Hey,
Can you test if the details at bug 4253: http://bugs.squid-cache.org/show_bug.cgi?id=4253#c13 Helps you to resolve the issue? Eliezer ---- <http://ngtech.co.il/lmgtfy/> Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: [email protected] From: squid-users [mailto:[email protected]] On Behalf Of Ozgur Batur Sent: Monday, June 27, 2016 6:02 PM To: Amos Jeffries Cc: [email protected] Subject: Re: [squid-users] flickr.com redirect error Browser i used to test runs on same machine with squid, i changed it to explicit mode(no intercept - I set proxy ip in browser) during my attempts for ssl interception. Sorry I forgot to mention that in my last post of logs. So xff localhost is normal I guess. Here is the request log with port info: ---------- 2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2234) sendRequest: HTTP Server local=10.100.136.56:47772 <http://10.100.136.56:47772/> remote=188.125.93.100:443 <http://188.125.93.100:443/> FD 47 flags=1 2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server REQUEST: --------- GET / HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36 Accept-Encoding: gzip, deflate, sdch Accept-Language: tr,en-US;q=0.8,en;q=0.6 .. Host: www.flickr.com <http://www.flickr.com/> Via: 1.1 ubuntuozgen (squid/3.5.19) Surrogate-Capability: ubuntuozgen="Surrogate/1.0 ESI/1.0" X-Forwarded-For: ::1 Cache-Control: max-age=259200 Connection: keep-alive On Mon, Jun 27, 2016 at 2:27 PM, Amos Jeffries <[email protected] <mailto:[email protected]> > wrote: On 27/06/2016 11:01 p.m., Ozgur Batur wrote: > Yes that is much easier, thank you. > > Rafaels line is response header, I received the same. Here is the related > cachelog: > What is the content of the line above this one. With the IP:port details ? > 2016/06/27 13:52:49.194 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server > REQUEST: > GET / HTTP/1.1 > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 > Upgrade-Insecure-Requests: 1 > User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like > Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36 > Accept-Encoding: gzip, deflate, sdch > Accept-Language: tr,en-US;q=0.8,en;q=0.6 > ... > Host: www.flickr.com <http://www.flickr.com> > Via: 1.1 ubuntuozgen (squid/3.5.19) > Surrogate-Capability: ubuntuozgen="Surrogate/1.0 ESI/1.0" > X-Forwarded-For: ::1 You said this was using interception. But Squid XFF is telling Yahoo that its receiving localhost traffic. Try "forwarded_for transparent" in your squid.conf, and find out why that ::1 is happening on an intercepted proxy. There may be a bug in your NAT or routing configuration. > Cache-Control: max-age=0 > Connection: keep-alive > > .. > 2016/06/27 13:52:49.477 kid1| 11,2| http.cc(751) processReplyHeader: HTTP > Server REPLY: > --------- > HTTP/1.1 301 Moved Permanently > X-Frame-Options: SAMEORIGIN > X-Content-Type-Options: nosniff > X-XSS-Protection: 1; mode=block > X-Served-By: pprd1-node552-lh1.manhattan.bf1.yahoo.com > <http://pprd1-node552-lh1.manhattan.bf1.yahoo.com> > X-Instance: flickr.v1.production.manhattan.bf1.yahoo.com > <http://flickr.v1.production.manhattan.bf1.yahoo.com> > Cache-Control: no-cache, max-age=0, must-revalidate, no-store > Pragma: no-cache > X-Request-Id: 36e709a2 > Location: https://www.flickr.com/ > Vary: Accept > Content-Type: text/html; charset=utf-8 > Content-Length: 102 > Server: ATS > Date: Mon, 27 Jun 2016 10:52:40 GMT > Age: 0 > Via: http/1.1 fts111.flickr.bf1.yahoo.com > <http://fts111.flickr.bf1.yahoo.com> (ApacheTrafficServer [cMs f ]), > http/1.1 r11.ycpi.dea.yahoo.net <http://r11.ycpi.dea.yahoo.net> > (ApacheTrafficServer [cMs f ]) > Connection: keep-alive > .. > > And this repeats on and on. As I understand disabling Via header is an > acceptable solution. If I could disable the header only for problematic > domains that would be better of course. Okay. Unfortunately not possible. If that forwarded_for change works it would be better than disabling Via. Amos -- H Özgür Batur
_______________________________________________ squid-users mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-users
