[squid-users] flickr.com redirect error
Eliezer Croitoru
eliezer at ngtech.co.il
Tue Jun 28 10:58:45 UTC 2016
Hey,
Can you test if the details at bug 4253:
http://bugs.squid-cache.org/show_bug.cgi?id=4253#c13
Helps you to resolve the issue?
Eliezer
----
<http://ngtech.co.il/lmgtfy/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Ozgur Batur
Sent: Monday, June 27, 2016 6:02 PM
To: Amos Jeffries
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] flickr.com redirect error
Browser i used to test runs on same machine with squid, i changed it to explicit mode(no intercept - I set proxy ip in browser) during my attempts for ssl interception. Sorry I forgot to mention that in my last post of logs. So xff localhost is normal I guess. Here is the request log with port info:
----------
2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2234) sendRequest: HTTP Server local=10.100.136.56:47772 <http://10.100.136.56:47772/> remote=188.125.93.100:443 <http://188.125.93.100:443/> FD 47 flags=1
2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server REQUEST:
---------
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: tr,en-US;q=0.8,en;q=0.6
..
Host: www.flickr.com <http://www.flickr.com/>
Via: 1.1 ubuntuozgen (squid/3.5.19)
Surrogate-Capability: ubuntuozgen="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: ::1
Cache-Control: max-age=259200
Connection: keep-alive
On Mon, Jun 27, 2016 at 2:27 PM, Amos Jeffries <squid3 at treenet.co.nz <mailto:squid3 at treenet.co.nz> > wrote:
On 27/06/2016 11:01 p.m., Ozgur Batur wrote:
> Yes that is much easier, thank you.
>
> Rafaels line is response header, I received the same. Here is the related
> cachelog:
>
What is the content of the line above this one. With the IP:port details ?
> 2016/06/27 13:52:49.194 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server
> REQUEST:
> GET / HTTP/1.1
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
> Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: tr,en-US;q=0.8,en;q=0.6
> ...
> Host: www.flickr.com <http://www.flickr.com>
> Via: 1.1 ubuntuozgen (squid/3.5.19)
> Surrogate-Capability: ubuntuozgen="Surrogate/1.0 ESI/1.0"
> X-Forwarded-For: ::1
You said this was using interception. But Squid XFF is telling Yahoo
that its receiving localhost traffic.
Try "forwarded_for transparent" in your squid.conf, and find out why
that ::1 is happening on an intercepted proxy. There may be a bug in
your NAT or routing configuration.
> Cache-Control: max-age=0
> Connection: keep-alive
>
> ..
> 2016/06/27 13:52:49.477 kid1| 11,2| http.cc(751) processReplyHeader: HTTP
> Server REPLY:
> ---------
> HTTP/1.1 301 Moved Permanently
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> X-Served-By: pprd1-node552-lh1.manhattan.bf1.yahoo.com <http://pprd1-node552-lh1.manhattan.bf1.yahoo.com>
> X-Instance: flickr.v1.production.manhattan.bf1.yahoo.com <http://flickr.v1.production.manhattan.bf1.yahoo.com>
> Cache-Control: no-cache, max-age=0, must-revalidate, no-store
> Pragma: no-cache
> X-Request-Id: 36e709a2
> Location: https://www.flickr.com/
> Vary: Accept
> Content-Type: text/html; charset=utf-8
> Content-Length: 102
> Server: ATS
> Date: Mon, 27 Jun 2016 10:52:40 GMT
> Age: 0
> Via: http/1.1 fts111.flickr.bf1.yahoo.com <http://fts111.flickr.bf1.yahoo.com> (ApacheTrafficServer [cMs f ]),
> http/1.1 r11.ycpi.dea.yahoo.net <http://r11.ycpi.dea.yahoo.net> (ApacheTrafficServer [cMs f ])
> Connection: keep-alive
> ..
>
> And this repeats on and on. As I understand disabling Via header is an
> acceptable solution. If I could disable the header only for problematic
> domains that would be better of course.
Okay. Unfortunately not possible. If that forwarded_for change works it
would be better than disabling Via.
Amos
--
H Özgür Batur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160628/db7a535c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 11295 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160628/db7a535c/attachment-0001.png>
More information about the squid-users
mailing list