I am having trouble with several web sites that use
HTTP 1.0 and fail in weird ways with the Squid Proxy
turned on. Using IE 6.0 on Windows 2000 or XP with
HTTP1.1 turned on (as default) loading the
http://www.archlou.org website fails 90% of the time
and is very slow if it does load.
In talking with the site owners, they mentioned that my
proxy is probably not HTTP1.1 compliant and that I
should set IE to use HTTP 1.0. I did that and it
seemed to work. If I turn off the Proxy server, it
works with either HTTP 1.0 or HTTP 1.1 setting.
What's the problem here? Or more importantly, what's
the solution? I don't think turning off HTTP 1.1 in IE
is a valid solution. I also would like to continue
using the Proxy server as I think it really helps speed
things up. However, this issue along with another
problem we are having with IIS authentication, is
giving IPCop a bad name with my client. What can I do
to resolve this?
Thanx!
Richard
Logged In: YES
user_id=1364702
By default 'Use HTTP 1.1 through proxy connections' is
unchecked so that won't cause any problems if IE has been
told about the proxy, so will work 100%. At work I have about
3000 machines configured for a proxy and don't get any of
these problems.
If you are using a transparent proxy then you may well have
problems and have to turn 'Use HTTP 1.1' off for it to work.
Transparent proxies are nasty and break the rules - don't use
them if at all possible.
Although Squid does support some HTTP/1.1 features it
doesn't support them all so does not advertise itself as
HTTP/1.1.
Set all the machines to 'Automatically detect settings' and
then set up wpad.yourdomain.com and put wpad.dat up there
to configure your browsers - you'll find lots of documentation
on this and it really is much more flexible than hard-coding the
proxy settings and shouldn't involve a trip to each machine as
by default this should be enabled.
The IIS authentication problem you are most likely seeing is
the NTLM problem. Microsoft developed an authentication
protocol that made a huge assumption - one connection, one
client. That was wrong - when using a proxy the first person
would authenticate and any others going to the same site
would get access without having to authenticate!
You may want to check out:
http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14
Microsoft admit that it is flawed and state that it is only
designed for use on a private network and not over the Internet.
Squid knows about this and refuses to pass the
authentication through. You need to suggest to the web host
that they need to switch to Basic authentication and then use
https to secure it.
I don't think any of this is a problem with IPCop or Squid.
HTH,
Neil.
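A wpad.dat (proxy auto-config) file of the kind Neil recommends above, as an added example that is not from the thread or from IPCop. The proxy address 192.168.1.1:800 and the GREEN subnet prefix 192.168.1. are assumed values; www.archlou.org and 65.202.94.185 are the site and address mentioned in this thread. The browser calls FindProxyForURL for every request; the helper functions below are defined in the file itself so it runs unchanged in a browser and in a script runner.

```javascript
// Constructed configuration: adjust to the local network.
var PROXY = "PROXY 192.168.1.1:800";    // assumed: IPCop GREEN address and Squid port
var LOCAL_NET = "192.168.1.";            // assumed: GREEN subnet prefix
var BYPASS_DOMAINS = ["archlou.org"];    // site from the thread that misbehaves via the proxy
var BYPASS_ADDRS = ["65.202.94.185"];    // address from the iptables rule in the thread

// true when host is domain itself or a subdomain of it; a plain suffix test
// would also match "notarchlou.org", which is why the dot is required
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// hostnames without a dot are local intranet names
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

function FindProxyForURL(url, host) {
  // 1. Plain names and the local network never need the proxy
  if (isPlainHost(host) || host.indexOf(LOCAL_NET) === 0) {
    return "DIRECT";
  }
  // 2. Sites that must go around the proxy. The PAC file only advises the
  //    browser; the firewall has to permit exactly these destinations directly
  //    and nothing else, otherwise a client can edit its settings and skip the filter.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (hostMatchesDomain(host, BYPASS_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  for (var j = 0; j < BYPASS_ADDRS.length; j++) {
    if (host === BYPASS_ADDRS[j]) {
      return "DIRECT";
    }
  }
  // 3. Everything else goes through the filtering proxy. Deliberately no
  //    "; DIRECT" fallback: with one, the browser would silently bypass the
  //    filter whenever the proxy is unreachable.
  return PROXY;
}
```

Serve the file as http://wpad.yourdomain.com/wpad.dat with the MIME type application/x-ns-proxy-autoconfig; 'Automatically detect settings' in IE looks for that name via DHCP option 252 and then DNS.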
Logged In: YES
user_id=1349103
Ah, that makes sense. Thanx!
The one sticking point is that this is an Elementary School
and they are required to have filtering. So, I have added
DansGuardian (via Cop+) to the mix to block undesirable
content. If I provide a WPAD file doesn't that mean that
they (the Students) will be able to work their way around
the DG content filter?
Is there any way to set something up in IPCop that will
allow calls to a specific web site to go around the proxy?
I should be able to do this with IP chains, correct? I have
no idea how, but that's never stopped me before. :)
However, any hints anyone wishes to give me as to the format
of said rules and where to place them so they don't get
overwritten by IPCop updates would be most appreciated. :)
Thanx!
Richard
Logged In: YES
user_id=1364702
What you really need to do is allow only the proxy to go out
and fetch web pages (port 80, 443, 8080 and any others you
want). Deny all other machines from direct access. That way
they have to use the proxy.
Using a wpad file makes it easy for IE users and the same file
can be used by other browsers.
How you do this in IPCop I don't know as Green automatically
has access to Red. I'm not currently using IPCop so can try
anything.
HTH,
Neil.
Logged In: YES
user_id=1349103
Ok, so I have played around a little bit and found out that
if I execute the following in a root shell my problem goes
away. If I enter this into the "start" section of
rc.firewall.local will this work properly? If so, how can I
put multiple addresses in this statement so that I don't end
up with 10-15 iptables commands? Do I have to put anything
in the "stop" or "reload" sections?
/sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -d 65.202.94.185 -j ACCEPT
Thanx!
Richard
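An rc.firewall.local-style script that answers the "how do I avoid 10-15 iptables commands" question above and also carries Neil's earlier suggestion of denying everyone but the proxy direct web access, as an added example that is not from the thread or from IPCop. It assumes eth0 is GREEN (as in the rule posted above) and eth1 is RED; 65.202.94.185 is the address from the thread and 192.0.2.10 is a constructed second entry. The rules are generated from an address list and piped to sh, so the same list drives the start and stop sections.

```shell
#!/bin/sh
# Added example (not IPCop's own rc.firewall.local). Assumed interface names,
# constructed second bypass address.

GREEN_DEV=eth0
RED_DEV=eth1
BYPASS_HOSTS="65.202.94.185 192.0.2.10"   # sites that must not go through the proxy
DIRECT_PORTS="80 443 8080"                # ports GREEN clients may not reach directly

# is_ipv4 ADDR: accept only a dotted quad, optionally with /prefix, so that a
# typo in BYPASS_HOSTS cannot turn into a rule that matches something unintended.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# bypass_rules ACTION: one nat/PREROUTING rule per host, ACTION being -I (start)
# or -D (stop). ACCEPT in nat/PREROUTING makes the packet skip the transparent
# REDIRECT to Squid, so the client talks to that site directly.
bypass_rules() {
  action=$1
  for host in $BYPASS_HOSTS; do
    if ! is_ipv4 "$host"; then
      echo "bypass_rules: ignoring invalid address '$host'" >&2
      continue
    fi
    echo "/sbin/iptables -t nat $action PREROUTING -i $GREEN_DEV -p tcp --dport 80 -d $host -j ACCEPT"
  done
}

# direct_block_rules ACTION: the "deny everybody but the proxy" rule set for the
# FORWARD chain. Requests to Squid on the firewall itself arrive on INPUT, not
# FORWARD, so the proxy keeps working while direct GREEN->RED web traffic is
# dropped, except for the bypass hosts. The DROP lines are printed first because
# every rule is inserted with -I at the top of the chain, which leaves the
# ACCEPT lines above the DROPs once they are applied in order.
direct_block_rules() {
  action=$1
  for port in $DIRECT_PORTS; do
    echo "/sbin/iptables $action FORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport $port -j DROP"
  done
  for host in $BYPASS_HOSTS; do
    is_ipv4 "$host" || continue
    echo "/sbin/iptables $action FORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 80 -d $host -j ACCEPT"
  done
}

# The start/stop/reload layout of rc.firewall.local. With no argument the
# script only prints the rules so they can be reviewed before being applied.
case "$1" in
  start)  { bypass_rules -I; direct_block_rules -I; } | sh ;;
  stop)   { bypass_rules -D; direct_block_rules -D; } | sh ;;
  reload) "$0" stop; "$0" start ;;
  *)      bypass_rules -I; direct_block_rules -I ;;
esac
```

The stop section removes exactly the rules the start section inserted, which is what keeps a reload from stacking duplicate rules. If the proxy is later switched out of transparent mode, bypass_rules is no longer needed, but direct_block_rules remains the part that actually forces clients through the filter.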
Logged In: YES
user_id=691649
I don't think adding a rule for every web server you want
is the right way.
I remember from the old days, when I started with the DG
add-on, that DG forced usage of the proxy only. It should be
the same with Cop+ but I have not tested it.
When the proxy is transparent, in case of error, you can't
control whether it is the error from Squid or from IE which is
displayed. With filtering, it looks better to use a
customised error page for refused access.
Logged In: YES
user_id=1041094
Hello,
Install the 'block out traffic' addon to control GREEN->RED flow.
Use any method you want to inform IE/Firefox that there is a
proxy.
Google on "proxy.pac wpad" and use DHCP server to
distribute this.
Turn off transparent proxy.
Bye