Netgate Discussion Forum

    Squid/DG Transparent Filtering - FQDN truncated.

    General pfSense Questions
    4 Posts 2 Posters 3.6k Views
    xibalba

      Hello to everyone,
      This really isn't completely pertaining to just pfSense, but I was hoping someone on the forum might be trying to do something similar and could give me some insight as to what's happening.
      First I think I should give a little background to the network topology.
      I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec tunnel established between them. On the router for Network A (running pfSense) I have the following NAT Redirection rule.
      rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port 8080
      192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1)

      If I tail the dansguardian.log on 192.168.0.12 I see the following.

      2006.10.21 22:32:09 - 192.168.1.37 http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/AR2006102100487.html  GET 1289

      At the same time I get the following in the squid access log.
      1161470040.990      7 192.168.0.12 TCP_DENIED/400 1659 GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html
      It looks like the FQDN is getting truncated from the URI when coming from DG->Squid.

      And Squid spits back the following error to my browser on host 192.168.1.37
      ERROR
      The requested URL could not be retrieved
      While trying to retrieve the URL: /wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule
      The following error was encountered:
      • Invalid URL
      Some aspect of the requested URL is incorrect. Possible problems:
      • Missing or incorrect access protocol (should be `http://'' or similar)
      • Missing hostname
      • Illegal double-escape in the URL-Path
      • Illegal character in hostname; underscores are not allowed
      Your cache administrator is admin@example.com.


      Generated Sun, 22 Oct 2006 03:40:35 GMT by proxy-server.example.com (squid/2.5.STABLE14)

      Now an interesting thing to note is that if I open Internet Explorer and go to Tools -> Internet Options -> Connections -> LAN Settings and set the proxy server to 192.168.0.12:8080 (or 3128; DansGuardian/Squid respectively) while maintaining the already set NAT redirection rule, the proxy will work just fine, and also without the NAT RDR rule.
      Here are what the logs look like when I manually tell IE to use the DG/Squid proxy.

      Dansguardian.log
      2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js  GET 0
      2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js  GET 0
      2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/global.css  GET 0
      2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css  GET 0

      Squid Access Log
      1161488632.513    100 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js - DIRECT/12.129.147.65 -
      1161488632.701    96 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js - DIRECT/12.129.147.65 -
      1161488632.884    97 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/global.css - DIRECT/12.129.147.65 -
      1161488632.898    103 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css - DIRECT/12.129.147.65 -
      FQDN isn't truncated here anymore.

      Can anyone shed some light on this situation? Do the HTTP headers get fubar'd by the NAT RDR rule? If so, why does it work when I set IE manually to use the 192.168.0.12:8080 proxy while keeping the NAT RDR rule? And I also want to mention that the proxy does work if IE is set to use the proxy but the NAT RDR rule is nonexistent. I basically only want the NAT RDR rule for transparent filtering purposes.
      Thanks to those who can help and/or try to T

      hoba

        Browsers won't send user information if they have no proxy specified. That's also the reason why the squid package disables authentication settings when transparent mode is selected.

        xibalba

          Do you know what directives it uses to disable the authentication settings? As far as I know, squid on my FreeBSD (192.168.0.12) machine doesn't have authentication set up, and it has an ACL to allow access from 192.168/16.

          xibalba

            Fixed this issue by adding this to my squid.conf on host 192.168.0.12:

            httpd_accel_host virtual
            httpd_accel_port 80
            httpd_accel_with_proxy on
            httpd_accel_uses_host_header on

            Thanks hoba.

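What hoba's reply and the squid.conf fix above boil down to, as an added example that is not part of this thread, of pfSense or of Squid's own code: a browser with no proxy configured sends an origin-form request line (`GET /path HTTP/1.1`) and puts the site name only in the `Host` header, while a browser talking to an explicit proxy sends the full URL in the request line. A proxy that receives intercepted (rdr'd) traffic therefore has to rebuild the absolute URL from `Host`, which is what `httpd_accel_uses_host_header on` tells Squid 2.5 to do; without it Squid sees a URL with no scheme or hostname and answers 400 "Invalid URL", exactly the `TCP_DENIED/400` line in the poster's access log. The two raw requests, the resolver table and the 198.51.100.x / 203.0.113.x addresses below are constructed for the example. The final function is the caveat a practitioner wants with this setup: `Host` is client-controlled, so a transparent proxy that builds URLs from it should check that the name actually resolves to the address the client originally connected to (the pre-rdr destination); the 2.5 configuration in this thread does no such check, and later Squid releases added one.

```python
"""Rebuilding the absolute URL of a transparently intercepted HTTP request.

Constructed example, not code from the thread or from Squid: shows why the
intercepted request fails without httpd_accel_uses_host_header and how the
URL is reconstructed with it, plus a Host-vs-original-destination check.
"""

# Constructed sample requests (not captures from the poster's hosts).
# As a browser with no proxy configured sends it (origin-form + Host):
INTERCEPTED = (
    b"GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html HTTP/1.1\r\n"
    b"Host: www.washingtonpost.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"\r\n"
)
# As the same browser sends it to an explicitly configured proxy (absolute-form):
EXPLICIT_PROXY = (
    b"GET http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/"
    b"AR2006102100487.html HTTP/1.1\r\n"
    b"Host: www.washingtonpost.com\r\n"
    b"\r\n"
)

# Constructed stand-in for DNS, keyed by hostname (RFC 5737 documentation addresses).
RESOLVER = {"www.washingtonpost.com": {"198.51.100.10", "198.51.100.11"}}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; the body, if any, is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def absolute_url(raw: bytes, accel_uses_host_header: bool, accel_port: int = 80):
    """Return (status, url) as a proxy would before it can forward the request.

    200 means an absolute URL is available.  400 mirrors Squid 2.5's
    "Invalid URL / Missing hostname" response to an origin-form request when
    it has not been told to rebuild the URL from the Host header.
    """
    _method, target, headers = parse_request(raw)
    if target.startswith(("http://", "https://")):
        return 200, target          # explicit-proxy form: nothing to rebuild
    if not target.startswith("/"):
        return 400, target          # neither origin-form nor absolute-form
    host = headers.get("host")
    if not accel_uses_host_header or not host:
        return 400, target          # the TCP_DENIED/400 case in the thread
    if ":" not in host and accel_port != 80:
        host = f"{host}:{accel_port}"   # httpd_accel_port other than 80
    return 200, f"http://{host}{target}"


def host_matches_original_destination(raw: bytes, original_dst_ip: str,
                                      resolver=RESOLVER) -> bool:
    """Verify the client-supplied Host resolves to the pre-rdr destination.

    Without this check any client behind the rdr rule can reach an
    arbitrary origin simply by forging the Host header.
    """
    _method, _target, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    return original_dst_ip in resolver.get(host, set())


if __name__ == "__main__":
    print(absolute_url(INTERCEPTED, accel_uses_host_header=False))
    print(absolute_url(INTERCEPTED, accel_uses_host_header=True))
    print(absolute_url(EXPLICIT_PROXY, accel_uses_host_header=False))
    print(host_matches_original_destination(INTERCEPTED, "198.51.100.10"))
    print(host_matches_original_destination(INTERCEPTED, "203.0.113.5"))
```

The first call reproduces the failure in the thread (status 400 for an origin-form request when the Host header is not used), the second the behaviour after the four `httpd_accel_*` lines are added, and the third shows why the manually configured IE proxy worked regardless of the rdr rule. On a pf-based box the original destination for the last check has to come from the pf state table (the rdr'd connection arrives addressed to the proxy itself), which is outside what the thread's configuration does.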
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.