Reverse Proxy package - transparent proxy issues.



  • Hello,

    I installed the reverseproxy package recently. It appeared to be working for a few days, but today, after a long holiday, any attempt at accessing the internet without having a proxy defined produces an error page from squid (see below). If you configure the proxy, it works without error.

    Any idea what we should take a look at?

    thanks,
    greg

    ERROR
    The requested URL could not be retrieved

    While trying to process the request:

    GET /imghp?hl=en&tab=wi HTTP/1.1
    Host: www.google.ca
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: http://www.google.ca/
    Cookie: PREF=ID=d718fb9830e7294d:U=7a33e03f16:FF=0:TM=1312337753:LM=1323366791:IG=4:S=3pldk33FfkkgEw; NID=56=SEDITsAyB_M1U7HM-oGXo–-EDIT---; PP_TOS_ACK=130

    The following error was encountered:

    Invalid Request

    Some aspect of the HTTP Request is invalid. Possible problems:

        Missing or unknown request method
        Missing URL
        Missing HTTP Identifier (HTTP/1.0)
        Request is too large
        Content-Length missing for POST or PUT requests
        Illegal character in hostname; underscores are not allowed

    Your cache administrator is admin@company.com.
    Generated Tue, 21 Feb 2012 15:16:32 GMT by proxy-master (squid/2.7.STABLE9)



  • What reverse proxy did you install?

    It looks like you have set up a normal proxy (squid).



  • @marcelloc:

    What reverse proxy did you install?
    It looks like you have set up a normal proxy (squid).

    It is the squid-reverse package, 2.7.9_2. This was a fresh install; the other package was never installed on this image. I chose it over the normal 3.0 squid package as it offered OWA-centric bits.

    While pondering what the issue might be on my way home last night... There are 2 pfs boxes, with CARP and VIPs. On the inside, I am binding the squid process to the VIP and the physical interface, rather than using a NAT redirect as suggested to me by yourself in another post last week. I was going to try the NAT method today and see where that gets us. Doesn't seem like it should matter, as the connection is making it to the squid, and it's the process itself complaining...

    thanks Marcello,
    greg



  • I tried to create the NAT forward rule, not sure if I did this correctly..

    Firewall > NAT > Port Forward, add a rule with these options:

    interface = LAN
    prot = TCP
    source = my machine's IP (for testing without affecting the rest of the network)
    dest IP = any
    dest port = 80
    redirect target IP = 127.0.0.1
    redirect target port = 80 (tried 3128 as well)

    Sound correct for the NAT redirect?

    When I set this up and have no proxy configured on the client, I see the below in the logs, and the pages load direct.

    access log:
    1329929967.294      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
    1329930139.167      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html

    and in cache.log:
    2012/02/22 12:24:40| clientTryParseRequest: FD 68 (10.101.2.99:51735) Invalid Request
    2012/02/22 12:24:40| clientTryParseRequest: FD 72 (10.101.2.99:51736) Invalid Request
    2012/02/22 12:24:40| clientTryParseRequest: FD 21 (10.101.2.99:51737) Invalid Request
    2012/02/22 12:24:40| clientTryParseRequest: FD 21 (10.101.2.99:51738) Invalid Request

    The above is from when I'm trying to load "whatismyip.com".

    Here is a sampling of the contents of my squid.conf; let me know if there are any others you may like to see.

    # This file is automatically generated by pfSense
    # Do not edit manually !

    http_port 10.101.111.11:3128
    http_port 127.0.0.1:3128
    http_port 127.0.0.1:3128 transparent
    icp_port 0

    # Custom options
    http_port 10.101.111.3:3128

    # Setup allowed acls
    http_access allow allowed_subnets

    # Default block all to be sure
    http_access deny all

    Removing the NAT rule and enabling transparent proxy results in the same error as in my original post from the squid process.

    I feel like changing the default rule on the internal network to point at the physical interface instead of the VIP for a test.. I have a feeling it's related to the VIP usage somehow, as this worked before I turned on CARP and added a redundant box to the setup. But I may have tweaked something else along the way…

    ======================
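The access-log and error-page pattern in the post above has a recognisable signature: a client with no proxy configured sends an origin-form request line ("GET /imghp?... HTTP/1.1" plus a Host header), and only an http_port marked transparent can rebuild a full URL from that; on a plain port Squid 2.7 answers TCP_DENIED/400 and logs the URL as NONE://. The following parser and check is an added example (not code from the thread, pfSense or Squid) that flags such entries over constructed sample log lines modelled on the ones posted; the third sample line and its DIRECT peer address are constructed.

```python
"""Spot intercepted traffic that landed on a non-transparent Squid http_port.

Added example, not from the thread or from pfSense/Squid. A client with no
proxy configured sends an origin-form request line ("GET /path HTTP/1.1" plus
a Host header); only an http_port marked transparent can rebuild a URL from
that, otherwise Squid logs TCP_DENIED/400 with a NONE:// URL as above."""
import re

# Native Squid access-log layout: time elapsed client code/status bytes
# method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_access_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_request_line(request_line):
    """'absolute' = proxy-aware client, 'origin' = intercepted client,
    'invalid' = malformed request line."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "invalid"
    target = parts[1]
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "absolute"
    return "origin" if target.startswith("/") else "invalid"

def intercept_misconfig_clients(log_lines):
    """Count, per client, TCP_DENIED/400 entries whose URL is NONE://,
    the signature of a redirect hitting an http_port without 'transparent'."""
    hits = {}
    for line in log_lines:
        rec = parse_access_line(line)
        if (rec and rec["code"] == "TCP_DENIED" and rec["status"] == "400"
                and rec["url"].startswith("NONE://")):
            hits[rec["client"]] = hits.get(rec["client"], 0) + 1
    return hits

# Constructed sample: the two lines from the thread plus one proxy-aware client
SAMPLE_LOG = [
    "1329929967.294      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html",
    "1329930139.167      0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html",
    "1329930200.001    120 10.101.2.50 TCP_MISS/200 5120 GET http://www.google.ca/imghp - DIRECT/192.0.2.10 text/html",
]
```

Running `intercept_misconfig_clients(SAMPLE_LOG)` returns `{"10.101.2.99": 2}`, pointing at the one client whose intercepted requests never reached a transparent port.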



  • Please do NOT use NAT rules for reverse proxy mode, use FIREWALL rules instead, because the reverse proxy listens on the interface IP already…

    Use a firewall rule like: all:tcp:80 to wan-interface-address:tcp:80

    this should work ;-)



  • Sorry, forgot to update this thread. It did work, and thank you very much. 8)

    -g

