Netgate Discussion Forum

    Reverse Proxy package - transparent proxy issues.

      gwhynott

      Hello,

      I installed the reverseproxy package recently. It appeared to be working for a few days, but today, after a long holiday, any attempt at accessing the internet without having a proxy defined produces an error page from squid (see below). If you configure the proxy, it works without error.

      Any idea what we should take a look at?

      thanks,
      greg

      **ERROR
      The requested URL could not be retrieved

      While trying to process the request:

      GET /imghp?hl=en&tab=wi HTTP/1.1
      Host: www.google.ca
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Referer: http://www.google.ca/
      Cookie: PREF=ID=d718fb9830e7294d:U=7a33e03f16:FF=0:TM=1312337753:LM=1323366791:IG=4:S=3pldk33FfkkgEw; NID=56=SEDITsAyB_M1U7HM-oGXo–-EDIT---; PP_TOS_ACK=130

      The following error was encountered:

      Invalid Request

      Some aspect of the HTTP Request is invalid. Possible problems:

      Missing or unknown request method
          Missing URL
          Missing HTTP Identifier (HTTP/1.0)
          Request is too large
          Content-Length missing for POST or PUT requests
          Illegal character in hostname; underscores are not allowed

      Your cache administrator is admin@company.com.
      Generated Tue, 21 Feb 2012 15:16:32 GMT by proxy-master (squid/2.7.STABLE9)**

        marcelloc

        What reverse proxy did you install?

        It looks like you have set up a normal proxy (squid).

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

          gwhynott

          @marcelloc:

          What reverse proxy did you install?
          It looks like you have set up a normal proxy (squid).

          It is the squid-reverse package, 2.7.9_2. This was a fresh install; the other package was never installed on this image. I chose it over the normal 3.0 squid package as it offered OWA-centric bits.

          While pondering what the issue might be on my way home last night… There are 2 pfs boxes, with CARP and VIPs. On the inside, I am binding the squid process to the VIP and the physical interface, rather than using a NAT redirect as suggested to me by yourself in another post last week. I was going to try the NAT method today and see where that gets us. It doesn't seem like it should matter, as the connection is making it to the squid, and it's the process itself complaining...

          thanks Marcello,
          greg

            gwhynott

            I tried to create the NAT forward rule, not sure if I did this correctly.

            Firewall -> NAT -> Port Forward, add a rule with these options:

            interface = LAN
            prot = TCP
            source = my machine's IP (for testing without affecting rest of network)
            dest IP = any
            dest port = 80
            redirect target IP = 127.0.0.1
            redirect target port = 80 (tried 3128 as well)

            Sound correct for the NAT redirect?

            When I set this up and have no proxy configured on the client, I see the below in the logs, and the pages load direct.

            access log:
            1329929967.294      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
            1329930139.167      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html

            and in cache.log:
            2012/02/22 12:24:40| clientTryParseRequest: FD 68 (10.101.2.99:51735) Invalid Request
            2012/02/22 12:24:40| clientTryParseRequest: FD 72 (10.101.2.99:51736) Invalid Request
            2012/02/22 12:24:40| clientTryParseRequest: FD 21 (10.101.2.99:51737) Invalid Request
            2012/02/22 12:24:40| clientTryParseRequest: FD 21 (10.101.2.99:51738) Invalid Request

            The above is from when I'm trying to load "whatismyip.com".

            Here is a sampling of the contents of my squid.conf; let me know if there are any others you may like to see.

            # This file is automatically generated by pfSense
            # Do not edit manually !

            http_port 10.101.111.11:3128
            http_port 127.0.0.1:3128
            http_port 127.0.0.1:3128 transparent
            icp_port 0

            # Custom options
            http_port 10.101.111.3:3128

            # Setup allowed acls
            http_access allow allowed_subnets

            # Default block all to be sure
            http_access deny all

            Removing the NAT rule and enabling transparent proxy results in the same error as in my original post from the squid process.

            I feel like changing the default rule on the internal network to point at the physical interface instead of the VIP for a test. I have a feeling it's related to the VIP usage somehow, as this worked before I turned on CARP and added a redundant box to the setup. But I may have tweaked something else along the way…
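
A triage sketch for the two log excerpts in the post above, added here as an example (not code from the thread, pfSense or Squid): it finds clients whose requests were logged as TCP_DENIED/400 with no parsed URL (NONE://) in access.log and matches them against clientTryParseRequest "Invalid Request" entries in cache.log. The sample logs are constructed from the lines quoted above plus invented filler lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log lines quoted in the post.
ACCESS_LOG = """\
1329929967.294      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
1329930139.167      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
1329930200.010    142 10.101.2.50 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
"""
CACHE_LOG = """\
2012/02/22 12:24:40| clientTryParseRequest: FD 68 (10.101.2.99:51735) Invalid Request
2012/02/22 12:24:40| clientTryParseRequest: FD 72 (10.101.2.99:51736) Invalid Request
2012/02/22 12:24:41| storeDirWriteCleanLogs: Starting...
"""

# Squid native access.log: time elapsed client code/status bytes method URL ident hier/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)
CACHE_RE = re.compile(r"clientTryParseRequest: FD \d+ \((?P<client>[^:)]+):\d+\) Invalid Request")

def unparsed_requests(access_log):
    """Per client, count requests logged as TCP_DENIED/400 with a NONE:// URL."""
    hits = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m and m["code"] == "TCP_DENIED" and m["status"] == "400" and m["url"].startswith("NONE:"):
            hits[m["client"]] += 1
    return hits

def parser_rejections(cache_log):
    """Per client, count clientTryParseRequest 'Invalid Request' lines."""
    hits = Counter()
    for line in cache_log.splitlines():
        m = CACHE_RE.search(line)
        if m:
            hits[m["client"]] += 1
    return hits

def triage(access_log, cache_log):
    """Clients that show the pattern in both logs, with the count from each."""
    a, c = unparsed_requests(access_log), parser_rejections(cache_log)
    return {ip: {"access_400": a[ip], "cache_invalid": c[ip]} for ip in a if ip in c}

if __name__ == "__main__":
    for ip, counts in triage(ACCESS_LOG, CACHE_LOG).items():
        print(ip, counts)
```
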

              trendchiller

              Please do NOT use NAT rules for reverse proxy mode, use FIREWALL rules instead, because the reverse proxy listens to the interface IP already…

              use a firewall rule like: all:tcp:80 to wan-interface-address:tcp:80

              this should work ;-)

                gwhynott

                Sorry, forgot to update this thread. It did work, and thank you very much.  8)

                -g

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.