Joe wrote:
I'm going to have a hemorrhagic stroke over this and I
hope I can get some insight from one of you kind
souls.
Here's my essential problem: I have two separate
squid proxies set up on two different VPSs. I
configured, compiled, installed, and set up both
identically (or thought I did, anyway). Through both
of these Squids I can proxy using Opera/Firefox just
fine, for http and https using whatever protocol is
needed (GET/POST/CONNECT). So far so good.
Indeed.
I also need to run some PERL http requests through
those proxies, and that's where it gets weird. Through
squid A, everything works perfectly fine. Through
squid B, only requests for http work, and everything
else is DENIED with (71) Connection Refused returned.
Given that I thought both squid proxies were set up the
same, I'm hurting to explain why one works and the
other doesn't. There's obviously some difference
between them but I can't fathom what. I even copied
the squid.conf file from one to the other without any
love. I tried turning off ALL the acl denial rules
just to see but still nothing.
That aside, I can't work out why Opera is fine but the
PERL isn't being accepted. There's obviously some
difference in the way the requests are coming in, but
the access.log files aren't helping me at all. Of
course, looking at the logs, Opera is using CONNECT to
get the https and Perl is trying to use GET/POST, but
squid-A is perfectly fine with this so I'm not sure
why squid-B isn't.
I'm not so sure why squid-A would be OK with it. More specifically, the
web site that squid-A passes the request to shouldn't be OK with it.
Though the method of the error is odd. I wouldn't expect a connection
refused, but a connection reset. The SSL setup really shouldn't work
as a GET request, to the best of my understanding...
I've scoured the wikis, google, and documentation to
no avail. Maybe I'm missing something obvious? Is
this a problem with SSL keys or something? Any help is
greatly appreciated.
Here are the details:
-------------------------------------------------------------------------
squid - A (works fine for Opera/Firefox/IE and also
for all my PERL requests)
-------------------------------------------------------------------------
squid.conf file:
http_port 3141
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Nibbler src 147.126.141.0/255.255.255.0
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow Nibbler
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname jvds.com
deny_info TCP_RESET all
via off
forwarded_for off
header_access all deny all
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access WWW-authenticate deny all
header_access Link deny all
header_access User-Agent deny all
header_access Proxy-Authorization deny all
header_access Proxy-Authentication deny all
header_access Proxy-Connection deny all
coredump_dir /usr/local/squid/var/cache
-------------------------------------------------------------------------
squid B (works for Opera, etc, but NOT for PERL)
-------------------------------------------------------------------------
squid.conf:
http_port 3141
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Nibbler src 147.126.141.0/255.255.255.0
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
Huh... There's a difference here. You've neglected the following lines:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
No, my attention to detail is not that good. Cut & paste + diff.
http_access allow Nibbler
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname jvds.com
deny_info TCP_RESET all
via off
forwarded_for off
header_access all deny all
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access WWW-authenticate deny all
header_access Link deny all
header_access User-Agent deny all
header_access Proxy-Authorization deny all
header_access Proxy-Authentication deny all
header_access Proxy-Connection deny all
coredump_dir /usr/local/squid/var/cache
-------------------------------------------------------------------------
Squid - B: Access.log file
-------------------------------------------------------------------------
A selection of the log file:
USING OPERA:
1192153002.874 14 67.163.91.153 TCP_MISS/200 39 CONNECT www.yahoo.com:443 - DIRECT/69.147.114.210 -
1192153283.477 818 67.163.91.153 TCP_MISS/200 1939 POST http://ocsp.verisign.com/ - DIRECT/199.7.48.72 application/ocsp-response
USING PERL:
1192153251.478 7 67.163.91.153 TCP_DENIED/501 1312 GET https://www.wellsfargo.com - NONE/- text/html
1192153378.916 5 67.163.91.153 TCP_DENIED/501 1522 POST https://www.ticketmaster.ca/checkout/reserve/D31k5IiYM2z0ebOSvKG0wdEGnRhd9NBlZia4npSJfqQ6wz2iBm_fjNLuQCBAXhbS6uaw-MQYR4G-yS10GLlwqQ - NONE/- text/html
What I'd like to see is the successful GET requests for SSL ports
through squid-A.
Chris
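The access.log excerpt above shows the two things worth checking on either proxy: clients sending an absolute https:// URL with GET/POST instead of opening a CONNECT tunnel (the TCP_DENIED/501 lines), and CONNECT requests to ports that the `acl SSL_ports port 443` / `http_access deny CONNECT !SSL_ports` pair is meant to restrict. The script below is an added example, not code from the thread or from Squid: it parses Squid's native access.log format into its ten fields and flags both patterns. The log lines embedded in it are constructed from the entries quoted above, with the client address replaced by a documentation IP and one extra CONNECT line (to port 8080) added to exercise the SSL_ports check.

```python
"""Audit Squid native access.log lines for HTTPS requests that bypass CONNECT
and for CONNECT tunnels to ports outside the proxy's SSL_ports ACL.
Added example for the thread above; not part of Squid or the original post."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in Squid's native log format:
#   time elapsed client code/status bytes method url rfc931 peerstatus/peerhost type
# Modelled on the entries quoted in the thread; the client IP is a documentation
# address and the last line is invented to exercise the non-SSL-port check.
SAMPLE_LOG = """\
1192153002.874     14 203.0.113.5 TCP_MISS/200 39 CONNECT www.yahoo.com:443 - DIRECT/69.147.114.210 -
1192153283.477    818 203.0.113.5 TCP_MISS/200 1939 POST http://ocsp.verisign.com/ - DIRECT/199.7.48.72 application/ocsp-response
1192153251.478      7 203.0.113.5 TCP_DENIED/501 1312 GET https://www.wellsfargo.com - NONE/- text/html
1192153378.916      5 203.0.113.5 TCP_DENIED/501 1522 POST https://www.ticketmaster.ca/checkout/reserve/EXAMPLE - NONE/- text/html
1192153400.000     12 203.0.113.5 TCP_MISS/200 41 CONNECT www.example.org:8080 - DIRECT/198.51.100.7 -
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str        # e.g. TCP_MISS, TCP_DENIED
    status: int        # HTTP status, e.g. 200, 501
    bytes_sent: int
    method: str
    url: str           # for CONNECT this is host:port, not a URL
    hierarchy: str     # e.g. DIRECT/69.147.114.210 or NONE/-
    content_type: str


def parse_line(line: str) -> Entry:
    """Split one native-format line into its ten whitespace-separated fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    result, status = fields[3].split("/", 1)
    return Entry(
        timestamp=float(fields[0]), elapsed_ms=int(fields[1]), client=fields[2],
        result=result, status=int(status), bytes_sent=int(fields[4]),
        method=fields[5], url=fields[6], hierarchy=fields[8], content_type=fields[9],
    )


def connect_port(target: str) -> Optional[int]:
    """For a CONNECT request the target is host:port; return the port if present."""
    _host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def audit(log_text: str, ssl_ports=frozenset({443})):
    """Return (reason, entry) pairs for lines that deserve a closer look.

    ssl_ports mirrors the proxy's `acl SSL_ports port ...` list, so the
    CONNECT check reproduces what `http_access deny CONNECT !SSL_ports`
    would have refused had the rule been present.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.method == "CONNECT":
            port = connect_port(e.url)
            if port not in ssl_ports:
                findings.append((f"CONNECT to port {port} outside SSL_ports", e))
        elif urlsplit(e.url).scheme == "https":
            # A plain forward proxy cannot serve an absolute https:// URL itself;
            # the client is expected to open a CONNECT tunnel and speak TLS through it.
            findings.append(
                (f"{e.method} with absolute https URL (got {e.result}/{e.status})", e))
    return findings


if __name__ == "__main__":
    for reason, entry in audit(SAMPLE_LOG):
        print(f"{entry.client} {entry.method} {entry.url}: {reason}")
```

Run against the sample it reports the two Perl GET/POST lines as "absolute https URL" and the constructed port-8080 CONNECT as outside SSL_ports; pointing it at a real access.log (one entry per line, native format) gives a quick way to confirm which clients are tunnelling TLS properly and which are asking the proxy to fetch https:// URLs directly.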