Re: [squid-users] SECURITY ALERT: Squid Cache: Version 3.2.0.13

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 02 Dec 2011 01:12:40 +1300

On 1/12/2011 9:58 p.m., David Touzeau wrote:
> Le mercredi 30 novembre 2011 à 11:14 +1300, Amos Jeffries a écrit :
>> On Tue, 29 Nov 2011 22:48:39 +0100, David Touzeau wrote:
>>> Dear
>>>
>>> I'm trying to make Squid Cache: Version 3.2.0.13-20111127-r11436 work in
>>> transparent mode
>>>
>>> But squid refuses access to some websites.
>>> For example google.* is ok
>>>
>>> but microsoft is impossible.
>>>
>>> How to fix this issue?
>> Track down the client software which is producing the requests.
>>
>>> On event :
>>>
>>
>> ... missing log line...
>>
>>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
>>> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
>>> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
>>> 3.0.4506.2152; .NET CLR 3.5.30729)
>>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
>>> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>> ... missing log line...
>>
>>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
>>> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
>>> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
>>> 3.0.4506.2152; .NET CLR 3.5.30729)
>>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
>>> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>>
>> Which brings us back to the question of where the key log line has
>> disappeared to.
>>
>> The log line which says "Host header forgery from $C ($A does not match
>> $B)"
>>
>> What those $ values are is important to how to fix it. $C is the
>> connection details needed to isolate the machine to investigate. $A and
>> $B the details which it is getting wrong.
>>
>> Amos
>>
>
> I have made other tests.
>
> Here is the dump.
>
> Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> 3.0.4506.2152; .NET CLR 3.5.30729)
> Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
> http://db2.stb00.s-msn.com/i/42/72A83D0D39814D13CA15F184E71D2.jpg
> Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> 3.0.4506.2152; .NET CLR 3.5.30729)

Hmm, same as the last lot. Let's take another approach.

Start with checking the actual cache.log (usually
/var/logs/squid/cache.log or /var/log/squid/cache.log). syslog is only a
copy and an unreliable one it appears.

If you don't have a cache.log you will need to configure one to be written.

If you are still getting useless data out of the cache.log you can try
setting "debug_options 11,2" for a short period. This dumps the entire
HTTP headers in both directions, coming AND going from Squid, which can
be a lot of data if you have a high level of traffic. What we look for
in that load is the "HTTP Client Request" and TCP details with the same URL
and User-Agent that are showing up in your alerts.

Amos
Received on Thu Dec 01 2011 - 12:12:48 MST

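The diagnosis in this thread hinges on one log line: the "Host header forgery from $C ($A does not match $B)" line that names the client connection and the two values Squid found inconsistent, which the syslog copy had dropped, leaving only the "By user agent:" and "on URL:" lines. The following script is an added example, not code from the thread or from the Squid project. It groups SECURITY ALERT lines from a cache.log or syslog extract into per-incident records using the line template quoted above, reports groups that arrived without the forgery line (the failure mode seen here), and tallies complete records by client so the machine to investigate can be isolated. The sample log, its addresses and the URLs are constructed; the exact wording Squid emits may differ from the template, so adjust FORGERY_RE against your own cache.log.

```python
import re
from collections import Counter

# Constructed sample, not the thread's real log. The first group is complete
# (forgery line + user agent + URL); the second is "orphaned" the way the
# syslog copy in the thread was, with the forgery line missing.
SAMPLE_LOG = """\
Dec  1 09:56:22 squid2 squid[28798]: SECURITY ALERT: Host header forgery from 192.0.2.25:51234 (203.0.113.10 does not match 198.51.100.7)
Dec  1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Dec  1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL: http://www.example.com/index.html
Dec  1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Dec  1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL: http://www.example.com/logo.png
"""

# Everything after the "SECURITY ALERT:" tag, whatever syslog prefix precedes it.
ALERT_RE = re.compile(r"SECURITY ALERT:\s*(?P<body>.*)$")
# Template quoted in the thread: "Host header forgery from $C ($A does not match $B)".
# Assumption: $C, $A and $B contain no closing parenthesis.
FORGERY_RE = re.compile(
    r"^Host header forgery from (?P<client>\S+) \((?P<a>.+?) does not match (?P<b>.+?)\)$"
)
UA_RE = re.compile(r"^By user agent:\s*(?P<ua>.*)$")
URL_RE = re.compile(r"^on URL:\s*(?P<url>\S+)$")


def _new_record(client=None, a=None, b=None):
    return {"client": client, "a": a, "b": b, "user_agent": None, "url": None}


def parse_alerts(text):
    """Group SECURITY ALERT lines into records.

    A forgery line always opens a new record. A user-agent or URL line attaches
    to the open record if that field is still empty; otherwise it opens an
    orphaned record (client/a/b unknown), which is what a dropped forgery line
    looks like.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line; ignore
        body = m.group("body").strip()

        f = FORGERY_RE.match(body)
        if f:
            current = _new_record(f.group("client"), f.group("a"), f.group("b"))
            alerts.append(current)
            continue

        ua = UA_RE.match(body)
        if ua:
            if current is None or current["user_agent"] is not None:
                current = _new_record()  # orphaned: no forgery line preceded it
                alerts.append(current)
            current["user_agent"] = ua.group("ua")
            continue

        u = URL_RE.match(body)
        if u:
            if current is None or current["url"] is not None:
                current = _new_record()
                alerts.append(current)
            current["url"] = u.group("url")
    return alerts


def summarize(alerts):
    """Count complete vs. orphaned records and tally complete ones by client."""
    complete = [r for r in alerts if r["client"] is not None]
    orphaned = len(alerts) - len(complete)
    by_client = Counter(r["client"] for r in complete)
    return {"complete": len(complete), "orphaned": orphaned, "clients": dict(by_client)}


if __name__ == "__main__":
    records = parse_alerts(SAMPLE_LOG)
    for r in records:
        print(r)
    print(summarize(records))
```

Run it against a real extract with `parse_alerts(open("/var/log/squid/cache.log").read())`; a non-zero "orphaned" count with zero "complete" records means the key line is not reaching the log you are reading, which is exactly the situation the reply above describes, and the fix is to read cache.log directly rather than the syslog copy.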