Squid getting RST ACK from monoprice.com



  • I have squid/dansguardian but I tried going directly to squid with the same result.  If I go through squid (explicit proxy/NTLM auth) to go to http://www.monoprice.com, I get:

    ERROR

    The requested URL could not be retrieved

    --------------------------------------------------------------------------------

    The following error was encountered while trying to retrieve the URL: http://www.monoprice.com/?

    Read Error

    The system returned: (54) Connection reset by peer

    An error condition occurred while reading data from the network. Please retry your request.

    If I go direct, I can bring it up fine.  This happens in both Firefox and IE.  I did a network capture of direct vs going through squid and the web site server sends a RST, ACK after the HTTP GET.

    Is anyone else having this problem with squid?  The only difference I see in the HTTP header going through squid just before the reset is "Pragma: no-cache", "Cache-Control: max-age=259200", and "X-Forwarded-For: <internal ip>, unknown".

    Anyone have any ideas?



  • I found that adding this to the squid custom options:

    request_header_access X-Forwarded-For deny all

    enables the website to work properly.  Does anyone know what kind of impact this will have on Dansguardian?  I know that the:

    follow_x_forwarded_for allow localhost

    option is needed for the user names to show up in the dansguardian log.  So far it looks like the user names are still showing up.  I just want to make sure I'm not breaking something else.

    Also it sounds like this may be because of bad website code… if that's correct, then what would I tell the website operator so they can fix it?



  • I noticed the same problem with Squid & Monoprice.com.

    I'm not running squid on pfSense though, so I don't think this is in any way specific to pfSense and squid.

    When I turn off the X-Forwarded-For header then monoprice works fine.  I sent a message to Monoprice asking them about this issue, I'll report back if I hear anything.

    I would guess that it has something to do with their traffic balancers; they might be trying to parse that header to make sure particular sessions get directed to the same backend server, but maybe their balancer is not handling it correctly.

    Josh



  • I would suggest always disabling the X-Forwarded-For header from being sent externally; it is not really good to leak your internal IPs/hostnames from a security POV.



  • Yep, the header that was causing monoprice to fail was actually "X-Forwarded-For: Unknown".  I wasn't allowing IP leakage, but I was trying to get dansguardian to pass the orig ip to squid.  Squid was setting it to Unknown before making requests.

    I'm using dansguardian & squid together, so if you want squid to be able to use traffic buckets to limit per IP you have to pass through the information somehow.  Or if you want any other Squid ACLs to work.  http://dansguardian.org/?page=faq#c1
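A squid.conf fragment, added here as an illustration and not taken from any of the posts above, that puts the two directives from this thread together: Squid trusts X-Forwarded-For only from a DansGuardian instance on localhost (so src ACLs and per-IP delay pools still see the real client address), and strips the header before the request leaves the proxy. The ACL names, the LAN range and the delay pool values are assumptions.

```conf
# Added example (not from the thread): squid.conf fragment, Squid 3.x syntax.

# DansGuardian runs on the same host and forwards to Squid with an
# X-Forwarded-For header carrying the real client IP.
acl dg_host src 127.0.0.1/32          # assumed: DansGuardian on localhost
acl lan src 192.168.1.0/24            # assumed internal range

# Trust X-Forwarded-For only when the request comes from DansGuardian.
# Squid then evaluates src ACLs, delay pools and access logs against the
# forwarded client address instead of 127.0.0.1.
follow_x_forwarded_for allow dg_host
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

# Per-client bandwidth bucket (assumed values) that now applies per real IP.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 64000/64000
delay_access 1 allow lan
delay_access 1 deny all

# Weak setting (what the original poster effectively had): the header is
# passed on to origin servers, and in this case Squid sent it as "unknown",
# which is the value that tripped monoprice.com.
# request_header_access X-Forwarded-For allow all

# Corrected setting: never send X-Forwarded-For to origin servers. Either
# directive alone is enough; both together is belt and braces.
forwarded_for delete
request_header_access X-Forwarded-For deny all
```

Check the syntax with `squid -k parse` before reloading, then confirm with a packet capture like the one in the first post that the outbound GET no longer carries X-Forwarded-For while DansGuardian user names still appear in the log.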