shoaibi
February 24th, 2009, 02:14 AM
I have a firewall machine which itself runs squid. I want to enable a transparent proxy.
Now if I set it in my browser's proxy settings, squid works fine, but if I use the firewall (shorewall) to transparently proxy all web traffic from my IP, I get:
Firefox page shows:
#
ERROR
#
The requested URL could not be retrieved
#
#
While trying to process the request:
#
#
GET /2007/11/14/hosting-git-repositories-the-easy-and-secure-way HTTP/1.1
#
Host: scie.nti.st
#
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/2.0.0.12;MEGAUPLOAD 1.0
#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#
Accept-Language: en-us
#
Accept-Encoding: gzip,deflate
#
Accept-Charset: UTF-8,*
#
Keep-Alive: 300
#
Connection: keep-alive
#
If-Modified-Since: Mon, 23 Feb 2009 15:11:51 GMT
#
If-None-Match: "-1225905936"
#
#
#
#
The following error was encountered:
#
#
* Invalid Request
#
#
Some aspect of the HTTP Request is invalid. Possible problems:
#
#
* Missing or unknown request method
#
* Missing URL
#
* Missing HTTP Identifier (HTTP/1.0)
#
* Request is too large
#
* Content-Length missing for POST or PUT requests
#
* Illegal character in hostname; underscores are not allowed
#
#
Your cache administrator is root@cosp.org.pk.
#
Generated Tue, 24 Feb 2009 04:00:06 GMT by cosp.org.pk (squid/2.6.STABLE18)
Tail of squid/access.log:
#
1235448006.259 0 172.20.0.101 TCP_DENIED/400 2063 GET error:invalid-request - NONE/- text/html
#
1235448007.078 0 172.20.0.101 TCP_DENIED/400 2567 GET error:invalid-request - NONE/- text/html
#
1235448011.381 0 172.20.0.101 TCP_DENIED/400 1637 GET error:invalid-request - NONE/- text/html
#
1235448036.737 1 172.20.0.101 TCP_DENIED/400 1919 GET error:invalid-request - NONE/- text/html
#
1235448036.946 0 172.20.0.101 TCP_DENIED/400 2513 GET error:invalid-request - NONE/- text/html
#
1235448036.983 0 172.20.0.101 TCP_DENIED/400 1900 GET error:invalid-request - NONE/- text/html
#
1235448040.903 0 172.20.0.101 TCP_DENIED/400 1930 GET error:invalid-request - NONE/- text/html
#
Firewall (shorewall) rule:
REDIRECT loc:172.20.0.101 3128 tcp www - !202.147.161.xx
squid.conf without comments:
