Collectives™ on Stack Overflow
Find centralized, trusted content and collaborate around the technologies you use most.
Learn more about Collectives
Teams
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Learn more about Teams
I'm having a device which needs to connect to an internet service on tcp:80 but the network has no direct internet access. So I'm using a squid proxy to solve this.
The device allows me to enter proxyserver, port, username and password.
I figured out, that the device uses http CONNECT instead of http GET (which is working fine with my browser).
When the device tries to connect, it gets an http error 400.
The squid access.log gives me only this:
1338885433.033 0 172.22.140.129 TCP_DENIED/400 1728 CONNECT :0 - NONE/- text/html
So I captured the packets to really see whats going on:
Request from device:
CONNECT mydomain.com:0 HTTP/1.0
User-agent: Sequencer/5.5.0.5539
Answer from squid:
HTTP/1.0 400 Bad Request
squid/2.7.STABLE9
X-Squid-Error: ERR_INVALID_URL 0
close
My squid.conf:
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl checkpw proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow CONNECT
http_access allow localnet
http_access allow localhost
http_access allow checkpw all
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
debug_options ALL,1 33,2 28,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
forwarded_for off
coredump_dir /var/spool/squid
Is there any solution to get rid of the ERR_INVALID_URL? Did I missunderstood the concept of the squid proxy or is the request from the device invalid?
Please let me know if any other information is needed.
Thank you in advance,
Christian.
–
–
I resolved the same error by commenting out from the default squid.conf:
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
By default Squid is set up to not allow CONNECT to non-SSL ports. If you want to test without SSL you can disable this by commenting out the line above.
I had the non SSL ports connection allowed as mentioned above but forgot to open the acl from the network I was trying to access. Opening that fixed the issue:
acl localnet src 1.1.0.0/24 # <- My Internal network I am accessing from
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
–
For me it was the opposite of @peaxol: I had the acl defined but not the http_access allow rule. I had to add them:
acl vpn src xx.xx.xx.xx/xx
http_access allow vpn
–
I have solved it with the product support of the device.
They showed me a way to enable a more detailed debug view of the proxy connection process.
There was a line in the logfile "unable to connect to relay 0.0.0.0"
So I checked the dns server settings of the device, a there was a typo. Thats it.
Old question and partially replied already but wanted to clarify before people start poking the configuration. TCP_DENIED means that the connection was blocked (of course) by squid, after the TCP_DENIED you get the HTTP error code.
400 Means Bad Request. This mainly means that the protocol/port/specific server or URL is being blocked. That means that probably SSL ports are denied, or non standard ssl ports, etc.
403 Means that the IP/User is blocked. So if you get TCP_DENIED/403 means that probably you are accessing from a subnet that is not added in ACL, or you have auth enabled but client is not authenticating or user/password is wrong (or user has no access). In this case you should check the ACL for the IP/Subnet, if is not there, add it. Or check the user/password
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
