Re: [squid-users] TCP_DENIED/400 error:invalid-request

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 11 Mar 2008 14:30:06 +1300 (NZDT)

> Amos,
>
> While I appreciate the input on my config file, do you see anything that
> would cause it to give me these errors?
>
> Here is my wpad.dat:
>
> function FindProxyForURL(url,host) {
> return "PROXY 192.168.1.1:3128";
> }

Okay. That makes it a problem with the request the browser is sending.

What are you typing into the address bar to get the error?
Which browser?

Amos

>
> Here is what I see in the logs:
>
> 1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET
> error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad
> Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06
> GMT\r\nContent-Type: text/html\r\nContent-Length: 1370\r\nExpires: Mon, 10
> Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
> 1205192406.415 0 192.168.1.99 TCP_DENIED/400 1811 GET
> error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad
> Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06
> GMT\r\nContent-Type: text/html\r\nContent-Length: 1498\r\nExpires: Mon, 10
> Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
>
> -------------- Original message ----------------------
> From: Amos Jeffries <squid3@treenet.co.nz>
>> ffredrixson@comcast.net wrote:
>> > I have squid 2.6stable18 on a debian sarge box in non-transparent mode.
>> > I also have apache web server setup on this box and it works fine - when
>> > the browser is pre-configured for the proxy.
>> >
>> > I have some people come in and use their laptops from time to time so I
>> > need a way to automatically direct them to the proxy server. I've read
>> > about wpad.dat and proxy.pac and tried setting that up but I always get
>> > the TCP_DENIED/400 error:invalid-request in the access.log.
>> >
>> > When I pre-configure the browser for the proxy, the wpad.dat page shows
>> > me the javascript which from what I've read is what it's supposed to do
>> > when I put the URL in the address bar: http://192.168.1.1/wpad.dat.
>> >
>> > When I configure the browser to use an automatic configuration script
>> > with that URL, I get the TCP_DENIED/400 errors again.
>> >
>> > I must be missing something, but I've read everything I could find. Is
>> > it an acl that I'm missing?
>>
>> Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.
>>
>> >
>> > Can someone please help me out?
>> >
>> > Thank you in advance.
>> >
>> > Here is my squid.conf:
>> >
>> > memory_pools off
>> > httpd_suppress_version_string on
>> > cache_effective_user squid
>> > cache_effective_group squid
>>
>> Better leave the group voodoo to the kernel. Set up the user/group on the
>> OS properly and it's not needed in squid.conf. effective_user is okay if
>> it's not built properly by the package maintainer (But it should be!).
>>
>> > http_port 3128
>> >
>> > cache_access_log /usr/local/squid/var/logs/access.log
>>
>> That's now: access_log ...
>>
>> > cache_log /usr/local/squid/var/logs/cache.log
>> > mime_table /usr/local/squid/etc/mime.conf
>> > log_mime_hdrs on
>> > useragent_log /usr/local/squid/var/logs/useragent.log
>> >
>> > url_rewrite_program /usr/local/squid/bin/ufdbgclient -l /usr/local/squid/var/logs
>> > url_rewrite_children 16
>> >
>> > #ACL's
>> > acl all src 0/0
>>
>> Make this: acl all src all
>>
>> > no_cache deny all
>>
>> Make this: cache deny all
>> (or if you want things cached and bandwidth savings, remove it)
>>
>> > acl internal_net src 192.168.1.0/24
>> >
>> > acl ok_downloads dstdomain "/var/domains.txt"
>> >
>> > acl SSL_ports port 443
>> > acl CONNECT method CONNECT
>> >
>> > http_access allow internal_net
>>
>> None of the other http_access will ever match after that line!
>>
>> > http_access allow ok_downloads internal_net !
>> >
>> > http_reply_access allow internal_net ok_downloads
>>
>> Why do this restrictive allow when the next line is a duplicate but more
>> friendly one?
>> Better to just allow all replies. Remember Error pages and Access Denied
>> etc are replies!
>>
>> > http_reply_access allow internal_net
>>
>> And ok. Good finish.
>>
>> > http_access deny all
>>
>> Amos
>> --
>> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
>> There are serious security advisories out on all earlier releases.
>
>
Received on Mon Mar 10 2008 - 19:30:11 MDT
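
Added example, not part of the original thread and not Squid's own code: a small parser for access.log lines written with log_mime_hdrs on, as in the log excerpt quoted above. It counts error:invalid-request entries per client together with the X-Squid-Error code and whether any request headers were logged. The function names are hypothetical; the first sample line is the thread's log entry rejoined onto one line, the second is constructed.

```python
import re
from collections import Counter

# Squid native access.log with log_mime_hdrs on:
# time elapsed client code/status bytes method URL ident hier/peer type [req] [reply]
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)'
    r'(?:\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\])?\s*$')

def headers(block):
    """Split a logged header block; CR/LF appear as literal \\r\\n text."""
    out = {}
    for item in (block or '').split('\\r\\n'):
        name, sep, value = item.partition(':')
        if sep:  # skips the status line and the trailing \r fragment
            out[name.strip().lower()] = value.strip()
    return out

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a native-format access.log entry
    rec = m.groupdict()
    rec['req_headers'] = headers(rec.pop('req'))
    rec['rep_headers'] = headers(rec.pop('rep'))
    return rec

def invalid_requests(lines):
    """Count (client, X-Squid-Error code, request headers logged?) per rejected request."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec['url'] == 'error:invalid-request':
            err = (rec['rep_headers'].get('x-squid-error') or 'unknown').split()[0]
            hits[(rec['client'], err, bool(rec['req_headers']))] += 1
    return hits

# SAMPLE[0]: log entry from the thread, rejoined. SAMPLE[1]: constructed normal entry.
SAMPLE = [
    r'1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET error:invalid-request - NONE/- text/html [] '
    r'[HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\n'
    r'Content-Length: 1370\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]',
    r'1205192410.120 85 192.168.1.50 TCP_MISS/200 4312 GET http://example.com/ - DIRECT/192.0.2.10 text/html '
    r'[Host: example.com\r\n] [HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r]',
]

if __name__ == '__main__':
    print(dict(invalid_requests(SAMPLE)))
```

In the thread's entries the request header block is empty, so the log by itself does not show what the browser sent.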
