Re: [squid-users] Squid, Symantec LiveUpdate, and HTTP 1.1 versus HTTP 1.0

From: Pieter De Wit <pieter_at_insync.za.net>
Date: Fri, 27 Mar 2009 19:53:19 +1300

Hi,

iptables can match a DNS name so you can use that and just restart the
firewall if they mess it up.

If you do something like

iptables -t nat -A PREROUTING -p tcp --dport 80 ! -d liveupdate.symantec.com -j REDIRECT --to-ports 3128

it should work - it will make multiple rules and add them to the chain.

Not sure on the real command line but email me if you are stuck.

Cheers,

Pieter

----- Original Message -----
From: "Wong" <wongbali_at_telkom.net>
To: "Marcus Kool" <marcus.kool_at_urlfilterdb.com>
Cc: "Squid-users" <squid-users_at_squid-cache.org>
Sent: Friday, March 27, 2009 7:40 PM
Subject: Re: [squid-users] Squid, Symantec LiveUpdate, and HTTP 1.1 versus
HTTP 1.0

> Dear all,
>
> I found that Symantec LU has round robin DNS. And they can change DNS A
> record at anytime.
>
> Isn't it better if Squid can bypass the domain name in squid.conf?
> Is it possible?
>
> Wong
>
> ===snip===
>
> [root_at_squid root]# nslookup liveupdate.symantec.com
> Server: 192.168.1.1
> Address: 192.168.1.1#53
>
> Non-authoritative answer:
> liveupdate.symantec.com canonical name = liveupdate.symantec.d4p.net.
> liveupdate.symantec.d4p.net canonical name =
> symantec.georedirector.akadns.net.
> symantec.georedirector.akadns.net canonical name =
> a568.d.akamai.net.
> Name: a568.d.akamai.net
> Address: 60.254.140.170
> Name: a568.d.akamai.net
> Address: 60.254.140.177
> Name: a568.d.akamai.net
> Address: 60.254.140.179
> Name: a568.d.akamai.net
> Address: 60.254.140.160
> Name: a568.d.akamai.net
> Address: 60.254.140.171
> Name: a568.d.akamai.net
> Address: 60.254.140.161
>
> ----- Original Message -----
> From: "Marcus Kool" <marcus.kool_at_urlfilterdb.com>
> To: "Nathan Eady" <galionlibrary_at_gmail.com>
> Cc: <squid-users_at_squid-cache.org>
> Sent: Thursday, March 26, 2009 04:09
> Subject: Re: [squid-users] Squid, Symantec LiveUpdate, and HTTP 1.1 versus
> HTTP 1.0
>
>
>> The story about Squid and HTTP 1.1 is long...
>>
>> To get your LiveUpdate working ASAP you might want to
>> fiddle with the firewall rules and to NOT redirect
>> port 80 traffic of Symantec servers to Squid, but
>> simply let the traffic pass.
>>
>> Nathan Eady wrote:
>>> Okay, we've got port 80 traffic going transparently to a Squid proxy
>>> here, and I need to make a small configuration change, and I can't
>>> seem to find, either in the man pages or on the web, the
>>> documentation on how to do it. It's probably one little line in
>>> squid.conf, but I can't find it.
>>>
>>> Here's the deal:
>>> When I access a site (I tested with Google as well as our own offsite
>>> web server) from a computer that is NOT behind the transparent squid
>>> proxy, issuing an HTTP/1.1 request, I get the normal expected HTTP/1.1
>>> response:
>>>
>>> nathan_at_externalbox$ telnet www.galionlibrary.org 80
>>> Trying 209.143.16.23...
>>> Connected to galionlibrary.org.
>>> Escape character is '^]'.
>>> GET / HTTP/1.1
>>> Host: www.galionlibrary.org
>>>
>>> HTTP/1.1 200 OK
>>> [snip the rest]
>>>
>>> However, when I do the same thing from a system that IS behind the
>>> proxy, I get an HTTP/1.0 response back:
>>> nathan_at_donalbain:~$ telnet www.galionlibrary.org 80
>>> Trying 209.143.16.23...
>>> Connected to galionlibrary.org.
>>> Escape character is '^]'.
>>> GET / HTTP/1.1
>>> Host: www.galionlibrary.org
>>>
>>> HTTP/1.0 200 OK
>>> [snip the rest]
>>>
>>> Until recently I never even noticed this, but now Symantec LiveUpdate
>>> is failing on all the systems behind the proxy. I posted about that
>>> on the Norton Community forum, umm, here:
>>> http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=42361
>>>
>>> The long and short of that thread is that recent updates to LU have
>>> caused it to no longer support HTTP 1.0. The LU servers are all HTTP
>>> 1.1, and now the client requires this. Our setup is not the only
>>> thing breaking as a result (apparently, the built-in "firewalls" on
>>> some home routers also have problems with it), but now that I'm aware
>>> Squid is doing this, it ought to be easy to make some small change in
>>> the configuration and get it to return HTTP 1.1 responses, at least
>>> when the server does -- right?
>>>
>>> But I'm coming up blank on how.
>>>
>>> One other note: the version of Squid we have, for reasons that aren't
>>> worth going into here, is I believe somewhat outdated (-v says
>>> 2.5.STABLE13). But HTTP 1.1 is certifiably older than dirt, so I'd be
>>> extremely amazed if the Squid that we have doesn't support it...
>>> We're going to update it hopefully pretty soon, but getting LiveUpdate
>>> working again is significantly more urgent (and, hopefully, easier;
>>> updating Squid in our case probably means a fresh OS install...)
>>>
>>> So where and how do I configure what Squid does with HTTP versions?
>>> Where is this documented?
>>>
>>> TIA,
>>>
>>> Nathan Eady
>>> Technology Coordinator
>>> Galion Public Library
>>>
>>
>
>
>
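The bypass approach Pieter describes above (iptables expands a hostname into one rule per A record at insertion time, so the rules go stale when the round-robin DNS changes, as Wong's nslookup output shows) can be kept refreshable by putting the per-address exemptions in their own nat chain and regenerating only that chain. The script below is an added example written for this thread, not something posted by any participant. It assumes a chain named SQUID_BYPASS and Squid listening on its default port 3128; the address list passed to it is constructed from the addresses in Wong's nslookup output. The functions print the iptables commands rather than executing them, so the output can be reviewed (or piped to sh) and the script runs on a box without iptables.

```shell
#!/bin/sh
# Added example for the squid-users thread, not code from the thread itself.
# Generates the iptables commands that exempt a host's current A records from
# transparent REDIRECT to Squid, using a dedicated chain that can be re-flushed
# whenever the host's DNS answer changes.
#
# Assumptions: chain name SQUID_BYPASS (hypothetical), Squid on port 3128
# (Squid's default http_port), nat table PREROUTING hook.

BYPASS_CHAIN=SQUID_BYPASS
SQUID_PORT=3128

# resolve_a_records HOST: print HOST's current IPv4 addresses, one per line.
# getent honours /etc/hosts and the system resolver. Not exercised offline.
resolve_a_records() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# setup_rules: one-time wiring, printed for reference. Traffic to port 80 is
# first checked against the bypass chain; ACCEPT in the nat table stops NAT
# processing for that connection, so exempted hosts never reach the REDIRECT.
setup_rules() {
    echo "iptables -t nat -N $BYPASS_CHAIN"
    echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j $BYPASS_CHAIN"
    echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# bypass_rules HOST IP...: print the commands that rebuild the bypass chain
# for HOST from the given addresses. Flushing only this chain leaves the
# PREROUTING REDIRECT rule untouched. Tokens that are not plain IPv4
# addresses are skipped so a bad resolver answer cannot become a rule.
bypass_rules() {
    host=$1; shift
    echo "# bypass rules for $host"
    echo "iptables -t nat -F $BYPASS_CHAIN"
    for ip in "$@"; do
        case $ip in
            ''|*[!0-9.]*) echo "skipping non-IPv4 token: $ip" >&2; continue ;;
        esac
        echo "iptables -t nat -A $BYPASS_CHAIN -d $ip -j ACCEPT"
    done
}

# count_bypass_rules HOST IP...: number of per-address rules that would be added.
count_bypass_rules() {
    bypass_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage: ./squid-bypass.sh liveupdate.symantec.com | sh
# Run from cron to follow DNS changes. With no argument, nothing is executed.
if [ -n "${1:-}" ]; then
    bypass_rules "$1" $(resolve_a_records "$1")
fi
```

Run it periodically (cron every few minutes is enough for an update server) and the chain tracks whatever addresses the resolver currently returns; the one-time setup_rules output is applied once at firewall start.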
Received on Fri Mar 27 2009 - 06:53:57 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 27 2009 - 12:00:02 MDT