no explicit transparent proxy support enabled


Tek Bahadur Limbu
Dear All,

I am getting the following in my freebsd-6.1 transparent squid server cache log:


2007/05/22 14:42:56| NOTICE: no explicit transparent proxy support enabled. Assuming getsockname() works on intercepted connections

Squid compilation:

Squid Cache: Version 2.6.STABLE12
configure options: '--bindir=/usr/local/sbin' '--sysconfdir=/usr/local/etc/squid' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--enable-removal-policies=heap,lru' '--enable-async-io' '--enable-storeio=coss,diskd,aufs,ufs,null' '--enable-time-hack' '--enable-snmp' '--enable-underscores' '--enable-useragent-log' '--enable-kqueue' '--prefix=/usr/local' '--disable-ident-lookups' '--enable-cache-digests'

Does this error indicate some kind of problem with my Squid installation? Or is this just a harmless message?

Any suggestions are appreciated.

Thanking you...


--


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np

Re: no explicit transparent proxy support enabled

Odhiambo WASHINGTON
* On 22/05/07 15:18 +0545, Tek Bahadur Limbu wrote:
| Dear All,
|
| I am getting the following in my freebsd-6.1 transparent squid server cache log:
|
|
| 2007/05/22 14:42:56| NOTICE: no explicit transparent proxy support enabled. Assuming getsockname() works on intercepted connections
|
| Squid compilation:
|
| Squid Cache: Version 2.6.STABLE12
| configure options: '--bindir=/usr/local/sbin' '--sysconfdir=/usr/local/etc/squid' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--enable-removal-policies=heap,lru' '--enable-async-io' '--enable-storeio=coss,diskd,aufs,ufs,null' '--enable-time-hack' '--enable-snmp' '--enable-underscores' '--enable-useragent-log' '--enable-kqueue' '--prefix=/usr/local' '--disable-ident-lookups' '--enable-cache-digests'
|
| Does this error indicate some kind of problem with my Squid installation? Or is this just a harmless message?

Depends. Does your squid work as you expect?

cd /usr/ports/www/squid
make config
# At this point, select the options you want.

You need certain directives in squid.conf for transparent proxying.
You will find them in squid.conf.default, which is by far the best
starting point.
Google is also there :-)


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington    <[hidden email]>
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+

        WARNING TO ALL PERSONNEL:

Firings will continue until morale improves.


Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
On Tue, 22 May 2007 13:27:56 +0300
Odhiambo WASHINGTON <[hidden email]> wrote:

> * On 22/05/07 15:18 +0545, Tek Bahadur Limbu wrote:
> | Dear All,
> |
> | I am getting the following in my freebsd-6.1 transparent squid server cache log:
> |
> |
> | 2007/05/22 14:42:56| NOTICE: no explicit transparent proxy support enabled. Assuming getsockname() works on intercepted connections
> |
> | Squid compilation:
> |
> | Squid Cache: Version 2.6.STABLE12
> | configure options: '--bindir=/usr/local/sbin' '--sysconfdir=/usr/local/etc/squid' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--enable-removal-policies=heap,lru' '--enable-async-io' '--enable-storeio=coss,diskd,aufs,ufs,null' '--enable-time-hack' '--enable-snmp' '--enable-underscores' '--enable-useragent-log' '--enable-kqueue' '--prefix=/usr/local' '--disable-ident-lookups' '--enable-cache-digests'
> |
> | Does this error indicate some kind of problem with my Squid installation? Or is this just a harmless message?
>
> Depends. Does your squid work as you expect?

Hi Wash,

Yes, my squid proxy works as expected. For some reason, I am seeing the above-mentioned messages in my cache.log.

>
> cd /usr/ports/www/squid
> make config
> # At this point, select the options you want.

By the way, I did not install Squid from FreeBSD ports. I just installed it from source.

>
> You need certain directives in squid.conf for transparent proxying.
> You will find them in squid.conf.default, which is by far the best
> starting point.

Currently, my freebsd proxy is simply functioning as a transparent forward proxy.

In my squid.conf, I have the following:

http_port 3128 transparent

Isn't the above directive enough? Do you recommend any other options and tweaks in squid.conf for transparent proxying?



> Google is also there :-)

Yes, I am googling too:)
Thanks for your suggestions and feedback.



Re: no explicit transparent proxy support enabled

Henrik Nordström
In reply to this post by Tek Bahadur Limbu
Tue 2007-05-22 at 15:18 +0545, Tek Bahadur Limbu wrote:

> I am getting the following in my freebsd-6.1 transparent squid server cache log:

> 2007/05/22 14:42:56| NOTICE: no explicit transparent proxy support enabled. Assuming getsockname() works on intercepted connections

Depends on the OS and interception method if this is fine or not. The
message is there because Squid is not sure.

Simple test:

telnet squid-cache.org 80
GET /

If you get back the (old) squid-cache.org homepage and "GET
http://12.160.37.9/" is logged in access.log then it's fine. If you get
an error from Squid then you need a configure option enabling support
for your method of interception.

Regards
Henrik
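
Added example, not part of the original thread: a Python sketch that reads httpd-style access.log lines (the layout of the excerpts posted later in this thread) and reports, per client, whether the bare `GET /` test came back with a URL rebuilt from the destination address or with `error:invalid-request`. The function names, verdict labels and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# httpd-style access.log layout, as in the excerpts quoted in this thread.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ (?P<result>[A-Z_]+):\S+$'
)
# A URL whose host is a bare IPv4 address: the test request carried no Host
# header, so Squid built the URL from the connection's original destination.
IP_URL_RE = re.compile(r'^http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/')


def classify(line):
    """Return (client, verdict) for one access.log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, "unparsed"
    if m["url"] == "error:invalid-request":
        return m["client"], "failed"      # request rejected as invalid
    if IP_URL_RE.match(m["url"]) and m["status"][0] in "23":
        return m["client"], "ok"          # destination recovered and fetched
    return m["client"], "other"           # ordinary traffic, not the test


def summarize(lines):
    """Per-client verdict: 'ok', 'broken', 'mixed' or 'no-test-seen'."""
    counts = defaultdict(Counter)
    for line in lines:
        client, verdict = classify(line)
        if client is not None:
            counts[client][verdict] += 1
    report = {}
    for client, c in counts.items():
        if c["ok"] and c["failed"]:
            report[client] = "mixed"      # some destinations work, some do not
        elif c["failed"]:
            report[client] = "broken"
        elif c["ok"]:
            report[client] = "ok"
        else:
            report[client] = "no-test-seen"
    return report


# Constructed sample lines (documentation addresses, not copied from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [23/May/2007:15:05:59 +0545] "GET error:invalid-request HTTP/0.0" 400 1208 TCP_DENIED:NONE
192.0.2.10 - - [23/May/2007:16:25:38 +0545] "GET http://198.51.100.7/ HTTP/1.0" 200 3403 TCP_MISS:DIRECT
192.0.2.20 - - [23/May/2007:22:58:56 +0545] "GET http://198.51.100.7/ HTTP/0.9" 200 4670 TCP_MEM_HIT:NONE
192.0.2.30 - - [23/May/2007:15:06:43 +0545] "GET error:invalid-request HTTP/0.0" 400 1208 TCP_DENIED:NONE
192.0.2.40 - - [23/May/2007:16:30:00 +0545] "GET http://www.example.com/ HTTP/1.1" 200 512 TCP_MISS:DIRECT
""".splitlines()

if __name__ == "__main__":
    for client, verdict in sorted(summarize(SAMPLE_LOG).items()):
        print(client, verdict)
```

A "mixed" verdict for one client means the same test succeeded for some destinations and failed for others, which points at the interception path rather than at how the request was typed.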


Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
On Tue, 22 May 2007 19:25:22 +0200
Henrik Nordstrom <[hidden email]> wrote:

> Tue 2007-05-22 at 15:18 +0545, Tek Bahadur Limbu wrote:
>
> > I am getting the following in my freebsd-6.1 transparent squid server cache log:
>
> > 2007/05/22 14:42:56| NOTICE: no explicit transparent proxy support enabled. Assuming getsockname() works on intercepted connections
>
> Depends on the OS and interception method if this is fine or not. The
> message is there because Squid is not sure.
>
> Simple test:
>
> telnet squid-cache.org 80
> GET /
>
> If you get back the (old) squid-cache.org homepage and "GET
> http://12.160.37.9/" is logged in access.log then it's fine. If you get
> an error from Squid then you need a configure option enabling support
> for your method of interception.
>

Hi Hendrik,

I do get back the (old) squid-cache.org homepage from the proxy server itself. But I get an error from Squid if I telnet from my PC. Is this normal?


> Regards
> Henrik
>



Re: no explicit transparent proxy support enabled

Adrian Chadd
On Wed, May 23, 2007, Tek Bahadur Limbu wrote:

> I do get back the (old) squid-cache.org homepage from the proxy server itself. But I get an error from Squid if I telnet from my PC. Is this normal?

Nope.

I've "fixed" transparent support for FreeBSD IPFW in Squid-3 only last
week. I could be coaxed into doing it for Squid-2 and squid-2.6 over
this weekend..



Adrian

Re: no explicit transparent proxy support enabled

Henrik Nordström
In reply to this post by Tek Bahadur Limbu
Wed 2007-05-23 at 11:07 +0545, Tek Bahadur Limbu wrote:

> Hi Hendrik,
>
> I do get back the (old) squid-cache.org homepage from the proxy server itself. But I get an error from Squid if I telnet from my PC. Is this normal?

No, not normal. The test is only valid from your PC, not from the proxy
server itself. It's a test that the traffic is properly intercepted, not
a test that the proxy has connectivity.

What does access.log say?

Anything in cache.log?

Regards
Henrik

Re: no explicit transparent proxy support enabled

Henrik Nordström
In reply to this post by Adrian Chadd
Wed 2007-05-23 at 13:34 +0800, Adrian Chadd wrote:

> I've "fixed" transparent support for FreeBSD IPFW in Squid-3 only last
> week. I could be coaxed into doing it for Squid-2 and squid-2.6 over
> this weekend..

Squid-2.6 supports getsockname() since 2.6.STABLE2 (Bug #1671).

Regards
Henrik

Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
In reply to this post by Henrik Nordström
On Wed, 23 May 2007 09:20:34 +0200
Henrik Nordstrom <[hidden email]> wrote:

> Wed 2007-05-23 at 11:07 +0545, Tek Bahadur Limbu wrote:
>
> > Hi Hendrik,
> >
> > I do get back the (old) squid-cache.org homepage from the proxy server itself. But I get an error from Squid if I telnet from my PC. Is this normal?
>
> No, not normal. The test is only valid from your PC, not from the proxy
> server itself. It's a test that the traffic is properly intercepted, not
> a test that the proxy has connectivity.

>
> What does access.log say?

202.x.x.x - - [23/May/2007:15:05:59 +0545] "GET error:invalid-request HTTP/0.0" 400 1208 TCP_DENIED:NONE
202.x.x.x - - [23/May/2007:15:06:43 +0545] "GET error:invalid-request HTTP/0.0" 400 1208 TCP_DENIED:NONE


> Anything in cache.log?

2007/05/23 15:06:43| clientReadRequest: FD 1511 (202.x.x.x:45510) Invalid Request
2007/05/23 15:08:12| clientReadRequest: FD 2467 (202.x.x.x:40301) Invalid Request

where 202.x.x.x is the IP address of my PC.

Thanks for your help and feedback.


> Regards
> Henrik
>



Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
In reply to this post by Adrian Chadd
On Wed, 23 May 2007 13:34:08 +0800
Adrian Chadd <[hidden email]> wrote:

> On Wed, May 23, 2007, Tek Bahadur Limbu wrote:
>
> > I do get back the (old) squid-cache.org homepage from the proxy server itself. But I get an error from Squid if I telnet from my PC. Is this normal?
>
> Nope.
>
> I've "fixed" transparent support for FreeBSD IPFW in Squid-3 only last
> week. I could be coaxed into doing it for Squid-2 and squid-2.6 over
> this weekend..

Hi Adrian,

Can you shed further light on this?

I am using IPFW with the following relevant entries:

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
$IPFW add allow tcp  from 202.x.x.x/19 to any  3128 in via bge0

>
>
>
> Adrian
>
>



Re: no explicit transparent proxy support enabled

Henrik Nordström
In reply to this post by Tek Bahadur Limbu
Wed 2007-05-23 at 15:11 +0545, Tek Bahadur Limbu wrote:

> > What does access.log say?
>
> 202.x.x.x - - [23/May/2007:15:05:59 +0545] "GET error:invalid-request HTTP/0.0" 400 1208 TCP_DENIED:NONE

Ok. Try

GET / HTTP/1.0
[blank line]

instead..

Regards
Henrik

Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
On Wed, 23 May 2007 11:58:17 +0200
Henrik Nordstrom <[hidden email]> wrote:

> Wed 2007-05-23 at 15:11 +0545, Tek Bahadur Limbu wrote:
>
> > > What does access.log say?
> >
> > 202.x.x.x - - [23/May/2007:15:05:59 +0545] "GET error:invalid-request HTTP/0.0" 400 1208 TCP_DENIED:NONE
>
> Ok. Try
>
> GET / HTTP/1.0
> [blank line]
>
> instead..

I will get the same error from the squid.

access.log says:

202.x.x.x - - [23/May/2007:16:13:22 +0545] "GET error:invalid-request HTTP/0.0" 400 1218 TCP_DENIED:NONE
202.x.x.x - - [23/May/2007:16:13:35 +0545] "GET error:invalid-request HTTP/0.0" 400 1218 TCP_DENIED:NONE

cache.log says:

2007/05/23 16:17:51| clientReadRequest: FD 121 (202.x.x.x:47688) Invalid Request
2007/05/23 16:18:31| clientReadRequest: FD 580 (202.x.x.x:41972) Invalid Request

When I telnet to www.google.com, I get the following:

202.x.x.x - - [23/May/2007:16:25:38 +0545] "GET http://72.14.253.104/ HTTP/1.0" 200 3403 TCP_MISS:DIRECT

202.x.x.x - - [23/May/2007:16:38:11 +0545] "GET http://72.14.253.103/ HTTP/1.0" 200 3403 TCP_MISS:DIRECT


By the way, most of the sites I telnet to show an error from Squid. Could this mean that my transproxy setup is not working as expected?

We have an Alteon load balancer in front of squid.

 
>
> Regards
> Henrik
>



Re: no explicit transparent proxy support enabled

Henrik Nordström
Wed 2007-05-23 at 17:07 +0545, Tek Bahadur Limbu wrote:

> I will get the same error from the squid.
>
> access.log says:
>
> 202.x.x.x - - [23/May/2007:16:13:22 +0545] "GET error:invalid-request HTTP/0.0" 400 1218 TCP_DENIED:NONE

Odd..

> When I telnet to www.google.com, I get the following:
>
> 202.x.x.x - - [23/May/2007:16:25:38 +0545] "GET http://72.14.253.104/ HTTP/1.0" 200 3403 TCP_MISS:DIRECT

Looks fine, so you should be OK.

But the fact that they differ is even very odd.. You are absolutely sure
you enter the exact same request in both cases?

Regards
Henrik

Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
Henrik Nordstrom wrote:

> Wed 2007-05-23 at 17:07 +0545, Tek Bahadur Limbu wrote:
>
>> I will get the same error from the squid.
>>
>> access.log says:
>>
>> 202.x.x.x - - [23/May/2007:16:13:22 +0545] "GET error:invalid-request HTTP/0.0" 400 1218 TCP_DENIED:NONE
>
> Odd..
>
>> When I telnet to www.google.com, I get the following:
>>
>> 202.x.x.x - - [23/May/2007:16:25:38 +0545] "GET http://72.14.253.104/ HTTP/1.0" 200 3403 TCP_MISS:DIRECT
>
> Looks fine, so you should be OK.
>
> But the fact that they differ is even very odd.. You are absolutely sure
> you enter the exact same request in both cases?

Hi Hendrik,

I am absolutely sure that I did not make any typing mistake:)


I do see the following in my access.log from a telnet session from my
home network:

202.x.x.x - - [23/May/2007:22:58:56 +0545] "GET http://12.160.37.9/ 
HTTP/0.9" 200 4670 TCP_MEM_HIT:NONE

I think that the problem arose from my office network layout. I think
that web traffic seems to be having some problems with squid
transparency in my office network.

Anyway, I will further investigate tomorrow. I would like to thank you
and all others for your help and suggestions.

Thanking you...

>
> Regards
> Henrik

Re: no explicit transparent proxy support enabled

Tek Bahadur Limbu
On Wed, 23 May 2007 23:15:55 +0545
Tek Bahadur Limbu <[hidden email]> wrote:

> Henrik Nordstrom wrote:
> > Wed 2007-05-23 at 17:07 +0545, Tek Bahadur Limbu wrote:
> >
> >> I will get the same error from the squid.
> >>
> >> access.log says:
> >>
> >> 202.x.x.x - - [23/May/2007:16:13:22 +0545] "GET error:invalid-request HTTP/0.0" 400 1218 TCP_DENIED:NONE
> >
> > Odd..
> >
> >> When I telnet to www.google.com, I get the following:
> >>
> >> 202.x.x.x - - [23/May/2007:16:25:38 +0545] "GET http://72.14.253.104/ HTTP/1.0" 200 3403 TCP_MISS:DIRECT
> >
> > Looks fine, so you should be OK.
> >
> > But the fact that they differ is even very odd.. You are absolutely sure
> > you enter the exact same request in both cases?
>
> Hi Hendrik,
>
> I am absolutely sure that I did not make any typing mistake:)
>
>
> I do see the following in my access.log from a telnet session from my
> home network:
>
> 202.x.x.x - - [23/May/2007:22:58:56 +0545] "GET http://12.160.37.9/ 
> HTTP/0.9" 200 4670 TCP_MEM_HIT:NONE
>
> I think that the problem arose from my office network layout. I think
> that web traffic seems to be having some problems with squid
> transparency in my office network.
>
> Anyway, I will further investigate tomorrow. I would like to thank you
> and all others for your help and suggestions.
>
> Thanking you...

Hi Hendrik,

From my observation since the last few days, it seems that enabling the 2 compilation options below:
  --enable-ipf-transparent
  --enable-pf-transparent

were causing the squid transparency using IPFW to fail. I had thought about using either PF or IPF to make squid transparent. However due to some constraints, I am still using IPFW.

After compiling Squid without the 2 above options, Squid is working as expected. I would like to thank you and all others involved for your great help and support.


Thanking you...



>
> >
> > Regards
> > Henrik
>
>



Re: no explicit transparent proxy support enabled

Henrik Nordström
Sun 2007-05-27 at 17:06 +0545, Tek Bahadur Limbu wrote:

> From my observation since the last few days, it seems that enabling the 2 compilation options below:
>   --enable-ipf-transparent
>   --enable-pf-transparent
>
> were causing the squid transparency using IPFW to fail.

Yes. Squid supports only one interception method at a time. If you use
one of the configure options you must also use the same interception
method.

It's not supported to specify more than one of these configure options,
only one of them will be active.

Regards
Henrik
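
Added example, not part of the original thread: a Python sketch that reads the `configure options:` line printed by `squid -v` and compares the interception options named in this thread with the packet filter actually in use. The function names, finding codes and sample build strings are constructed; treating IPFW as needing no build option is an assumption drawn from this thread's outcome.

```python
import shlex

# Build options named in this thread, mapped to the packet filter each expects.
INTERCEPT_OPTS = {
    "--enable-ipf-transparent": "ipf",
    "--enable-pf-transparent": "pf",
}
# Assumption drawn from the thread: IPFW "fwd" needs no build option, because
# Squid falls back to getsockname() when no interception method is compiled in.
KNOWN_FIREWALLS = {"ipfw", "ipf", "pf"}


def configure_options(squid_v_output):
    """Extract the option list from the 'configure options:' line of `squid -v`."""
    for line in squid_v_output.splitlines():
        if line.strip().lower().startswith("configure options:"):
            return shlex.split(line.split(":", 1)[1])
    return []


def audit(squid_v_output, firewall):
    """Return a list of (code, message) findings; an empty list means consistent."""
    if firewall not in KNOWN_FIREWALLS:
        raise ValueError("unknown firewall: %r" % firewall)
    opts = configure_options(squid_v_output)
    built_for = sorted({INTERCEPT_OPTS[o] for o in opts if o in INTERCEPT_OPTS})
    findings = []
    if len(built_for) > 1:
        findings.append(("multiple-methods",
                         "built for %s; only one of them will be active"
                         % ", ".join(built_for)))
    wrong = [m for m in built_for if m != firewall]
    if wrong:
        findings.append(("method-mismatch",
                         "built for %s but traffic is redirected by %s"
                         % (", ".join(wrong), firewall)))
    if firewall != "ipfw" and firewall not in built_for:
        findings.append(("missing-option",
                         "no %s support compiled in; Squid will assume "
                         "getsockname() works, confirm with the telnet test"
                         % firewall))
    return findings


# Constructed `squid -v` output, shortened from the layout shown in the thread.
BUILD_BOTH = """Squid Cache: Version 2.6.STABLE12
configure options: '--prefix=/usr/local' '--enable-kqueue' '--enable-ipf-transparent' '--enable-pf-transparent'
"""
BUILD_PLAIN = """Squid Cache: Version 2.6.STABLE12
configure options: '--prefix=/usr/local' '--enable-kqueue'
"""

if __name__ == "__main__":
    for code, message in audit(BUILD_BOTH, "ipfw"):
        print(code + ":", message)
```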