Squid/DG Transparent Filtering - FQDN truncated.



  • Hello to everyone,
    This really isn't completely pertaining to just pfSense, but I was hoping someone on the forum might be trying to do something similar and could give me some insight as to what's happening.
    First I think I should give a little background to the network topology.
    I have Network A (192.168.1/24) and Network B (192.168.0/24) with an IPSec tunnel established between them. On the router for Network A (running pfSense) I have the following NAT Redirection rule.
    rdr on dc0 inet proto tcp from any to any port = http -> 192.168.0.12 port 8080
    192.168.0.12 is the host running both squid and dansguardian (FreeBSD 6.1)

    If I tail the dansguardian.log on 192.168.0.12 I see the following.

    2006.10.21 22:32:09 - 192.168.1.37 http://www.washingtonpost.com/wp-dyn/content/article/2006/10/21/AR2006102100487.html  GET 1289

    At the same time I get the following in the squid access log.
    1161470040.990      7 192.168.0.12 TCP_DENIED/400 1659 GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html - NONE/- text/html
    It looks like the FQDN is getting truncated from the URI when coming from DG->Squid.

    And Squid spits back the following error to my browser on host 192.168.1.37
    ERROR
    The requested URL could not be retrieved
    While trying to retrieve the URL: /wp-dyn/content/article/2006/10/20/AR2006102000174.html?nav=hcmodule
    The following error was encountered:
    • Invalid URL
    Some aspect of the requested URL is incorrect. Possible problems:
    • Missing or incorrect access protocol (should be `http://'' or similar)
    • Missing hostname
    • Illegal double-escape in the URL-Path
    • Illegal character in hostname; underscores are not allowed
    Your cache administrator is admin@example.com.


    Generated Sun, 22 Oct 2006 03:40:35 GMT by proxy-server.example.com (squid/2.5.STABLE14)

    Now an interesting thing to note is that if I open Internet Explorer and go to Tools -> Internet Options -> Connections -> LAN Settings and set the proxy server to 192.168.0.12:8080 (or 3128; DansGuardian/Squid respectively) while maintaining the already-set NAT Redirection rule, the proxy will work just fine, and also without the NAT RDR rule.
    Here are what the logs look like when I manually tell IE to use the DG/Squid proxy.

    Dansguardian.log
    2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js  GET 0
    2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js  GET 0
    2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/global.css  GET 0
    2006.10.22 3:43:52 - 192.168.1.37 http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css  GET 0

    Squid Access Log
    1161488632.513    100 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/ad/ad_configurations_article_v2.js - DIRECT/12.129.147.65 -
    1161488632.701    96 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/popjs/popupCampaignClasses.js - DIRECT/12.129.147.65 -
    1161488632.884    97 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/global.css - DIRECT/12.129.147.65 -
    1161488632.898    103 192.168.0.12 TCP_MISS/304 224 GET http://media3.washingtonpost.com/wp-srv/css/layout/oring970.css - DIRECT/12.129.147.65 -
    FQDN isn't truncated here anymore.

    Can anyone shed some light on this situation? Do the HTTP headers get fubar'd by the NAT RDR rule? If so, why does it work when I set IE manually to use the 192.168.0.12:8080 proxy while keeping the NAT RDR rule? And also I want to mention that the proxy does work if IE is set to use the proxy but the NAT RDR rule is nonexistent. I basically only want the NAT RDR rule for transparent filtering purposes.
    Thanks to those who can help and/or try to T



  • Browsers won't send user information if they have no proxy specified. That's also the reason why the squid package disables authentication settings when transparent mode is selected.



  • Do you know what directives it uses to disable the authentication settings? As far as I know, squid on my FreeBSD (192.168.0.12) machine doesn't have authentication set up, and it has an ACL to allow access from 192.168/16.



  • fixed this issue by adding this to my squid.conf on host 192.168.0.12

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    thanks hoba.
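The mechanism behind this thread, as an added example that is not part of the original posts and not squid's own code: a browser configured with an explicit proxy sends the full URL on the request line (`GET http://host/path HTTP/1.1`), whereas a client whose traffic is silently redirected by the `rdr` rule thinks it is talking to the origin server and sends only the path (`GET /path HTTP/1.1`) plus a `Host` header. Without `httpd_accel_uses_host_header on`, a squid 2.5 style parser has nothing to rebuild the hostname from and returns the `Invalid URL` / `TCP_DENIED/400` seen above. The toy resolver below models both forms; the sample requests and the `resolve_url` / `parse_request` names are constructed for this illustration, and because the `Host` header is client-controlled, the rebuilt hostname is validated before it is trusted.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic).
# Proxy-form: what IE sends when the proxy is set manually.
PROXY_FORM = (
    b"GET http://media3.washingtonpost.com/wp-srv/css/global.css HTTP/1.1\r\n"
    b"Host: media3.washingtonpost.com\r\n\r\n"
)
# Origin-form: what arrives when the rdr rule silently redirects port 80.
ORIGIN_FORM = (
    b"GET /wp-dyn/content/article/2006/10/21/AR2006102100487.html HTTP/1.1\r\n"
    b"Host: www.washingtonpost.com\r\n\r\n"
)

# Hostname with optional port: letters, digits, dots, hyphens only.
# Underscores (one of squid's listed rejection reasons) and any control
# or CRLF characters fail this check.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def parse_request(raw: bytes):
    """Split the request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def resolve_url(raw: bytes, uses_host_header: bool, accel_port: int = 80):
    """Return (status, url_or_reason).

    200 means a full URL could be rebuilt; 400 mirrors squid's
    'Invalid URL' page. uses_host_header models
    httpd_accel_uses_host_header, accel_port models httpd_accel_port.
    """
    _method, target, _version, headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # Proxy-form: the absolute URI is already on the request line.
        return 200, target
    if not target.startswith("/"):
        return 400, "Missing or incorrect access protocol"
    if not uses_host_header:
        # Accelerator mode off: nothing to rebuild the hostname from,
        # so only "/path" is known (the TCP_DENIED/400 case in the logs).
        return 400, "Missing hostname"
    host = headers.get("host", "")
    if not host:
        return 400, "Missing hostname"
    if not HOST_RE.match(host):
        # Reject before the untrusted Host value is used to build a URL.
        return 400, "Illegal character in hostname; underscores are not allowed"
    # Origin-form plus a valid Host header: rebuild the URL the way
    # httpd_accel_host virtual + httpd_accel_uses_host_header on does.
    if ":" not in host and accel_port != 80:
        host = f"{host}:{accel_port}"
    return 200, f"http://{host}{target}"


if __name__ == "__main__":
    for label, req in (("proxy-form", PROXY_FORM), ("origin-form", ORIGIN_FORM)):
        for flag in (False, True):
            print(label, "uses_host_header=%s" % flag, resolve_url(req, flag))
```

Running the block shows the proxy-form request resolving regardless of the flag, while the origin-form request is only rebuilt into the full washingtonpost.com URL once the Host header is honoured, which is exactly what the four `httpd_accel_*` lines above turn on.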