#
acl all src 0.0.0.0/0.0.0.0
# cache manager interface (cache_object://); restricted to localhost below
acl manager proto cache_object
#
acl localhost src 127.0.0.1/255.255.255.255
#
acl to_localhost dst 127.0.0.0/8
# ports CONNECT tunnels are permitted to reach (see "deny CONNECT !SSL_ports")
acl SSL_ports port 443 # https
#
acl SSL_ports port 563 # snews
#
acl SSL_ports port 873 # rsync
# destination ports any request may reach; everything else is denied below
acl Safe_ports port 80 # http
#
acl Safe_ports port 21 # ftp
#
acl Safe_ports port 443 # https
#
acl Safe_ports port 70 # gopher
#
acl Safe_ports port 210 # wais
#
acl Safe_ports port 1025-65535 # unregistered ports
#
acl Safe_ports port 280 # http-mgmt
#
acl Safe_ports port 488 # gss-http
#
acl Safe_ports port 591 # filemaker
#
acl Safe_ports port 777 # multiling http
#
acl Safe_ports port 631 # cups
#
acl Safe_ports port 873 # rsync
#
acl Safe_ports port 901 # SWAT
#
acl purge method PURGE
#
acl CONNECT method CONNECT
#
# http_access is evaluated top-down, first match wins; manager and PURGE only from the box itself
http_access allow manager localhost
#
http_access deny manager
#
http_access allow purge localhost
#
http_access deny purge
# block requests to ports outside Safe_ports, and CONNECT tunnels to anything but SSL_ports
http_access deny !Safe_ports
#
http_access deny CONNECT !SSL_ports
#
#
# the LAN that may use this cache; keep this tight, since with interception the
# destination URL is rebuilt from the client-supplied Host header
acl home_networks src 172.20.0.0/24
#
http_access allow home_networks
#
http_access allow localhost
# default deny for every other client
http_access deny all
#
#
#
# ICP peer queries from anywhere; harmless as long as no cache_peer is configured
icp_access allow all
# NOTE(review): a plain http_port only accepts proxy-style requests (absolute URL in the
# request line). Traffic redirected by the firewall arrives as "GET /path HTTP/1.1", which
# squid 2.6 rejects with "Invalid Request" (matches the TCP_DENIED/400 entries in the log
# above) unless the port is declared as "http_port 3128 transparent" -- confirm.
http_port 3128
# never forward dynamic (cgi-bin / query-string) requests to a peer
hierarchy_stoplist cgi-bin ?
#
access_log /var/log/squid/access.log squid
#
# do not cache dynamic content
acl QUERY urlpath_regex cgi-bin \?
#
cache deny QUERY
#
# refresh_pattern <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp: 1440 20% 10080
#
refresh_pattern ^gopher: 1440 0% 1440
#
refresh_pattern . 0 20% 4320
#
#
#
# workaround for Apache responses with broken Vary/encoding handling
acl apache rep_header Server ^Apache
#
broken_vary_encoding allow apache
# extra request methods (WebDAV / SVN) squid will accept as valid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#
# contact address and name shown on error pages (visible in the error page quoted above)
cache_mgr root@cosp.org.pk
#
visible_hostname cosp.org.pk
#
hostname_aliases ns1.cosp.hq nextcube.doesntexist.org cosp.dontexist.org cosp.doesntexist.org nextcube.cosp.hq
#
#
#
hosts_file /etc/hosts
#
coredump_dir /var/spool/squid
Any ideas?
Now if I set it in my browser's proxy settings, squid works fine, but if I use the firewall (shorewall) to transparently proxy all web traffic from my IP, I get:
Firefox page shows:
#
ERROR
#
The requested URL could not be retrieved
#
#
While trying to process the request:
#
#
GET /2007/11/14/hosting-git-repositories-the-easy-and-secure-way HTTP/1.1
#
Host: scie.nti.st
#
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/2.0.0.12;MEGAUPLOAD 1.0
#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#
Accept-Language: en-us
#
Accept-Encoding: gzip,deflate
#
Accept-Charset: UTF-8,*
#
Keep-Alive: 300
#
Connection: keep-alive
#
If-Modified-Since: Mon, 23 Feb 2009 15:11:51 GMT
#
If-None-Match: "-1225905936"
#
#
#
#
The following error was encountered:
#
#
* Invalid Request
#
#
Some aspect of the HTTP Request is invalid. Possible problems:
#
#
* Missing or unknown request method
#
* Missing URL
#
* Missing HTTP Identifier (HTTP/1.0)
#
* Request is too large
#
* Content-Length missing for POST or PUT requests
#
* Illegal character in hostname; underscores are not allowed
#
#
Your cache administrator is root@cosp.org.pk.
