Netgate Discussion Forum
    Squid getting RST ACK from monoprice.com

      wheelz

      I have squid/dansguardian but I tried going directly to squid with the same result.  If I go through squid (explicit proxy/NTLM auth) to go to http://www.monoprice.com, I get:

      ERROR

      The requested URL could not be retrieved

      ------------------------------------------------------------------------------

      The following error was encountered while trying to retrieve the URL: http://www.monoprice.com/?

      Read Error

      The system returned: (54) Connection reset by peer

      An error condition occurred while reading data from the network. Please retry your request.

      If I go direct, I can bring it up fine.  This happens in both Firefox and IE.  I did a network capture of direct vs going through squid and the web site server sends a RST, ACK after the HTTP GET.

      Is anyone else having this problem with squid?  The only difference I see in the HTTP header going through squid just before the reset is "Pragma: no-cache", "Cache-Control: max-age=259200", and "X-Forwarded-For: <internal ip>, unknown".

      Anyone have any ideas?

        wheelz

        I found that adding this to the squid custom options:

        request_header_access X-Forwarded-For deny all

        enables the website to work properly.  Does anyone know what kind of impact this will have on Dansguardian?  I know that the:

        follow_x_forwarded_for allow localhost

        option is needed for the user names to show up in the dansguardian log.  So far it looks like the user names are still showing up.  I just want to make sure I'm not breaking something else.

        Also it sounds like this may be because of bad website code… if that's correct, then what would I tell the website operator so they can fix it?

          stompro

          I noticed the same problem with Squid & Monoprice.com.

          I'm not running squid on pfsense though, so I don't think this is in any way specific to pfSense and squid.

          When I turn off the X-Forwarded-For header then monoprice works fine.  I sent a message to Monoprice asking them about this issue; I'll report back if I hear anything.

          I would guess that it has something to do with their traffic balancers, they might be trying to parse that header to make sure particular sessions get directed to the same backend server, but maybe their balancer is not handling it correctly.

          Josh

          Hardware used: Alix 2D13 X 10, APU2D4 X 10, SG-2200 X 10, SG-2440 X 4

            dgcom

            I would suggest always disabling the X-Forwarded-For header from being sent externally - it is not really good to leak your internal IPs/hostnames from a security POV.

            DG

              stompro

              Yep, the header that was causing monoprice to fail was actually "X-Forwarded-For: Unknown".  I wasn't allowing IP leakage, but I was trying to get dansguardian to pass the orig ip to squid.  Squid was setting it to Unknown before making requests.

              I'm using dansguardian & squid together, so if you want squid to be able to use traffic buckets to limit per IP you have to pass through the information somehow.  Or if you want any other Squid ACLs to work.  http://dansguardian.org/?page=faq#c1

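Added example, not part of any post in this thread: a small check to run over requests captured on the WAN side of the proxy, to confirm what the X-Forwarded-For header still discloses after a change such as `request_header_access X-Forwarded-For deny all`. The sample requests, addresses, host names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: three outbound requests as they might appear in a capture
# taken on the WAN side of the proxy (addresses and host names are made up).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.0\r\nHost: www.example.com\r\nVia: 1.0 proxy.example (squid)\r\n"
    "X-Forwarded-For: 192.168.1.23, unknown\r\nCache-Control: max-age=259200\r\n\r\n",
    "GET / HTTP/1.0\r\nHost: www.example.com\r\nx-forwarded-for: unknown\r\n\r\n",
    "GET / HTTP/1.0\r\nHost: www.example.com\r\nCache-Control: max-age=259200\r\n\r\n",
]

def xff_tokens(raw_request):
    """Return every X-Forwarded-For list element in one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    tokens = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            tokens += [t.strip() for t in value.split(",") if t.strip()]
    return tokens

def classify(token):
    """Label one element: internal address, public address, or non-address text."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return "non-ip"                           # e.g. the literal "unknown"
    internal = addr.is_private or addr.is_loopback or addr.is_link_local
    return "internal-ip" if internal else "public-ip"

def audit(requests):
    """Return (request index, element, label) for every X-Forwarded-For element."""
    return [(i, tok, classify(tok))
            for i, raw in enumerate(requests)
            for tok in xff_tokens(raw)]

if __name__ == "__main__":
    for idx, tok, label in audit(SAMPLE_REQUESTS):
        print(f"request {idx}: X-Forwarded-For element {tok!r} -> {label}")
```

An empty result from `audit()` means no request in the capture carried the header at all; any `internal-ip` entry means an internal address is still leaving the network.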