RE: [squid-users] PROBLEM ACCESS JSP PAGE

From: Oscar Andrés Eraso Moncayo <Oscar.Eraso_at_sisa.com.co>
Date: Thu, 10 Mar 2011 16:20:53 -0500

Hi, I set forwarded_for on, in the squid.conf, and I have not been successful, the page displays the same error message.

Thanks to all,
Regards.

________________________________________
From: Amos Jeffries [squid3_at_treenet.co.nz]
Sent: Wednesday, March 09, 2011 11:59 PM
To: Oscar Andrés Eraso Moncayo; webmaster_at_minminas.gov.co; squid-users_at_squid-cache.org
Subject: Re: [squid-users] PROBLEM ACCESS JSP PAGE

cc'ing the site webmaster in on this.
Although hopefully they are reading their logs and see all the crashes I
just caused while testing.

On 10/03/11 16:14, Oscar Andrés Eraso Moncayo wrote:
> Hi, the website is not broken, is ok,
>

The website is an executable program written in Java code. It crashed
due to some text being received. I call that broken.

"The full stack trace of the root cause is available in the Apache
Tomcat/6.0.16 logs."

This website does not pass the trivial HTTP connectivity test:

## telnet www.minminas.gov.co 80
Trying 190.90.9.227...
Connected to www.minminas.gov.co.
Escape character is '^]'.
GET /minminas/ HTTP/1.1
Host: www.minminas.gov.co

HTTP/1.1 500 Internal Server Error
Date: Thu, 10 Mar 2011 04:28:20 GMT
Server: Apache/2.2.11 (Win32) mod_jk/1.2.28
Content-Length: 1259
Connection: close
Content-Type: text/html;charset=utf-8

<elided error page>

> the website is accessed fine without proxy setting in the browser.

Due to the website having been tested and debugged with a web browser no
doubt. This means only that it works for a browser when directly
connected to the website.
  I just spent an hour testing potential workarounds. The number of
things which die stating "NullPointerException" is horribly large.

I found that it dies with your error if the X-Forwarded-For header
exists but contains "unknown".

  That text is sent when you configure "forwarded_for off" in
squid.conf. The site works if XFF contains a valid IPv4-only address, or
does not exist at all. It dies if any non-IPv4 address or multiple
addresses are sent. So any IPv6 clients you have behind Squid cannot get
a response despite Squid doing the v6->v4 conversion.

In summary:

If you only have IPv4 clients:
   forwarded_for on

If you have any IPv6 clients:
   acl deadGovt dstdomain .minminas.gov.co
   request_header_access X-Forwarded-For deny deadGovt

(until the site gets fixed or you get squid-3.2 which does
"forwarded_for delete").

It also dies horribly if you omit/anonymize the browser type header or
several other common headers. Which may be a problem if you tried
setting up Squid as an "anonymous" proxy.

Amos

--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Thu Mar 10 2011 - 21:27:39 MST
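
Added example, not part of the original thread and not the site's code: a server-side X-Forwarded-For parser that tolerates every case listed above (header absent, "unknown", IPv6, multiple addresses) instead of failing the request. The function names, the trusted-proxy set and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress


def parse_xff(header_value):
    """Return one entry per X-Forwarded-For hop.

    Each entry is an ipaddress object, or None when the token is not an
    address (for example the literal "unknown"). Never raises, so a missing
    header, IPv6 entries and comma-separated lists cannot crash the caller.
    """
    if not header_value:
        return []
    hops = []
    for token in header_value.split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            hops.append(None)  # "unknown", empty or malformed token
    return hops


def client_address(header_value, peer_address, trusted_proxies=frozenset()):
    """Choose the client address to record for a request.

    The header is only believed when the TCP peer is a known proxy, and only
    the right-most entry is used, because that is the one the proxy itself
    appended; earlier entries are whatever the client chose to send.
    """
    if peer_address not in trusted_proxies:
        return peer_address
    hops = parse_xff(header_value)
    if hops and hops[-1] is not None:
        return str(hops[-1])
    return peer_address


if __name__ == "__main__":
    proxies = frozenset({"203.0.113.5"})  # constructed: address of the Squid box
    samples = [None, "unknown", "192.0.2.10", "2001:db8::1",
               "198.51.100.7, 2001:db8::1", "not-an-address"]  # constructed
    for value in samples:
        print(repr(value), "->", client_address(value, "203.0.113.5", proxies))
```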
