Re: [squid-users] whitelisted IP problem

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 20 Mar 2012 02:31:56 +0200

On 20/03/2012 01:40, Vijay S wrote:
> Hi Eliezer
>
> I did access your url and it gave me the output as
>
> Your IP address is : 122.166.1.184
>
> I also tried doing
> request_header_access X-Forwarded-For deny Safe_ports
>
> Still no luck, log is as follows
> 1332199742.075 2 192.168.1.117 TCP_DENIED/403 3481 CONNECT
> feeds.example.com:80 - NONE/- text/html
> 1332199746.551 1 192.168.1.117 TCP_DENIED/403 3481 CONNECT
> feeds.example.com:80 - NONE/- text/html
can you access my site using the proxy?
I just noticed your proxy config is wrong and must give you this 403 denied.

the logs are saying you are denied to use the proxy.
try to add the following to the proxy squid.conf settings.
at:
after> acl all src all
add> acl localnet src 192.168.1.0/24

after> acl CONNECT method CONNECT
add> http_access allow localnet Safe_ports

and I'm trying to understand...
is this a php script?
just to understand another thing:
you are using the proxy on a gateway machine and this other machine is
accessing from the lan to the internet?
as far as I understand from the log you are trying to use SSL over port 80?
if so then you must specify a rule at the http_access to allow it such as:
http_access allow localnet CONNECT Safe_ports

but adding the rules I wrote you before should give you the right response.

Regards,
Eliezer
>
> this is what i did
>
> $filePath = 'http://feeds.example.com/newsfeeds.xml';
> $s = curl_init($filePath);
> curl_setopt($s,CURLOPT_RETURNTRANSFER,1);
> curl_setopt($s, CURLOPT_HEADER, false);
>
> curl_setopt($s, CURLOPT_HTTPPROXYTUNNEL, TRUE);
> curl_setopt($s, CURLOPT_PROXY, "http://192.168.1.117:3128");
> curl_setopt($s, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
> curl_setopt($s, CURLOPT_URL, $filePath);
>
> // Make the request
> $xml = '';
> $xml = curl_exec($s);
> $xml = trim($xml);
> curl_close($s);
>
>
>
>
> On Tue, Mar 20, 2012 at 5:00 AM, Eliezer Croitoru<eliezer_at_ngtech.co.il> wrote:
>> On 20/03/2012 00:36, Vijay S wrote:
>>>
>>> Sorry I cannot share the url and hence I'm replacing the feed as
>>> http://feeds.example.com/newsfeeds.xml
>>>
>>> On Tue, Mar 20, 2012 at 1:37 AM, Eliezer Croitoru<eliezer_at_ngtech.co.il>
>>> wrote:
>>>>
>>>> On 19/03/2012 18:58, Vijay S wrote:
>>>>>
>>>>>
>>>>> Hi
>>>>>
>>>>> I have my server box hosting apache and squid on a centos machine.
>>>>> When I send my request for clients' feeds it works as they have
>>>>> whitelisted my IP address, and when I make the call via squid it gives
>>>>> me invalid IP. I checked the access log for more information and found
>>>>> out instead of sending my IP address it's sending the localhost IP
>>>>> address (127.0.0.1).
>>>>
>>>>
>>>> I'm still trying to understand your network infrastructure.
>>>> you have one apache server that also hosts squid?
>>>
>>> Yes
>>>
>>>> can you give the logs output?
>>>
>>> 1332194292.909 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT
>>> feeds.example.com:80 - NONE/- text/html
>>> 1332194335.536 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT
>>> feeds.example.com:80 - NONE/- text/html
>>> 1332194399.852 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT
>>> feeds.example.com:80 - NONE/- text/html
>>>
>>>
>>>> what is the /etc/hosts content?
>>>
>>> 122.166.1.184 localhost
>>> 122.166.1.184 reactmedia.com
>>> 122.166.1.184 rm117
>>>
>>>
>>>> by clients you mean your clients of squid?
>>>
>>> there is no squid, I'm accessing a feeds URL
>>> http://feeds.example.com/newsfeeds.xml
>>>
>>>> what do you mean by whitelisted your ip address?
>>>
>>> requests from my ip only can access these feeds, which they have
>>> configured. it opens when I access from a browser but when I call from
>>> squid using php curl it does not work
>>>
>>>> is the apache server listening on port 80?
>>>
>>> Yes
>>
>>
>> this part made me understand the problem.
>> if you do want to understand the problem try to get into this address:
>> http://www1.ngtech.co.il/myip.php
>> I think the problem is that the proxy is forwarding a "x_forward" header on
>> the http request which is making the problem.
>> if your proxy is using "the x_forward" you will see it in the page.
>>
>> in order to disable this header you can add to your squid.conf this
>> directive:
>> request_header_access X-Forwarded-For deny Safe_ports
>>
>> if it is indeed what caused the problem you should be ok.
>>
>> Regards,
>> Eliezer
>>
>>
>>>
>>>> can you access it directly by ip + port 80? (no proxy)
>>>
>>> yes
>>>
>>>> when with proxy it's not working?
>>>
>>> True
>>>
>>>> if it's so then try to change the hosts file with the hostname in it to
>>>> external_ip www.hostname.domain
>>>
>>> it's not the domain to ip mapping issue, when my request is sent it's
>>> sent as 192.168.1.10 instead of 122.166.1.184, and hence the client url
>>> is blocking me considering the ip is not listed in their
>>> whitelisted IP's opened for me to access.
>>>
>>>
>>>>
>>>> Regards,
>>>> Eliezer
>>>>
>>>>
>>>>> I googled a little and found that using tcp_outgoing_address directive
>>>>> I can control the outgoing IP address and to my bad luck this didn’t
>>>>> work
>>>>>
>>>>> My configuration file is as follows
>>>>>
>>>>> acl all src all
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>> acl to_localhost dst 127.0.0.0/32
>>>>> acl SSL_ports port 443
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 # https
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>>
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>>
>>>>> http_access allow localhost
>>>>> http_access deny all
>>>>>
>>>>> icp_access allow all
>>>>>
>>>>> http_port 3128
>>>>>
>>>>> visible_hostname loclahost
>>>>> debug_options ALL,1 33,2 28,9
>>>>> tcp_outgoing_address 122.166.1.184
>>>>>
>>>>> Can somebody help me with configuration for the my servers. It will be
>>>>> of great help.
>>>>>
>>>>> Thanks & Regards
>>>>> Vijay
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer <at> ngtech.co.il
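As an added illustration that is not part of the thread, the following Python model replays Squid's first-match http_access evaluation over the ACLs Vijay posted, for the CONNECT-to-port-80 request seen in his access.log, before and after the localnet allow line Eliezer suggested. It assumes a 192.168.1.0/24 localnet (taken from the logged client addresses), simplifies ACL matching to src/port/method, and leaves out the manager rules.

```python
import ipaddress

# Constructed model of the ACLs in the squid.conf posted in the thread (manager
# rules omitted; localnet assumed from the logged 192.168.1.x client addresses).
ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["192.168.1.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
}
# http_access lines in the order Vijay posted them.
ORIGINAL_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
# Eliezer's suggested line placed right after the acl definitions, i.e. before
# the existing http_access rules (order is what matters in squid).
SUGGESTED_RULES = [("allow", ["localnet", "Safe_ports"])] + ORIGINAL_RULES

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(n) for n in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req["method"] in values

def rule_matches(terms, req):
    # Every ACL on one http_access line must match (AND); a leading "!" negates.
    return all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms)

def evaluate(rules, req):
    """Squid-style first match: (action, rule text) of the first matching line;
    if nothing matches, the opposite of the last line's action applies."""
    for action, terms in rules:
        if rule_matches(terms, req):
            return action, "http_access %s %s" % (action, " ".join(terms))
    return ("allow" if rules[-1][0] == "deny" else "deny"), "default"

# Constructed from the access.log line quoted in the thread:
# 192.168.1.117 TCP_DENIED/403 ... CONNECT feeds.example.com:80
CONNECT_80 = {"src": "192.168.1.117", "method": "CONNECT", "port": 80}
PLAIN_GET = {"src": "192.168.1.117", "method": "GET", "port": 80}
```

With the original rules the CONNECT is stopped by `http_access deny CONNECT !SSL_ports` and a plain GET from the LAN by `deny all`; with the suggested line first, both are allowed because it is matched before either deny.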
Received on Tue Mar 20 2012 - 00:32:05 MDT
