RE: [squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

Hi Amos,

Thank you very much for your reply.

The source server is a gateway between the client and squid.

Original:
[Client] -- [Source Server] -- [WWW]

Desired:
[Client] -- [Source Server] -- [(TProxy) -- Squid -- Squid:3128] -- [WWW]

Do you have any suggestion how I can set up the [Source Server] to send port 80 to TProxy without using NAT?

Kind Regards,
Sam

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 20 January 2012 01:49
To: squid-users@squid-cache.org
Subject: Re: [squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

On 20/01/2012 6:02 a.m., Sam Beechey wrote:
> Hi All,
>
> I have been configuring a new Squid server today. The original
> configuration (without TProxy) worked fine: DNAT from port 80 to 3128 at
> the squid server.
>
> The source server is where end-users establish a connection, the Squid
> server is (10.10.10.1) and the Client in question is (10.10.10.100).
>
> SOURCE SERVER:
>
> iptables -t nat -N cache >/dev/null 2>&1
> iptables -t nat -F cache
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
> iptables -t nat -N cache_users >/dev/null 2>&1
> iptables -t nat -F cache_users
> iptables -t nat -A PREROUTING -j cache_users
> iptables -t nat -A cache_users -s 10.10.10.100 -j cache
> iptables -t nat -L cache -nvx
>
> Now I wanted to use TProxy (so that the client address is shown rather
> than the squid server ip) - I made the following changes:
>
> SQUID SERVER
>
> Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch
>
> ./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-linux-tproxy
>
> http_port 3128
> http_port 3129 tproxy
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> AND TO THE SOURCE SERVER:
>
> FROM:
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
> TO:
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80
>
> Now the redirection is working... But all the requests are producing an
> error, invalid get request...

NAT and TPROXY are mutually exclusive systems.

It is unclear whether this SOURCE SERVER is (a) the origin server providing the responses, or (b) a gateway server between the client and Squid.

If (a), then the NAT happening on S will be erasing the IP addresses set up by TPROXY on the packets. Destroying your idea of getting the client IP to show up anywhere and bouncing the packets back to a Squid forward-proxy listening port which cannot handle origin server (reverse-proxy) formatted HTTP traffic.

If (b), then the NAT is erasing the server IP address which packet routing relies on to determine where the packet is going once it leaves Squid. Making the packets go straight back to a Squid forward-proxy listening port which cannot handle origin server (reverse-proxy) formatted HTTP traffic.

Either way results in:
  client -- ... --(TPROXY)-- Squid --Squid:3128

> == /var/log/squid/cache.log ==
> 2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request
>
> == /var/log/squid/access.log ==
> 1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

These NONE:// say that Squid received a GET request from client 10.10.10.100 and rejected it as invalid HTTP before even getting to identify the URL fully.

> == /var/log/squid/store.log ==
> 1326987346.801 RELEASE -1 45B97B27006C6BC283B7EC45B6A1A89C 400 1326987346 -1 -1 text/html 1820/1820 GET error:invalid-request
>
> Error displayed in browser:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to process the request:
>
> GET / HTTP/1.1

The URL / is an origin server format relative URL, not a valid forward proxy absolute URL required by proxies. Squid cannot handle this arriving on port 3128.

Amos
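The distinction Amos draws (origin-form "GET / HTTP/1.1" is fine on an intercept/tproxy port, where Squid rebuilds the URL from the Host header, but is rejected on a plain forward-proxy port such as 3128) is easy to check for yourself. The following Python is an added example, not Squid code and not from anyone in this thread: it classifies request-target forms per RFC 7230, models the two port behaviours in a deliberately simplified way, and scans Squid native-format access.log lines for the TCP_DENIED/400 + NONE:// signature that marks intercepted traffic landing on the wrong listener. All function names are mine, and the sample request and log lines are constructed to resemble the ones quoted above (the cookie is omitted; the second log line and its peer address 192.0.2.10 are invented).

```python
"""Classify HTTP request targets and spot Squid's 'invalid request' signature.

Added example for the thread above; not Squid's own code. The port-mode model
(forward port needs absolute-form, intercept/tproxy port rebuilds the URL from
Host) is a simplification of Squid's real parsing. Sample data is constructed.
"""
import re
from urllib.parse import urlsplit

# RFC 7230 request-target forms.
ABSOLUTE, ORIGIN, AUTHORITY, ASTERISK, INVALID = (
    "absolute-form", "origin-form", "authority-form", "asterisk-form", "invalid")

_REQ_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def classify_target(request_line):
    """Return (method, target, form) for an HTTP/1.x request line."""
    m = _REQ_LINE.match(request_line.strip())
    if not m:
        return None, None, INVALID
    method, target = m.group(1), m.group(2)
    if target == "*":
        return method, target, ASTERISK
    if method == "CONNECT":  # host:port only
        ok = re.match(r"^[^/:\s]+:\d+$", target) is not None
        return method, target, AUTHORITY if ok else INVALID
    if target.startswith("/"):
        return method, target, ORIGIN
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return method, target, ABSOLUTE
    return method, target, INVALID


def parse_headers(raw):
    """Turn 'Name: value' lines into a lower-cased dict (request line excluded)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def resolve_url(request_line, headers, port_mode):
    """Model what a Squid listener does with a request (simplified).

    port_mode: 'forward' (plain http_port) or 'intercept' (http_port ... tproxy).
    Returns (accepted, url_or_error).
    """
    method, target, form = classify_target(request_line)
    if form in (ABSOLUTE, AUTHORITY):
        return True, target
    if form == ORIGIN and port_mode == "intercept":
        host = headers.get("host")
        if host:
            return True, "http://%s%s" % (host, target)
    # Origin-form on a forward port is exactly the failure in the thread.
    return False, "error:invalid-request"


# Squid native access.log: time elapsed client code/status bytes method URL
#                          ident hierarchy/peer type
_ACCESS = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$")


def parse_access_line(line):
    """Parse one native-format access.log line into a dict, or None."""
    m = _ACCESS.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def find_misrouted(lines):
    """Count, per client, requests rejected before Squid could parse a URL.

    status 400 with URL 'NONE://' is the signature Amos points at: on a
    forward-proxy port it means intercepted origin-form traffic arrived there.
    """
    hits = {}
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["status"] == 400 and rec["url"] == "NONE://":
            hits[rec["client"]] = hits.get(rec["client"], 0) + 1
    return hits


# Constructed sample data (cookie dropped; second log line invented).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: google.co.uk\r\n"
    "Accept: text/html, application/xml;q=0.9, */*;q=0.1\r\n"
    "Connection: Keep-Alive\r\n"
)
SAMPLE_ACCESS_LOG = [
    "1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html",
    "1326987350.120 312 10.10.10.101 TCP_MISS/200 5123 GET http://example.com/ - DIRECT/192.0.2.10 text/html",
    "1326987351.004 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html",
]

if __name__ == "__main__":
    line, hdrs = SAMPLE_REQUEST.splitlines()[0], parse_headers(SAMPLE_REQUEST)
    print("on 3128 (forward):  ", resolve_url(line, hdrs, "forward"))
    print("on 3129 (tproxy):   ", resolve_url(line, hdrs, "intercept"))
    print("misrouted clients:  ", find_misrouted(SAMPLE_ACCESS_LOG))
```

Run against a real access.log, a non-empty result from find_misrouted on a box whose only intercept listener is the tproxy port is a quick way to confirm that packets are being steered at the forward port rather than at the TPROXY rule.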
[squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

Hi All,

I have been configuring a new Squid server today. The original configuration (without TProxy) worked fine: DNAT from port 80 to 3128 at the squid server.

The source server is where end-users establish a connection, the Squid server is (10.10.10.1) and the Client in question is (10.10.10.100).

SOURCE SERVER:

iptables -t nat -N cache >/dev/null 2>&1
iptables -t nat -F cache
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
iptables -t nat -N cache_users >/dev/null 2>&1
iptables -t nat -F cache_users
iptables -t nat -A PREROUTING -j cache_users
iptables -t nat -A cache_users -s 10.10.10.100 -j cache
iptables -t nat -L cache -nvx

Now I wanted to use TProxy (so that the client address is shown rather than the squid server ip) - I made the following changes:

SQUID SERVER

Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-linux-tproxy

http_port 3128
http_port 3129 tproxy

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

AND TO THE SOURCE SERVER:

FROM:
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
TO:
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80

Now the redirection is working... But all the requests are producing an error, invalid get request...

== /var/log/squid/cache.log ==
2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request

== /var/log/squid/access.log ==
1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

== /var/log/squid/store.log ==
1326987346.801 RELEASE -1 45B97B27006C6BC283B7EC45B6A1A89C 400 1326987346 -1 -1 text/html 1820/1820 GET error:invalid-request

Error displayed in browser:

ERROR
The requested URL could not be retrieved

While trying to process the request:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; en) Presto/2.10.229 Version/11.60
Host: google.co.uk
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate
Cookie: NID=55=nLRCbUnrM3C7dIaU0ZMwmU4sN89GspazHRw8hQfw8aPn-DoDA4HgTfiLubioA26TMXvjxdNRQqjNwtMsgy0PykVn1F0AqVEl5VQTuB-UNrT1Od9FNHefLUFn62bKTxDd; PREF=ID=2bc21a6253c0a51e:U=121832e3827d293d:FF=0:TM=1326808544:LM=1326808546:S=BIrQ44EQPGOaCNys
Connection: Keep-Alive

The following error was encountered:

Invalid Request

Some aspect of the HTTP Request is invalid. Possible problems:

- Missing or unknown request method
- Missing URL
- Missing HTTP Identifier (HTTP/1.0)
- Request is too large
- Content-Length missing for POST or PUT requests
- Illegal character in hostname; underscores are not allowed

Your cache administrator is webmaster.

Generated Thu, 19 Jan 2012 15:33:48 GMT by cache (squid/2.7.STABLE9)

Any input would be greatly appreciated.

Kind Regards,
Sam