> On Tuesday, 31 May 2005 10:26 PM Henrik Nordstrom wrote
> Subject: Re: [squid-users] Abridged URL gives weird squid error on
> STABLE10?
>

Many thanks for the prompt response Henrik - answers to your questions follow...

> On Tue, 31 May 2005, Frank Hamersley wrote:
>
> > I have been testing Squid 2.5 S10 on a RH80 Bastion Firewall host (cable
> > network connected) for QA as a precursor to upgrading a production system
> > and have been getting some weird stuff happening. I'm not convinced Squid
> > is at fault but more on that later.
>
> What did access.log say?

Config #1 - iptables DNAT port 80 to 3128 - FAILED!!
------------------------------------------------------------------
1116851967.015 0 10.1.1.96 TCP_DENIED/400 1539 GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official - NONE/- text/html
1116851967.135 5 10.1.1.96 TCP_DENIED/400 1443 GET /favicon.ico - NONE/- text/html
------------------------------------------------------------------

Config #2 - Firefox proxy configured on 3128 - WORKED!!
------------------------------------------------------------------
1117710959.686 421 10.1.1.96 TCP_MISS/302 520 GET http://www.google.com/firefox? - DIRECT/66.102.7.147 text/html
1117710960.090 396 10.1.1.96 TCP_MISS/200 1852 GET http://www.google.com.au/firefox? - DIRECT/66.102.7.99 text/html
------------------------------------------------------------------

> Is this a normal proxy config, or are you using transparent
> interception?
>

Config #1 is transparent, Config #2 conventional proxy (in my understanding of the terms).

> >
> > http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
> > While trying to retrieve the URL:
> > /firefox?client=firefox-a&rls=org.mozilla:en-US:official
>
> This indicates the URL was sent to Squid as a web server, not proxy.. so
> someone thought your Squid is the www.google.com web server.

To which Squid quite rightly denied access to the root of the filesystem!

> > I personally suspect the underlying problem is a flaky DNS.
>
> maybe, but it's not the only possible cause.
>
> For it to be DNS the DNS server needs to return the wrong IP address, not
> a failure.

DNS is now ruled out - problems with the ISP changing the Primary and Secondary SIP's are resolved - no improvement resulted.

>
> > shown above is not one of my domains! Another factor is that I am using
> > iptables to redirect internal port 80 to 3128 (PREROUTING) to supply
> > squid with requests rather than having squid listen on 80.
>

My iptables statement for the record is (SECDEV is eth2 being the internal secure network device)

$ADDNAT PREROUTING -i $SECDEV -p tcp --dport 80 -j REDIRECT --to-port 3128

> Is there any difference if you set your browser to use the Squid proxy
> port?

Yes - as mentioned above that arrangement works. The transparent mode works on the production system (squid-2.5.STABLE1-3.9) and I want to retain that so smart alecs can't bypass the proxy.

>
> > In light of this does this symptom appear to be what you would expect if the
> > DNS lookup failed?
>
> No. If the DNS lookup failed your Squid returns an error saying so.
>
> Regards
> Henrik

Are there any useful debug settings that may throw more light on where the problem arises?

Curiously in the correctly functioning explicit proxy setup the access.log only reports the URL up to the "?" separator, but in the failing transparent proxy access.log shows all of the string after the "?" char! Is that a design feature or does it indicate what the string parser has been up to?

Cheers, Frank.
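
The distinction drawn in the thread between a URL sent "as a web server" (bare path) and one sent to a proxy (full http:// URL) can be checked mechanically over access.log. The script below is an added example, not part of either message and not Squid code; it assumes the 10-field native log layout seen in the quoted lines, and the function names are hypothetical.

```python
# Added example (not from the thread): flag access.log entries whose request
# target is a bare path, i.e. the client believed it was talking to a web server.
from collections import namedtuple
from urllib.parse import urlsplit

Entry = namedtuple("Entry", "ts elapsed_ms client result status size method url")

# The four access.log lines quoted in the message above.
SAMPLE_LOG = """\
1116851967.015 0 10.1.1.96 TCP_DENIED/400 1539 GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official - NONE/- text/html
1116851967.135 5 10.1.1.96 TCP_DENIED/400 1443 GET /favicon.ico - NONE/- text/html
1117710959.686 421 10.1.1.96 TCP_MISS/302 520 GET http://www.google.com/firefox? - DIRECT/66.102.7.147 text/html
1117710960.090 396 10.1.1.96 TCP_MISS/200 1852 GET http://www.google.com.au/firefox? - DIRECT/66.102.7.99 text/html
"""


def parse_line(line):
    """Parse one native-format line; return None if it does not fit (assumed 10 fields)."""
    fields = line.split()
    if len(fields) != 10:
        return None
    ts, elapsed, client, code, size, method, url = fields[:7]
    result, _, status = code.partition("/")
    try:
        return Entry(float(ts), int(elapsed), client, result, int(status), int(size), method, url)
    except ValueError:
        return None


def target_form(url):
    """'origin' for /path (server-style), 'absolute' for scheme://host/... (proxy-style)."""
    if url.startswith("/"):
        return "origin"
    parts = urlsplit(url)
    return "absolute" if parts.scheme and parts.netloc else "other"


def server_style_rejects(log_text):
    """Entries Squid answered with TCP_DENIED/400 for an origin-form target."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry.result == "TCP_DENIED" and entry.status == 400 \
                and target_form(entry.url) == "origin":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in server_style_rejects(SAMPLE_LOG):
        print(f"{e.client} {e.method} {e.url} -> {e.result}/{e.status}")
```

Run against the quoted lines, it reports the two Config #1 requests and neither of the Config #2 requests.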