[ILUG] DNAT with iptables problem

Jerry Walsh jerry at aardvark.ie
Thu Aug 9 10:30:27 IST 2001


Now I see what's going on... are you trying to do transparent proxying?

The problem you're having is because SQUID isn't sending the HTTP 1.1 HOST
header, so sites which host name-based virtual hosts don't actually know which
site you wish to look at (because multiple sites exist on the same IP).

My guess is you need to configure squid for use with transparent proxying
support; there's a switch you may also need to pass to configure when you
compile squid to get it to work too.

Some googling should help you out a bit, and also check this directive from
squid's configuration file:

#  TAG: httpd_accel_uses_host_header    on|off
#       HTTP/1.1 requests include a Host: header which is basically the
#       hostname from the URL.  Squid can be an accelerator for
#       different HTTP servers by looking at this header.  However,
#       Squid does NOT check the value of the Host header, so it opens
#       a big security hole.  We recommend that this option remain
#       disabled unless you are sure of what you are doing.
#
#       However, you will need to enable this option if you run Squid
#       as a transparent proxy.  Otherwise, virtual servers which
#       require the Host: header will not be properly cached.
#httpd_accel_uses_host_header off

AFAIK there's one or two other directives that need a bit of fiddling about
too to get it to work - but as I said, google should sort it out! :)

If you're still having problems mail me offlist and I'll mail you on
my config file - I run transparent proxying at home and it works great!

Regards,

Jerry.

At 10:12 09/08/01 +0100, Dave Airlie wrote:
> > following output:
> >
> > matrix/home/john>telnet [trons external address] 80
> > Trying [trons external address]...
> > Connected to [tron external address].
> > Escape character is '^]'.
> > get index.html
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <HTML><HEAD>
> > <TITLE>400 Bad Request</TITLE>
> > </HEAD><BODY>
> > <H1>Bad Request</H1>
> > Your browser sent a request that this server could not understand.<P>
> > Invalid URI in request get index.html<P>
> > <HR>
> > <ADDRESS>Apache/1.3.20 Server at 10.10.13.2 Port 80</ADDRESS>
> > </BODY></HTML>
> > Connection closed by foreign host.
> >

Sorry


>if this works the firewall is not causing the problem, perhaps the
>webserver is trying to do DNS and failing? point the web server at a DNS
>or remove DNS lookups... only other thing I can think of, and this
>affected squid on me ages ago... is that you've blocked localhost from
>itself on the firewall and this is causing problems, and rules to allow
>forwarding from 127.0.0.1 to itself...
>
>send me on your firewall rules if you want (sanitised, remove any IPs you
>don't trust me with :-) and I'll take a looksee.. but I'd check DNS and
>stuff first..
>
>
>Dave.
> >
> >
>
>--
>David Airlie, Software Engineer
>http://www.skynet.ie/~airlied / airlied at skynet.ie
>pam_smb / Linux DecStation / Linux VAX / ILUG person
>
>
>
>
>--
>Irish Linux Users' Group: ilug at linux.ie
>http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
>List maintainer: listmaster at linux.ie
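
The reply above makes two points: a transparent proxy can only pick the right name-based virtual host if the client sent an HTTP/1.1 Host: header, and the squid.conf comment warns that Squid does not check the value of that header. The hand-typed telnet test quoted in the thread also shows a third thing: a request line like `get index.html` is not valid HTTP and gets a 400 before virtual hosting is even involved. The following Python request handler is an added example, not code from the thread or from Squid, and shows all three together: it rebuilds the origin from the Host: header when the client sent only a path, falls back to the connection's original destination when there is no Host: header (an HTTP/1.0 client, which then lands on the server's default vhost), rejects a malformed request line, and performs the cross-check Squid is said to skip, that the Host: header resolves to the address the client actually connected to. The host names, the dictionary standing in for DNS, and the `10.10.13.2` destination are constructed for the demo. In a real transparent proxy the original destination is read from the socket (SO_ORIGINAL_DST on Linux) after an iptables rule such as `iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128` has diverted the connection to the proxy.

```python
"""Toy transparent-proxy request handler (added example, not Squid code).

Shows why a transparent proxy depends on the HTTP/1.1 Host: header and why
it must cross-check that header against the connection's original
destination before forwarding.  All names and addresses are constructed.
"""
import re
from ipaddress import ip_address

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
ABSOLUTE_URL = re.compile(r"^http://([^/:]+)(?::(\d+))?(/.*)?$")


class BadRequest(Exception):
    """Request the proxy answers with 400, as the Apache in the thread did."""


def parse_request(raw):
    """Return (method, target, version, headers) from a raw request head."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise BadRequest("invalid request line: %r" % lines[0])
    method, target, version = (x.decode("ascii") for x in m.groups())
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            raise BadRequest("invalid header line: %r" % line)
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return method, target, version, headers


def choose_origin(target, headers, orig_dst):
    """Work out (host, port, path).  orig_dst is the (ip, port) the client
    really connected to, which the proxy recovers from the socket
    (SO_ORIGINAL_DST on Linux) after the REDIRECT/DNAT rule diverted it."""
    m = ABSOLUTE_URL.match(target)
    if m:                                    # explicit proxy-style request
        return m.group(1), int(m.group(2) or 80), m.group(3) or "/"
    if not target.startswith("/"):
        raise BadRequest("invalid URI in request: %s" % target)
    host = headers.get("host")
    if host:                                 # HTTP/1.1: name-based vhost known
        name, _, port = host.partition(":")
        return name, int(port or orig_dst[1]), target
    # HTTP/1.0 client with no Host: header: only the IP is known, so the
    # origin answers with its default vhost, which is the symptom in the thread.
    return orig_dst[0], orig_dst[1], target


def is_consistent(host, port, orig_dst, resolve):
    """The check the squid.conf comment says Squid does not make: Host: is
    client-controlled, so forwarding wherever it points lets a client make
    the proxy connect to any server the proxy can reach, not just orig_dst."""
    if port != orig_dst[1]:
        return False
    try:
        addrs = {str(ip_address(host))}      # literal IP in Host: header
    except ValueError:
        addrs = set(resolve(host))           # name: ask the resolver
    return orig_dst[0] in addrs


def handle(raw, orig_dst, resolve):
    """Return ('forward', (host, port), request_bytes) or ('reject', reason)."""
    try:
        method, target, version, headers = parse_request(raw)
        host, port, path = choose_origin(target, headers, orig_dst)
        if not is_consistent(host, port, orig_dst, resolve):
            raise BadRequest("Host %s does not resolve to %s" % (host, orig_dst[0]))
    except BadRequest as exc:
        return "reject", str(exc)
    headers["host"] = host if port == 80 else "%s:%d" % (host, port)
    lines = ["%s %s HTTP/%s" % (method, path, version)]
    lines += ["%s: %s" % (k.title(), v) for k, v in sorted(headers.items())]
    return "forward", (host, port), ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed sample data: a stand-in for DNS and four client requests.
VHOSTS = {"www.example.test": ["10.10.13.2"],
          "other.example.test": ["10.10.13.2"],
          "intranet.example.test": ["10.10.13.9"]}
ORIG_DST = ("10.10.13.2", 80)                # what REDIRECT sent to the proxy
SAMPLES = {
    "good":    b"GET /index.html HTTP/1.1\r\nHost: other.example.test\r\n\r\n",
    "no-host": b"GET /index.html HTTP/1.0\r\n\r\n",
    "broken":  b"get index.html\r\n\r\n",    # the hand-typed telnet request
    "spoofed": b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n",
}


def demo_resolve(name):
    return VHOSTS.get(name, [])


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "->", handle(req, ORIG_DST, demo_resolve))
```

Running it forwards the first two requests (the second one to the bare IP, since nothing else is known), and rejects the other two: the malformed line with the same "invalid URI" complaint Apache gave in the thread, and the spoofed Host: because it points at an address the client never connected to.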
