Hello to everyone on the list,

I’m having a peculiar problem between dansguardian and squid that I was hoping you all could help with. First I think I should give a little background to the network topology. I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec tunnel established between them. On the router for Network A (running pfSense/BSD) I have the following NAT Redirection rule.

rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port 8080

192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1).

If I tail the dansguardian.log on 192.168.0.12 I see the following.

2006.10.21 22:32:09 - 192.168.1.37 http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/AR2006102100487.html GET 1289

At the same time I get the following in the squid access log.

1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html

And Squid spits back the following error to my browser on host 192.168.1.37

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: /wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule

The following error was encountered:
• Invalid URL

Some aspect of the requested URL is incorrect. Possible problems:
• Missing or incorrect access protocol (should be `http://'' or similar)
• Missing hostname
• Illegal double-escape in the URL-Path
• Illegal character in hostname; underscores are not allowed

Your cache administrator is admin@xxxxxxxxxxxx
________________________________________
Generated Sun, 22 Oct 2006 03:40:35 GMT by proxy-server.example.com (squid/2.5.STABLE14)

Now an interesting thing to note is that if I open Internet Explorer and go to Tools -> Internet Options -> Connections -> LAN Settings and set the proxy server to 192.168.0.12:8080 while maintaining the already set NAT Redirection rule, the proxy will work just fine.
Here is what the logs look like when I manually tell IE to use the DG/Squid proxy. In the logs below Squid is receiving the FQDN, unlike in the above set of logs.

Dansguardian.log

2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js GET 0
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js GET 0
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/global.css GET 0
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css GET 0

Squid Access Log

1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js - DIRECT/12.129.147.65 -
1161488632.701 96 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js - DIRECT/12.129.147.65 -
1161488632.884 97 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/global.css - DIRECT/12.129.147.65 -
1161488632.898 103 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css - DIRECT/12.129.147.65 -

Can anyone shed some light on this situation? Do the HTTP headers get fubar’d by the NAT RDR rule? If so, why does it work when I set IE manually to use the 192.168.0.12:8080 proxy while keeping the NAT RDR rule? And also I want to mention that the proxy does work if IE is set to use the proxy but the NAT RDR rule is inexistent. I basically only want the NAT RDR rule for transparent filtering purposes.

Thanks to those who can help and/or try to.
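
As an added example (not part of the original post, and not code from Squid or DansGuardian): a small Python script that parses Squid native access.log lines like the two kinds shown in the post and flags requests that reached Squid as a path-only URL and were rejected with TCP_DENIED/400, as opposed to the full http://host/path URLs logged when the browser is configured to use the proxy. The function names are hypothetical; the sample lines are copied from the logs in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+/\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+/\S+)\s+(?P<ctype>\S+)\s*$")

# Sample lines copied from the post (first: NAT redirect only; others: proxy set in IE).
SAMPLE = [
    "1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET "
    "/wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html",
    "1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET "
    "http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js"
    " - DIRECT/12.129.147.65 -",
    "1161488632.884 97 192.168.0.12 TCP_MISS/304 224 GET "
    "http://media3.washingtonpost.com/wp-srv/css/global.css - DIRECT/12.129.147.65 -",
]

def target_form(url):
    """Classify the logged URL: 'absolute' (scheme and host), 'origin' (path only), 'other'."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return "absolute"
    return "origin" if url.startswith("/") else "other"

def parse(lines):
    """Yield one dict per well-formed access.log line, with the URL form attached."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["form"] = target_form(entry["url"])
            yield entry

def find_intercept_failures(lines):
    """Entries where Squid rejected a path-only (no scheme, no host) request with 400."""
    return [e for e in parse(lines)
            if e["form"] == "origin" and e["result"] == "TCP_DENIED/400"]

def summarize(lines):
    """Count entries per (URL form, result code) to compare the two client setups."""
    return Counter((e["form"], e["result"]) for e in parse(lines))

if __name__ == "__main__":
    for e in find_intercept_failures(SAMPLE):
        print(f"{e['ts']} client={e['client']} {e['method']} {e['url']} -> {e['result']}")
    print(dict(summarize(SAMPLE)))
```
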