RE: squid3HEAD/TPROXY: interception log entries

From: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
Date: Fri, 1 Aug 2008 10:45:55 -0500

BTW-

Setting /proc/sys/net/ipv4/ip_nonlocal_bind to 1 had an interesting
effect.

For internal non-NAT'ed addresses, squid worked great and the getsockopt
errors in cache.log went away. But for external URLs from the same
workstation, the following happens:

1) the browser hangs saying that it is waiting for the remote server
2) the getsockopt errors happen occasionally, the same (92) and (11)
errors
3) squid access.log shows TCP_MISS/000 0 GET messages for each attempted
access to a URL that is a public Internet address.

In my environment, as in most, the workstation is NAT'ed to a public IP
to get to the Internet. I don't know if the failure here is with the
NAT'ing and access controls/protections on my border firewall, or
something in between, like on the gateway router, etc. If I don't hit
the stop button in the browser, eventually the squid access log sees a
TCP_MISS/504 and what looks like a fetch of the page, but the client
shows an error page from squid saying the url could not be retrieved
because of a (110) connection timeout.

Nick

-----Original Message-----
From: Ritter, Nicholas
Sent: Tuesday, July 29, 2008 9:45 AM
To: 'Amos Jeffries'
Cc: 'squid-dev_at_squid-cache.org'
Subject: RE: squid3HEAD/TPROXY: interception log entries

Amos-

I applied that patch you sent over. I applied it against
squid-3.HEAD-20080721 and the build went fine. When I installed it and
did some testing this is what I observed trying to hit the url
http://www.cnn.com:

This testing was done with intercept removed and just tproxy directive
in the squid.conf.

cache.log:

2008/07/29 09:29:52| IPInterception.cc(171) NetfilterTransparent: NF
getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available

access.log:

1217341792.820 0 10.48.1.198 NONE/400 1831 GET / - NONE/- text/html

Exact URL entered into IE7 on WindowsXP SP2 test machine:
http://www.cnn.com

Error on the client:

The following error was encountered while trying to retrieve the URL: /

Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:

Missing or incorrect access protocol (should be http:// or similar)

Missing hostname

Illegal double-escape in the URL-Path

Illegal character in hostname; underscores are not allowed.

It appears as though too much is being stripped from the URL. If I
re-enable both interception and tproxy in squid.conf, I get a working
system again, with this in cache.log:

2008/07/29 09:42:29| IPInterception.cc(137) NetfilterInterception: NF
getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily
unavailable
2008/07/29 09:42:29| IPInterception.cc(171) NetfilterTransparent: NF
getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/07/29 09:42:50| commBind: Cannot bind socket FD 35 to
10.48.1.198:2173: (98) Address already in use
2008/07/29 09:42:50| comm.cc(1002) commResetFD: bind: (98) Address
already in use
2008/07/29 09:42:52| commBind: Cannot bind socket FD 30 to
10.48.1.198:2165: (98) Address already in use
2008/07/29 09:42:52| comm.cc(1002) commResetFD: bind: (98) Address
already in use

I noticed that there is a non-local bind setting in proc:
/proc/sys/net/ipv4/ip_nonlocal_bind. Should I set this to 1 or 0?
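An added diagnostic, not code from the thread above and not Squid's own IPInterception.cc: it repeats on a plain socket the two getsockopt() queries behind the cache.log lines quoted in both messages (SO_ORIGINAL_DST for NAT interception, IP_TRANSPARENT for TPROXY), attempts the setsockopt(IP_TRANSPARENT) that TPROXY spoofing needs, and reads the ip_nonlocal_bind sysctl Nick asks about, printing each errno with an interpretation. Option numbers and the sysctl path are the Linux ones; the function names, the result enum and the wording of the explanations are this example's own assumptions.

```c
/* tproxy_probe.c: repeat, outside Squid, the netfilter socket-option queries
 * behind the cache.log lines in the thread.  Added example, not Squid code.
 * Option values and the sysctl path are Linux's; the fallback #defines only
 * cover headers that predate the options. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef SOL_IP
#define SOL_IP IPPROTO_IP          /* same value on Linux */
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19          /* <linux/in.h> */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80         /* <linux/netfilter_ipv4.h> */
#endif

enum probe_result {
    PROBE_OK = 0,       /* the option answered */
    PROBE_UNSUPPORTED,  /* ENOPROTOOPT, Squid logs it as "(92) Protocol not available" */
    PROBE_TRANSIENT,    /* ENOENT or EAGAIN: option exists but had nothing to report */
    PROBE_OTHER         /* anything else; inspect *err */
};

static enum probe_result classify(int err)
{
    switch (err) {
    case 0:           return PROBE_OK;
    case ENOPROTOOPT: return PROBE_UNSUPPORTED;
    case ENOENT:
    case EAGAIN:      return PROBE_TRANSIENT;
    default:          return PROBE_OTHER;
    }
}

/* Interpretation of the errno values seen in the thread; wording is this
 * example's own, based on the documented meaning of each errno. */
const char *explain_probe_errno(int err)
{
    switch (err) {
    case 0:           return "ok";
    case ENOPROTOOPT: return "option unknown to this kernel or socket type: TPROXY "
                             "or conntrack support missing, or queried on the wrong socket";
    case ENOENT:      return "no conntrack entry for this socket";
    case EAGAIN:      return "resource temporarily unavailable: transient failure, retry";
    case EPERM:       return "process lacks the capability to set IP_TRANSPARENT "
                             "(CAP_NET_ADMIN; newer kernels also accept CAP_NET_RAW)";
    case EADDRINUSE:  return "bind() to the spoofed client address:port collided "
                             "with a socket already using it";
    case ETIMEDOUT:   return "upstream connection timed out";
    default:          return "unexpected errno; see strerror()";
    }
}

/* Ask conntrack for the pre-NAT destination of fd (what REDIRECT/DNAT rewrote). */
enum probe_result probe_original_dst(int fd, struct sockaddr_in *orig, int *err)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    *err = getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len) == 0 ? 0 : errno;
    return classify(*err);
}

/* Read the IP_TRANSPARENT flag; *enabled is meaningful only on PROBE_OK. */
enum probe_result probe_transparent(int fd, int *enabled, int *err)
{
    int val = 0;
    socklen_t len = sizeof(val);
    *err = getsockopt(fd, SOL_IP, IP_TRANSPARENT, &val, &len) == 0 ? 0 : errno;
    *enabled = (*err == 0) ? (val != 0) : 0;
    return classify(*err);
}

/* Try to turn IP_TRANSPARENT on; returns 0 or the errno (EPERM vs ENOPROTOOPT
 * separates "not privileged" from "kernel lacks TPROXY"). */
int enable_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) == 0 ? 0 : errno;
}

/* Current net.ipv4.ip_nonlocal_bind value, or -1 if it cannot be read. */
int read_nonlocal_bind(void)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_nonlocal_bind", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    struct sockaddr_in orig;
    int err = 0, enabled = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    printf("ip_nonlocal_bind = %d\n", read_nonlocal_bind());
    enum probe_result r = probe_original_dst(fd, &orig, &err);
    printf("SO_ORIGINAL_DST: result %d, errno %d (%s): %s\n",
           (int)r, err, strerror(err), explain_probe_errno(err));
    r = probe_transparent(fd, &enabled, &err);
    printf("IP_TRANSPARENT: result %d, enabled %d, errno %d (%s): %s\n",
           (int)r, enabled, err, strerror(err), explain_probe_errno(err));
    err = enable_transparent(fd);
    printf("setsockopt(IP_TRANSPARENT): errno %d (%s): %s\n",
           err, strerror(err), explain_probe_errno(err));
    close(fd);
    return 0;
}
```

Run it once as an unprivileged user and once as root on the proxy box: an ENOPROTOOPT from the IP_TRANSPARENT probe in both runs means the kernel itself lacks the option, while EPERM only from the unprivileged setsockopt() means the kernel is fine and the problem is the privilege of the process doing the bind. A fresh, unconnected socket is expected to get ENOENT (or ENOPROTOOPT without conntrack loaded) from SO_ORIGINAL_DST, since no NAT rewrite applies to it.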
Received on Fri Aug 01 2008 - 15:46:05 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 01 2008 - 12:00:07 MDT