* On 22/10/06 08:28 -0700, Reza wrote:
| Hello to everyone on the list,
| I’m having a peculiar problem between dansguardian and squid that I
| was hoping you all could help with. First I think I should give a little
| background to the network topology.
| I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec
| tunnel established between them. On the router for Network A (running
| pfSense/BSD) I have the following NAT Redirection rule.
| rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port 8080
| 192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1)
So client hosts are on Network A while DG+Squid are on Network B.
| If I tail the dansguardian.log on 192.168.0.12 I see the following.
|
| 2006.10.21 22:32:09 - 192.168.1.37 http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/AR2006102100487.html GET 1289
|
| At the same time I get the following in the squid access log.
| 1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html
|
| And Squid spits back the following error to my browser on host 192.168.1.37
| ERROR
| The requested URL could not be retrieved
| While trying to retrieve the URL:
| /wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule
| The following error was encountered:
| • Invalid URL
| Some aspect of the requested URL is incorrect. Possible problems:
| • Missing or incorrect access protocol (should be `http://'' or similar)
| • Missing hostname
| • Illegal double-escape in the URL-Path
| • Illegal character in hostname; underscores are not allowed
| Your cache administrator is admin@example.com.
I think that something goes wrong within your IPSEC tunnel, but I am not
sure/certain!
I am running Squid (2.6.3) and DG (2.9.8.) in a transparent proxy
setup in: Client (NAT rdr) -> DG (8080) -> Squid (3128), where DG and
Squid are on the same box, and I have never seen such a problem at all.
I also use FreeBSD 6.x with PF, just like you. The only thing I miss in
my setup is that IPSEC thingy!
| Now an interesting thing to note is that if I open Internet Explorer and go
| to Tools -> Internet Options -> Connections -> Lan Settings -> and set the
| proxy server to 192.168.0.12:8080 while maintaining the already set NAT
| Redirection rule the proxy will work just fine.
| Here are what the logs look like when I manually tell IE to use the DG/Squid
| proxy. In the logs below Squid is receiving the FQDN unlike in the above set
| of logs.
|
| Dansguardian.log
| 2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js GET 0
| 2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js GET 0
| 2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/global.css GET 0
| 2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css GET 0
|
| Squid Access Log
| 1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js - DIRECT/12.129.147.65 -
| 1161488632.701 96 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js - DIRECT/12.129.147.65 -
| 1161488632.884 97 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/global.css - DIRECT/12.129.147.65 -
| 1161488632.898 103 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css - DIRECT/12.129.147.65 -
|
| Can anyone shed some light on this situation? Do the HTTP headers get
| fubar’d by the NAT RDR rule?
Definitely not!!!
| If so why does it work when I set IE manually to use the 192.168.0.12:8080 proxy
| while keeping the NAT RDR rule?
That's the hard part (for me) ;)
| And also I want to mention that the proxy does work if IE is set to use the
| proxy but the NAT RDR rule is inexistent.
There is "direct" connection via your ipsec tunnel.
I'd have wanted to see your config files for DG & Squid but I think the
problem is NOT at their level.
-Wash
http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington <wash@wananchi.com>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121
It's not reality or how you perceive things that's important -- it's what you're taking for it...

Received on Sun Oct 22 2006 - 14:46:09 MDT
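The two sets of logs in the thread differ in one detail: with IE pointed at the proxy explicitly, Squid receives an absolute URL (`GET http://media3.washingtonpost.com/...`), while under the NAT rdr rule it receives only the path (`GET /wp-dyn/content/...`) and answers `TCP_DENIED/400` with the "Invalid URL" page. The following is an added example, not code from the thread, from Squid or from DansGuardian. It shows the reconstruction a proxy must perform on intercepted traffic: an absolute-form request target is used as-is, an origin-form target is rebuilt from the `Host:` header, and a request with no usable hostname is rejected with the same reasons the quoted error page lists. The hostname regex and the sample requests are this example's own constructions.

```python
"""Rebuilding an absolute URL from an intercepted HTTP request.

Added example (not from the mailing-list thread, Squid or DansGuardian).
A browser configured with an explicit proxy sends the absolute URL in the
request line; a transparently redirected browser sends only the path and
carries the hostname in the Host: header.  A proxy that expects the first
form and gets the second has no hostname unless it reads Host:.
"""
import re
from typing import Dict, Optional, Tuple

# Hostname syntax used by the check below: labels of letters, digits and
# hyphens joined by dots.  Underscores are deliberately excluded, which is
# the restriction named in the quoted error page.  The regex itself is
# this example's assumption, not Squid's implementation.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def absolute_url(raw: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (url, None) on success, or (None, reason) when the request
    cannot be turned into an absolute URL.

    absolute-form target (explicit proxy)       -> used unchanged
    origin-form target (transparent intercept)  -> "http://" + Host + path
    """
    _method, target, headers = parse_request(raw)

    if target.lower().startswith(("http://", "https://")):
        return target, None

    if not target.startswith("/"):
        return None, "Missing or incorrect access protocol"

    host = headers.get("host")
    if not host:
        return None, "Missing hostname"

    hostname = host.split(":", 1)[0]          # drop an optional :port
    if not _HOSTNAME_RE.match(hostname):
        return None, "Illegal character in hostname"

    return f"http://{host}{target}", None


# Constructed sample requests (not captured traffic from the thread).
EXPLICIT_PROXY_REQUEST = (
    b"GET http://media3.washingtonpost.com/wp-srv/css/global.css HTTP/1.1\r\n"
    b"Host: media3.washingtonpost.com\r\n\r\n"
)
INTERCEPTED_REQUEST = (
    b"GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html HTTP/1.1\r\n"
    b"Host: www.washingtonpost.com\r\n\r\n"
)
INTERCEPTED_NO_HOST = b"GET /wp-dyn/content/index.html HTTP/1.0\r\n\r\n"
INTERCEPTED_BAD_HOST = b"GET /index.html HTTP/1.1\r\nHost: bad_host.example\r\n\r\n"


if __name__ == "__main__":
    for label, req in (
        ("explicit proxy", EXPLICIT_PROXY_REQUEST),
        ("intercepted", INTERCEPTED_REQUEST),
        ("intercepted, no Host", INTERCEPTED_NO_HOST),
        ("intercepted, bad Host", INTERCEPTED_BAD_HOST),
    ):
        url, reason = absolute_url(req)
        print(f"{label:24} -> {url or 'REJECT: ' + reason}")
```

The "intercepted, no Host" case is what an HTTP/1.0 client without a `Host:` header looks like to an interception proxy: there is nothing to rebuild the URL from, so the request can only be refused. In Squid 2.6 this Host-based reconstruction is what the `transparent` option on `http_port` turns on; without it the proxy treats the bare path as the URL and rejects it.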