no response from the proxy squid parent

yannick.rousseau
Hi, 

I'm using squid (4.6) on my server (debianedu buster LTSP), and I'm trying to configure a parent proxy.

At first, when I configure the client's firefox (manual proxy configuration) with the ip and port of the parent proxy, it's ok, I can surf on the internet. 

But I would like to configure my server's Squid Proxy to forward to a parent proxy (172.16.103.254:3128)
-> So I add these two lines at the end of squid.conf:
cache_peer 172.16.103.254 parent 3128 0 no-query no-digest
never_direct allow all

-> And restart squid. It seems to be ok:
# cat /var/log/squid/cache.log
(.....)
2020/06/23 09:51:12 kid1| Configuring Parent 172.16.103.254/3128/0
(....)

-> Then I configure firefox to use system proxy settings, but when I try to google something or visit debian-fr.org, it doesn't work (no response from the proxy). But my squid's configuration seems to be ok:
# cat /var/log/squid/access.log
(....)
1592921221.753    138 10.0.2.2 TCP_TUNNEL/403 361 CONNECT www.google.com:443 - FIRSTUP_PARENT/172.16.103.254 -
1592921275.641    521 10.0.2.2 TCP_MISS/403 4289 GET http://www.debian-fr.org/ - FIRSTUP_PARENT/172.16.103.254 text/html
1592921275.692      0 10.0.2.2 TCP_HIT/200 13072 GET
(...)

Is it possible that the squid parent refuses to have "a child"?

Thanks a lot for your help.




--
Sent securely with Tutanota. Get your own encrypted email address:
https://tutanota.com

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: no response from the proxy squid parent

Amos Jeffries
Administrator
On 24/06/20 7:27 am, [hidden email] wrote:

> Hi, 
>
> I'm using squid (4.6) on my server (debianedu buster LTSP), and I'm
> trying to configure a parent proxy.
>
> At first, when I configure the client's firefox (manual proxy
> configuration) with the ip and port of the parent proxy, it's ok, I can
> surf on the internet. 
>
> But I would like to configure my server's Squid Proxy to forward to a
> parent proxy (172.16.103.254:3128)
> -> So I add these two lines at the end of squid.conf:
> cache_peer 172.16.103.254 parent 3128 0 no-query no-digest
> never_direct allow all
>
> -> And restart squid. It seems to be ok:
> # cat /var/log/squid/cache.log
> (.....)
> 2020/06/23 09:51:12 kid1| Configuring Parent 172.16.103.254/3128/0
> (....)
>
> -> Then I configure firefox to use system proxy settings, but when I try
> to google something or visit debian-fr.org, it doesn't work (no response
> from the proxy).

That is odd. The log shows a 403 response being delivered by the parent
proxy and delivered to Firefox.

Browsers refuse to display proxy responses on CONNECT requests. So the
first is expected. But the second one using http:// should be shown.


> But my squid's configuration seems to be ok:
> # cat /var/log/squid/access.log
> (....)
> 1592921221.753    138 10.0.2.2 TCP_TUNNEL/403 361
> CONNECT www.google.com:443 -
> FIRSTUP_PARENT/172.16.103.254 -
> 1592921275.641    521 10.0.2.2 TCP_MISS/403 4289
> GET http://www.debian-fr.org/ - FIRSTUP_PARENT/172.16.103.254 text/html
> 1592921275.692      0 10.0.2.2 TCP_HIT/200 13072 GET
> (...)
>
> Is it possible that the squid parent refuse to have "a child" ?

Maybe. You will need to know the parent proxy configuration to tell
that. All that is visible from the detail you have shown is that parent
proxy has forbidden the requests it is receiving.


Amos
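
The reading of the log given in the reply above, as an added Python example that is not part of the original posts: in Squid's native access.log format the hierarchy field tells whether a 403 was relayed from the parent or issued by the local Squid. The third sample line is constructed for contrast, and the `PARENT`/`HIER_NONE` matching is a heuristic assumed here.

```python
import re
from collections import Counter

# Lines 1, 2 and 4 are from the post (line 4 is truncated there); line 3 is
# constructed to show a denial issued by the local Squid itself.
SAMPLE_LOG = """\
1592921221.753    138 10.0.2.2 TCP_TUNNEL/403 361 CONNECT www.google.com:443 - FIRSTUP_PARENT/172.16.103.254 -
1592921275.641    521 10.0.2.2 TCP_MISS/403 4289 GET http://www.debian-fr.org/ - FIRSTUP_PARENT/172.16.103.254 text/html
1592921300.000      0 10.0.2.2 TCP_DENIED/403 3900 GET http://example.invalid/ - HIER_NONE/- text/html
1592921275.692      0 10.0.2.2 TCP_HIT/200 13072 GET
"""

# Squid native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def classify(line):
    """Return who produced an HTTP 403, or None if the line is not a parsed 403."""
    m = LINE_RE.match(line.strip())
    if m is None or m["status"] != "403":
        return None                      # truncated line or a different status
    if m["result"] == "TCP_DENIED" or m["hier"] == "HIER_NONE":
        return "local"                   # denied by this Squid's own access rules
    if "PARENT" in m["hier"]:
        return "parent:" + m["peer"]     # response relayed from a cache_peer parent
    return "origin:" + m["peer"]         # fetched directly from the origin server

def summarize(log_text):
    """Count 403 responses per source over a whole log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        source = classify(line)
        if source:
            counts[source] += 1
    return counts

if __name__ == "__main__":
    for source, n in summarize(SAMPLE_LOG).items():
        print(f"{n} x 403 from {source}")
```
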

Re: no response from the proxy squid parent

yannick.rousseau
Hi,

Here's one more clue (thanks, Wireshark):

-> When I try to surf on the Net with client's firefox configured (manual proxy configuration) with the ip and port of the parent proxy, it's ok:
58 5.940721294 172.16.103.101 172.16.103.254 HTTP 255 CONNECT www.google.com:443 HTTP/1.1
62 6.046854511 172.16.103.254 172.16.103.101 HTTP 75 HTTP/1.1 200 Connection established

-> When I configure firefox to use system proxy settings, it doesn't work:
35 4.798844976 172.16.103.101 172.16.103.254 HTTP 265 GET http://172.16.103.254:3128/squid-internal-dynamic/netdb HTTP/1.1
47 4.800699191 172.16.103.254 172.16.103.101 HTTP 890 HTTP/1.1 403 Forbidden  (text/html)

I think I'm going to disable netdb by adding no-netdb-exchange in my conf.
And by the way, what's the difference between CONNECT and GET?

Yannick


--
Sent securely with Tutanota. Get your own encrypted email address:
https://tutanota.com



Re: no response from the proxy squid parent

yannick.rousseau
In reply to this post by Amos Jeffries
Hi,
I've noticed one more difference between the CONNECT packets (it appears in the HTTP layer):

--> client's firefox configured with the ip and port of the parent proxy (172.16.103.254:3128), surf on the Net ok:

Frame 58: 255 bytes on wire (2040 bits), 255 bytes captured (2040 bits) on interface eth1, id 0
Ethernet II, Src: D-LinkIn_79:24:ed (ac:f1:df:79:24:ed), Dst: VMware_92:8a:f2 (00:0c:29:92:8a:f2)
Internet Protocol Version 4, Src: 172.16.103.101, Dst: 172.16.103.254
Transmission Control Protocol, Src Port: 35604, Dst Port: 3128, Seq: 1, Ack: 1, Len: 201
Hypertext Transfer Protocol
    CONNECT www.google.com:443 HTTP/1.1\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n
    Proxy-Connection: keep-alive\r\n
    Connection: keep-alive\r\n
    Host: www.google.com:443\r\n
    \r\n
    [Full request URI: www.google.com:443]
    [HTTP request 1/1]
    [Response in frame: 62]


--> client's firefox configured to use system proxy settings (can't surf on the Net):

Frame 620: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface eth1, id 0
Ethernet II, Src: D-LinkIn_79:24:ed (ac:f1:df:79:24:ed), Dst: VMware_92:8a:f2 (00:0c:29:92:8a:f2)
Internet Protocol Version 4, Src: 172.16.103.101, Dst: 172.16.103.254
Transmission Control Protocol, Src Port: 35528, Dst Port: 3128, Seq: 1, Ack: 1, Len: 241
Hypertext Transfer Protocol
    CONNECT www.google.com:443 HTTP/1.1\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n
    Host: www.google.com:443\r\n
    Via: 1.1 tjener.intern (squid/4.6)\r\n
    X-Forwarded-For: 10.0.2.2\r\n      -> request field introduced by squid
    Cache-Control: max-age=259200\r\n  -> if the cache is removed from the config, is it still there?
    \r\n
    [Full request URI: www.google.com:443]
    [HTTP request 1/1]
    [Response in frame: 624]


Remarks: tjener.intern is my server with squid (172.16.103.101) and 172.16.103.254:3128 is the parent.
                  10.0.2.2 is the IP of the client.

If you have any idea to help me to fix this ....

Thanks for your answer.

Yannick
--
Securely sent with Tutanota. Get your own encrypted, ad-free mailbox:
https://tutanota.com



Re: no response from the proxy squid parent

Amos Jeffries
Administrator
On 28/06/20 3:09 am, [hidden email] wrote:
> Hi,
> I've noticed one more difference between the CONNECT packets (it appears
> in the HTTP layer):
>
...
>
> If you have any idea to help me to fix this ....
>

You can try adding this to squid.conf:

 forwarded_for transparent


Amos
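
The comparison of the two captured CONNECT requests that led to this suggestion, as an added Python example that is not part of the original posts: it diffs the headers the child Squid added or dropped and names the squid.conf directive governing the ones that disclose internal details upstream. The request strings are rebuilt from the Wireshark dissections in the thread; the `KNOWN` table is an assumption of this example, and the thread does not show which header the parent's policy rejected.

```python
# Constructed from the two Wireshark dissections quoted in the thread.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
DIRECT = (  # Firefox -> parent, answered with 200
    "CONNECT www.google.com:443 HTTP/1.1\r\n"
    f"User-Agent: {UA}\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "Connection: keep-alive\r\n"
    "Host: www.google.com:443\r\n\r\n"
)
VIA_CHILD = (  # child Squid -> parent, answered with 403
    "CONNECT www.google.com:443 HTTP/1.1\r\n"
    f"User-Agent: {UA}\r\n"
    "Host: www.google.com:443\r\n"
    "Via: 1.1 tjener.intern (squid/4.6)\r\n"
    "X-Forwarded-For: 10.0.2.2\r\n"
    "Cache-Control: max-age=259200\r\n\r\n"
)

# header -> (what it tells the upstream, squid.conf directive that governs it)
KNOWN = {
    "x-forwarded-for": ("internal client address", "forwarded_for"),
    "via": ("proxy hostname and software version", "via"),
}

def parse_headers(raw):
    """Return {lower-cased name: value} for one raw HTTP request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:                               # ignore malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers

def hop_diff(before, after):
    """Headers the intermediary added or dropped between two captures."""
    a, b = parse_headers(before), parse_headers(after)
    added = {k: v for k, v in b.items() if k not in a}
    dropped = sorted(k for k in a if k not in b)
    review = {k: KNOWN[k] for k in added if k in KNOWN}
    return added, dropped, review

if __name__ == "__main__":
    added, dropped, review = hop_diff(DIRECT, VIA_CHILD)
    print("added:", added)
    print("dropped:", dropped)
    for name, (leak, directive) in review.items():
        print(f"{name}: discloses {leak}; see '{directive}' in squid.conf")
```

With `forwarded_for transparent` Squid leaves X-Forwarded-For unaltered, so a request that arrives without that header is forwarded without it.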

Re: no response from the proxy squid parent

yannick.rousseau
Thanks a lot: it works fine now!
The line forwarded_for transparent was the solution.

Thanks again.

Yannick

--
Sent securely with Tutanota. Get your own encrypted email address:
https://tutanota.com

