just going to be out of luck period?
> >
> > Out of luck. Domain hijacking like this is precisely why squid
> > doesn't trust the client-given dst IP in transparent mode.
> >
> > They will have to:
> >
> > a) connect to that domain using raw IP address in the URL.
> >
> > b) negotiate with the proxy admin to configure the proxy to
> > selectively do the SNEAKY.EXAMPLE.COM redirect for them.
> >
> > Amos
> > --
> > Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Re: [squid-users] When worlds collide
Would it work to put an entry on the Squid machine and to make sure that /etc/nsswitch.conf has "hosts:files dns"?

That way, Squid sees it the same way, which is what it looks like Tuc is trying to do.

Paul

On Jul 12, 2008, at 8:55 PM, Amos Jeffries wrote:

> Tuc at T-B-O-H.NET wrote:
> > Hi,
> > Running into a problem, not sure if or how to handle it.
> > User running windows has an entry in their (Windows
> > equiv of /etc/hosts) that says :
> > 192.168.3.10 SNEAKY.EXAMPLE.COM
> > For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
> > exist (NXDOMAIN).
> > Without squid in transparent/WCCP2 mode, it appears that the user
> > contacts 192.168.3.10 and does his thing. With squid+
> > transparent+WCCP2, we end up with 503's. Is there even a way to
> > be able to address this, or is
> > the user just going to be out of luck period?
>
> Out of luck. Domain hijacking like this is precisely why squid
> doesn't trust the client-given dst IP in transparent mode.
>
> They will have to:
>
> a) connect to that domain using raw IP address in the URL.
>
> b) negotiate with the proxy admin to configure the proxy to
> selectively do the SNEAKY.EXAMPLE.COM redirect for them.
>
> Amos
> --
> Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Re: [squid-users] When worlds collide
Tuc at T-B-O-H.NET wrote:
> Hi,
>
> Running into a problem, not sure if or how to handle it.
>
> User running windows has an entry in their (Windows
> equiv of /etc/hosts) that says :
>
> 192.168.3.10 SNEAKY.EXAMPLE.COM
>
> For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
> exist (NXDOMAIN).
>
> Without squid in transparent/WCCP2 mode, it appears that
> the user contacts 192.168.3.10 and does his thing. With squid+
> transparent+WCCP2, we end up with 503's.
>
> Is there even a way to be able to address this, or is
> the user just going to be out of luck period?

Out of luck. Domain hijacking like this is precisely why squid doesn't trust the client-given dst IP in transparent mode.

They will have to:

a) connect to that domain using raw IP address in the URL.

b) negotiate with the proxy admin to configure the proxy to selectively do the SNEAKY.EXAMPLE.COM redirect for them.

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7