RE: [squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

2012-01-20 Thread Sam Beechey
Hi Amos,

Thank you very much for your reply.

The source server is a gateway between the client and squid.

Original:

[Client] -- [Source Server] -- [WWW]

Desired:

[Client] -- [Source Server] -- [(TProxy) -- Squid -- Squid:3128] -- [WWW]

Do you have any suggestion how I can setup the [Source Server] to send
port 80 to TProxy without using NAT?

Kind Regards,
Sam

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 20 January 2012 01:49
To: squid-users@squid-cache.org
Subject: Re: [squid-users] clientTryParseRequest: FD 12 Invalid Request
| TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET
error:invalid-request

On 20/01/2012 6:02 a.m., Sam Beechey wrote:
 Hi All,

 I have been configuring a new Squid server today. The original
configuration (without TProxy) worked fine.. DNAT from port 80 to 3128
at squid server..

 The source server is where end-users establish a connection, The Squid
 server is (10.10.10.1) and The Client in question is (10.10.10.100)

 SOURCE SERVER:

 iptables -t nat -N cache >/dev/null 2>&1
 iptables -t nat -F cache
 iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
 iptables -t nat -N cache_users >/dev/null 2>&1
 iptables -t nat -F cache_users
 iptables -t nat -A PREROUTING -j cache_users
 iptables -t nat -A cache_users -s 10.10.10.100 -j cache
 iptables -t nat -L cache -nvx

 Now I wanted to use TProxy (so that the client address is shown rather
than the squid server ip) - I made the following changes:

 SQUID SERVER

 Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + 
 squid-2.7s9-tproxy-4.patch

 ./configure --prefix=/usr --localstatedir=/var 
 --libexecdir=${prefix}/lib/squid --srcdir=.
 --datadir=${prefix}/share/squid --sysconfdir=/etc/squid 
 --enable-linux-netfilter --enable-linux-tproxy

 http_port 3128
 http_port 3129 tproxy

 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
 echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
 echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

 ip rule add fwmark 1 lookup 100
 ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

 iptables -t mangle -N DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
 iptables -t mangle -A DIVERT -j ACCEPT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

 AND TO THE SOURCE SERVER:

 FROM: iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
 TO:   iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80

 Now the redirection is working... But all the requests are producing
an error, invalid get request...

NAT and TPROXY are mutually exclusive systems.

It is unclear whether this SOURCE SERVER is (a) the origin server
providing the responses, or (b) a gateway server between the client and
Squid.

  If (a),  then the NAT happening on S will be erasing the IP
addresses setup by TPROXY on the packets. Destroying your idea of
getting the client IP to show up anywhere and bouncing the packets back
to a Squid forward-proxy listening port which cannot handle origin
server (reverse-proxy) formatted HTTP traffic.

  If (b), then the NAT is erasing the server IP address which packet
routing relies on to determine where the packet is going once it leaves
Squid. Making the packets go straight back to a Squid forward-proxy
listening port which cannot handle origin server (reverse-proxy)
formatted HTTP traffic.

Either way results in:
client -- ... --(TPROXY)-- Squid --Squid:3128


 == /var/log/squid/cache.log ==
 2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request

 == /var/log/squid/access.log ==
 1326987346.801  0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

These NONE:// say that Squid received a GET request from client
10.10.10.100 and rejected it as invalid HTTP before even getting to
identify the URL fully.

 == /var/log/squid/store.log ==
 1326987346.801 RELEASE -1  45B97B27006C6BC283B7EC45B6A1A89C  400 1326987346    -1    -1 text/html 1820/1820 GET error:invalid-request


 Error displayed in browser:

 ERROR
 The requested URL could not be retrieved

 While trying to process the request:
 GET / HTTP/1.1

The URL / is an origin-server-format relative URL, not the valid
forward-proxy absolute URL required by proxies. Squid cannot handle this
arriving on port 3128.


Amos
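Amos's closing point about the URL form, as an added illustration that is not from the thread and not Squid's own code: a simplified model of what a plain forward-proxy `http_port` versus a `tproxy`/intercept port can do with a request line. An origin-form target such as `GET / HTTP/1.1` only becomes a usable URL when the port is allowed to rebuild it from the Host header; on a plain port it is logged as `NONE://` with a 400. The sample request head is constructed from the headers shown in the browser error in this thread; the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Request line as Squid would see it: METHOD SP target SP HTTP/major.minor
REQUEST_LINE = re.compile(r'^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$')

# Constructed from the request head shown in the browser error page.
SAMPLE_HEAD = (
    "GET / HTTP/1.1\n"
    "Host: google.co.uk\n"
    "Connection: Keep-Alive\n"
)


def parse_head(raw_head):
    """Split a request head into (request_line, {lowercased-name: value})."""
    lines = raw_head.strip("\r\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def target_form(target):
    """'absolute' for http://host/path, 'origin' for /path, else None."""
    if target.startswith("/"):
        return "origin"
    parts = urlsplit(target)
    return "absolute" if parts.scheme and parts.netloc else None


def classify(raw_head, port_mode):
    """Return (status, url) for a request arriving on a Squid port.

    port_mode is 'forward' (plain `http_port 3128`) or 'intercept'
    (`http_port 3129 tproxy`). Modelled on the behaviour Amos describes,
    not on Squid's parser itself.
    """
    request_line, headers = parse_head(raw_head)
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ("400 invalid-request", "NONE://")
    _method, target, _major, _minor = m.groups()
    form = target_form(target)
    if form == "absolute":
        return ("OK", target)              # valid on any port
    if form == "origin" and port_mode == "intercept" and "host" in headers:
        # intercepted/tproxy ports may rebuild the URL from Host + path
        return ("OK", "http://%s%s" % (headers["host"], target))
    # forward-proxy port: a relative target has no host to resolve against
    return ("400 invalid-request", "NONE://")
```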


[squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

2012-01-19 Thread Sam Beechey
Hi All,

I have been configuring a new Squid server today. The original configuration 
(without TProxy) worked fine.. DNAT from port 80 to 3128 at squid server..

The source server is where end-users establish a connection, The Squid server 
is (10.10.10.1) and The Client in question is (10.10.10.100)

SOURCE SERVER:

iptables -t nat -N cache >/dev/null 2>&1
iptables -t nat -F cache
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
iptables -t nat -N cache_users >/dev/null 2>&1
iptables -t nat -F cache_users
iptables -t nat -A PREROUTING -j cache_users
iptables -t nat -A cache_users -s 10.10.10.100 -j cache
iptables -t nat -L cache -nvx

Now I wanted to use TProxy (so that the client address is shown rather than the 
squid server ip) - I made the following changes:

SQUID SERVER

Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + 
squid-2.7s9-tproxy-4.patch

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid 
--srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid 
--enable-linux-netfilter --enable-linux-tproxy

http_port 3128
http_port 3129 tproxy

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

AND TO THE SOURCE SERVER:

FROM: iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
TO:   iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80

Now the redirection is working... But all the requests are producing an error, 
invalid get request...

== /var/log/squid/cache.log ==
2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request

== /var/log/squid/access.log ==
1326987346.801  0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

== /var/log/squid/store.log ==
1326987346.801 RELEASE -1  45B97B27006C6BC283B7EC45B6A1A89C  400 1326987346    -1    -1 text/html 1820/1820 GET error:invalid-request


Error displayed in browser:

ERROR
The requested URL could not be retrieved

While trying to process the request: 
GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; en) 
Presto/2.10.229 Version/11.60
Host: google.co.uk
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, 
image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate
Cookie: NID=55=nLRCbUnrM3C7dIaU0ZMwmU4sN89GspazHRw8hQfw8aPn-DoDA4HgTfiLubioA26TMXvjxdNRQqjNwtMsgy0PykVn1F0AqVEl5VQTuB-UNrT1Od9FNHefLUFn62bKTxDd; PREF=ID=2bc21a6253c0a51e:U=121832e3827d293d:FF=0:TM=1326808544:LM=1326808546:S=BIrQ44EQPGOaCNys
Connection: Keep-Alive

The following error was encountered: 
 Invalid Request 

Some aspect of the HTTP Request is invalid. Possible problems: 
Missing or unknown request method 
Missing URL 
Missing HTTP Identifier (HTTP/1.0) 
Request is too large 
Content-Length missing for POST or PUT requests 
Illegal character in hostname; underscores are not allowed 

Your cache administrator is webmaster. 
 Generated Thu, 19 Jan 2012 15:33:48 GMT by cache (squid/2.7.STABLE9)


Any input would be greatly appreciated.

Kind Regards,
Sam