Squid/DG Transparent Filtering - FQDN truncated.
Hello to everyone,
This really isn't completely pertaining to just pfSense but I was hoping someone on the forum might be trying to do something similar and could give me some insight as to what's happening.
First I think I should give a little background to the network topology.
I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec tunnel established between them. On the router for Network A (running pfSense) I have the following NAT Redirection rule.
rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port 8080
192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1)
If I tail the dansguardian.log on 192.168.0.12 I see the following.
2006.10.21 22:32:09 - 192.168.1.37 http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/AR2006102100487.html GET 1289
At the same time I get the following in the squid access log.
1161470040.990 7 192.168.0.12 TCP_DENIED/400 1659 GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html
It looks like the FQDN is getting truncated from the URI when coming from DG->Squid.
And Squid spits back the following error to my browser on host 192.168.1.37
The requested URL could not be retrieved
While trying to retrieve the URL: /wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule
The following error was encountered:
• Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:
• Missing or incorrect access protocol (should be `http://' or similar)
• Missing hostname
• Illegal double-escape in the URL-Path
• Illegal character in hostname; underscores are not allowed
Your cache administrator is email@example.com.
Generated Sun, 22 Oct 2006 03:40:35 GMT by proxy-server.example.com (squid/2.5.STABLE14)
Now an interesting thing to note is that if I open Internet Explorer and go to Tools -> Internet Options -> Connections -> LAN Settings -> and set the proxy server to 192.168.0.12:8080 (or 3128; DansGuardian/Squid respectively) while maintaining the already set NAT Redirection rule, the proxy will work just fine, and also without the NAT RDR rule.
Here are what the logs look like when I manually tell IE to use the DG/Squid proxy.
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js GET 0
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js GET 0
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/global.css GET 0
2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css GET 0
Squid Access Log
1161488632.513 100 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js - DIRECT/18.104.22.168 -
1161488632.701 96 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js - DIRECT/22.214.171.124 -
1161488632.884 97 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/global.css - DIRECT/126.96.36.199 -
1161488632.898 103 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css - DIRECT/188.8.131.52 -
FQDN isn't truncated here anymore.
Can anyone shed some light on this situation? Do the HTTP headers get fubar’d by the NAT RDR rule? If so why does it work when I set IE manually to use the 192.168.0.12:8080 proxy while keeping the NAT RDR rule? And also I want to mention that the proxy does work if IE is set to use the proxy but the NAT RDR rule is inexistent. I basically only want the NAT RDR rule for transparent filtering purposes.
Thanks to those who can help and/or try to T
hoba:
Browsers won't send user information if they have no proxy specified. That's also the reason why the squid package disables authentication settings when transparent mode is selected.
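To make hoba's point concrete, here is a small added illustration (not code from this thread, pfSense, Squid or DansGuardian) of why the FQDN disappears. A browser that has a proxy configured sends a proxy-style request line carrying the full URL; a browser that thinks it is talking to the origin server, and is silently handed to the proxy by the rdr rule, sends only the path plus a Host header. A proxy that only understands the first form ends up with the bare "/wp-dyn/..." seen in the squid access log and rejects it as an invalid URL; one that rebuilds the URL from the Host header gets the full address back. The two request captures are constructed for the example, and the parsing is a simplified model, not Squid's actual code:

```python
"""Model of how a proxy sees the same fetch in explicit vs transparent mode.
Added illustration for this thread; the requests below are constructed."""
from urllib.parse import urlsplit

# What the browser sends when it is configured to use a proxy
# (absolute-form request target).
EXPLICIT_PROXY_REQUEST = (
    b"GET http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/AR2006102100487.html HTTP/1.1\r\n"
    b"Host: www.washingtonpost.com\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

# Same fetch when the browser believes it is talking to the origin server and
# the rdr rule hands the connection to the proxy (origin-form target + Host).
TRANSPARENT_REQUEST = (
    b"GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html HTTP/1.1\r\n"
    b"Host: www.washingtonpost.com\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

# HTTP/1.0 client with no Host header: the hostname is simply not there.
NO_HOST_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def effective_url(raw: bytes, use_host_header: bool):
    """Return the absolute URL the proxy would look up, or None if it cannot.

    use_host_header=False models a proxy that only understands proxy-style
    request lines: an origin-form target comes out as a bare path, which is
    the truncated '/wp-dyn/...' URI that was logged as TCP_DENIED/400.
    use_host_header=True models a proxy that rebuilds the URL from Host.
    """
    _method, target, _version, headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return target              # already absolute: nothing to rebuild
    if not use_host_header:
        return target              # bare path: the FQDN looks "truncated"
    host = headers.get("host")
    if not host:
        return None                # nothing to rebuild from in the request itself
    return f"http://{host}{target}"


def is_valid_proxy_url(url) -> bool:
    """Mimic the 'Missing hostname' check behind the Invalid URL error page."""
    if url is None:
        return False
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.hostname)


if __name__ == "__main__":
    for label, req in [("explicit", EXPLICIT_PROXY_REQUEST),
                       ("transparent", TRANSPARENT_REQUEST),
                       ("no-host", NO_HOST_REQUEST)]:
        for mode in (False, True):
            url = effective_url(req, use_host_header=mode)
            print(f"{label:11} host-header={mode!s:5} -> {url!r}  valid={is_valid_proxy_url(url)}")
```

The explicit-proxy request yields the same URL in both modes, which matches the observation that pointing IE at 192.168.0.12:8080 works with or without the rdr rule. The transparent request only produces a usable URL when the proxy is allowed to rebuild it from the Host header, and a request with no Host header at all cannot be repaired from the request alone; a transparent setup then has only the original destination address that the redirect rule saw to fall back on.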
Do you know what directives it uses to disable the authentication settings? As far as I know, squid on my FreeBSD (192.168.0.12) machine doesn't have authentication set up, and it has an ACL to allow access from 192.168/16.
Fixed this issue by adding this to my squid.conf on host 192.168.0.12