TOPIC:

I've been using IPcop for many years successfully, and have recently run into one site that fails to work correctly for 2 applications whenever squid transparent proxying is turned on. (Everything else has been working nicely.)

I am running IPcop 1.4.12, the latest release, with no additions other than midentd (locally installed).

The two Linux applciations that have problems are CallGit and FLdigi. These apps make http requests to a site: www.qrz.com . Both apps appear to be making http requests, yet never get the site response whenever transparent proxying is active (they get a socket timeout, and appear to get the request to the site but never see the site response). Both work fine when proxying is disabled. The web site works fine in a browser when transparent proxying is active. I have contacted both application authors and they state that they are making simple http requests to the site and parsing retuned http data.

What I'd like to do is to setup a redirect for this one web site prior to the redirect for squid transparent proxying. I don't know where exactly to add the rule, or know what the appropriate syntax for the entry would be. It looks like rc.firewall.local is the place recommended to add the custom rule, but I don't know what the correct start and stop rules for bypassing squid for a single site would be.

I'd greatly appreciate any advice and ideas as to how to solve my squid proxy issue.

Rick

Very strange, especially as it works fine with your web browser. I suspect that the applications be making non-standards compliant HTTP requests. You may want to sniff the HTTP requests using Wireshark.

In the meantime, to bypass Squid, a quick (and nasty) fix would be to insert the following commands in the rc.firewall.local file which you rightly identified:
[code:1]
start rule:
/sbin/iptables -t nat -A CUSTOMPREROUTING -p tcp --dport 80 -d www.qrz.com -j ACCEPT

reload rule:
/sbin/iptables -t nat -F CUSTOMPREROUTING
/sbin/iptables -t nat -A CUSTOMPREROUTING -p tcp --dport 80 -d www.qrz.com -j ACCEPT

stop rule:
/sbin/iptables -t nat -F CUSTOMPREROUTING
[/code:1]

You may want to include additional lines for qrz.com in case the applications don't use www.qrz.com.

To activate the rules simply type ". /etc/rc.firewall.local start"

Thank you so much!

This worked perfectly!

I did do some Wireshark sniffing prior to asking about the bypass rule. It looked to me like the apps were using http get requests, but I may not have looked closely enough or known exactly what to look for when doing the sniff.

Thanks again,
Rick

Glad to hear that it's working OK.

Re: Wireshark sniffing
Yes the apps would be expected to use GET requests. The problem is with the contents of these requests. If you want to investigate further, you may try comparing the requests from your browser and any of the apps and see if you can identify any significant differences.

Would be interested to see if this throws up anything or you could post the results?