#
Generated Tue, 24 Feb 2009 04:00:06 GMT by cosp.org.pk (squid/2.6.STABLE18)
Tail of squid/access.log:
#
1235448006.259 0 172.20.0.101 TCP_DENIED/400 2063 GET error:invalid-request - NONE/- text/html
#
1235448007.078 0 172.20.0.101 TCP_DENIED/400 2567 GET error:invalid-request - NONE/- text/html
#
1235448011.381 0 172.20.0.101 TCP_DENIED/400 1637 GET error:invalid-request - NONE/- text/html
#
1235448036.737 1 172.20.0.101 TCP_DENIED/400 1919 GET error:invalid-request - NONE/- text/html
#
1235448036.946 0 172.20.0.101 TCP_DENIED/400 2513 GET error:invalid-request - NONE/- text/html
#
1235448036.983 0 172.20.0.101 TCP_DENIED/400 1900 GET error:invalid-request - NONE/- text/html
#
1235448040.903 0 172.20.0.101 TCP_DENIED/400 1930 GET error:invalid-request - NONE/- text/html
#
Firewall (shorewall) rule:
REDIRECT loc:172.20.0.101 3128 tcp www - !202.147.161.xx
squid.conf without comments:
#
acl all src 0.0.0.0/0.0.0.0
# cache manager interface (cache_object://); restricted to localhost below
acl manager proto cache_object
#
acl localhost src 127.0.0.1/255.255.255.255
#
acl to_localhost dst 127.0.0.0/8
# ports CONNECT tunnels are permitted to reach (see "deny CONNECT !SSL_ports")
acl SSL_ports port 443 # https
#
acl SSL_ports port 563 # snews
#
acl SSL_ports port 873 # rsync
# destination ports any request may reach; everything else is denied below
acl Safe_ports port 80 # http
#
acl Safe_ports port 21 # ftp
#
acl Safe_ports port 443 # https
#
acl Safe_ports port 70 # gopher
#
acl Safe_ports port 210 # wais
#
acl Safe_ports port 1025-65535 # unregistered ports
#
acl Safe_ports port 280 # http-mgmt
#
acl Safe_ports port 488 # gss-http
#
acl Safe_ports port 591 # filemaker
#
acl Safe_ports port 777 # multiling http
#
acl Safe_ports port 631 # cups
#
acl Safe_ports port 873 # rsync
#
acl Safe_ports port 901 # SWAT
#
acl purge method PURGE
#
acl CONNECT method CONNECT
#
# http_access is evaluated top-down, first match wins; manager and PURGE only from the box itself
http_access allow manager localhost
#
http_access deny manager
#
http_access allow purge localhost
#
http_access deny purge
# block requests to ports outside Safe_ports, and CONNECT tunnels to anything but SSL_ports
http_access deny !Safe_ports
#
http_access deny CONNECT !SSL_ports
#
#
# the LAN that may use this cache; keep this tight, since with interception the
# destination URL is rebuilt from the client-supplied Host header
acl home_networks src 172.20.0.0/24
#
http_access allow home_networks
#
http_access allow localhost
# default deny for every other client
http_access deny all
#
#
#
# ICP peer queries from anywhere; harmless as long as no cache_peer is configured
icp_access allow all
# NOTE(review): a plain http_port only accepts proxy-style requests (absolute URL in the
# request line). Traffic redirected by the firewall arrives as "GET /path HTTP/1.1", which
# squid 2.6 rejects with "Invalid Request" (matches the TCP_DENIED/400 entries in the log
# above) unless the port is declared as "http_port 3128 transparent" -- confirm.
http_port 3128
# never forward dynamic (cgi-bin / query-string) requests to a peer
hierarchy_stoplist cgi-bin ?
#
access_log /var/log/squid/access.log squid
#
# do not cache dynamic content
acl QUERY urlpath_regex cgi-bin \?
#
cache deny QUERY
#
# refresh_pattern <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp: 1440 20% 10080
#
refresh_pattern ^gopher: 1440 0% 1440
#
refresh_pattern . 0 20% 4320
#
#
#
# workaround for Apache responses with broken Vary/encoding handling
acl apache rep_header Server ^Apache
#
broken_vary_encoding allow apache
# extra request methods (WebDAV / SVN) squid will accept as valid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#
# contact address and name shown on error pages (visible in the error page quoted above)
cache_mgr root@cosp.org.pk
#
visible_hostname cosp.org.pk
#
hostname_aliases ns1.cosp.hq nextcube.doesntexist.org cosp.dontexist.org cosp.doesntexist.org nextcube.cosp.hq
#
#
#
hosts_file /etc/hosts
#
coredump_dir /var/spool/squid
Any ideas?