Re: [squid-users] Squid 3.2.0.13 daily release

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 08 Dec 2011 01:42:00 +1300

On 8/12/2011 12:21 a.m., Nguyen Hai Nam wrote:
> On 12/7/2011 4:13 AM, Amos Jeffries wrote:
>> cc'd to squid-dev so the developers can see this info.
>>
>> On Tue, 06 Dec 2011 16:43:38 +0700, Nguyen Hai Nam wrote:
>>> Hi,
>>>
>>> I've installed Squid 3.2.0.13 as an intercepting proxy server. Today
>>> I tried to build the latest version, 3.2.0.13 20111205. The problem is
>>> that sometimes I lose the connection when downloading, e.g. it freezes at
>>> xx% and I have to pause and start to continue. When I open some
>>> websites, it's normal the first time, but if I refresh the opened page I
>>> receive the error "The requested URL could not be retrieved". An
>>> https page that was redirected from another http page also had the same
>>> error.
>>>
>>> I still can't find the reason, besides the version 3.2.0.13 seems
>>> more stable.
>>>
>>> Best regards,
>>> ~ Neddie
>>
>> Thank you for testing and for the feedback.
>>
>> Is there any sign(s) in your cache.log about what is happening?
>>
>> Amos
>>
> Hi Amos,
>
> Here are some results from cache.log:
>
> 2011/12/07 18:06:44.436 kid1| SECURITY ALERT: on URL:
> http://www.facebook.com/plugins/like.php?api_key=111569915535689&channel_url=https%3A%2F%2Fs-static.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1d9058faa7a974%26origin%3Dhttp%253A%252F%252F9gag.com%252Ff3ff0bbf990ee1a%26relation%3Dparent.parent%26transport%3Dpostmessage&extended_social_context=false&href=http%3A%2F%2F9gag.com%2Fgag%2F921853%3Fref%3Dfb&layout=button_count&locale=en_US&node_type=link&sdk=joey&send=false&show_faces=false&width=90

alert starts here...
> 2011/12/07 18:06:44.663 kid1| SECURITY ALERT: Host header forgery
> detected on local=216.137.53.20:80 remote=10.2.178.178:9137 FD 26
> flags=33 (local IP does not match any domain IP)
> 2011/12/07 18:06:44.663 kid1| SECURITY ALERT: By user agent:
> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET
> CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Zune 4.7)
> 2011/12/07 18:06:44.663 kid1| SECURITY ALERT: on URL:
> http://d24w6bsrhbeh9d.cloudfront.net/img/favicon_v2.png
>
ends here. (hmm, maybe we should make these boundaries a bit clearer
somehow.)

So. Why does "d24w6bsrhbeh9d.cloudfront.net" not resolve to
216.137.53.20 for both the client and for Squid? (other IPs are ignored,
alert only happens on a complete absence of the client-visible IP)

>
> And from access.log:
>
<snip re-paste of cache.log trace>
> from debug "squid -d 1"
>
> 1323256004.434 46 10.2.178.178 NONE/409 7352 GET
> http://www.facebook.com/dialog/oauth? - HIER_NONE/- text/html
> 1323256004.438 4 10.2.178.178 NONE/409 6678 GET
> http://www.facebook.com/plugins/like.php? - HIER_NONE/- text/html
> 1323256004.438 2 10.2.178.178 NONE/409 6741 GET
> http://www.facebook.com/plugins/like.php? - HIER_NONE/- text/html
> 1323256004.485 544 10.2.178.178 TCP_MISS/200 752 GET
> http://api.facebook.com/restserver.php? - ORIGINAL_DST/69.171.224.21
> text/javascript
> 1323256004.498 114 10.2.178.178 TCP_MISS/200 2159 GET
> http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/jKEcVPZFk-2.gif -
> ORIGINAL_DST/203.69.113.56 image/gif
> 1323256004.590 245 10.2.178.178 TCP_MISS/204 299 GET
> http://pixel.quantserve.com/pixel;r=27404736;a=p-f8Bn5MbvAQbXQ;fpan=0;fpa=P0-1342892764-1323250128624;ns=0;ce=1;je=1;sr=1280x1024x32;enc=n;dst=0;et=1323256056796;tzo=-420;ref=http%3A%2F%2F9gag.com%2F;url=http%3A%2F%2F9gag.com%2Fgag%2F921853;ogl=title.Props%20to%20the%20man%2Csite_name.9GAG%2Curl.http%3A%2F%2F9gag%252Ecom%2Fgag%2F921853%2Ctype.article%2Cimage.http%3A%2F%2Fd24w6bsrhbeh9d%252Ecloudfront%252Enet%2Fphoto%2F921853_460s%252Ejpg
> - ORIGINAL_DST/203.190.124.15 -
> 1323256004.664 420 10.2.178.178 NONE/409 4718 GET
> http://d24w6bsrhbeh9d.cloudfront.net/img/favicon_v2.png - HIER_NONE/-
> text/html
>
> The problem is:
>
> - Can't open any https website

Seems unrelated. The above are all http:// URLs, also HTTPS are not sent
over port 80 to be intercepted like this.

> - Got error when open/reopen a random website

By "error" you mean the 409's ? or another?

>
> I've installed a new squid box for testing, so feel free to tell me
> whatever to do or supply more log.

I know the latest 3.2 have a strange crash I hit. Causing random
disconnections.

These 409 are a worry in your setup though. Check the DNS servers used
by Squid are the same used by the client(s). For interception that is
important now.

>
> P/S: I think it is related to something new to squid (I guess), because
> other services like: yahoo messenger, thunderbird (IMAP/SMTP), etc ...
> disconnected when I redirect to test

IMAP/SMTP ??! that would be protocols not related to Squid at all.
Perhaps your test box firewall or routing is different regarding them.
If you can, only redirect port 80 traffic and make sure you use policy
routing (or whatever your hardware calls it) to send packets. Avoid
doing NAT, particularly DNAT (destination IP/port) changes, outside the
Squid box.

Amos
Received on Wed Dec 07 2011 - 12:42:11 MST
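
The check described in the reply above (the intercepted connection's destination IP must appear among the addresses the Host name resolves to, and Squid and the clients need the same DNS view), as an added example that is not part of the original message and not Squid's own code. The function names are hypothetical, the resolver answers are constructed placeholder data, and the log lines are the quoted alert with the e-mail wrapping undone and long fields shortened; only IPv4 is handled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the alert quoted above, unwrapped and shortened.
# The first line is the tail of an earlier alert whose opening line is missing.
SAMPLE_LOG = """\
2011/12/07 18:06:44.436 kid1| SECURITY ALERT: on URL: http://www.facebook.com/plugins/like.php?send=false
2011/12/07 18:06:44.663 kid1| SECURITY ALERT: Host header forgery detected on local=216.137.53.20:80 remote=10.2.178.178:9137 FD 26 flags=33 (local IP does not match any domain IP)
2011/12/07 18:06:44.663 kid1| SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0)
2011/12/07 18:06:44.663 kid1| SECURITY ALERT: on URL: http://d24w6bsrhbeh9d.cloudfront.net/img/favicon_v2.png
"""

FORGERY = re.compile(r"SECURITY ALERT: Host header forgery detected on "
                     r"local=(?P<local>[\d.]+):\d+ remote=(?P<remote>[\d.]+):\d+")
ON_URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")

def parse_alerts(text):
    """Pair each 'forgery detected' line with the 'on URL' line that closes it."""
    alerts, current = [], None
    for line in text.splitlines():
        m = FORGERY.search(line)
        if m:
            current = {"dest_ip": m["local"], "client": m["remote"]}
            continue
        m = ON_URL.search(line)
        if m and current is not None:  # ignore 'on URL' lines with no opener
            current["host"] = urlsplit(m["url"]).hostname
            alerts.append(current)
            current = None
    return alerts

def diagnose(alert, squid_dns, client_dns):
    """Membership test against both resolvers; other returned IPs are ignored."""
    if alert["dest_ip"] in squid_dns(alert["host"]):
        return "match"
    in_client_view = alert["dest_ip"] in client_dns(alert["host"])
    return "resolver-mismatch" if in_client_view else "unknown-destination"

# Hypothetical answers (constructed): the proxy's DNS server hands out a
# different CDN address set than the server the client asked.
SQUID_ANSWERS = {"d24w6bsrhbeh9d.cloudfront.net": {"192.0.2.10", "192.0.2.11"}}
CLIENT_ANSWERS = {"d24w6bsrhbeh9d.cloudfront.net": {"216.137.53.20", "192.0.2.11"}}

def report(text=SAMPLE_LOG):
    return [(a["host"], a["dest_ip"],
             diagnose(a, lambda h: SQUID_ANSWERS.get(h, set()),
                      lambda h: CLIENT_ANSWERS.get(h, set())))
            for a in parse_alerts(text)]

if __name__ == "__main__":
    for row in report():
        print(*row)
```

A "resolver-mismatch" result points at the DNS difference the reply asks about; "unknown-destination" means neither resolver returns the address the client connected to.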
