[squid-users] problem with flash player behind NATed firewall

From: Walton, Jason (Accenture) <Jason.Walton_at_mhra.gsi.gov.uk>
Date: Thu, 23 Oct 2008 09:37:39 +0100

Hi,
We've got a peculiar problem which no matter what, I can't find any
solution to. I'm hoping that somebody out there has had a similar
experience and will be able to say "oh, that's easy!".

Our site is trying to access flash videos on website
http://www.healthtalkonline.org/Bones_joints/Rheumatoid_Arthritis/Topic/2209/Interview/1499/Clip/9712.

Any PC sitting behind our firewall gets a connection error when trying
to play the videos.

As an experiment, I have taken a PC and put the PC in the DMZ along with
squid.

I'll call the squid server box A and the PC box B.

Experiment 1.
Setup: Browser on box B talks to the correct port for squid on box A;
box B's IP address is NATed to be visible to the outside world.
Result: internet access to any URL is working; videos are playable on
box B
Conclusion: setup works fine when box B's private IP is made public

Experiment 2.
Setup: Browser on box B talks to an incorrect port for squid on box A;
box B's IP address is NATed to be visible to the outside world.
Result: no internet access is possible on box B.
Conclusion: by only changing the port number of the proxy, we can rule
out any "user" errors in messing up the proxy settings. Internet no
longer works therefore the browser is correctly enforcing port 80 to go
via squid.

Experiment 3.
Setup: Browser on box B talks to the correct port for squid on box A;
NATing is removed such that box B's IP address is no longer visible to
the outside world.
Result: internet access to any URL is working; videos are no longer
playable on box B (connection error is the message in the flash player
window)
Conclusion: when box B's private IP is hidden, we can access any URL,
but once the flash movie starts, some additional routing appears to take
place from the flash server to the private IP of box B (which is no
longer visible).

I've done lots of searching and come up with various (potentially
misleading) scenarios as to why this isn't working.

My main theory is that this site is taking box B's private IP address
and attempting to talk back to this private IP address for Flash content
only on this particular website, and not the incoming NAT of the
firewall.
Looking around I've seen various references made to NAT-T, especially
VoIP over NAT failing.
I've also found an article suggesting that squid doesn't handle HTTP 1.0
forms correctly (the header of the packets coming across contain the
words "HTTP 1.0 POST").

It could be that we're stumped; as this only affects one website that we
know of so far, I suspect that the squid developers (great bunch of
people!) won't have cause to experience this issue yet.

Any help appreciated.

PS: I've tried squid 2.5, 2.6 and 2.7 with different configs, from
default to restrictive to allow-everything-through.

Jason Walton

This email and any files transmitted with it are confidential. If you are not the intended recipient, any reading, printing, storage, disclosure, copying or any other action taken in respect of this email is prohibited and may be unlawful.

If you are not the intended recipient, please notify the sender immediately by using the reply function and then permanently delete what you have received. Incoming and outgoing email messages are routinely monitored for compliance with the Department of Health's policy on the use of electronic communications.

For more information on the Department of Health's email policy, click http://www.dh.gov.uk/DHTermsAndConditions/fs/en?CONTENT_ID=4110945&chk=x1C3Zw

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
Received on Thu Oct 23 2008 - 08:38:46 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 23 2008 - 12:00:04 MDT
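The experiments above compare firewall/NAT states, but they cannot tell whether the player's media request ever reached squid. The proxy's own access.log can. What follows is an added example, not code from the poster or from the squid project: a small parser for squid's native access.log format that groups one client's requests by destination host and classifies the outcome for a given media host. The sample log lines are constructed; 10.0.0.5 and 10.0.0.7 (clients), 192.0.2.10 and 192.0.2.20 (origins), media.example.net and the example-player.swf path are placeholders, not the real site's hosts or paths. The constructed log contains a CONNECT to port 1935 that squid refused, which is what squid's stock ACLs do (`acl SSL_ports port 443` plus `http_access deny CONNECT !SSL_ports`).

```python
"""Triage a squid native-format access.log to see whether a client's
media requests actually went through the proxy.

Added example for this thread, not code from the poster or from squid.
SAMPLE_LOG is constructed: the client/origin IPs, media.example.net and
the .swf path are placeholders (assumptions), not the real site's values.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# squid native format (one request per line):
# time elapsed client action/code size method url ident hierarchy/from type
SAMPLE_LOG = """\
1224751059.123    245 10.0.0.5 TCP_MISS/200 18342 GET http://www.healthtalkonline.org/Bones_joints/Rheumatoid_Arthritis/Topic/2209/Interview/1499/Clip/9712 - DIRECT/192.0.2.10 text/html
1224751059.900     12 10.0.0.5 TCP_HIT/200 51200 GET http://www.healthtalkonline.org/example-player.swf - NONE/- application/x-shockwave-flash
1224751061.050      0 10.0.0.5 TCP_DENIED/403 1510 CONNECT media.example.net:1935 - NONE/- text/html
1224751062.000    300 10.0.0.7 TCP_MISS/200 9000 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
"""


@dataclass
class Entry:
    ts: float
    client: str
    status: str   # squid action/code, e.g. TCP_MISS/200 or TCP_DENIED/403
    method: str
    url: str      # "host:port" for CONNECT, a full URL otherwise


def parse_log(text):
    """Parse native-format lines; skip anything too short to be a request."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        entries.append(Entry(float(f[0]), f[2], f[3], f[5], f[6]))
    return entries


def dest_host_port(e):
    """Destination host and TCP port the client asked squid to reach."""
    if e.method == "CONNECT":
        host, _, port = e.url.rpartition(":")
        return host, int(port)
    u = urlsplit(e.url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def summarize(entries, client):
    """Per destination host, for one client: requests squid served, requests
    it denied, and any CONNECT tunnels requested to ports other than 443."""
    hosts = defaultdict(lambda: {"served": 0, "denied": 0, "tunnel_ports": set()})
    for e in entries:
        if e.client != client:
            continue
        host, port = dest_host_port(e)
        h = hosts[host]
        if e.status.startswith("TCP_DENIED"):
            h["denied"] += 1
        else:
            h["served"] += 1
        if e.method == "CONNECT" and port != 443:
            h["tunnel_ports"].add(port)
    return dict(hosts)


def diagnose(summary, media_host):
    """Classify what the log says about traffic to media_host."""
    h = summary.get(media_host)
    if h is None:
        return "NOT_VIA_PROXY"      # never asked squid: player is going around it
    if h["tunnel_ports"]:
        return "TUNNEL_DENIED" if h["served"] == 0 else "TUNNEL_ALLOWED"
    if h["denied"]:
        return "DENIED"
    return "OK"


EXPLANATION = {
    "NOT_VIA_PROXY": "no request for this host reached squid; the player "
                     "opened its own connection, so only the firewall saw it",
    "TUNNEL_DENIED": "client asked squid to CONNECT to a non-443 port and "
                     "squid refused (default SSL_ports ACL allows only 443)",
    "TUNNEL_ALLOWED": "squid tunnelled a non-443 port; check the firewall "
                      "rules on the proxy's outbound side instead",
    "DENIED": "squid denied plain HTTP requests to this host; check http_access",
    "OK": "all requests for this host were served through squid",
}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary = summarize(entries, "10.0.0.5")
    for host in ("www.healthtalkonline.org", "media.example.net", "absent.example.net"):
        code = diagnose(summary, host)
        print(f"{host}: {code}: {EXPLANATION[code]}")
```

Run it against the real access.log (`parse_log(open("/var/log/squid/access.log").read())`) with the client's IP while reproducing experiment 3. The two outcomes to look for are NOT_VIA_PROXY, meaning the media host never appears for that client and the player is making its own connection that the browser's proxy setting does not govern, and TUNNEL_DENIED, meaning the request did arrive as a CONNECT to a port squid's stock ACLs refuse. Either one explains why the firewall tests alone could not separate "proxy works" from "video works". Note that squid 2.x's native format does not record the HTTP version, so the "HTTP/1.0 POST" question has to be answered from a packet capture rather than from this log.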