News : LinuxSolved.com Linux Help Community Forum..


Author Topic: Invalid URL error message during Transparent/NAT proxy setup  (Read 11630 times)

Offline keever

  • Linux Noob !
  • Posts: 14
Invalid URL error message during Transparent/NAT proxy setup
« on: November 22, 2005, 12:05:54 AM »
Using a policy-based routing feature on a Cisco switch (just a route-map), I have directed all LAN traffic to my internal Squid proxy.  I had to activate the NAT feature of iptables as described by Ricky's tutorial, and then I simply ran this command to re-direct all port 80 traffic to the Squid listening port of 3128:

 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

After that command was entered, every single one of my clients on our LAN received the below error message when trying to request a webpage out over our internet circuit:

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: /

The following error was encountered:

Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:

Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed


Why in the hell is Squid interpreting the destination hostname of my LAN web traffic as "/" ?  What setting would do this?

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • Posts: 2381
Invalid URL error message during Transparent/NAT proxy setup
« Reply #1 on: November 22, 2005, 11:45:09 AM »
What addresses exactly are you typing?
Also, can you give me the last 10 lines of access.log and cache.log?

Offline keever

  • Linux Noob !
  • Posts: 14
added information
« Reply #2 on: November 23, 2005, 01:26:44 AM »
I have more observations.

Above, you'll notice that it has an error message saying that I was trying to access an "Invalid URL", displaying a "/" as what the request was.  I just tried entering a URL where there was an extended path that was more than just the www.domain.com.  This is what SQUID returned:

Quote
ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: /forums/posting.php?mode=reply&t=1647

The following error was encountered:

Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:

Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed


So basically SQUID is stripping the domain from the redirected packets and trying to load all the characters after it.

Here is the access.log

Quote
1132707035.518      5 172.16.3.66 TCP_DENIED/400 1551 GET /forums/posting.php?mode=reply&t=1647 - NONE/- text/html
1132708054.061      2 172.16.3.66 TCP_DENIED/400 2081 GET /search?client=navclient-auto&googleip=F;216.239.57.103;31&&freshness_check=4yy2QOHWKu7x_r_lNxaYw&iqrn=HE5B&orig=03kRi&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3A%2F%2Fwww%2Ecrudpot%2Enet%2Fmultimedia%2Fpictures%2Ftuberide%5F1%5F11%2E18%2E05%2Ejpg&ch=72150798474 - NONE/- text/html
1132708054.076     91 172.16.3.51 TCP_MISS/200 542 GET http://sportsmed.starwave.com/i/spacer.gif? - DIRECT/199.181.132.79 image/gif
1132708059.892   5810 172.16.3.51 TCP_HIT/200 950771 GET http://motionslow.espn.go.com/motion_flash_flv/hu_051121reid1v.FLV_575K.motion_flv.flv - NONE/- text/plain
1132708060.274 179553 172.16.3.51 TCP_MISS/504 1476 GET http://motionslow.espn.go.com/motion_flash_flv/ad_051118gmc.flv - NONE/- text/html
1132708060.325      3 172.16.3.66 TCP_DENIED/400 1557 GET /multimedia/pictures/tuberide_1_11.18.05.jpg - NONE/- text/html
1132708061.276      0 172.16.3.156 TCP_MISS/503 1526 POST http://update.rcprograms.com/request.asp - NONE/- text/html
1132708061.785      1 172.16.3.66 TCP_DENIED/400 1585 GET /motion_flash_flv/hu_051122fischer.FLV_575K.motion_flv.flv - NONE/- text/html
1132708062.917      3 172.16.3.66 TCP_DENIED/400 1557 GET /multimedia/pictures/tuberide_1_11.18.05.jpg - NONE/- text/html

cache.log (I'm not sure how relevant this is since I've turned off all caching):

Quote
2005/11/22 12:43:58| sslReadServer: FD 26: read failure: (104) Connection reset by peer
2005/11/22 12:43:58| sslReadServer: FD 40: read failure: (104) Connection reset by peer
2005/11/22 13:01:41| sslReadServer: FD 40: read failure: (104) Connection reset by peer
2005/11/22 13:01:41| sslReadServer: FD 18: read failure: (104) Connection reset by peer
2005/11/22 13:16:17| sslReadServer: FD 26: read failure: (104) Connection reset by peer
2005/11/22 13:25:44| sslReadServer: FD 36: read failure: (104) Connection reset by peer
2005/11/22 13:25:46| sslReadServer: FD 34: read failure: (104) Connection reset by peer
2005/11/22 13:25:46| sslReadServer: FD 47: read failure: (104) Connection reset by peer
2005/11/22 13:53:19| sslReadServer: FD 25: read failure: (104) Connection reset by peer
2005/11/22 14:25:30| sslReadServer: FD 19: read failure: (104) Connection reset by peer
2005/11/22 15:24:44| sslReadServer: FD 24: read failure: (104) Connection reset by peer
2005/11/22 16:11:55| sslReadServer: FD 23: read failure: (104) Connection reset by peer


And here is my squid.conf for good measure:

Quote
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 7200 # NF Reuters http
acl CONNECT method CONNECT
acl Irvine_Network src 172.16.3.0/255.255.255.0 192.10.30.0/255.255.255.0 192.168.218.0/255.255.255.0 192.168.3.0/255.255.255.0
acl Email dstdomain "/usr/local/squid/acls/email"
acl Exceptions src 172.16.3.66/255.255.255.255
acl NF dst 192.168.3.0/24

no_cache deny QUERY all localhost SSL_ports Safe_ports Irvine_Network NF

http_access allow Exceptions
http_access allow localhost
http_access deny Email
http_access allow Irvine_Network
http_access deny all
http_access deny to_localhost
miss_access allow all

http_reply_access allow all
icp_access allow all
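
The access.log in the post above mixes two request shapes: absolute URLs (`http://host/path`), which a browser sends when it is configured to use a proxy, and path-only targets, which a browser sends when it believes it is talking to the web server and puts the hostname in the `Host` header. The following is an added example, not part of the thread or of Squid: a Python sketch that classifies each logged request by target form and lists the clients whose path-only requests were rejected with 400. The function names are assumptions; the sample lines are copied from the log above.

```python
from collections import Counter, defaultdict

# Lines copied from the access.log quoted in the post above.
SAMPLE_LOG = """\
1132707035.518      5 172.16.3.66 TCP_DENIED/400 1551 GET /forums/posting.php?mode=reply&t=1647 - NONE/- text/html
1132708054.076     91 172.16.3.51 TCP_MISS/200 542 GET http://sportsmed.starwave.com/i/spacer.gif? - DIRECT/199.181.132.79 image/gif
1132708060.325      3 172.16.3.66 TCP_DENIED/400 1557 GET /multimedia/pictures/tuberide_1_11.18.05.jpg - NONE/- text/html
1132708061.276      0 172.16.3.156 TCP_MISS/503 1526 POST http://update.rcprograms.com/request.asp - NONE/- text/html
1132708061.785      1 172.16.3.66 TCP_DENIED/400 1585 GET /motion_flash_flv/hu_051122fischer.FLV_575K.motion_flv.flv - NONE/- text/html
"""

def target_form(method, target):
    """Classify the HTTP request-target as it was logged."""
    if method == "CONNECT":
        return "authority"              # host:port, used for tunnels
    if "://" in target.split("?", 1)[0]:
        return "absolute"               # scheme://host/path, proxy-aware client
    return "origin" if target.startswith("/") else "other"

def parse_line(line):
    """Parse one native-format access.log line; return None if malformed."""
    fields = line.split()
    result, _, status = fields[3].partition("/") if len(fields) >= 10 else ("", "", "")
    if not status.isdigit():
        return None
    return {"client": fields[2], "result": result, "status": int(status),
            "method": fields[5], "target": fields[6]}

def summarize(log_text):
    """Per client: count of each target form and of rejected path-only requests."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        form = target_form(entry["method"], entry["target"])
        summary[entry["client"]][form] += 1
        # Path-only target refused as a bad request: the "Invalid URL" case.
        if form == "origin" and (entry["result"], entry["status"]) == ("TCP_DENIED", 400):
            summary[entry["client"]]["origin_rejected_400"] += 1
    return {client: dict(counts) for client, counts in summary.items()}

def intercepted_clients(log_text):
    """Clients that had at least one path-only request rejected with 400."""
    return sorted(c for c, n in summarize(log_text).items() if n.get("origin_rejected_400"))

if __name__ == "__main__":
    print(intercepted_clients(SAMPLE_LOG))
```
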

Offline keever

  • Linux Noob !
  • Posts: 14
Invalid URL error message during Transparent/NAT proxy setup
« Reply #3 on: December 01, 2005, 04:02:22 PM »
Any thoughts out there?  I thought Squid would be a good replacement for the overly expensive Websense product, especially since we are only doing web-filtering and not other protocols, but it seems to be one headache after another.  I haven't been able to figure out why Squid rejects my attempt to connect to Webmin when I have my browser using Squid as a proxy.  That issue seems to have the same root cause that results in Squid returning a "(13) Permission denied" error when LAN users try to access an internal web server.  It doesn't seem to be an ACL issue, but a permissions issue regarding Squid interacting with the OS.  There is no clear solution in any Squid FAQs on their website, and none of the most popular Linux forums (linuxsolved and linuxquestions) have been able to figure this out.  Where can I find a solution to this?  Can anyone suggest a company that offers support contracts for commonly used Linux wares such as Squid?

taraj

  • Guest
Invalid URL error message during Transparent/NAT proxy setup
« Reply #4 on: December 07, 2005, 04:26:38 AM »
keever.. you will surely get the solution (if it is out there).