Re: [squid-users] TCP_DENIED/400 error:invalid-request

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 11 Mar 2008 15:06:00 +1300 (NZDT)

So let me get this straight:

 * Squid listens on 192.168.1.1:3128
 * Apache listens on 192.168.1.1:80
 * When IE is _configured_ for startup to load http://192.168.1.1/wpad.dat
 * IE for a URI (any URI?!) it sends a request squid can't handle.

Next thing to check is that HTTP/1.1 is disabled in IE6 configuration.

If that fails too, we are stuck looking at cache.log and at a
tcpdump/wireshark trace of the request to see WTF it's doing.

Amos

> http://192.168.1.1/wpad.dat
>
> IE6
> -------------- Original message ----------------------
> From: "Amos Jeffries" <squid3@treenet.co.nz>
>> > Amos,
>> >
>> > While I appreciate the input on my config file, do you see anything that
>> > would cause it to give me these errors?
>> >
>> > Here is my wpad.dat:
>> >
>> > function FindProxyForURL(url,host) {
>> > return "PROXY 192.168.1.1:3128";
>> > }
>>
>> Okay. That makes it a problem with the request the browser is sending.
>>
>> What are you typing into the address bar to get the error?
>> Which browser?
>>
>> Amos
>>
>> >
>> > Here is what I see in the logs:
>> >
>> > 1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1370\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
>> > 1205192406.415 0 192.168.1.99 TCP_DENIED/400 1811 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1498\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
>> >
>> > -------------- Original message ----------------------
>> > From: Amos Jeffries <squid3@treenet.co.nz>
>> >> ffredrixson@comcast.net wrote:
>> >> > I have squid 2.6stable18 on a debian sarge box in non-transparent mode. I also
>> >> > have apache web server set up on this box and it works fine - when the browser
>> >> > is pre-configured for the proxy.
>> >> >
>> >> > I have some people come in and use their laptops from time to time so I need a
>> >> > way to automatically direct them to the proxy server. I've read about wpad.dat
>> >> > and proxy.pac and tried setting that up but I always get the TCP_DENIED/400
>> >> > error:invalid-request in the access.log.
>> >> >
>> >> > When I pre-configure the browser for the proxy, the wpad.dat page shows me the
>> >> > javascript which from what I've read is what it's supposed to do when I put the
>> >> > URL in the address bar: http://192.168.1.1/wpad.dat.
>> >> >
>> >> > When I configure the browser to use an automatic configuration script with that
>> >> > URL, I get the TCP_DENIED/400 errors again.
>> >> >
>> >> > I must be missing something, but I've read everything I could find. Is it an acl
>> >> > that I'm missing?
>> >>
>> >> Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.
>> >>
>> >> >
>> >> > Can someone please help me out?
>> >> >
>> >> > Thank you in advance.
>> >> >
>> >> > Here is my squid.conf:
>> >> >
>> >> > memory_pools off
>> >> > httpd_suppress_version_string on
>> >> > cache_effective_user squid
>> >> > cache_effective_group squid
>> >>
>> >> Better leave the group voodoo to the kernel. Set up the user/group on the
>> >> OS properly and it's not needed in squid.conf. effective_user is okay if
>> >> it's not built properly by the package maintainer (But it should be!).
>> >>
>> >> > http_port 3128
>> >> >
>> >> > cache_access_log /usr/local/squid/var/logs/access.log
>> >>
>> >> That's now: access_log ...
>> >>
>> >> > cache_log /usr/local/squid/var/logs/cache.log
>> >> > mime_table /usr/local/squid/etc/mime.conf
>> >> > log_mime_hdrs on
>> >> > useragent_log /usr/local/squid/var/logs/useragent.log
>> >> >
>> >> > url_rewrite_program /usr/local/squid/bin/ufdbgclient -l /usr/local/squid/var/logs
>> >> > url_rewrite_children 16
>> >> >
>> >> > #ACL's
>> >> > acl all src 0/0
>> >>
>> >> Make this: acl all src all
>> >>
>> >> > no_cache deny all
>> >>
>> >> Make this: cache deny all
>> >> (or if you want things cached and bandwidth savings, remove it)
>> >>
>> >> > acl internal_net src 192.168.1.0/24
>> >> >
>> >> > acl ok_downloads dstdomain "/var/domains.txt"
>> >> >
>> >> > acl SSL_ports port 443
>> >> > acl CONNECT method CONNECT
>> >> >
>> >> > http_access allow internal_net
>> >>
>> >> None of the other http_access will ever match after that line!
>> >>
>> >> > http_access allow ok_downloads internal_net !
>> >> >
>> >> > http_reply_access allow internal_net ok_downloads
>> >>
>> >> Why do this restrictive allow when the next line is a duplicate but more
>> >> friendly one?
>> >> Better to just allow all replies. Remember Error pages and Access Denied
>> >> etc are replies!
>> >>
>> >> > http_reply_access allow internal_net
>> >>
>> >> And ok. Good finish.
>> >>
>> >> > http_access deny all
>> >>
>> >> Amos
>> >> --
>> >> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
>> >> There are serious security advisories out on all earlier releases.
>> >
>> >
>>
>>
>
>
Received on Mon Mar 10 2008 - 20:06:05 MDT
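
Added example, not part of the original thread or of Squid itself: a small parser for native access.log lines written with log_mime_hdrs on, which counts the ERR_INVALID_REQ rejections discussed above per client so the offending machine can be picked out before reaching for a packet trace. The function names, the 192.168.1.50 client and example.com are assumptions made for the sample.

```python
import re
from collections import Counter

# Native access.log layout with log_mime_hdrs on:
# time elapsed client code/status bytes method url ident hier/peer type [req] [reply]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)"
    r"(?:\s+\[(?P<req_hdrs>.*?)\]\s+\[(?P<rep_hdrs>.*)\])?\s*$"
)

# Constructed sample: two entries shortened from the thread, one invented TCP_MISS.
SAMPLE = [
    r"1205192406.411 0 192.168.1.99 TCP_DENIED/400 1683 GET error:invalid-request "
    r"- NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\n"
    r"X-Squid-Error: ERR_INVALID_REQ 0\r\n\r]",
    r"1205192406.415 0 192.168.1.99 TCP_DENIED/400 1811 GET error:invalid-request "
    r"- NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\n"
    r"X-Squid-Error: ERR_INVALID_REQ 0\r\n\r]",
    r"1205192410.120 85 192.168.1.50 TCP_MISS/200 4312 GET http://example.com/ "
    r"- DIRECT/192.0.2.10 text/html [Host: example.com\r\n] "
    r"[HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r]",
]

def parse_line(line):
    """Return a dict of fields plus parsed reply headers, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["reply"] = {}
    # Squid writes CR/LF inside the header blobs as the literal text \r\n.
    for header in (rec["rep_hdrs"] or "").split(r"\r\n")[1:]:
        name, sep, value = header.partition(": ")
        if sep:
            rec["reply"][name.lower()] = value
    return rec

def is_invalid_request(rec):
    """True when Squid rejected the request as unparseable (ERR_INVALID_REQ)."""
    return (rec["status"] == 400 and rec["url"] == "error:invalid-request"
            and rec["reply"].get("x-squid-error", "").startswith("ERR_INVALID_REQ"))

def invalid_requests_by_client(lines):
    """Count ERR_INVALID_REQ entries per client IP."""
    hits = (parse_line(l) for l in lines)
    return Counter(r["client"] for r in hits if r and is_invalid_request(r))
```

Calling `invalid_requests_by_client(open(path))` on a real access.log gives the same per-client tally; the parsed `req_hdrs` field shows whether Squid logged any request headers for the rejected entry.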

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT