On 25/07/2015 4:59 a.m., Jagannath Naidu wrote: > 1. Its not a transparent proxy. > > 2. My clients get wpad configuration from AD server. So there are two > question. > 2.1 :I know that wpad is used to identify proxy server and port(and rest > other bypass rules). When clients resolve to wpad.abc.com, is there way > that I can overwrite the wpad file off client. Like creating a webserver to > to serve wpad file and I change /etc/hosts file to "<myhwebserveripaddress> > wpad.abc.com" > 2.2 Is there any other way to tell clients via squid server, to do not come > to squid server and re initiate the request. Exactly that if you wish. Its not clear whether WPAD is the problem though. The fact that you have Squid logs showing access indicates the traffic us actually getting there okay. The responses do seem to be coming back from 10.* servers as well. So what is happening is something is causing those servers not to like the traffic being requested from them. > > On 24 July 2015 at 21:10, Jagannath Naidu < > jagannath.naidu@xxxxxxxxxxxxxxxxxx> wrote: > >> >> >> On 24 July 2015 at 21:05, Jagannath Naidu < >> jagannath.naidu@xxxxxxxxxxxxxxxxxx> wrote: >> >>> Dear List, >>> >>> I have been working on this for last two weeks, but never got it >>> resolved. >>> >>> We have a application server (SERVER) in our local network and a desktop >>> application (CLIENT). The application picks proxy settings from IE. And we >>> also have a wensense proxy server >>> >>> case 1: when there is no proxy set >>> application works. No logs in squid server access.log >>> >>> case 2: when proxy ip address set and checked "bypass local network" >>> application works. No logs in squid server access.log >>> >>> case 3: when proxy ip address is set to wensense proxy server. UNCHECKED >>> "bypass local network" >>> application works. We dont have access to websense server and hence we >>> can not check logs Can you explain "not works" in any better detail? application expected vs actual behaviour? if you can relate that to particular HTTP messages even better. >>> >>> >>> case 4: when proxy ip address is set to proxy server ip address. >>> UNCHECKED "bypass local network" >>> application does not work :-(. Below are the logs. >>> >>> >>> 1437751240.149 7 192.168.122.1 TCP_MISS/404 579 GET >>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application >>> - HIER_DIRECT/10.1.4.46 text/html 404. The URL you see above references an object that does not exist on that server. Things to look into: Is it the right server? Is it the right URL? Why was it requested? Does the server actually know its "dlwvdialce.htmedia.net" name? >>> 1437751240.992 94 192.168.122.1 TCP_DENIED/407 3757 CONNECT >>> 0.client-channel.google.com:443 - HIER_NONE/- text/html >>> 1437751240.996 0 192.168.122.1 TCP_DENIED/407 4059 CONNECT >>> 0.client-channel.google.com:443 - HIER_NONE/- text/html Authentication. Normal I think. >>> 1437751242.327 5 192.168.122.1 TCP_MISS/404 579 GET >>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/ >>> 10.1.4.46 text/html Same as the first 404'd URL. >>> 1437751244.777 1 192.168.122.1 TCP_MISS/503 4048 POST >>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal >>> - HIER_NONE/- text/html 503 usually indicates the attempted server failed. Makes sense if TCP to cs-711-core.htmedia.net port 8180 did not work. Which would also match the lack of server IP in the log. >>> >>> UPDATE: correct logs >> >> 1437752279.774 6 192.168.122.1 TCP_MISS/404 579 GET >> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application >> - HIER_DIRECT/10.1.4.46 text/html >> 1437752281.854 5 192.168.122.1 TCP_MISS/404 579 GET >> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/ >> 10.1.4.46 text/html >> 1437752284.265 2 192.168.122.1 TCP_MISS/503 4048 POST >> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal >> - HIER_NONE/- text/html >> Same comments as above. >> >> >>> squid -v >>> Squid Cache: Version 3.3.8 >>> configure options: '--build=x86_64-redhat-linux-gnu' >>> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' >>> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' >>> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' >>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' >>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' >>> '--infodir=/usr/share/info' '--disable-strict-error-checking' >>> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' >>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' >>> '--with-logdir=$(localstatedir)/log/squid' >>> '--with-pidfile=$(localstatedir)/run/squid.pid' >>> '--disable-dependency-tracking' '--enable-eui' >>> '--enable-follow-x-forwarded-for' '--enable-auth' >>> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' >>> '--enable-auth-ntlm=smb_lm,fake' >>> '--enable-auth-digest=file,LDAP,eDirectory' >>> '--enable-auth-negotiate=kerberos' >>> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' >>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' >>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' >>> '--enable-ident-lookups' '--enable-linux-netfilter' >>> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' >>> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' >>> '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' >>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl' >>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' >>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall >>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong >>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic >>> -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 >>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions >>> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches >>> -m64 -mtune=generic -fpie' >>> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig' >>> >>> >>> squid.conf >>> >>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network >>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network >>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network >>> acl localnet src fc00::/7 # RFC 4193 local private network range >>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) >>> machines >>> acl SSL_ports port 443 >>> acl Safe_ports port 80 # http >>> acl Safe_ports port 21 # ftp >>> acl Safe_ports port 443 # https >>> acl Safe_ports port 70 # gopher >>> acl Safe_ports port 210 # wais >>> acl Safe_ports port 1025-65535 # unregistered ports >>> acl Safe_ports port 280 # http-mgmt >>> acl Safe_ports port 488 # gss-http >>> acl Safe_ports port 591 # filemaker >>> acl Safe_ports port 777 # multiling http >>> acl Safe_ports port 8180 >>> acl CONNECT method CONNECT >>> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54 >>> 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4 For easier reading: acl wvdial dst 10.1.4.45-10.1.4.55/27 10.1.2.4 (at least I think they are all in one /27, double-check that) >>> http_access allow wvdial >>> acl dialer dstdomain .htmedia.net >>> http_access allow dialer >>> http_access deny !Safe_ports >>> http_access deny CONNECT !SSL_ports >>> http_access allow localhost manager >>> http_access deny manager >>> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET "=" is a funny domain name. I suspect you wanted the domain-name part of the line to be used instead. Remove the "= " bit. >>> append_domain .mydomain.net >>> ignore_expect_100 on The ignore_* directive should not be useful in 3.3. You can remove it now. >>> dns_v4_first on >>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics >>> --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET >>> auth_param ntlm children 1000 >>> auth_param ntlm keep_alive off >>> auth_param basic program /usr/bin/ntlm_auth >>> --helper-protocol=squid-2.5-basic >>> auth_param basic children 100 >>> auth_param basic realm Squid proxy-caching web server >>> auth_param basic credentialsttl 2 hours >>> acl auth proxy_auth REQUIRED >>> http_access allow all auth "allow all auth" means the same as "allow auth". "all" only has meaning on the end (right-hand side) of the line which would otherwise end in a proxy_auth ACL. It should either be on the end of that line, or not used at all. >>> http_access allow localnet >>> http_access allow localhost >>> http_access deny all >>> http_port 0.0.0.0:8080 >>> coredump_dir /var/spool/squid >>> refresh_pattern ^ftp: 1440 20% 10080 >>> refresh_pattern ^gopher: 1440 0% 1440 >>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 >>> refresh_pattern . 0 20% 4320 >>> >>> >>> It was the same behavior with squid-3.1.10-19. I thought, upgrading to >>> squid 3.3 would help. Please help me resolving this mystery. Looks to me like the server at 10.1.4.46 does not know what to do with the URLs requested. I would start looking at whether the application is actually supposed to be going there for its requests. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
