[squid-users] IIS error with one website

Eliezer Croitoru eliezer at ngtech.co.il
Mon Feb 29 23:26:48 UTC 2016


Hey Ryan,

I noticed that you are using a Windows version of Squid and, on top of 
that, a 2.X version.
Technically this version is not supported anymore by the squid-cache 
project, and from the settings either you are running a very old machine 
or something else not really known to me.
It's hard to know what the difference is in the request that Squid makes 
compared to BlueCoat or other proxies without sniffing the network.
And since it's an HTTP connection, it would not be very hard to find the 
culprit with a couple of Wireshark dumps.
The options I can think about are:
- squid 2 uses HTTP/1.0 instead of HTTP/1.1, which the service requires
- squid 2 adds something to the request that breaks the connection
- the upstream proxy(proxy1.ap.webscanningservice.com) is doing 
something to the connection.
- the combination of both squid2 and the upstream complicates things and 
the web application doesn't like it.

If you do have any way to upgrade the service from 2.X to anything newer, 
do that instead of anything else.
Try to take a look at:
http://squid.diladele.com/

If you have the option to run it on a Linux machine instead of a 
Windows one, consider doing so.

If you want me to analyze the Wireshark dumps from the proxy server, send 
them privately.

Eliezer

On 01/03/2016 01:09, Ryan Slick wrote:
> Hi, this is not an SSL site.
>
> Here is the config (I have stripped out the ACL's)
>
>
> #WELCOME TO SQUID 2
> #------------------
>
> # NETWORK OPTIONS
> # -----------------------------------------------------------------------------
>
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # -----------------------------------------------------------------------------
>
> #  TAG: cache_peer
> cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
>
>
> # disable local cache digest generation
> digest_generation off
>
> #  TAG: hierarchy_stoplist
> hierarchy_stoplist cgi-bin ?
>
> #define the all here as it will be used by the no_cache
> acl all src 0.0.0.0/0.0.0.0
> #  TAG: no_cache
> cache deny all
>
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> # -----------------------------------------------------------------------------
>
>
> #  TAG: maximum_object_size (bytes)
> maximum_object_size 0 KB
>
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> # -----------------------------------------------------------------------------
>
> log_uses_indirect_client on
>
> # Enable Log Rotation
>
> logfile_rotate 7
>
> #  TAG: emulate_httpd_log on|off
> emulate_httpd_log on
>
> #  TAG: debug_options
> debug_options ALL,1
> #debug_options ALL,9
>
> #  By default, the store and access log is disabled to avoid large size log files
> cache_store_log none
> access_log none
> useragent_log none
> #cache_log c:/ClientSiteProxy/var/logs/cache.log
> #access_log C:/ClientSiteProxy/var/logs/access.log
> cache_log D:/SquidDefinitions/logs/cache.log
> access_log D:/SquidDefinitions/logs/access.log
> #useragent_log c:/ClientSiteProxy/var/logs/useragent.log
>
> # IGNORE EXPECT 100 HTTP HEADER
> # -----------------------------------------------------------------------------
> ignore_expect_100 on
>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> # -----------------------------------------------------------------------------
>
> #  TAG: auth_param
> auth_param ntlm program c:/clientsiteproxy/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 80
> auth_param ntlm keep_alive on
>
> # auth_param negotiate program c:/clientsiteproxy/libexec/mswin_negotiate_auth.exe
> auth_param negotiate children 80
>
> auth_param basic program c:/clientsiteproxy/libexec/ncsa_auth.exe C:/clientsiteproxy/etc/passwd.txt
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> #  Use this tag to specify how long the IP authentication credentials will be cached.
> #  If multiple users connect from a single IP (ie: terminal services) comment out the
> #  following line and uncomment the next.
> #authenticate_ip_shortcircuit_ttl 30 seconds
> authenticate_ip_shortcircuit_access none
>
> # OPTIONS FOR TUNING THE CACHE
> # -----------------------------------------------------------------------------
>
> #  TAG: refresh_pattern
> refresh_pattern ^ftp:     1440  20%  10080
> refresh_pattern ^gopher:  1440   0%   1440
> refresh_pattern .            0  20%   4320
>
> # TIMEOUTS
> # -----------------------------------------------------------------------------
>
> read_timeout 15 minutes
>
> # X-Saucer
> # ------------------------------------------------------------------------------
>
> # TAG: fqdn_xsaucer
> # Turn this on if you wish to use fully qualified domain names instead of
> # user names in X-Saucer. To do this Squid does a DNS lookup of all
> # IP's connecting to it. This can (in some situations) increase
> # latency, which makes your cache seem slower for interactive
> # browsing. By default, it is off.
> # The FQDN will be prepended with a backslash and converted to lower case since
> # ClientNet only accepts custom user name with backslash. If log_fqdn is
> # also enabled, the FQDN will be logged in access.log.
> # For example, an FQDN of www.XYz.com in access.log will require specifying
> # a custom user "\www.xyz.com" (no quotes) in ClientNet.
> #
> # fqdn_xsaucer off
>
>
> # TAG: hash_username_xsaucer
> #Turn this on if you wish to apply hex representative of hashed(SHA-1)
> #to domain name\user name (before encryption) in X-Saucer instead.
> #
> # hash_username_xsaucer off
>
>
> # ACCESS CONTROLS
> # -----------------------------------------------------------------------------
>
> #  TAG: acl
> # TAG: disable password on conf file
> #cachemgr_passwd none config
> acl SSL_ports port 443 563 5443
> acl Safe_ports port 80            # http
> acl Safe_ports port 21            # ftp
> acl Safe_ports port 443 563 5443  # https, snews, medicare
> acl Safe_ports port 70            # gopher
> acl Safe_ports port 210           # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280           # http-mgmt
> acl Safe_ports port 488           # gss-http
> acl Safe_ports port 591           # filemaker
> acl Safe_ports port 777           # multiling http
>
> acl_uses_indirect_client on
> acl CONNECT method CONNECT
> acl authproxy proxy_auth REQUIRED
> # the IP list of "acl our_networks src" may potentially be long while the maximum number of characters supported by squid is around 500.
> # therefore, you should try to split long IP lists across multiple lines for readability and maintainability, see the following lines as an example:
> # acl our_networks src x.x.x.x/z x.x.x.x/x x.x.x.x/z ....
> # acl our_networks src y.y.y.y/z y.y.y.y/y y.y.y.y/z ....
> acl our_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16
>
>
>
> # __________________________________________________________________________
> acl HEAD method HEAD
> follow_x_forwarded_for allow f5lb_prxy
> #  TAG: http_access
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> # __________________________________________________________________________
> #http_access allow CONNECT SSL_ports
> # __________________________________________________________________________
> http_access deny CONNECT !SSL_ports
> #Allow the header as IE does not process the Head authentication
> http_access allow HEAD
> http_access deny !our_networks
> http_access allow Smartconnect
> # __________________________________________________________________________
>
>
>
> # __________________________________________________________________________
> # NTLM bypasses and specific domain bypass come after this comment block.
> # http_access = NTLM bypass. always_direct = bypasses the MessageLabs proxy
> # and sends the connection directly. The first sample below creates a bypass
> # named 'uniqueBypass1' which bypasses NTLM and sends the connection directly
> # for sample.com. The second sample will bypass NTLM authentication for
> # connections to sample.com.
> # Begin Sample 1:
> #acl uniqueBypass1 dstdomain sample.com
> # http_access allow uniqueBypass1
> # always_direct allow uniqueBypass1
> # Begin Sample 2:
> #acl NTLMBypass dstdomain sample.com
> #http_access allow NTLMBypass
>
> http_access allow authproxy
> http_access deny all
>
>
> #  TAG: icp_access
> icp_access allow all
>
> #  TAG: httpd_suppress_version_string on|off
> #Suppress Squid version string info in HTTP headers and HTML error pages.
> #
> httpd_suppress_version_string on
>
>
> # ADMINISTRATIVE PARAMETERS
> # -----------------------------------------------------------------------------
>
> #  TAG: visible_hostname
> visible_hostname ClientSiteProxy
>
> # OPTIONS FOR THE CACHE REGISTRATION SERVICE
> # -----------------------------------------------------------------------------
>
>
> # HTTPD-ACCELERATOR OPTIONS
> # -----------------------------------------------------------------------------
>
>
> # MISCELLANEOUS
> # -----------------------------------------------------------------------------
>
> # Forwarding proxy client IP addresses in X-Forwarded-For header.
> # Disabled to prevent leakage of internal network configuration details.
> forwarded_for truncate
>
> # Do not reveal CSP version in "Via" HTTP header
> header_access Via deny all
>
> #  TAG: never_direct
> never_direct allow all
>
> # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> # -----------------------------------------------------------------------------
>
> #  TAG: coredump_dir
> #  completely disable checks for cache consistency (and/or garbage collection) and
> #  there will be no need to initialize cache dirs which amount to be over 2000 dir.
> cache_dir null c:/ClientSiteProxy
> coredump_dir c:/clientsiteproxy/var/cache
>
> http_port 80
> http_port 8080
>
>
>
> On Tuesday, 1 March 2016 11:49 AM, Eliezer Croitoru
> <eliezer at ngtech.co.il> wrote:
>
>
> Can you send me or the list your squid.conf?
> Also, are you using SSL-Bump? Is this an HTTPS site?
>
> Eliezer
>
> On 01/03/2016 00:36, Ryan Slick wrote:
>  > Hi Guys,
>  >
>  > So here is an issue I am having,
>  >
>  > There is an external website some of our users need to access. When
>  > accessing via the Squid proxy, the site throws this error on the page:
>  >
>  > iisnode encountered an error when processing the request.
>  > HRESULT: 0xb
>  > HTTP status: 500
>  > HTTP reason: Internal Server Error
>  > You are receiving this HTTP 200 response because
>  > system.webServer/iisnode/@devErrorsEnabled configuration
>  > setting is 'true'.
>  >
>  > On a PC configured to go directly to the internet the page loads
>  > fine, and when going via a BlueCoat proxy on a different network it loads
>  > fine. When I put in a direct access rule on Squid the error is still
>  > thrown.
>  >
>  > I am convinced the issue is on the external webserver; however, it would
>  > appear Squid is not playing nice with it. Is there anything I can do to
>  > attempt to fix it? Now the users have tested on their remote devices and
>  > from home, and they are convinced the issue lies on the proxy.
>  >
>  > regards
>  >
>  >
>  >
>  >
>  >
>  > _______________________________________________
>  > squid-users mailing list
>  > squid-users at lists.squid-cache.org
>  > http://lists.squid-cache.org/listinfo/squid-users
>
>  >
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
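The comparison Eliezer suggests above (capture the request the origin receives with and without the proxy in the path, then look for what changed) can be scripted once the two dumps exist. The script below is an added example, not code from the thread or from the Squid project. The two captures embedded in it are constructed for illustration: they are made to resemble what a stock Squid 2 forward proxy typically does to a request (HTTP/1.0 request line, Via, X-Forwarded-For and Cache-Control added), and the host names, IP address and version string in them are invented, not taken from Ryan's proxy. With `never_direct allow all` and a `cache_peer` parent as in Ryan's config, the origin actually sees the parent's request, so the "proxied" capture is most useful when taken on the leg closest to the origin that you can reach.

```python
"""Diff an HTTP request seen on the direct path against the same request
seen after a forward proxy, to pinpoint what the proxy changed.

Added example for the squid-users thread; not code from the thread or
from Squid. The captures at the bottom are CONSTRUCTED, not real dumps.
"""
from dataclasses import dataclass

# Headers a forward proxy commonly adds or rewrites; anything else that
# appears only on the proxied side deserves a closer look.
PROXY_HEADERS = {"via", "x-forwarded-for", "proxy-connection",
                 "proxy-authorization", "cache-control", "pragma", "connection"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict  # lowercased field name -> value


def parse_request(raw: bytes) -> Request:
    """Parse the head of one HTTP/1.x request exactly as it sits on the wire."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Fold repeated fields into one comma-separated value (RFC 7230 s3.2.2)
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return Request(method, target, version, headers)


def diff_requests(direct: Request, proxied: Request) -> dict:
    """Return what the proxied request has that the direct one does not, and vice versa."""
    d, p = direct.headers, proxied.headers
    return {
        "request_line": ((direct.method, direct.target, direct.version),
                         (proxied.method, proxied.target, proxied.version)),
        "added": {n: p[n] for n in p if n not in d},
        "removed": {n: d[n] for n in d if n not in p},
        "changed": {n: (d[n], p[n]) for n in d if n in p and d[n] != p[n]},
    }


def findings(diff: dict) -> list:
    """Render the diff as the list of hypotheses to test against the origin."""
    out = []
    (dm, dt, dv), (pm, pt, pv) = diff["request_line"]
    if dv != pv:
        out.append(f"request line: version changed {dv} -> {pv}")
    if (dm, dt) != (pm, pt):
        out.append(f"request line: target changed {dm} {dt} -> {pm} {pt}")
    for n, v in diff["added"].items():
        tag = "proxy header" if n in PROXY_HEADERS else "unexpected header"
        out.append(f"added ({tag}): {n}: {v}")
    for n, v in diff["removed"].items():
        out.append(f"removed: {n}: {v}")
    for n, (a, b) in diff["changed"].items():
        out.append(f"changed: {n}: {a!r} -> {b!r}")
    return out


# CONSTRUCTED sample captures (hypothetical hosts, address and version string).
DIRECT_CAPTURE = (
    b"GET /api/status HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
PROXIED_CAPTURE = (
    b"GET /api/status HTTP/1.0\r\n"
    b"Host: app.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Via: 1.0 proxy.example.test (squid/2.7.STABLE9)\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n"
    b"Cache-Control: max-age=259200\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def analyze(direct_raw: bytes = DIRECT_CAPTURE,
            proxied_raw: bytes = PROXIED_CAPTURE) -> list:
    """Parse both captures and return the findings list."""
    return findings(diff_requests(parse_request(direct_raw),
                                  parse_request(proxied_raw)))


if __name__ == "__main__":
    for line in analyze():
        print(line)
```

Feed it the request bytes exported from the two Wireshark dumps (Follow TCP Stream, client side only) in place of the constructed captures; the first finding it reports for the sample, the HTTP/1.1 to HTTP/1.0 downgrade, is the first item on Eliezer's list, and the added Via / X-Forwarded-For / Cache-Control lines are the second.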
