13
votes

I'm having a device which needs to connect to an internet service on tcp:80 but the network has no direct internet access. So I'm using a squid proxy to solve this.

The device allows me to enter proxyserver, port, username and password.

I figured out, that the device uses http CONNECT instead of http GET (which is working fine with my browser).

When the device tries to connect, it gets an http error 400. The squid access.log gives me only this:

1338885433.033      0 172.22.140.129 TCP_DENIED/400 1728 CONNECT :0 - NONE/- text/html

So I captured the packets to really see whats going on:

Request from device:

CONNECT mydomain.com:0 HTTP/1.0
User-agent: Sequencer/5.5.0.5539

Answer from squid:

HTTP/1.0 400 Bad Request
squid/2.7.STABLE9
X-Squid-Error: ERR_INVALID_URL 0
close

My squid.conf:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT

acl purge method PURGE
acl CONNECT method CONNECT
acl checkpw proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow CONNECT
http_access allow localnet
http_access allow localhost
http_access allow checkpw all
http_access deny all

icp_access allow localnet
icp_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

debug_options ALL,1 33,2 28,9

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$       0       20%     2880
refresh_pattern .               0       20%     4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]

upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache

broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts

forwarded_for off

coredump_dir /var/spool/squid

Is there any solution to get rid of the ERR_INVALID_URL? Did I missunderstood the concept of the squid proxy or is the request from the device invalid?

Please let me know if any other information is needed.

Thank you in advance, Christian.

4
There are two options, or the application has a bug and it's sending port 0 or you have replaced the port to hide information and you have chosen the invalid port :)Diego Woitasen
In case of problems with squid configuration - search the whole config for the word deny. You may have missed something. And then, it seems, no further acls can override that.Tomasz Gandor

4 Answers

23
votes

I resolved the same error by commenting out from the default squid.conf:

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

By default Squid is set up to not allow CONNECT to non-SSL ports. If you want to test without SSL you can disable this by commenting out the line above.

3
votes

I had the non SSL ports connection allowed as mentioned above but forgot to open the acl from the network I was trying to access. Opening that fixed the issue:

acl localnet src 1.1.0.0/24     # <- My Internal network I am accessing from
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
1
votes

For me it was the opposite of @peaxol: I had the acl defined but not the http_access allow rule. I had to add them:

acl vpn src xx.xx.xx.xx/xx
...
http_access allow vpn
0
votes

I have solved it with the product support of the device.

They showed me a way to enable a more detailed debug view of the proxy connection process.

There was a line in the logfile "unable to connect to relay 0.0.0.0"

So I checked the dns server settings of the device, a there was a typo. Thats it.