[squid-users] Downloads not going through parent proxy, going DIRECT

From: Geoff Varney <[email protected]>
Date: Mon, 27 Nov 2006 12:29:06 -0800

Hi,
I have been using Squid 2.6 with DansGuardian 2.9 for a while now and
it's been working well, blocking downloads of various file types, etc.
However, I'm just seeing today (not sure how long this has been going
on!) that *some* sites are allowing exes to come through. What I'm
seeing in the Squid access.log is like this (I tested from download.com
with a normal account not allowed to download)

TCP_MISS/200 185021 GET
http://software-files.download.com/sd/g33i94D6JAAXtGO-PPSk_XhSmDf4MVuRC4
CEP8QJjHfCg4aBx59AvP9DditCgw90rjIIHWsyB3P5NLlDhNcQeboRWRI19e-Z/software/
10607469/10279647/3/Scorched3D-40.1d.exe?lop=link&ptype=3000&ontid=7486&
siteId=4&edId=3&pid=10607469&psid=10279647 test DIRECT/216.239.112.15
application/octet-stream

Is there something in the way this URL is written that sends this
request out DIRECT instead of through the parent (DG) proxy?

If I go to a different (I just picked this one off of Google) with a
link like this:

http://admin.u15194059.onlinehome-server.com/cgi-bin/mysql/dl.pl?dbname=
FH&table=Desktop&ID=2707

it denies like it should (gives link of
http://www.ezytools.com/magikfortune/downloads/magikfortunesetup.exe if
it doesn't start automatically.)

I tried another download from download.com and it worked fine also!
What am I missing here that is making the difference? My squid.conf has
NO direct allow access statements in it at all. I have one cache_peer
statement, as such:
<blah> parent 8080 7 no-query login=*:password default no-digest

Here is another example of a line in access.log (pulled from LightSquid)
where a download was allowed:

http://software-files.download.com/sd/4QvrUWIggcGX-pVkX7SrgGrdSMh3zi0Fse
kaZCd_9HxMN6vjVznlblKs501Cv6VntU-dHhPL4lpTL1iskc2_WQfifVnwnnSM/software/
10603791/10408296/3/swiftswitch(install).exe?lop=link&ptype=3000&ontid=7
541&siteId=4&edId=3&pid=10603791&psid=10408296

(corresponding entry in access.log:
TCP_MISS/200 2882605 GET
http://software-files.download.com/sd/4QvrUWIggcGX-pVkX7SrgGrdSMh3zi0Fse
kaZCd_9HxMN6vjVznlblKs501Cv6VntU-dHhPL4lpTL1iskc2_WQfifVnwnnSM/software/
10603791/10408296/3/swiftswitch(install).exe?lop=link&ptype=3000&ontid=7
541&siteId=4&edId=3&pid=10603791&psid=10408296 <USERNAME>
DIRECT/216.239.126.205 application/octet-stream)

Is the URL somehow causing something strange to happen?
I see a number of DIRECT lines in the access.log, not sure what the
pattern is. I am seeing a lot of the following in cache.log if this
means anything with this:

2006/11/21 11:37:54| authenticateDecodeAuth: Unsupported or unconfigured
proxy-auth scheme, 'Basic cGh5bGxpcy5oeWF0dDpDaGFuZWwh'

[2006/11/21 11:38:07, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1

I am using NTLM auth only, no basic is configured. Should I turn on
basic then or does this first error really matter? What about the 2nd
error?

Any suggestions on where to look for a cause?

Thanks,
Geoff
Received on Mon Nov 27 2006 - 13:30:26 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST