
Re: Squid, Symantec LiveUpdate, and HTTP 1.1 versus HTTP 1.0


 



Hi,

iptables can match a DNS name so you can use that and just restart the firewall if they mess it up.

If you do something like

iptables -t nat -a dst not liveupdate.s.com -j REDIRECT

it should work - it will make multiple rules and add them to the chain.

Not sure on the real command line but email me if you are stuck.

Cheers,

Pieter

----- Original Message -----
From: "Wong" <wongbali@xxxxxxxxxx>
To: "Marcus Kool" <marcus.kool@xxxxxxxxxxxxxxx>
Cc: "Squid-users" <squid-users@xxxxxxxxxxxxxxx>
Sent: Friday, March 27, 2009 7:40 PM
Subject: Re: Squid, Symantec LiveUpdate, and HTTP 1.1 versus HTTP 1.0


Dear all,

I found that Symantec LU has round robin DNS. And they can change the DNS A
record at any time.

Isn't it better if Squid can bypass the domain name in squid.conf?
Is it possible?

Wong

===snip===

[root@squid root]# nslookup liveupdate.symantec.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
liveupdate.symantec.com canonical name = liveupdate.symantec.d4p.net.
liveupdate.symantec.d4p.net     canonical name =
symantec.georedirector.akadns.net.
symantec.georedirector.akadns.net canonical name = a568.d.akamai.net.
Name:   a568.d.akamai.net
Address: 60.254.140.170
Name:   a568.d.akamai.net
Address: 60.254.140.177
Name:   a568.d.akamai.net
Address: 60.254.140.179
Name:   a568.d.akamai.net
Address: 60.254.140.160
Name:   a568.d.akamai.net
Address: 60.254.140.171
Name:   a568.d.akamai.net
Address: 60.254.140.161

----- Original Message -----
From: "Marcus Kool" <marcus.kool@xxxxxxxxxxxxxxx>
To: "Nathan Eady" <galionlibrary@xxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Thursday, March 26, 2009 04:09
Subject: Re:  Squid, Symantec LiveUpdate, and HTTP 1.1 versus
HTTP 1.0


The story about Squid and HTTP 1.1 is long...

To get your LiveUpdate working ASAP you might want to
fiddle with the firewall rules and to NOT redirect
port 80 traffic of Symantec servers to Squid, but
simply let the traffic pass.

Nathan Eady wrote:
Okay, we've got port 80 traffic going transparently to a Squid proxy
here, and I need to make a small configuration change, and I can't
seem to find, either in the man pages or on the web, the
documentation on how to do it.  It's probably one little line in
squid.conf, but I can't find it.

Here's the deal:
When I access a site (I tested with Google as well as our own offsite
web server) from a computer that is NOT behind the transparent squid
proxy, issuing an HTTP/1.1 request, I get the normal expected HTTP/1.1
response:

nathan@externalbox$ telnet www.galionlibrary.org 80
Trying 209.143.16.23...
Connected to galionlibrary.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.galionlibrary.org

HTTP/1.1 200 OK
[snip the rest]

However, when I do the same thing from a system that IS behind the
proxy, I get an HTTP/1.0 response back:
nathan@donalbain:~$ telnet www.galionlibrary.org 80
Trying 209.143.16.23...
Connected to galionlibrary.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.galionlibrary.org

HTTP/1.0 200 OK
[snip the rest]

Until recently I never even noticed this, but now Symantec LiveUpdate
is failing on all the systems behind the proxy.  I posted about that
on the Norton Community forum, umm, here:
http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=42361

The long and short of that thread is that recent updates to LU have
caused it to no longer support HTTP 1.0.  The LU servers are all HTTP
1.1, and now the client requires this.  Our setup is not the only
thing breaking as a result (apparently, the built-in "firewalls" on
some home routers also have problems with it), but now that I'm aware
Squid is doing this, it ought to be easy to make some small change in
the configuration and get it to return HTTP 1.1 responses, at least
when the server does -- right?

But I'm coming up blank on how.

One other note:  the version of Squid we have, for reasons that aren't
worth going into here, is I believe somewhat outdated (-v says
2.5.STABLE13).  But HTTP 1.1 is certifiably older than dirt, so I'd be
extremely amazed if the Squid that we have doesn't support it...
We're going to update it hopefully pretty soon, but getting LiveUpdate
working again is significantly more urgent (and, hopefully, easier;
updating Squid in our case  probably means a fresh OS install...)

So where and how do I configure what Squid does with HTTP versions?
Where is this documented?

TIA,

Nathan Eady
Technology Coordinator
Galion Public Library
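
The firewall bypass suggested in this thread, combined with the round-robin DNS observation, as an added example (not code from any poster): iptables resolves a hostname only once, when the rule is loaded, so this sketch turns each resolved A record into its own exemption rule that can be regenerated on a schedule. The chain name LU_BYPASS is hypothetical, it is assumed to be jumped to from nat PREROUTING ahead of the REDIRECT rule that feeds Squid, and the sample lookup is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: print nat-table exemption rules for every A record of a host.
# Assumption: LU_BYPASS is a hypothetical user chain, created once with
#   iptables -t nat -N LU_BYPASS
#   iptables -t nat -I PREROUTING -p tcp --dport 80 -j LU_BYPASS
# so it is evaluated before the existing REDIRECT rule.
CHAIN=LU_BYPASS

# Constructed sample input: abbreviated nslookup output with one duplicate.
SAMPLE_LOOKUP='Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
liveupdate.symantec.com canonical name = liveupdate.symantec.d4p.net.
Name:   a568.d.akamai.net
Address: 60.254.140.170
Name:   a568.d.akamai.net
Address: 60.254.140.177
Name:   a568.d.akamai.net
Address: 60.254.140.170'

# Read nslookup output on stdin, print the unique IPv4 answer addresses.
# Addresses before the first "Name:" line belong to the resolver and are skipped.
answer_addrs() {
    awk '/^Name:/ { seen = 1 }
         seen && $1 == "Address:" && $2 ~ /^[0-9]+(\.[0-9]+)+$/ { print $2 }' |
        sort -u
}

# Print (do not execute) the commands that rebuild the bypass chain.
# ACCEPT in the nat table ends NAT processing for the connection, so the
# packet is never handed to the later REDIRECT rule.
bypass_rules() {
    echo "iptables -t nat -F $CHAIN"
    answer_addrs | while read -r ip; do
        echo "iptables -t nat -A $CHAIN -d $ip -j ACCEPT"
    done
}

# Dry run on the constructed sample.
printf '%s\n' "$SAMPLE_LOOKUP" | bypass_rules
```

On a live gateway the input would be `nslookup liveupdate.symantec.com | bypass_rules`, reviewed and then run from cron. Addresses that rotate between runs still go through Squid until the next refresh.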






