
Re: IIS error with one website


Hey Ryan,

I noticed that you are using a Windows version of Squid and, on top of that, a 2.X version. Technically this version is not supported anymore by the squid-cache project, and from the settings either you are running a very old machine or something else not really known to me. It's hard to know what the difference is in the request that Squid does compared to BlueCoat or other proxies without sniffing the network. And since it's an HTTP connection, it would not be very hard to find the culprit with a couple of Wireshark dumps.
The options I can think about are:
- squid 2 uses HTTP/1.0 instead of HTTP/1.1, which the service requires
- squid 2 adds something to the request that breaks the connection
- the upstream proxy (proxy1.ap.webscanningservice.com) is doing something to the connection.
- the combination of both squid2 and the upstream complicates things and the web application doesn't like it.

If you do have any way to upgrade the service from 2.X to anything newer, do that instead of something else.
Try to take a look at:
http://squid.diladele.com/

If you do have the option to run it on a Linux machine instead of a Windows one, consider doing so.

If you want me to analyze the Wireshark dumps from the proxy server, send them privately.

Eliezer

On 01/03/2016 01:09, Ryan Slick wrote:
Hi this is not an SSL site.

Here is the config (I have stripped out the ACLs)


#WELCOME TO SQUID 2
#------------------

# NETWORK OPTIONS
# -----------------------------------------------------------------------------


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

#  TAG: cache_peer
   cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest


# disable local cache digest generation
digest_generation off

#  TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?

#define the all here as it will be used by the no_cache
acl all src 0.0.0.0/0.0.0.0
#  TAG: no_cache
cache deny all

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------


#  TAG: maximum_object_size(bytes)
maximum_object_size 0 KB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

log_uses_indirect_client on

# Enable Log Rotation

logfile_rotate 7

#  TAG: emulate_httpd_log on|off
emulate_httpd_log on

#  TAG: debug_options
debug_options ALL,1
#debug_options ALL,9

#  By default, the store and access log is disabled to avoid large size log files
cache_store_log none
access_log none
useragent_log none
#cache_log c:/ClientSiteProxy/var/logs/cache.log
#access_log C:/ClientSiteProxy/var/logs/access.log
cache_log D:/SquidDefinitions/logs/cache.log
access_log D:/SquidDefinitions/logs/access.log
#useragent_log c:/ClientSiteProxy/var/logs/useragent.log

# IGNORE EXPECT 100 HTTP HEADER
# -----------------------------------------------------------------------------
ignore_expect_100 on

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

#  TAG: auth_param
auth_param ntlm program c:/clientsiteproxy/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 80
auth_param ntlm keep_alive on

# auth_param negotiate program c:/clientsiteproxy/libexec/mswin_negotiate_auth.exe
auth_param negotiate children 80

auth_param basic program c:/clientsiteproxy/libexec/ncsa_auth.exe C:/clientsiteproxy/etc/passwd.txt
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#  Use this tag to specify how long the IP authentication credentials will be cached
#  If multiple users connect from a single IP (ie: terminal services) comment out the
#  following line and uncomment the next.
#authenticate_ip_shortcircuit_ttl 30 seconds
authenticate_ip_shortcircuit_access none

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

#  TAG: refresh_pattern
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

# TIMEOUTS
# -----------------------------------------------------------------------------

read_timeout 15 minutes

# X-Saucer
# -----------------------------------------------------------------------------

# TAG: fqdn_xsaucer
# Turn this on if you wish to use fully qualified domain names instead of
# user names in X-Saucer. To do this Squid does a DNS lookup of all
# IP's connecting to it. This can (in some situations) increase
# latency, which makes your cache seem slower for interactive
# browsing. By default, it is off.
# The FQDN will be prepended with a backslash and converted to lower case since
# ClientNet only accepts custom user name with backslash. If log_fqdn is
# also enabled, the FQDN will be logged in access.log.
# For example, an FQDN of www.XYz.com in access.log will require specifying
# a custom user "\www.xyz.com" (no quotes) in ClientNet.
#
# fqdn_xsaucer off


# TAG: hash_username_xsaucer
#Turn this on if you wish to apply hex representative of hashed(SHA-1)
#to domain name\user name (before encryption) in X-Saucer instead.
#
# hash_username_xsaucer off


# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: acl
# TAG: disable password on conf file
#cachemgr_passwd none config
acl SSL_ports port 443 563 5443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563 5443        # https, snews, medicare
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl_uses_indirect_client on
acl CONNECT method CONNECT
acl authproxy proxy_auth REQUIRED
# the IP list of "acl our_networks src" may potentially be long while
# the maximum number of characters supported by squid is around 500.
# therefore, you should try to split long ip list to multiple lines for
# readability and maintainability, see the following lines as an example:
# acl our_networks src x.x.x.x/z x.x.x.x/x x.x.x.x/z ....
# acl our_networks src y.y.y.y/z y.y.y.y/y y.y.y.y/z ....
acl our_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16



# __________________________________________________________________________
acl HEAD method HEAD
follow_x_forwarded_for allow f5lb_prxy
#  TAG: http_access

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# __________________________________________________________________________
#http_access allow CONNECT SSL_ports
# __________________________________________________________________________
http_access deny CONNECT !SSL_ports
#Allow the header as IE does not process the Head authentication
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
# __________________________________________________________________________



# __________________________________________________________________________
# NTLM bypasses and specific domain bypass come after this comment block.
# http_access = NTLM bypass. always_direct = bypasses the MessageLabs proxy
# and sends the connection directly. The first sample below creates a bypass
# named 'uniqueBypass1' which bypasses NTLM and sends the connection directly
# for sample.com. The second sample will bypass NTLM authentication for
# connections to sample.com.
# Begin Sample 1:
#acl uniqueBypass1 dstdomain sample.com
# http_access allow uniqueBypass1
# always_direct allow uniqueBypass1
# Begin Sample 2:
#acl NTLMBypass dstdomain sample.com
#http_access allow NTLMBypass

http_access allow authproxy
http_access deny all


#  TAG: icp_access
icp_access allow all

#  TAG: httpd_suppress_version_string on|off
#Suppress Squid version string info in HTTP headers and HTML error pages.
#
httpd_suppress_version_string on


# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

#  TAG: visible_hostname
visible_hostname ClientSiteProxy

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------


# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------


# MISCELLANEOUS
# -----------------------------------------------------------------------------

# Forwarding proxy client IP addresses in X-Forwarded-For header.
# Disabled to prevent leakage of internal network configuration details.
forwarded_for truncate

# Do not reveal CSP version in "Via" HTTP header
header_access Via deny all

#  TAG: never_direct
never_direct allow all

# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------

#  TAG: coredump_dir
#  completely disable checks for cache consistency (and/or garbage collection) and
#  there will be no need to initialize cache dirs which amount to be over 2000 dir.
cache_dir null c:/ClientSiteProxy
coredump_dir c:/clientsiteproxy/var/cache

http_port 80
http_port 8080



On Tuesday, 1 March 2016 11:49 AM, Eliezer Croitoru
<eliezer@xxxxxxxxxxxx> wrote:


Can you send me or the list your squid.conf?
Also, are you using SSL-Bump? Is this an HTTPS site?

Eliezer

On 01/03/2016 00:36, Ryan Slick wrote:
 > Hi Guys,
 >
 > So here is an issue I am having,
 >
 > there is a external website some of our users need to access. When
 > accessing via the Squid proxy, the site throws this error on the page:
 >
 > iisnode encountered an error when processing the request.
 > HRESULT: 0xb
 > HTTP status: 500
 > HTTP reason: Internal Server Error
 > You are receiving this HTTP 200 response because
 > system.webServer/iisnode/@devErrorsEnabled configuration
 > setting is 'true'.
 >
 > We configured on a pc that goes directly to the internet the page loads
 > fine, when going via a bluecoat proxy on a different network it loads
 > fine, When I put in a direct access rule on squid the error is still thrown.
 >
 > I am convinced the issue is on the external webserver, however it would
 > appear squid is not playing nice with it, is there anything I can do to
 > attempt to fix it? Now the users have tested on their remote devices and
 > from home they are convinced the issue lies on the proxy.
 >
 > regards
 >
 >
 >
 >
 >
 > _______________________________________________
 > squid-users mailing list
 > squid-users@xxxxxxxxxxxxxxxxxxxxx
 > http://lists.squid-cache.org/listinfo/squid-users




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
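
The capture comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs a request sent directly against the same request as it leaves the proxy, reporting the HTTP version and any added, removed or changed headers. The function names and both sample requests are constructed for illustration; paste in the text of your own Wireshark "Follow TCP Stream" output instead.

```python
def parse_request(raw):
    """Split a raw HTTP request into (method, target, version, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # Header names are case-insensitive; repeated headers are joined.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return method, target, version.strip(), headers


def diff_requests(direct_raw, proxied_raw):
    """Report what differs between the direct and the proxied request."""
    d_method, d_target, d_ver, d_hdrs = parse_request(direct_raw)
    p_method, p_target, p_ver, p_hdrs = parse_request(proxied_raw)
    same_line = (d_method, d_target) == (p_method, p_target)
    return {
        "version": None if d_ver == p_ver else (d_ver, p_ver),
        "request_line": None if same_line
        else ((d_method, d_target), (p_method, p_target)),
        "added": sorted(set(p_hdrs) - set(d_hdrs)),
        "removed": sorted(set(d_hdrs) - set(p_hdrs)),
        "changed": {k: (d_hdrs[k], p_hdrs[k])
                    for k in sorted(set(d_hdrs) & set(p_hdrs))
                    if d_hdrs[k] != p_hdrs[k]},
    }


# Constructed sample captures (illustrative, not taken from the thread).
DIRECT = (
    "GET /app/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Connection: keep-alive\r\n\r\n"
)
PROXIED = (
    "GET /app/status HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "X-Forwarded-For: 192.168.1.20\r\n"
    "Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    for field, value in diff_requests(DIRECT, PROXIED).items():
        print(f"{field}: {value}")
```
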



