Hello to everyone on the list,
I’m having a peculiar problem between dansguardian and squid that I
was hoping you all could help with. First I think I should give a little
background to the network topology.
I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec
tunnel established between them. On the router for Network A (running
pfSense/BSD) I have the following NAT Redirection rule.
rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port
8080
192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1)
If I tail the dansguardian.log on 192.168.0.12 I see the following.
article/2006/10/21/AR2006102100487.html GET 1289
2006.10.21 22:32:09 - 192.168.1.37
http://www.washingtonpost.com/wp-dyn/content/
At the same time I get the following in the squid access log.
1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET
/wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html
And Squid spits back the following error to my browser on host 192.168.1.37
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL:
/wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule
The following error was encountered:
• Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:
• Missing or incorrect access protocol (should be `http://'' or similar)
• Missing hostname
• Illegal double-escape in the URL-Path
• Illegal character in hostname; underscores are not allowed
Your cache administrator is admin@example.com.
________________________________________
Generated Sun, 22 Oct 2006 03:40:35 GMT by proxy-server.example.com
(squid/2.5.STABLE14)
Now an interesting thing to note is that if I open Internet Explorer and go
to Tools -> Internet Options -> Connections -> Lan Settings -> and set the
proxy server to 192.168.0.12:8080 while mainting the already set NAT
Redirection rule the proxy will work just fine.
Here are what the logs look like when I manually tell IE to use the DG/Squid
proxy. In the logs below Squid is receiving the FQDN unlike in the above set
of logs.
Dansguardian.log
2006.10.22 3:43:52 - 192.168.1.37
http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js
GET 0
2006.10.22 3:43:52 - 192.168.1.37
http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js GET 0
2006.10.22 3:43:52 - 192.168.1.37
http://media3.washingtonpost.com/wp-srv/css/global.css GET 0
2006.10.22 3:43:52 - 192.168.1.37
http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css GET 0
Squid Access Log
1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET
http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js -
DIRECT/12.129.147.65 -
1161488632.701 96 192.168.0.12 TCP_MISS/304 224 GET
http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js -
DIRECT/12.129.147.65 -
1161488632.884 97 192.168.0.12 TCP_MISS/304 224 GET
http://media3.washingtonpost.com/wp-srv/css/global.css -
DIRECT/12.129.147.65 -
1161488632.898 103 192.168.0.12 TCP_MISS/304 224 GET
http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css -
DIRECT/12.129.147.65 -
Can anyone shed some light on this situation? Do the HTTP headers get
fubar’d by the NAT RDR rule? If so why does it work when I set IE manually
to use the 192.168.0.12:8080 proxy while keeping the NAT RDR rule? And also
I want to mention that the proxy does work if IE is set to use the proxy but
the NAT RDR rule is inexistent. I basically only want the NAT RDR rule for
transparent filtering purposes.
Thanks to those who can help and/or try to
-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.408 / Virus Database: 268.13.9/490 - Release Date: 10/20/2006Received on Sun Oct 22 2006 - 09:28:32 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Nov 01 2006 - 12:00:04 MST