Re: [squid-users] TCP_DENIED/400 error:invalid-request

Amos,

While I appreciate the input on my config file, do you see anything that would cause it to give me these errors?

Here is my wpad.dat:

function FindProxyForURL(url,host) {
          return "PROXY 192.168.1.1:3128";
}

Here is what I see in the logs:

1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1370\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
1205192406.415 0 192.168.1.99 TCP_DENIED/400 1811 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1498\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]

 -------------- Original message ----------------------
From: Amos Jeffries <squid3@treenet.co.nz>
> ffredrixson@comcast.net wrote:
> > I have squid 2.6stable18 on a debian sarge box in non-transparent mode. I also
> > have apache web server setup on this box and it works fine - when the browser
> is
> > pre-configured for the proxy.
> >
> > I have some people come in and use their laptops from time to time so I need a
> > way to automatically direct them to the proxy server. I've read about wpad.dat
> > and proxy.pac and tried setting that up but I always get the TCP_DENIED/400
> > error:invalid-request in the access.log.
> >
> > When I pre-configure the browser for the proxy, the wpad.dat page shows me the
> > javascript which from what I've read is what it's supposed to do when I put
> the
> > URL in the address bar: http://192.168.1.1/wpad.dat.
> >
> > When I configure the browser to use a automatic configuration script with that
> > URL, I get the TCP_DENIED/400 errors again.
> >
> > I must be missing something, but I've read everything I could find. Is it an
> acl
> > that I'm missing?
>
> Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.
>
> >
> > Can someone please help me out?
> >
> > Thank you in advance.
> >
> > Here is my squid.conf:
> >
> > memory_pools off
> > httpd_suppress_version_string on
> > cache_effective_user squid
> > cache_effective_group squid
>
> Better leave the group voodoo to the kernel. Setup the user/group on the
> OS properly and its not needed in squid.conf. effective_user is okay if
> its not built properly by the package maintainer (But it should be!).
>
> > http_port 3128
> >
> > cache_access_log /usr/local/squid/var/logs/access.log
>
> Thats now: access_log ...
>
> > cache_log /usr/local/squid/var/logs/cache.log
> > mime_table /usr/local/squid/etc/mime.conf
> > log_mime_hdrs on
> > useragent_log /usr/local/squid/var/logs/useragent.log
> >
> > url_rewrite_program /usr/local/squid/bin/ufdbgclient -l
> > /usr/local/squid/var/logs
> > url_rewrite_children 16
> >
> > #ACL's
> > acl all src 0/0
>
> Make this: acl all src all
>
> > no_cache deny all
>
> Make this: cache deny all
> (or if you want things cached and bandwidth savings, remove it)
>
> > acl internal_net src 192.168.1.0/24
> >
> > acl ok_downloads dstdomain "/var/domains.txt"
> >
> > acl SSL_ports port 443
> > acl CONNECT method CONNECT
> >
> > http_access allow internal_net
>
> None of the other http_access will ever match after that line!
>
> > http_access allow ok_downloads internal_net !
> >
> > http_reply_access allow internal_net ok_downloads
>
> Why do this restrictive allow when the next line is a duplicate but more
> friendly one?
> Better to just allow all replies. Remember Error pages and Access Denied
> etc are replies!
>
> > http_reply_access allow internal_net
>
> And ok. Good finish.
>
> > http_access deny all
>
> Amos
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.
Received on Mon Mar 10 2008 - 17:36:03 MDT