server_http11 on will do the trick

----- Original Message ----
> From: "Kelly, Jack" <Jack.Kelly@xxxxxxxxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxx
> Sent: Fri, October 9, 2009 12:10:02 AM
> Subject: Strange issues with accessing facebook and other php driven sites via proxy
>
> Hi everyone,
> At my office I've implemented a Squid server which uses LDAP credentials
> to give certain users access to certain websites. Basically, everyone
> belongs to a base 'Filtered' group, and individual users can be added to
> a 'FacebookAccess' group for access to facebook. This is mainly because
> some departments (read: marketing) need access to facebook while others
> do not.
>
> I've only been working in Squid for about a month and although I've
> gotten pretty proficient at getting it to do what I want, I've
> encountered what's seeming to be a higher-level problem.
>
> Here's the relevant section of my conf file:
>
> acl Unfiltered external InetGroup Unfiltered
> acl FacebookAccess external InetGroup FacebookAccess
> acl Filtered external InetGroup Filtered
>
> acl blocksites url_regex "/etc/squid3/block.acl"
> acl whitelist url_regex "/etc/squid3/whitelist.acl"
> acl facebook url_regex .facebook.
> acl fbcdn url_regex .fbcdn.
>
> #Note: these two lines were added to troubleshoot
> always_direct allow fbcdn
> always_direct allow facebook
>
> http_access allow Unfiltered
> http_access allow Filtered whitelist
> http_access allow FacebookAccess facebook
> http_access allow FacebookAccess whitelist
> http_access deny Filtered blocksites
> http_access deny FacebookAccess blocksites
> http_access allow FacebookAccess
> http_access allow Filtered
>
> And here's the problem:
> Users in the FacebookAccess group can get to www.facebook.com
> without a problem, and users who are only in
> the Filtered group cannot. So that's great. However, when they log in
> and reach www.facebook.com/home.php?, they just get a white screen -
> sometimes. Occasionally it works and occasionally it doesn't; there
> appears to be no rhyme or reason to it. I've added ".fbcdn." to my
> whitelist.acl file, because I saw that content from that domain was
> getting denied when facebook loads... but even after that, no go.
>
> When I visit the site and log in, the access.log just shows:
>
> jackk 08/Oct/2009 11:54:30 TCP_MISS/200 GET http://www.facebook.com/
> jackk 08/Oct/2009 11:54:36 TCP_MISS/200 CONNECT login.facebook.com:443
> jackk 08/Oct/2009 11:54:36 TCP_MISS/200 GET http://www.facebook.com/home.php?
>
> And to troubleshoot I tried accessing facebook from a member of the
> 'Unfiltered' group, to which no restrictive acl policies apply. Same
> problem. Meanwhile obviously a direct, proxy-free connection to facebook
> from my office works just fine.
>
> I'm very, very stuck. Any advice on what to try next would be hugely
> appreciated.
>
> Thanks!
>
> Jack Kelly
> Network Services Administrator
> W/S Development Associates, LLC
> Chestnut Hill, MA