Reverse Proxy package - transparent proxy issues.
-
Hello,
I installed the reverseproxy package recently. It appeared to be working for a few days, but today, after a long holiday, any attempt at accessing the internet without having a proxy defined produces an error page from squid (see below). If you configure the proxy, it works without error.
Any idea what we should take a look at?
Thanks,
greg

ERROR
The requested URL could not be retrieved

While trying to process the request:

```
GET /imghp?hl=en&tab=wi HTTP/1.1
Host: www.google.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.google.ca/
Cookie: PREF=ID=d718fb9830e7294d:U=7a33e03f16:FF=0:TM=1312337753:LM=1323366791:IG=4:S=3pldk33FfkkgEw; NID=56=SEDITsAyB_M1U7HM-oGXo–-EDIT---; PP_TOS_ACK=130
```

The following error was encountered:
Invalid Request

Some aspect of the HTTP Request is invalid. Possible problems:
Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
Content-Length missing for POST or PUT requests
Illegal character in hostname; underscores are not allowed

Your cache administrator is admin@company.com.
Generated Tue, 21 Feb 2012 15:16:32 GMT by proxy-master (squid/2.7.STABLE9)
-
What reverse proxy did you install?
It looks like you have set up a normal proxy (squid).
-
What reverse proxy did you install?
It looks like you have set up a normal proxy (squid).

It is the squid-reverse package, 2.7.9_2. This was a fresh install; the other package was never installed on this image. I chose it over the normal 3.0 squid package as it offered OWA-centric bits.
While pondering what the issue might be on my way home last night... There are 2 pfs boxes, with CARP and VIPs. On the inside, I am binding the squid process to the VIP and the physical interface, rather than using a NAT redirect as suggested to me by yourself in another post last week. I was going to try the NAT method today and see where that gets us. Doesn't seem like it should matter, as the connection is making it to the squid, and it's the process itself complaining...
thanks Marcello,
greg
-
I tried to create the NAT forward rule, not sure if I did this correctly..
Firewall – NAT – Port Forward: add a rule with these options:
interface = LAN
prot = TCP
source = my machines IP (for testing without affecting rest of network)
dest IP = any
dest port = 80
redirect target IP = 127.0.0.1
redirect target port = 80 (tried 3128 as well)

Sound correct for the NAT redirect?
When I set this up and have no proxy configured on the client, I see the below in the logs, and the pages load direct.

access.log:

```
1329929967.294 0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
1329930139.167 0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
```

and in cache.log:

```
2012/02/22 12:24:40| clientTryParseRequest: FD 68 (10.101.2.99:51735) Invalid Request
2012/02/22 12:24:40| clientTryParseRequest: FD 72 (10.101.2.99:51736) Invalid Request
2012/02/22 12:24:40| clientTryParseRequest: FD 21 (10.101.2.99:51737) Invalid Request
2012/02/22 12:24:40| clientTryParseRequest: FD 21 (10.101.2.99:51738) Invalid Request
```

The above is from when I'm trying to load "whatismyip.com".
Here is a sampling of the contents of my squid.conf; let me know if there are any others you may like to see.

```
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 10.101.111.11:3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 transparent
icp_port 0

# Custom options
http_port 10.101.111.3:3128

# Setup allowed acls
http_access allow allowed_subnets

# Default block all to be sure
http_access deny all
```
Removing the NAT rule and enabling transparent proxy results in the same error as in my original post from the squid process.
I feel like changing the default rule on the internal network to point at the physical interface instead of the VIP for a test.. I have a feeling it's related to the VIP usage somehow, as this worked before I turned on CARP and added a redundant box to the setup. But I may have tweaked something else along the way...
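As an added diagnostic (my own code, not from the thread or the pfSense squid package), this Python script parses the access.log lines and the squid.conf fragment posted above: it reports which clients squid is refusing with the NONE:// 400 entries, and which http_port listeners actually carry the transparent flag, so the redirect target can be checked against a listener that will accept origin-form requests. The third log line and the regex for squid's native log format are my constructions.

```python
import re
from collections import Counter

# Constructed sample: the two access.log lines from the thread plus one
# ordinary, successful request for contrast.
ACCESS_LOG = """\
1329929967.294 0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
1329930139.167 0 10.101.2.99 TCP_DENIED/400 2247 GET NONE:// - NONE/- text/html
1329930200.001 120 10.101.2.50 TCP_MISS/200 5120 GET http://example.invalid/ - DIRECT/203.0.113.10 text/html
"""

# The http_port lines from the squid.conf posted above.
SQUID_CONF = """\
http_port 10.101.111.11:3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 transparent
http_port 10.101.111.3:3128
"""

# squid native log format: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_access_log(text):
    """Parse native-format access.log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, _, client, code, status, _, method, url = m.groups()
            entries.append({"ts": float(ts), "client": client, "code": code,
                            "status": int(status), "method": method, "url": url})
    return entries


def unparsed_origin_form(entries):
    """Count, per client, 400 denials where squid logged no URL at all (NONE://).
    In this thread these appear when clients with no proxy setting send origin-form
    requests (GET /path) to a listener that is not flagged transparent, so squid
    has nothing to build an absolute URL from and answers 'Invalid Request'."""
    return Counter(e["client"] for e in entries
                   if e["code"] == "TCP_DENIED" and e["status"] == 400
                   and e["url"].startswith("NONE"))


def transparent_listeners(conf):
    """Return (ip, port) for every http_port directive carrying the transparent flag."""
    found = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "http_port" and "transparent" in parts[2:]:
            ip, _, port = parts[1].rpartition(":")
            found.append((ip or "0.0.0.0", int(port)))
    return found
```

A redirect target that is not in the transparent_listeners() output will produce exactly the NONE:// denials counted here, which is a quick way to confirm a NAT or firewall rule points at the right port.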
-
Please do NOT use NAT rules for reverse proxy mode, use FIREWALL rules instead, because the reverse proxy listens on the interface IP already...
Use a firewall rule like: all:tcp:80 to wan-interface-address:tcp:80
This should work ;-)
-
Sorry, forgot to update this thread. It did work, and thank you very much. 8)
-g