[squid-users] TCP-MISS 503 for wrong destination ip

Ahmad Alzaeem ahmed.zaeem at netstream.ps
Tue Nov 24 12:34:51 UTC 2015


Well, what I have done is:

I configured squid http_port xx and http_port xxy intercept

And used iptables to redirect http & https to squid ports

But it doesn't work and I have logs:

1448121527.423      10.1.1.1 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121554.217      10.1.1.1 TCP_MISS/503 4771 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121555.574      10.1.1.1 TCP_MISS/503 4685 GET http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html


As you see, the dst ip is wrong and it's spoofed with 10.159.144.206

So how to let squid bypass checking it?


Is my way above wrong?


You say we need proxy mode??

How should I implement proxy mode since user will not put ip:port in his browser

Thanks a lot for helping

cheers
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Antony Stone
Sent: Tuesday, November 24, 2015 3:18 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] TCP-MISS 503 for wrong destination ip

On Tuesday 24 November 2015 at 13:13:17, Ahmad Alzaeem wrote:

> Guys I understand that
> 
> The question is being asked, can squid fix this issue or not?

Yes, provided you use it in configured-proxy mode, instead of intercept mode.


Antony.

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] 
> On Behalf Of Antony Stone Sent: Tuesday, November 24, 2015 2:42 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] TCP-MISS 503 for wrong destination ip
> 
> On Tuesday 24 November 2015 at 12:22:40, Ahmad Alzaeem wrote:
> > Hi Devs,
> > 
> > I have a server that sends to squid http/https with wrong destination 
> > ips
> 
> It has already been recommended that you fix your DNS so that it works 
> correctly / normally.
> 
> > So assume I want to open google
> > 
> > The request hit the squid with https/http packet with payload 
> > www.google.com <http://www.google.com> with dst ip 10.0.0.1 not 
> > the real dst ip of google like 74.125.x.x
> 
> Is 10.0.0.1 the IP address of your Squid server?
> 
> > The question being asked here is:
> > 
> > Is it possible to let squid do another resolving again and check 
> > the right dst ip (74.125.x.x) and reach it?
> 
> Yes - turn off intercept mode, and point the client specifically at 
> Squid as a configured proxy.  The client will then not attempt a DNS 
> lookup for the destination server, but will simply send the entire 
> request to Squid for it to look up where to send the request.
> 
> 
> Regards,
> 
> 
> Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
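
A log check for the symptom shown in the message above, as an added example that is not part of the original thread or of Squid itself: it parses access.log lines in the layout quoted above and reports intercepted requests (ORIGINAL_DST) that were sent to a non-public address although the URL names a DNS host. The function names and the fourth sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Column layout of the log lines quoted in this thread. Squid's native format also has
# an elapsed-time column after the timestamp; the quoted lines lack it, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:(?P<elapsed>\d+)\s+)?(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def suspicious_original_dst(line):
    """Return a finding if an intercepted request went to a non-public
    address while the URL names a DNS host; otherwise return None."""
    m = LINE_RE.match(line.strip())
    if not m or m["hier"] != "ORIGINAL_DST":
        return None
    # CONNECT entries log host:port without a scheme; normalise before parsing.
    url = m["url"] if "://" in m["url"] else "//" + m["url"]
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return None  # URL is an IP literal, so there is no name to compare against
    except ValueError:
        pass
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:
        return None  # peer column is "-" or not an address
    if peer.is_global:
        return None
    return {"client": m["client"], "host": host, "dst": str(peer), "status": int(m["status"])}

def summarize(lines):
    """Count findings per (URL host, destination address, HTTP status)."""
    findings = filter(None, map(suspicious_original_dst, lines))
    return Counter((f["host"], f["dst"], f["status"]) for f in findings)

SAMPLE = [
    # First three lines are the ones quoted in the thread.
    "1448121527.423      10.1.1.1 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html",
    "1448121554.217      10.1.1.1 TCP_MISS/503 4771 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html",
    "1448121555.574      10.1.1.1 TCP_MISS/503 4685 GET http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html",
    # Constructed control line: native layout with elapsed time and a public destination.
    "1448121560.101    212 10.1.1.1 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for (host, dst, status), n in summarize(SAMPLE).items():
        print(f"{n} request(s) for {host} sent to non-public {dst} (HTTP {status})")
```

Internal hostnames that legitimately resolve to private addresses are reported as well, so exclude those domains before alerting on the output.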


