Page 1 of 3

SQUID Proxy problems with assign.stanford.edu

Posted: Wed Aug 05, 2009 12:45 pm
by SanHolo
My University is tangling with the Proxy Software, and now I get an invalid response from http://assign.stanford.edu/ (see HTML).

This is what the Proxy creates:

Code: Select all

./squidclient -p 80 -h <ip omitted> -v http://assign.stanford.edu 
Request: 'GET http://assign.stanford.edu HTTP/1.0
Host: assign.stanford.edu
Accept: */*
Accept: */*

'
HTTP/1.0 502 Bad Gateway
Server: squid/3.1.0.13
Mime-Version: 1.0
Date: Wed, 05 Aug 2009 10:08:46 GMT
Content-Type: text/html
Content-Length: 3147
X-Squid-Error: ERR_INVALID_RESP 0
X-Cache: MISS from proxy.unibe.ch
Via: 1.0 xyz.unibe.ch (squid/3.1.0.13)
Proxy-Connection: close
www.ircache.net issues the following warning:
The following server didn't issue a Date: header in the correct format (possibly not at all) for at least one request. Please ask the suppliers of your Web server software to fix this problem.

* assign.stanford.edu


This object will be considered stale, because it doesn't have any freshness information assigned. It doesn't have a validator present. It will be revalidated on every hit, because it has a Cache-Control: no-cache header. It doesn't have a Content-Length header present, so it can't be used in a HTTP/1.0 persistent connection. The Web server didn't send a Date header for this object, which may cause problems.
Is there anything I can do to resolve this?

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Fri Aug 07, 2009 12:26 pm
by 314159
Folks: this a Mac Pro Dual Quad that "should" be running the "VBig" SMP's at this stage and we need to get this resolved asap if possible.
ALL informed suggestions are welcomed, especially from our I.T. Gurus.

SanHolo,

Have you contacted the University's I.T. Department and explained the situation in detail?
I would be screaming "FOUL" at them for making this modification "mid-stream"(and demand that they provide the solution).

I have absolutely no experience with proxies or "local proxy workarounds".

I know for a fact that several members that post actively to this Forum do!

PLEASE share your expertise so that we can get SanHolo up and running again. :ewink:

SanHolo is a relatively new VOLUNTEER (and "professional" individual) who has been down for 4 days at this stage!!!!!
His request for assistance will soon reach 48 hours with NO responses. We should be able to do better than that. :oops:

THANKS in advance for any and all suggestions (other than beating up his I.T. guys). :)

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Fri Aug 07, 2009 12:58 pm
by SanHolo
Thanks John for chiming in.

Problem is that the University had to Setup the Proxies with a newer version of SQUID and I only discovered that it cannot handle assign.stanford.edu when they rolled it out to the productive systems. They say that they're trying to find solutions for the few websites giving problems, but I have no idea how long this will take them. But I wonder anyway why assign.stanford.edu would use an illegal header.

Too bad I lost more than 10 completed WU's since their deadline has passed by now.

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Fri Aug 07, 2009 1:31 pm
by 314159
I truly do not believe that assign.stanford.edu and assign2.stanford.edu employ "illegal headers".

MANY volunteers in this project use "corporate" machines and contend with various complex proxies.
If your I.T. guys can't get their act in gear, I think that there "may" be a workaround that involves changing the proxy config on your local machine(s).

That's why I am trying to WAKE UP THE PROS (it's early morning here, of course).
(I am totally worthless as a resource in this situation - and certain others too, of course) :ewink:

Perhaps we can get one of the Project's volunteer "PROS" to discuss the situation with your I.T. guys.

In the meantime, try searching this Forum to see if you can find a thread on point.

I am heading back to bed for a few hours......will check progress when I get up.

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Fri Aug 07, 2009 4:16 pm
by tear
Is it a transparent proxy? (i.e. it handles your HTTP connections even though you didn't configure your client for proxy use)
If so, then only workaround I can think of is setting up your own HTTP proxy outside your organization's network.

Such approach would require:
1) A proxy software -- if you go to freshmeat.net/sourceforge.net you'll find plenty of these; langouste see here
can also act as a rudimentary HTTP proxy (with -p command line option)
2) A non-local server you have access to (with static IP)


tear

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Fri Aug 07, 2009 4:36 pm
by BrokenWolf
I wish I could help but we use Monkeysofts ISA server where I work. We just have to put in a user ID and password (I have a service account with internet access so it is not my info in the cfg file) and I'm able to get the clients to talk. I have no idea of what squid even is or how it works.

The only thing I have a question about is this:
Looking at your log file makes me wonder about that bad gateway comment. Could you find out if your Uni. has a backend connection to Stanford? It may be called something like a Business to Business connection and all traffic to Stanford from that connection goes over that route instead of the internet now. We had an issue like this with a vendor that was trying to send us emails and instead of the traffic going out thru their internet connection, it tried to route thru the B2B connection which was firewalled off from most areas except where they needed to talk.

Wish I could help out more.

