ffredrixson@comcast.net wrote:
> I have squid 2.6stable18 on a debian sarge box in non-transparent mode. I also 
> have apache web server setup on this box and it works fine - when the browser is 
> pre-configured for the proxy.
> 
> I have some people come in and use their laptops from time to time so I need a 
> way to automatically direct them to the proxy server. I've read about wpad.dat 
> and proxy.pac and tried setting that up but I always get the TCP_DENIED/400 
> error:invalid-request in the access.log.
> 
> When I pre-configure the browser for the proxy, the wpad.dat page shows me the 
> javascript which from what I've read is what it's supposed to do when I put the 
> URL in the address bar: http://192.168.1.1/wpad.dat.
> 
> When I configure the browser to use an automatic configuration script with that 
> URL, I get the TCP_DENIED/400 errors again.
> 
> I must be missing something, but I've read everything I could find. Is it an acl 
> that I'm missing?
Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.
> 
> Can someone please help me out?
> 
> Thank you in advance.
> 
> Here is my squid.conf:
> 
> memory_pools off
> httpd_suppress_version_string on
> cache_effective_user squid
> cache_effective_group squid
Better leave the group voodoo to the kernel. Set up the user/group on the 
OS properly and it's not needed in squid.conf. effective_user is okay if 
it's not built properly by the package maintainer (But it should be!).
> http_port 3128
> 
> cache_access_log /usr/local/squid/var/logs/access.log
That's now:  access_log ...
> cache_log /usr/local/squid/var/logs/cache.log
> mime_table /usr/local/squid/etc/mime.conf
> log_mime_hdrs on
> useragent_log /usr/local/squid/var/logs/useragent.log
> 
> url_rewrite_program /usr/local/squid/bin/ufdbgclient -l /usr/local/squid/var/logs
> url_rewrite_children 16
> 
> #ACL's
> acl all src 0/0
Make this:  acl all src all
> no_cache deny all
Make this:  cache deny all
(or if you want things cached and bandwidth savings, remove it)
> acl internal_net src 192.168.1.0/24
> 
> acl ok_downloads dstdomain "/var/domains.txt"
> 
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> 
> http_access allow internal_net
None of the other http_access will ever match after that line!
> http_access allow ok_downloads internal_net !
> 
> http_reply_access allow internal_net ok_downloads
Why do this restrictive allow when the next line is a duplicate but more 
friendly one?
Better to just allow all replies. Remember Error pages and Access Denied 
etc are replies!
> http_reply_access allow internal_net
And ok. Good finish.
> http_access deny all
Amos
-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

Received on Mon Mar 10 2008 - 17:13:03 MDT
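
The rule-order remark in the reply above ("None of the other http_access will ever match after that line!") can be checked mechanically. The Python below is an added example, not part of the original message and not a Squid tool; the function names are hypothetical, it compares ACL names textually only, and it assumes the lone trailing `!` in the posted config is stray text.

```python
# Added example: flags http_access rules that an earlier rule makes unreachable.
# Squid checks http_access lines top to bottom; the ACLs on one line are ANDed
# and the first line whose ACLs all match decides the request.

# The http_access lines from the squid.conf quoted in the thread.
POSTED_CONF = """\
http_access allow internal_net
http_access allow ok_downloads internal_net !
http_access deny all
"""

def parse_rules(conf, directive="http_access"):
    """Return [(line_no, action, frozenset_of_acl_literals)] for one directive."""
    rules = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != directive:
            continue
        # "all" is always true, so it adds no condition.
        # Assumption: a lone "!" (as in the posted config) is stray text.
        literals = frozenset(f for f in fields[2:] if f not in ("all", "!"))
        rules.append((line_no, fields[1], literals))
    return rules

def shadowed_rules(conf, directive="http_access"):
    """Return [(shadowed_line, shadowing_line)].

    If every ACL of an earlier rule also appears on a later rule, any request
    that satisfies the later rule has already been decided by the earlier one.
    """
    rules = parse_rules(conf, directive)
    findings = []
    for i, (line_no, _action, literals) in enumerate(rules):
        for earlier_no, _earlier_action, earlier in rules[:i]:
            if earlier <= literals:
                findings.append((line_no, earlier_no))
                break
    return findings

if __name__ == "__main__":
    for later, earlier in shadowed_rules(POSTED_CONF):
        print(f"line {later} can never match: line {earlier} decides first")
```

The check is conservative: it only reports a rule when an earlier rule's ACL names are a subset of its own, so overlapping ACLs with different names are not detected.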