RE: [squid-users] Strange issues with accessing facebook and other php driven sites via proxy

From: Kelly, Jack <Jack.Kelly_at_wsdevelopment.com>
Date: Thu, 8 Oct 2009 14:29:27 -0400

Erg, I should've mentioned: I'm running Squid 3.0. I've poured over a
lot of documentation and I haven't been able to decipher whether 3.0
natively supports 1.1, or has no support whatsoever because of the
differences in code between 2.7 and 3.1.

Regardless, I went back and added incoming and outgoing headers to my
access.log format to see what the deal is. Headers from facebook are
coming in as HTTP 1.0.

Is it still possible that my problem lies in needing to find a way to
enable 1.1?

-----Original Message-----
From: Chudy Fernandez [mailto:chudy_fernandez_at_yahoo.com]
Sent: Thursday, October 08, 2009 1:04 PM
To: Kelly, Jack; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Strange issues with accessing facebook and
other php driven sites via proxy

server_http11 on will do the trick

----- Original Message ----
> From: "Kelly, Jack" <Jack.Kelly_at_wsdevelopment.com>
> To: squid-users_at_squid-cache.org
> Sent: Fri, October 9, 2009 12:10:02 AM
> Subject: [squid-users] Strange issues with accessing facebook and
> other php driven sites via proxy
>
> Hi everyone,
> At my office I've implemented a Squid server which uses LDAP
> credentials to give certain users access to certain websites.
> Basically, everyone belongs to a base 'Filtered' group, and individual

> users can be added to a 'FacebookAccess' group for access to facebook.

> This is mainly because some departments (read: marketing) need access
> to facebook while others do not.
>
> I've only been working on in Squid for about a month and although I've

> gotten pretty proficient at getting it to do what I want, I've
> encountered what's seeming to be a higher-level problem.
>
> Here's the relevant section of my conf file:
>
> acl Unfiltered external InetGroup Unfiltered acl FacebookAccess
> external InetGroup FacebookAccess acl Filtered external InetGroup
> Filtered
>
> acl blocksites url_regex "/etc/squid3/block.acl"
> acl whitelist url_regex "/etc/squid3/whitelist.acl"
> acl facebook url_regex .facebook.
> acl fbcdn url_regex .fbcdn.
>
> #Note: these two lines were added to troubleshoot always_direct allow
> fbcdn always_direct allow facebook
>
> http_access allow Unfiltered
> http_access allow Filtered whitelist
> http_access allow FacebookAccess facebook http_access allow
> FacebookAccess whitelist http_access deny Filtered blocksites
> http_access deny FacebookAccess blocksites http_access allow
> FacebookAccess http_access allow Filtered
>
> And here's the problem:
> Users in the FacebookAccess group can get to www.facebook.com
> without a problem, and users who are only in the Filtered group
> cannot. So that's great. However, when they log in and reach
> www.facebook.com/home.php?, they just get a white screen - sometimes.
> Occasionally it works and occasionally it doesnt; there appears to be
> no rhyme or reason to it. I've added ".fbcdn." to my whitelist.acl
> file, because I saw that content from that domain was getting denied
> when facebook loads... but even after that, no go.
>
> When I visit the site and log in, the access.log just shows:
>
> jackk 08/Oct/2009 11:54:30 TCP_MISS/200 GET http://www.facebook.com/
> jackk 08/Oct/2009 11:54:36 TCP_MISS/200 CONNECT login.facebook.com:443

> jackk 08/Oct/2009 11:54:36 TCP_MISS/200 GET
> http://www.facebook.com/home.php?
>
> And to troubleshoot I tried accessing facebook from a member of the
> 'Unfiltered' group, to which no restrictive acl policies apply. Same
> problem. Meanwhile obviously a direct, proxy-free connection to
> facebook from my office works just fine.
>
> I'm very, very stuck. Any advice on what to try next would be hugely
> appreciated.
>
> Thanks!
>
> Jack Kelly
> Network Services Administrator
> W/S Development Associates, LLC
> Chestnut Hill, MA
>
> --------------------------------------------------------
>
> This message (and any associated files) is the property of S. R.
> Weiner and Associates Inc. and W/S Development Associates LLC and is
> intended only for the use of the individual or entity to which it is
> addressed and may contain information that is confidential, subject to

> copyright or constitutes a trade secret. If you are not the intended
> recipient you are hereby notified that any dissemination, copying or
> distribution of this message, or files associated with this message,
> is strictly prohibited. If you have received this message in error,
> please notify us immediately by calling our corporate office at
> 617-232-8900 and deleting this message from your computer.
>
> Internet communications cannot be guaranteed to be secure or
> error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses. Therefore,
> S. R. Weiner and Associates, Inc. and W/S Development Associates LLC
> do not accept responsibility for any errors or omissions that are
> present in this message, or any attachment, that have arisen as a
> result of e-mail transmission. If verification is required, please
> request a hard-copy version of this message.
>
> Any views or opinions presented in this message are solely those of
> the author and do not necessarily represent those of the company.

      
Received on Thu Oct 08 2009 - 18:30:08 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 09 2009 - 12:00:02 MDT