BW

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sat Aug 08, 2009 9:14 am
by SanHolo
Thanks for the replies!
As far as I can tell, the header of assign.stanford.edu is somewhat malformed, but in a way that any proxy software has no problems with it. Squid is an Open Source Proxy software and is being used by our university, and it got updated to a newer version. Worked flawlessly before. http://en.wikipedia.org/wiki/Squid_(software)

No, it's not a transparent proxy, if you want to get out of the Universities LAN you have to use that proxy. It works with everything but assign.stanford.edu. I didn't ask directly whether we have a B2B connection to Stanford, but I asked for a temporary solution and was told that there is none, except for assign.stanford.edu to change the header. I don't have access to a machine outside the University that would run continuous enough to act as a proxy, but maybe I can setup a temporary one once I get back home. The only thing is - how do I redirect my requests to assign.stanford.edu to go out the universities proxy to my proxy?

They are working on it and I assume it won't take too long. We've had Proxy problems for the last month which was temporarily fixed and now the stable thing that was rolled out caused this problem.

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sat Aug 08, 2009 9:59 am
by toTOW
I guess setting up a VPN between your machine inside and outside university might be the only solution to solve this issue ... look at the OpenVPN project for more informations.

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sat Aug 08, 2009 3:33 pm
by 314159
The truly viable solution is to discuss the problem that their I.T. guys JUST created with the highest ranking individual in SahHolo's Department and have him contact the overall head of the University's I.T. Department and DEMAND that it be corrected IMMEDIATELY (with no if, ands, or buts as they say). 8-)

The conversion was disruptive and poorly thought through.

One man's opinion, but I'll bet you that if it had been I that was affected, the situation would have been resolved almost immediately (been there, done that). :ewink:

From what I gather from SanHolo's last post, they are working on the resolution (and I bet that he took action close to what I suggested).

Darn I.T. guys! (ALL present company excluded, of course)..... :wink:

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sat Aug 08, 2009 4:33 pm
by tear
SanHolo wrote:The only thing is - how do I redirect my requests to assign.stanford.edu to go out the universities proxy to my proxy?
That part is relatively easy -- FAH client has an option to configure external proxy (both Linux and Windows flavors).
You may configure your proxy to listen on port, say... 8888 and configure the client so it directs all its HTTP connections through your proxy.

There are security considerations involved though -- most likely you don't want to set up an "open" HTTP proxy.
You can tighten the security by using proxy authentication (FAH client supports that too) and/or IP based filtering
on the "proxy" machine (if you have appropriate credentials).


tear

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sat Aug 08, 2009 4:38 pm
by tear
One more thought -- by saying "have to use university proxy" are you saying you can't open a TCP connection to some (any?) port
of arbitrary machine on the internet? There might be some trial and error necessary there...

Surely, they cannot block traffic to :443 (as 443 is HTTPS and nobody sane relays HTTPS connections) though making use
of 443 would require extra privileges on proxy machine.


tear


EDIT: grammar

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sat Aug 08, 2009 10:45 pm
by SanHolo
I'd have to test more thoroughly, but I can only use some well known ports in order to "get out" of my Universities' network. Everything through port 80 has to go through the proxy, 443 can go straight. There's maybe some other ports like 21 and 22 and more, but those above 1023 are most likely blocked. Probably that's the problem with your Proxy Effort, tear.
tear wrote:That part is relatively easy -- FAH client has an option to configure external proxy (both Linux and Windows flavors).
You may configure your proxy to listen on port, say... 8888 and configure the client so it directs all its HTTP connections through your proxy.
That won't work since I _must_ use the Universities' proxy for port 80. Or am I on the wrong track here?

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sun Aug 09, 2009 1:49 am
by tear
SanHolo,

You're on the right track -- the effort requires a port that
goes "straight" through. Now, we're pretty sure 443 does,
995 probably too (just as 22/23/25.. et al.).

Finding something above 1024 would be extremely helpful
(as you wouldn't need extra privileges on proxy machine).

EDIT: to iterate a bit further -- having a proxy on port XYZ
implies that from uni perspective you'll *always* connect
to proxy_ip:XYZ no matter the destination host or port of
your HTTP requests

[machine-in-uni] ------uni-net-------> // -----internet-----> [proxy:XYZ] -----internet-----> [assign.stanford.edu:8080]

All that *if* XYZ is a port that goes "straight" through.


tear

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sun Aug 09, 2009 9:30 am
by SanHolo
I assume there are many ports above 1023 open but the well known "abused" ports. I can run a Torrent client with altered port (55555). 8080 does also work to directly connect to my private Apache.

tear set up a proxy running on port 443 and that seems to work well for now! Thanks m8!

Re: SQUID Proxy problems with assign.stanford.edu

Posted: Sun Aug 09, 2009 2:24 pm
by tear
SanHolo wrote:I assume there are many ports above 1023 open but the well known "abused" ports. I can run a Torrent client with altered port (55555). 8080 does also work to directly connect to my private Apache.
Well then it means you could also use (at least) these if, as you say, direct TCP connections
(no proxy involved) work.
SanHolo wrote:tear set up a proxy running on port 443 and that seems to work well for now! Thanks m8!
Hey, no problem :mrgreen:

tear