Re: URGENT -- Suddenly Cant open Facebook

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Jorge Perez wrote:
> Hello, we suddenly today we cant open facebook and we need it urgently for work.
>
> There is no DNS Issue, all i get is a blank page and nothing happens. Before it was everything ok...
>
> Any ideas??

Lucky day, I was about to post the answers :)  We have had an unusually 
high number of people on IRC live help with the same problem in the last 
few hours.

Squid-2.7 can be made to work by adding "server_http11 on" to squid.conf.

Squid-3.1 is not affected.

Other versions have no good fix yet. Perhapse routing requests through 
one of the unaffected versions or allowing clients to go direct to 
facebook without the proxy.

Why?
  Facebook seem to have changed something on their servers very, very 
recently. They are right now violating HTTP in several ways.

 The bad violation resulting in blank pages is that some the mandatory 
HTTP headers, including Date: are missing from their replies to HTTP/1.0 
clients.

 The other violation is that they are responding with different HTTP 
versions and header sets to HTTP/1.0 and HTTP/1.1 depending on which 
version is used to query them.
  When queried with HTTP/1.1 request the right headers, or at least a 
minimally usable set are sent out.

Amos

> Here is access.log
>
> 1279813884.035    144 192.168.169.238 TCP_MISS/200 1704 GET http://static.ak.fbcdn.net/rsrc.php/zANMV/hash/9hba0udp.css - DIRECT/65.216.161.59 text/css
> 1279813885.265   2175 192.168.169.238 TCP_MISS/200 793 GET http://www.facebook.com/? - DIRECT/66.220.147.11 text/html
> 1279813887.957   5110 192.168.169.238 TCP_MISS/404 11091 GET http://www.facebook.com/t - DIRECT/66.220.147.11 text/html
> 1279813888.020   1558 192.168.169.238 TCP_MISS/200 453 GET http://www.facebook.com/? - DIRECT/66.220.147.11 text/html
> 1279813893.897   9622 192.168.169.238 TCP_MISS/200 688 GET http://search.twitter.com/search.json? - DIRECT/128.242.245.43 application/json
>
> iptables proxy rules:
>
> echo "Aplicando reglas iptables..."
> iptables -t nat -F
> iptables -t nat -X
> iptables -t nat -Z
> iptables -F
> iptables -X
> iptables -Z
> ##
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> ##
> iptables -t nat -A POSTROUTING -s 192.168.169.0/24 -o eth2 -j MASQUERADE
> iptables -t nat -A PREROUTING -s 192.168.169.0/24 -d ! 192.168.169.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> ##
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 993 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 110 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 465 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 25 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 443 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p tcp --dport 53 -j ACCEPT
> iptables -A FORWARD -s 192.168.169.0/24 -i eth2 -p udp --dport 53 -j ACCEPT
> iptables -A FORWARD -s 192.168.2.0/24 -i eth2 -p tcp --dport 1863 -j ACCEPT
> ##
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
>
>
>
> squid.conf
>
> http_port 192.168.169.3:3128 transparent
> cache_dir ufs /usr/local/squid/var/cache 250 16 256
> cache_effective_user squid
> cache_effective_group squid
> access_log /usr/local/squid/var/logs/access.log squid
> ################################
> acl localnet src 192.168.169.0/255.255.255.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
> ###########################
> acl SSL_ports port 443 563
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> #### SITIOS BLOKEADOS #####
> acl restobb src 192.168.169.1-192.168.169.129
> acl sucky_urls dstdomain .facebook.com .twitter.com .doubleclick.com .fotolog.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .medi$
> deny_info http://www.trabajoweb.cl/error.html sucky_urls
> http_access deny restobb sucky_urls
> ######################## NO DESCARGAS #####
> acl resto src 192.168.169.1-192.168.169.29/32
> acl descargas_negadas urlpath_regex -i \.(exe|vqf|gz|zip|r[ap][rwm]|avi|mpe?g?3?|qt|ra?m|iso|wav|mov|torrent)(\?.*)?$
> deny_info http://www.trabajoweb.cl/error.html descargas_negadas
> http_access deny resto descargas_negadas
> ######################## SITIOS PROYECTOS ###############
> acl restobb2 src 192.168.169.130-192.168.169.149
> acl sucky_urls2 dstdomain .doubleclick.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .mediafire.com .depositfiles.com .taringa.co$
> deny_info http://www.trabajoweb.cl/error.html sucky_urls2
> http_access deny restobb2 sucky_urls2
> ########################
> ######################## SITIOS ESTUDIO ###############
> acl restobb3 src 192.168.169.190-192.168.169.219
> acl sucky_urls3 dstdomain .doubleclick.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .mediafire.com .depositfiles.com .taringa.co$
> deny_info http://www.trabajoweb.cl/error.html sucky_urls2
> http_access deny restobb3 sucky_urls2
> ########################
> ########################
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> ##############################
> http_reply_access allow localnet
> http_reply_access deny all
> acl FTP proto FTP
> always_direct allow FTP
> #############################
> #REGLAS DESCARGAS
> acl normales src 192.168.169.30-192.168.169.129/32
> acl tecnicos src 192.168.169.130-192.168.169.149/32
> acl administrador src 192.168.169.150-192.168.169.189/32
> acl estudio src 192.168.169.190-192.168.169.219/32
> acl descargas urlpath_regex -i \.(exe|vqf|gz|zip|r[ap][rwm]|avi|mpe?g?3?|qt|ra?m|iso|wav|mov)(\?.*)?$
>
> delay_pools 4
> ####
> delay_class 1 1
> delay_parameters 1 10240/10485760 10240/10485760
> delay_access 1 allow normales descargas
> delay_access 1 deny all
> ###
> ###
> delay_class 2 1
> delay_parameters 2 30720/104857600 30720/104857600
> delay_access 2 allow tecnicos descargas
> delay_access 2 deny all
> ####
> delay_class 3 1
> delay_parameters 3 30720/104857600 30720/104857600
> delay_access 3 allow administrador descargas
> delay_access 3 deny all
> ###
> delay_class 4 1
> delay_parameters 4 10240/10240 10240/10240
> delay_access 4 allow estudio
> delay_access 4 deny all


--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5