* On 22/10/06 08:28 -0700, Reza wrote:
| Hello to everyone on the list,
| I'm having a peculiar problem between dansguardian and squid that I
| was hoping you all could help with. First I think I should give a little
| background to the network topology.
| I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec
| tunnel established between them. On the router for Network A (running
| pfSense/BSD) I have the following NAT Redirection rule.
| rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port
| 8080
| 192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1)

So client hosts are on Network A while DG+Squid are on Network B.

| If I tail the dansguardian.log on 192.168.0.12 I see the following.
|
| 2006.10.21 22:32:09 - 192.168.1.37
| http://www.washingtonpost.com/wp-dyn/content/
| article/2006/10/21/AR2006102100487.html GET 1289
|
| At the same time I get the following in the squid access log.
| 1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET
| /wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html
|
| And Squid spits back the following error to my browser on host 192.168.1.37
| ERROR
| The requested URL could not be retrieved
| While trying to retrieve the URL:
| /wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule
| The following error was encountered:
| • Invalid URL
| Some aspect of the requested URL is incorrect. Possible problems:
| • Missing or incorrect access protocol (should be `http://'' or similar)
| • Missing hostname
| • Illegal double-escape in the URL-Path
| • Illegal character in hostname; underscores are not allowed
| Your cache administrator is admin@xxxxxxxxxxxx

I think that something goes wrong within your IPSEC tunnel, but I am not
sure/certain! I am running Squid (2.6.3) and DG (2.9.8.) in a transparent
proxy setup in: Client (NAT rdr) -> DG (8080) -> Squid (3128), where DG and
Squid are on the same box, and I have never seen such a problem at all. I
also use FreeBSD 6.x with PF, just like you. The only thing I miss in my
setup is that IPSEC thingy!

| Now an interesting thing to note is that if I open Internet Explorer and go
| to Tools -> Internet Options -> Connections -> Lan Settings -> and set the
| proxy server to 192.168.0.12:8080 while maintaining the already set NAT
| Redirection rule the proxy will work just fine.
| Here are what the logs look like when I manually tell IE to use the DG/Squid
| proxy. In the logs below Squid is receiving the FQDN unlike in the above set
| of logs.
|
| Dansguardian.log
| 2006.10.22 3:43:52 - 192.168.1.37
| http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js
| GET 0
| 2006.10.22 3:43:52 - 192.168.1.37
| http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js GET 0
| 2006.10.22 3:43:52 - 192.168.1.37
| http://media3.washingtonpost.com/wp-srv/css/global.css GET 0
| 2006.10.22 3:43:52 - 192.168.1.37
| http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css GET 0
|
| Squid Access Log
| 1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET
| http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js -
| DIRECT/12.129.147.65 -
| 1161488632.701 96 192.168.0.12 TCP_MISS/304 224 GET
| http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js -
| DIRECT/12.129.147.65 -
| 1161488632.884 97 192.168.0.12 TCP_MISS/304 224 GET
| http://media3.washingtonpost.com/wp-srv/css/global.css -
| DIRECT/12.129.147.65 -
| 1161488632.898 103 192.168.0.12 TCP_MISS/304 224 GET
| http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css -
| DIRECT/12.129.147.65 -
|
| Can anyone shed some light on this situation? Do the HTTP headers get
| fubar'd by the NAT RDR rule?

Definitely not!!!

| If so why does it work when I set IE manually to use the 192.168.0.12:8080 proxy
| while keeping the NAT RDR rule?

That's the hard part (for me) ;)

| And also I want to mention that the proxy does work if IE is set to use the
| proxy but the NAT RDR rule is inexistent.

There is "direct" connection via your ipsec tunnel.

I'd have wanted to see your config files for DG & Squid but I think the
problem is NOT at their level.

-Wash

http://www.netmeister.org/news/learn2quote.html

Odhiambo Washington <wash@xxxxxxxxxxxx>
Wananchi Online Ltd. www.wananchi.com
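The two Squid excerpts in the thread differ in the form of the request target: with IE pointed at the proxy the URL field is absolute, while under the NAT redirect it is a bare path, and that is the request Squid rejected with TCP_DENIED/400 "Invalid URL". As an added example (not code from the thread, Squid or DansGuardian), this parser reads native-format Squid access log lines and flags entries whose target reached Squid without scheme and host; the sample lines are rebuilt from the excerpts above with their wrapped lines rejoined.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Squid "native" access.log layout, as in the thread's excerpts:
# time elapsed client code/status bytes method url ident hierarchy/peer type
_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

Entry = namedtuple("Entry", "ts client code status method url hier")

def parse_line(line):
    """Parse one native-format line; return None for lines that do not fit."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["code"], int(m["status"]),
                 m["method"], m["url"], m["hier"])

def url_form(url):
    """'absolute' for a proxy-form target (scheme and host present), 'origin'
    for the bare path an intercepted client sends, 'other' for anything else."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return "absolute"
    return "origin" if url.startswith("/") else "other"

def find_origin_form_requests(log_text):
    """Entries whose request target reached Squid without scheme and host."""
    return [e for e in map(parse_line, log_text.splitlines())
            if e is not None and url_form(e.url) == "origin"]

# Sample input, constructed from the thread's two excerpts (wrapped lines rejoined).
REDIRECTED_LOG = (
    "1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET "
    "/wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html\n"
)
EXPLICIT_PROXY_LOG = (
    "1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET "
    "http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js - "
    "DIRECT/12.129.147.65 -\n"
    "1161488632.701 96 192.168.0.12 TCP_MISS/304 224 GET "
    "http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js - "
    "DIRECT/12.129.147.65 -\n"
)
```

Running `find_origin_form_requests` over a live access.log is a quick way to tell whether a 400 came from an intercepted client whose path-only request was never rewritten into an absolute URL.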