Re: [squid-users] Frustrating "Invalid Request" Reply

From: Ümit Kablan <umitkablan_at_gmail.com>
Date: Mon, 28 Feb 2011 16:51:54 +0200

Hi, Sorry for the late reply,

2011/2/25 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 25/02/11 22:53, Ümit Kablan wrote:
>>
>> 2011/2/24 Amos Jeffries<squid3_at_treenet.co.nz>:
>>>
>>> On Wed, 23 Feb 2011 12:32:56 +0200, Ümit Kablan wrote:
>>>>
>>>>
>>>> 2011/2/22 Amos Jeffries :
>>>>>
>>>>> On Tue, 22 Feb 2011 17:24:39 +0200, Ümit Kablan wrote:
>>>>>>
>>>>>> 2011/2/21 Amos Jeffries wrote:
>>>>>>>
>>>>>>> On Mon, 21 Feb 2011 16:19:53 +0200, Ümit Kablan wrote:
>>>>>>>>
>>>>>>>> -------
>>>>>>>> GET
>>>>>>>>
>>>>>>>> /search?hl=tr&source=hp&biw=1276&bih=823&q=eee+ktu&aq=0&aqi=g10&aql=&oq=eee&fp=64d53dfd7a69225a&tch=3&ech=1&psi=6UBOTbHmCtah_Aa2haXRDw12969740590425&wrapid=tlif129697480915821&safe=active
>>>>>>>> HTTP/1.1
>>>>>>>
>>>>>>> Note the missing http://domain details in the URL. This is not a
>>>>>>> browser->proxy HTTP request. It is a browser->origin request.
>>>>>>>
>>>>>>> IIRC interception of this type of request does not work in Windows,
>>>>>>> since
>>>>>>> the kernel NAT details are not available without proprietary
>>>>>>> third-party
>>>>>>> network drivers. Look at WPAD configuration of the localnet browsers
>>>>>>> instead, that way they will send browser->proxy requests nicely.
>>>>>>
>>>>>> Exactly! The working requests are all starting with http://domain/ as
>>>>>> you mentioned. (I must say I couldn't capture loopback network packets
>>>>>> ...
>>>>>
>>>>> Squid needs to be configured via the http_port to know what mode/type
>>>>> of
>>>>> traffic it is going to receive. The browsers need to be sending the
>>>>> right
>>>>> type as well.
>>>>
>>>> I have
>>>> -----
>>>> http_port 3128
>>>> -----
>>>> in my configuration. Do I miss something?
>>>
>>> Yes. But you keep omitting the details of *how* browsers are getting to
>>> squid, so we can't tell if you are attempting to run a transparent proxy
>>> or
>>> a reverse proxy. Two very different configurations both in Squid and in
>>> the
>>> network underneath.
>>>
>>> Please confirm your network layout and traffic flows including software
>>> which is involved on each related machine.
>>>
>>
>> My network has 20+ machines all connecting to internet individually
>> through ONE adsl modem in my network (those are connected to each
>> other with a switch). My browsers are configured to use the squid
>> proxy explicitly (so I think it has nothing to do with transparency)
>>
>
> Okay. Then it is VERY weird that they would be behaving as if the proxy were
> an origin server and not a proxy. None of the major browsers or thousands of
> other agents out there display that type of confusion.
>
>>>
>>> You say this Squid is on Windows where interception type of transparent
>>> proxy is not possible for free, but keep mentioning the public website
>>> google as working.
>>
>> Actually I was trying to stress on the weird problem I encountered to
>> help shed some light on the problem.
>>
>>>
>>> I suspect you are trying to perform NAT interception on a separate box to
>>> Squid. Which is highly dangerous.
>>>
>>
>> I think NAT inspection you mentioned is not executed on the XP machine
>> where squid is running, yes. But I am not sharing my internet
>> connection through that windows machine. I just want clients (those
>> browsers configured to use proxy) use the internal proxy.
>
> If the NAT anywhere is forwarding packets to Squid it would display like
> this inside Squid.
>
>
> Check for NAT (sometimes called port forwarding) rules on that box
> mentioning the Squid box. Remove any found.
>
> As an experiment you can also add a full firewall block of HTTP traffic
> coming out of the network from anywhere except the Squid box. If the
> browsers are correctly configured and going
> browser->squid->firewall->Internet then the client will not even notice the
> firewall block.

Amos, I couldn't make that experiment you defined but I installed
wireshark on that client machine (192.168.1.120) to sniff the network
conversation with the proxy (192.168.1.10). Here is what I got:

Enter the search engine: [192.168.1.10 -> 192.168.1.120]

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: NID=44=gkt-jx_qa_J60q_7Kh4Js1k6NWv6AiHLRZ9CS-rvoyYOmqzicK-QCaJ0G6i0NEWMU_ZMLkbmSi3SM1lY87Wa-4xbeSbMW587mgMopt52Ft63oWkorPWy1qT2lT7yOkh_; PREF=ID=35a4f1ae7230beb1:U=b17222c86da2e9a2:FF=0:TM=1298386458:LM=1298903279:S=lsWVEGvnUbx5O1tO

Start typing a phrase and it tries to autocomplete: [192.168.1.10 -> 192.168.1.120]

GET http://clients1.google.com.tr/complete/search?hl=tr&client=hp&q=ert&cp=3 HTTP/1.1
Host: clients1.google.com.tr
Proxy-Connection: keep-alive
Referer: http://www.google.com.tr/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: NID=44=WDrVJT3IHROI8LLhYljiGzpNonvug9envnNeEoo6qdVxw1B1eHwarlfgZgODzoTsj7i7QGza5luXEqgQuFx7eWduz3Pcc-8IFrLp8tTyIaJC9VgyXEyQAv0qBQD3Dxm9; PREF=ID=e5ce72ddfd5e542a:U=0163fee991eaa35b:FF=0:TM=1298386459:LM=1298903279:S=6Sakp_hgUHZXMW1W

Enter the full phrase and hit enter: [192.168.1.10 -> 192.168.1.120]

GET /search?hl=tr&source=hp&biw=1280&bih=897&q=ertex&aq=2&aqi=g10&aql=&oq=ert&fp=3405898bc8895081&tch=1&ech=1&psi=_LBrTd6iFM-o8QPm5P3tDA12989033090755&safe=active HTTP/1.1
Host: www.google.com.tr
Proxy-Connection: keep-alive
Referer: http://www.google.com.tr/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: NID=44=WDrVJT3IHROI8LLhYljiGzpNonvug9envnNeEoo6qdVxw1B1eHwarlfgZgODzoTsj7i7QGza5luXEqgQuFx7eWduz3Pcc-8IFrLp8tTyIaJC9VgyXEyQAv0qBQD3Dxm9; PREF=ID=e5ce72ddfd5e542a:U=0163fee991eaa35b:FF=0:TM=1298386459:LM=1298903279:S=6Sakp_hgUHZXMW1W

[192.168.1.120 -> 192.168.1.10]

HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE8
Date: Mon, 28 Feb 2011 14:30:43 GMT
Content-Type: text/html
Content-Length: 2044
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from kiemserver
X-Cache-Lookup: NONE from kiemserver:3128
Via: 1.0 kiemserver:3128 (squid/2.7.STABLE8)
Connection: close

Last is the weird part. It crops the full url and it thinks it is
talking directly to the origin as you already said. Or I am skipping
something obvious.

>
> Amos
> --

Regards,

-- 
Ümit
Received on Mon Feb 28 2011 - 14:52:01 MST
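
Added example, not part of the original message and not Squid code: a Python check that classifies the request-target of each request in a client-to-proxy capture and flags the origin-form one, the kind that the Squid 2.7 listener on port 3128 answered with ERR_INVALID_REQ in the capture above. The sample bytes are constructed from that capture (shortened, cookies left out); the function names and the http scheme used to rebuild the URL are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the three captured requests above
# (query strings shortened, most headers and all cookies left out).
CAPTURE = (
    b"GET http://www.google.com/ HTTP/1.1\r\n"
    b"Host: www.google.com\r\nProxy-Connection: keep-alive\r\n\r\n"
    b"GET http://clients1.google.com.tr/complete/search?hl=tr&q=ert HTTP/1.1\r\n"
    b"Host: clients1.google.com.tr\r\nProxy-Connection: keep-alive\r\n\r\n"
    b"GET /search?hl=tr&q=ertex&safe=active HTTP/1.1\r\n"
    b"Host: www.google.com.tr\r\nProxy-Connection: keep-alive\r\n\r\n"
)


def target_form(method, target):
    """Name the request-target form, using RFC 7230 section 5.3 terms."""
    if method == "CONNECT":
        return "authority-form"
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    parts = urlsplit(target)
    return "absolute-form" if parts.scheme and parts.netloc else "invalid"


def audit(raw):
    """Classify each bodiless request in a client->proxy byte stream."""
    findings = []
    for block in raw.decode("latin-1").split("\r\n\r\n"):
        lines = [ln for ln in block.split("\r\n") if ln]
        if not lines:
            continue
        fields = lines[0].split(" ")
        if len(fields) != 3:  # malformed request line
            findings.append({"form": "invalid", "proxy_ok": False,
                             "url": None, "proxy_header": False})
            continue
        method, target, _version = fields
        hdrs = dict((k.strip().lower(), v.strip()) for k, v in
                    (h.split(":", 1) for h in lines[1:] if ":" in h))
        form = target_form(method, target)
        # A forward-proxy port expects absolute-form (authority-form for CONNECT).
        ok = form in ("absolute-form", "authority-form")
        # For origin-form, rebuild the URL the client meant (scheme assumed http).
        url = target if form != "origin-form" else \
            "http://%s%s" % (hdrs.get("host", "?"), target)
        findings.append({"form": form, "proxy_ok": ok, "url": url,
                         "proxy_header": "proxy-connection" in hdrs})
    return findings
```

A finding with `proxy_ok` false and `proxy_header` true matches the third captured request: the client still sends Proxy-Connection, yet the request line carries only the path.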