A problem with iptables and proxy server

Freelancer

Sep 22, 2008
I am using Fedora 12 and I have installed squid through yum. I have configured iptables so that all traffic to port 80 is redirected to squid. I have enabled squid to run as a transparent proxy server by having the line http_port proxy_server_ip:3128 in squid.conf. Now the problem I have is that only https traffic passes through the proxy without any problem; http traffic can't pass. I get the message "invalid url" returned by squid. I have searched in every forum and can't find a solution that solves my problem. I am using broadband to connect to the internet. Maybe if you have encountered the same problem before and you got the solution, please help. My squid version is 3.x...
 
Are you getting invalid certificate or invalid URL error? What is the exact error message?

Are you blocking plain http somewhere in squid/firewall rules?

Did you configure port 80 as a safe port in your ACL?
 
I'm getting invalid url from squid. Yes, port 80 is among the safe ports. In my iptables there is no place where I have specified to allow only traffic from port 443, which is https. It is very strange. And many people are getting it in Fedora. Maybe I should get the sources for squid and compile them with transparent for my kernel.
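As an added example (not code from any poster in this thread), here is a small Python checker for the points the replies raise: whether the port that the iptables rule redirects to is declared on an http_port line with Squid's intercept flag (`intercept` in 3.1+, `transparent` in 3.0), whether port 80 is a Safe_port, and whether every ACL named in http_access is declared. The iptables rule, the interface name and the addresses in the sample are assumptions.

```python
"""Lint a squid.conf for the transparent-proxy pitfalls raised in this thread; assumes
the usual rule: iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128"""
INTERCEPT_FLAGS = {"intercept", "transparent"}   # Squid 3.1+ keyword, Squid 3.0 keyword
# Constructed sample: the poster's http_port line plus wiki-style access rules.
BROKEN_CONF = """\
http_port 192.0.2.1:3128
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""
# Same config with the intercept flag added and the missing SSL_ports ACL declared.
FIXED_CONF = BROKEN_CONF.replace("3128\n", "3128 intercept\n", 1).replace(
    "acl CONNECT", "acl SSL_ports port 443\nacl CONNECT", 1)

def parse_directives(conf):
    """Yield (directive, args) with comments and blank lines stripped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def check_transparent(conf, redirect_port):
    """Return findings for a squid.conf that sits behind an iptables REDIRECT."""
    findings, declared, safe_ports, listens, refs = [], set(), set(), {}, []
    for name, args in parse_directives(conf):
        if name == "http_port" and args:
            listens[args[0].rsplit(":", 1)[-1]] = set(args[1:])  # drop optional ip:
        elif name == "acl" and len(args) >= 2:
            declared.add(args[0])
            if args[0] == "Safe_ports" and args[1] == "port":
                safe_ports.update(args[2:])
        elif name == "http_access":
            refs.extend(a.lstrip("!") for a in args[1:])
    port = str(redirect_port)
    if not listens.get(port, set()) & INTERCEPT_FLAGS:
        findings.append(f"no http_port {port} with intercept/transparent: intercepted "
                        "requests carry only a path, so Squid answers Invalid URL")
    if "80" not in safe_ports:
        findings.append("port 80 not in Safe_ports: 'http_access deny !Safe_ports' blocks it")
    for acl in refs:
        if acl not in declared:  # Squid refuses to start on an undeclared ACL name
            findings.append(f"http_access references undeclared ACL {acl}")
    return findings
```

Squid 3.2 and later predefine the `all` ACL, so on those versions treat `all` as declared before trusting the undeclared-ACL finding.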
 
If many people are getting it, check with the known bugs in Fedora just to make sure it is not a known bug; you don't wanna waste your time troubleshooting something that is a known bug.

Also, probably long shots, but in the spirit of leaving no stone unturned, see the links below for any relevant info/patches (long shot) or directions (in the wiki).

SquidFaq/TroubleShooting - Squid Web Proxy Wiki

SecurityTracker.com Archives - Squid HTTP Request Processing Error Lets Remote Users Deny Service
 
It is not listed among Fedora bugs. Anyone who has come across this problem and knows the solution, please help.
 
Dude, I am not so familiar with Fedora Core nor its configuration. But in the interest of trying to find a solution for the problem you presented here, I came across a site where settings for squid.conf are mentioned. Well, just in case your setting of the ports etc. is incorrect, or indeed you are yet to come across the site, here is the link: How To: Configure Squid Proxy Server | Fedora Linux.

I will paste below the contents from the site, just in case the link becomes defunct.

Code:
# The port on which squid will listen for requests
http_port 8080
# If 'cgi-bin' or '?' is in query, squid should not check with neighbours'/parents' cache
# and should go to target web-server.
hierarchy_stoplist cgi-bin ?
# If url contains 'cgi-bin' or '?', then it must not be cached
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
# Access control list to control every IP address
acl all src 0.0.0.0/0.0.0.0
# Access control list for source machine in LAN
acl lan_src src 192.168.0.0/16
# Access control list for destination machine in LAN
acl lan_dst dst 192.168.0.0/16
# Access control list to manage squid cache
acl manager proto cache_object
# Access control list to define IP address allowed for source localhost
acl localhost src 127.0.0.1/255.255.255.255
# Access control list to define IP addresses allowed for localhost as destination
acl to_localhost dst 127.0.0.0/8
# Access control list to define Safe ports that should be allowed by default
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Allow cache management only from localhost
http_access allow manager localhost
# Deny cache management from remote hosts
http_access deny manager
# Deny http access via all the ports which are not listed as safe
http_access deny !Safe_ports
# Deny all connections via all ports which are not listed as safe
http_access deny CONNECT !SSL_ports
# Allow http access from localhost
http_access allow localhost
# Allow http access from machines on LAN
http_access allow lan_src
http_access deny all
http_reply_access allow all
icp_access allow all
# Deny caching for everyone so that there is not caching at all
cache deny all
coredump_dir /var/spool/squid
# Never allow direct connection to machines on the internet
prefer_direct off
never_direct allow all
# Allow direct connection if the destination machine is on LAN
always_direct allow lan_dst
# Delete this line if you don't have /etc/hosts file
hosts_file /etc/hosts
# Allow AIM connections
# Delete the following 9 lines if you don't want people to connect to AIM
acl AIM_ports port 5190 9898 6667
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains
# Allow connections to Yahoo Messenger
# Delete the following 6 lines if you don't want people to connect to Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
# Allow connections to Google Talk
# Delete the following 6 lines if you don't want people to connect to Google Talk
acl GTALK_ports port 5222 5050
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains
# Allow connections to MSN
# Delete the following 6 lines if you don't want people to connect to MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts
 