So let me get this straight:
 * Squid listens on 192.168.1.1:3128
 * Apache listens on 192.168.1.1:80
 * When IE is _configured_ for startup to load http://192.168.1.1/wpad.dat
 * IE for a URI (any URI?!) it sends a request squid can't handle.

Next thing to check is that HTTP/1.1 is disabled in IE6 configuration.

If that fails too, we are stuck looking at cache.log at a tcpdump/wireshark trace of the request to see WTF it's doing.

Amos

> http://192.168.1.1/wpad.dat
>
> IE6
> -------------- Original message ----------------------
> From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
>> > Amos,
>> >
>> > While I appreciate the input on my config file, do you see anything that
>> > would cause it to give me these errors?
>> >
>> > Here is my wpad.dat:
>> >
>> > function FindProxyForURL(url,host) {
>> > return "PROXY 192.168.1.1:3128";
>> > }
>>
>> Okay. That makes it a problem with the request the browser is sending.
>>
>> What are you typing into the address bar to get the error?
>> Which browser?
>>
>> Amos
>>
>> >
>> > Here is what I see in the logs:
>> >
>> > 1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET
>> > error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad
>> > Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06
>> > GMT\r\nContent-Type: text/html\r\nContent-Length: 1370\r\nExpires: Mon, 10
>> > Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
>> > 1205192406.415 0 192.168.1.99 TCP_DENIED/400 1811 GET
>> > error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad
>> > Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06
>> > GMT\r\nContent-Type: text/html\r\nContent-Length: 1498\r\nExpires: Mon, 10
>> > Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
>> >
>> > -------------- Original message ----------------------
>> > From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> >> ffredrixson@xxxxxxxxxxx wrote:
>> >> > I have squid 2.6stable18 on a debian sarge box in non-transparent mode. I also
>> >> > have apache web server setup on this box and it works fine - when the browser is
>> >> > pre-configured for the proxy.
>> >> >
>> >> > I have some people come in and use their laptops from time to time so I need a
>> >> > way to automatically direct them to the proxy server. I've read about wpad.dat
>> >> > and proxy.pac and tried setting that up but I always get the TCP_DENIED/400
>> >> > error:invalid-request in the access.log.
>> >> >
>> >> > When I pre-configure the browser for the proxy, the wpad.dat page shows me the
>> >> > javascript which from what I've read is what it's supposed to do when I put the
>> >> > URL in the address bar: http://192.168.1.1/wpad.dat.
>> >> >
>> >> > When I configure the browser to use an automatic configuration script with that
>> >> > URL, I get the TCP_DENIED/400 errors again.
>> >> >
>> >> > I must be missing something, but I've read everything I could find. Is it an acl
>> >> > that I'm missing?
>> >>
>> >> Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.
>> >>
>> >> >
>> >> > Can someone please help me out?
>> >> >
>> >> > Thank you in advance.
>> >> >
>> >> > Here is my squid.conf:
>> >> >
>> >> > memory_pools off
>> >> > httpd_suppress_version_string on
>> >> > cache_effective_user squid
>> >> > cache_effective_group squid
>> >>
>> >> Better leave the group voodoo to the kernel. Setup the user/group on the
>> >> OS properly and it's not needed in squid.conf. effective_user is okay if
>> >> it's not built properly by the package maintainer (But it should be!).
>> >>
>> >> > http_port 3128
>> >> >
>> >> > cache_access_log /usr/local/squid/var/logs/access.log
>> >>
>> >> That's now: access_log ...
>> >>
>> >> > cache_log /usr/local/squid/var/logs/cache.log
>> >> > mime_table /usr/local/squid/etc/mime.conf
>> >> > log_mime_hdrs on
>> >> > useragent_log /usr/local/squid/var/logs/useragent.log
>> >> >
>> >> > url_rewrite_program /usr/local/squid/bin/ufdbgclient -l /usr/local/squid/var/logs
>> >> > url_rewrite_children 16
>> >> >
>> >> > #ACL's
>> >> > acl all src 0/0
>> >>
>> >> Make this: acl all src all
>> >>
>> >> > no_cache deny all
>> >>
>> >> Make this: cache deny all
>> >> (or if you want things cached and bandwidth savings, remove it)
>> >>
>> >> > acl internal_net src 192.168.1.0/24
>> >> >
>> >> > acl ok_downloads dstdomain "/var/domains.txt"
>> >> >
>> >> > acl SSL_ports port 443
>> >> > acl CONNECT method CONNECT
>> >> >
>> >> > http_access allow internal_net
>> >>
>> >> None of the other http_access will ever match after that line!
>> >>
>> >> > http_access allow ok_downloads internal_net !
>> >> >
>> >> > http_reply_access allow internal_net ok_downloads
>> >>
>> >> Why do this restrictive allow when the next line is a duplicate but more
>> >> friendly one?
>> >> Better to just allow all replies. Remember Error pages and Access Denied
>> >> etc are replies!
>> >>
>> >> > http_reply_access allow internal_net
>> >>
>> >> And ok. Good finish.
>> >>
>> >> > http_access deny all
>> >>
>> >> Amos
>> >> --
>> >> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
>> >> There are serious security advisories out on all earlier releases.
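
Added example, not part of the thread or of Squid itself: a small triage script for the access.log format quoted above (native format with log_mime_hdrs on), which pulls out the error:invalid-request entries, the X-Squid-Error code, and whether any request headers were logged. The two 400 entries are the ones from the post with the mail line-wrapping undone; the TCP_MISS entry and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Entries 1-2: from the post, re-joined onto one line each.
# Entry 3: constructed normal request, for contrast only.
SAMPLE_LOG = [
    r"1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1370\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]",
    r"1205192406.415 0 192.168.1.99 TCP_DENIED/400 1811 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1498\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]",
    r"1205192410.120 85 192.168.1.99 TCP_MISS/200 2345 GET http://example.com/ - DIRECT/192.0.2.10 text/html [Host: example.com\r\n] [HTTP/1.0 200 OK\r\n\r]",
]

# Native access.log fields, followed by the two bracketed header blocks
# that log_mime_hdrs appends: [request headers] [reply headers].
ENTRY = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)\s+"
    r"\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\]$"
)

def parse(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    err = re.search(r"X-Squid-Error: (\S+)", e["rep"])
    e["squid_error"] = err.group(1) if err else None
    e["req_headers_logged"] = bool(e["req"])  # False when the block is "[]"
    when = datetime.fromtimestamp(float(e["ts"]), timezone.utc)
    e["when"] = when.strftime("%Y-%m-%d %H:%M:%S")  # UTC
    return e

def invalid_requests(lines):
    """Entries logged with the error:invalid-request placeholder URL."""
    return [e for e in map(parse, lines) if e and e["url"] == "error:invalid-request"]

def summarize(lines):
    """Count invalid requests per (client, X-Squid-Error code)."""
    return Counter((e["client"], e["squid_error"]) for e in invalid_requests(lines))

if __name__ == "__main__":
    for (client, err), n in summarize(SAMPLE_LOG).items():
        print(f"{client}: {n} x {err}")
    for e in invalid_requests(SAMPLE_LOG):
        print(e["when"], e["client"], "request headers logged:", e["req_headers_logged"])
```

Both 400 entries from the post carry an empty request-header block, so access.log records nothing of what the browser sent; that leaves cache.log and a packet trace as the places to look.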