Hi, Sorry for the late reply,

2011/2/25 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 25/02/11 22:53, Ümit Kablan wrote:
>>
>> 2011/2/24 Amos Jeffries<squid3@xxxxxxxxxxxxx>:
>>>
>>> On Wed, 23 Feb 2011 12:32:56 +0200, Ümit Kablan wrote:
>>>>
>>>>
>>>> 2011/2/22 Amos Jeffries :
>>>>>
>>>>> On Tue, 22 Feb 2011 17:24:39 +0200, Ümit Kablan wrote:
>>>>>>
>>>>>> 2011/2/21 Amos Jeffries wrote:
>>>>>>>
>>>>>>> On Mon, 21 Feb 2011 16:19:53 +0200, Ümit Kablan wrote:
>>>>>>>>
>>>>>>>> -------
>>>>>>>> GET /search?hl=tr&source=hp&biw=1276&bih=823&q=eee+ktu&aq=0&aqi=g10&aql=&oq=eee&fp=64d53dfd7a69225a&tch=3&ech=1&psi=6UBOTbHmCtah_Aa2haXRDw12969740590425&wrapid=tlif129697480915821&safe=active HTTP/1.1
>>>>>>>
>>>>>>> Note the missing http://domain details in the URL. This is not a
>>>>>>> browser->proxy HTTP request. It is a browsers->origin request.
>>>>>>>
>>>>>>> IIRC interception of this type of request does not work in Windows,
>>>>>>> since the kernel NAT details are not available without proprietary
>>>>>>> third-party network drivers. Look at WPAD configuration of the
>>>>>>> localnet browsers instead, that way they will send browser->proxy
>>>>>>> requests nicely.
>>>>>>
>>>>>> Exactly! The working requests are all starting with http://domain/ as
>>>>>> you mentioned. (I must say I couldn't capture loopback network packets
>>>>>> ...
>>>>>
>>>>> Squid needs to be configured via the http_port to know what mode/type
>>>>> of traffic it is going to receive. The browsers need to be sending the
>>>>> right type as well.
>>>>
>>>> I have
>>>> -----
>>>> http_port 3128
>>>> -----
>>>> in my configuration. Do I miss something?
>>>
>>> Yes. But you keep omitting the details of *how* browsers are getting to
>>> squid, so we can't tell if you are attempting to run a transparent proxy
>>> or a reverse proxy. Two very different configurations both in Squid and
>>> in the network underneath.
>>>
>>> Please confirm your network layout and traffic flows including software
>>> which is involved on each related machine.
>>>
>>
>> My network has 20+ machines all connecting to internet individually
>> through ONE adsl modem in my network (those are connected to each
>> other with a switch). My browsers are configured to use the squid
>> proxy explicitly (so I think it has nothing to do with transparency)
>>
>
> Okay. Then it is VERY weird that they would be behaving as if the proxy were
> an origin server and not a proxy. None of the major browsers or thousands of
> other agents out there display that type of confusion.
>
>>>
>>> You say this Squid is on Windows where interception type of transparent
>>> proxy is not possible for free, but keep mentioning the public website
>>> google as working.
>>
>> Actually I was trying to stress on the weird problem I encountered to
>> help shed some light on the problem.
>>
>>>
>>> I suspect you are trying to perform NAT interception on a separate box to
>>> Squid. Which is highly dangerous.
>>>
>>
>> I think NAT inspection you mentioned is not executed on the XP machine
>> where squid is running, yes. But I am not sharing my internet
>> connection through that windows machine. I just want clients (those
>> browsers configured to use proxy) use the internal proxy.
>
> If the NAT anywhere is forwarding packets to Squid it would display like
> this inside Squid.
>
>
> Check for NAT (sometimes called port forwarding) rules on that box
> mentioning the Squid box. Remove any found.
>
> As an experiment you can also add a full firewall block of HTTP traffic
> coming out of the network from anywhere except the Squid box. If the
> browsers are correctly configured and going
> browser->squid->firewall->Internet then the client will not even notice the
> firewall block.

Amos, I couldn't make that experiment you defined but I installed
wireshark on that client machine (192.168.1.120) to sniff the network
conversation with the proxy (192.168.1.10). Here is what I got:

Enter the search engine:

[192.168.1.10 -> 192.168.1.120]
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: NID=44=gkt-jx_qa_J60q_7Kh4Js1k6NWv6AiHLRZ9CS-rvoyYOmqzicK-QCaJ0G6i0NEWMU_ZMLkbmSi3SM1lY87Wa-4xbeSbMW587mgMopt52Ft63oWkorPWy1qT2lT7yOkh_; PREF=ID=35a4f1ae7230beb1:U=b17222c86da2e9a2:FF=0:TM=1298386458:LM=1298903279:S=lsWVEGvnUbx5O1tO

Start typing a phrase and it tries to autocomplete:

[192.168.1.10 -> 192.168.1.120]
GET http://clients1.google.com.tr/complete/search?hl=tr&client=hp&q=ert&cp=3 HTTP/1.1
Host: clients1.google.com.tr
Proxy-Connection: keep-alive
Referer: http://www.google.com.tr/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: NID=44=WDrVJT3IHROI8LLhYljiGzpNonvug9envnNeEoo6qdVxw1B1eHwarlfgZgODzoTsj7i7QGza5luXEqgQuFx7eWduz3Pcc-8IFrLp8tTyIaJC9VgyXEyQAv0qBQD3Dxm9; PREF=ID=e5ce72ddfd5e542a:U=0163fee991eaa35b:FF=0:TM=1298386459:LM=1298903279:S=6Sakp_hgUHZXMW1W

Enter the full phrase and hit enter:

[192.168.1.10 -> 192.168.1.120]
GET /search?hl=tr&source=hp&biw=1280&bih=897&q=ertex&aq=2&aqi=g10&aql=&oq=ert&fp=3405898bc8895081&tch=1&ech=1&psi=_LBrTd6iFM-o8QPm5P3tDA12989033090755&safe=active HTTP/1.1
Host: www.google.com.tr
Proxy-Connection: keep-alive
Referer: http://www.google.com.tr/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: NID=44=WDrVJT3IHROI8LLhYljiGzpNonvug9envnNeEoo6qdVxw1B1eHwarlfgZgODzoTsj7i7QGza5luXEqgQuFx7eWduz3Pcc-8IFrLp8tTyIaJC9VgyXEyQAv0qBQD3Dxm9; PREF=ID=e5ce72ddfd5e542a:U=0163fee991eaa35b:FF=0:TM=1298386459:LM=1298903279:S=6Sakp_hgUHZXMW1W

[192.168.1.120 -> 192.168.1.10]
HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE8
Date: Mon, 28 Feb 2011 14:30:43 GMT
Content-Type: text/html
Content-Length: 2044
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from kiemserver
X-Cache-Lookup: NONE from kiemserver:3128
Via: 1.0 kiemserver:3128 (squid/2.7.STABLE8)
Connection: close

Last is the weird part. It crops the full url and it thinks it is
talking directly to the origin as you already said. Or I am skipping
something obvious.

>
> Amos
>

--
Regards,
--
Ümit
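
Added example, not part of the original message and not Squid code: a small triage script that names the request-target form of each captured request and shows why only the third one draws a 400 on a plain forward-proxy port. The sample requests are abbreviated from the capture above, and the function names and the Proxy-Connection heuristic are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample: request heads abbreviated from the capture in the message
# above (cookies and most headers dropped, query strings shortened).
CAPTURE = [
    "GET http://www.google.com/ HTTP/1.1\r\n"
    "Host: www.google.com\r\nProxy-Connection: keep-alive\r\n\r\n",
    "GET http://clients1.google.com.tr/complete/search?hl=tr&q=ert HTTP/1.1\r\n"
    "Host: clients1.google.com.tr\r\nProxy-Connection: keep-alive\r\n\r\n",
    "GET /search?hl=tr&q=ertex&safe=active HTTP/1.1\r\n"
    "Host: www.google.com.tr\r\nProxy-Connection: keep-alive\r\n\r\n",
]

def parse_head(raw):
    """Split a raw request head into method, request-target and headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def target_form(method, target):
    """Name the request-target form (RFC 7230 section 5.3)."""
    if target == "*":
        return "asterisk-form"
    if method == "CONNECT":
        return "authority-form"
    if target.startswith("/"):
        return "origin-form"
    parts = urlsplit(target)
    return "absolute-form" if parts.scheme and parts.netloc else "invalid"

def triage(raw):
    """Return (form, verdict, url) for one request seen on a forward-proxy port."""
    method, target, headers = parse_head(raw)
    form = target_form(method, target)
    if form in ("absolute-form", "authority-form"):
        return form, "ok for a forward proxy", target
    if form == "origin-form":
        # Heuristic (assumption): Proxy-Connection is sent by a client that
        # believes it is talking to a proxy, which points away from plain NAT
        # interception of direct browser->origin traffic.
        cause = "proxy-aware sender" if "proxy-connection" in headers else "direct or intercepted"
        return form, "rejected: " + cause, "http://" + headers.get("host", "?") + target
    return form, "rejected: malformed", None

if __name__ == "__main__":
    for raw in CAPTURE:
        print(triage(raw))
```

The third element of each result is the URL rebuilt from the Host header, which is what the request would have needed as its target to be accepted.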