Prohibited header 'Proxy-Connection' present

[vabiro]

Hi,

I appologise if this has been discussed. I tried searching and didn't have any luck.

I was checking my badbehaviour logs and noticed a lot of the notifications identified as: "Prohibited header 'Proxy-Connection' present"

I noticed that when using "strict" mode clients identifying themselves as HTML 1.1, but using 1.0 were rejected.

Are these two things related? I am not using strict mode, so if they are then there could be a problem.

The other thing that I was curious about was whether this could be associated with my Squid Proxy server impacting it. It is not doing reverse proxy, only on-net browsers.

Thanks for a great plugin!

Victor

[michiel_1981]

Hi,

This can definitely come from your squid proxy which should be configured differently, can you confirm the log ip is your computer or squid server?

And yes the strict mode can indeed block legit clients, but they are not setting up a connection correctly and that is why they are getting blocked.

I almost never run in strict mode myself.

Kind regards,
Michiel

[vabiro]

Michael,

Thanks for getting back to me so quickly.

I checked my firewall/squid settings and it appears to be operating in transparent mode, proxying only content to browsers on my network. In effect it is passing along my requests to websites and caching the responses, not passing external requests to my site, caching and passing the responses to external requesters.

I am using Smoothwall 3.0, so most of the configuration is done through the web interface, and not all of the squid.conf file is visible, so here it is in case you're curious:

Code:

visible_hostname gateway
acl localnetgreen src 192.168.123.0/255.255.255.0
http_port 192.168.123.1:800 transparent
cache_mem 8 MB
maximum_object_size_in_memory 32 KB

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

half_closed_clients off

cache_swap_high 100%
cache_swap_low 80%

shutdown_lifetime 3 seconds
icp_port 0

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_effective_group squid

pid_filename /var/run/squid.pid

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
error_directory /usr/share/errors/English
log_mime_hdrs off

forwarded_for off

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80                  # http
acl Safe_ports port 81                  # smoothwall http
acl Safe_ports port 21                  # ftp
acl Safe_ports port 445 443 441 563     # https, snews
acl Safe_ports port 70                  # gopher
acl Safe_ports port 210                 # wais
acl Safe_ports port 1025-65535          # unregistered ports
acl Safe_ports port 280                 # http-mgmt
acl Safe_ports port 488                 # gss-http
acl Safe_ports port 591                 # filemaker
acl Safe_ports port 777                 # multiling http
acl CONNECT method CONNECT

redirect_program /usr/bin/updatecacher/redir.pl
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access deny all

umask 022

maximum_object_size 4096 KB
minimum_object_size 0 KB

cache_dir diskd /var/spool/squid/cache 500 16 256

request_body_max_size 0 KB
reply_body_max_size 0 allow all

logfile_rotate 0

strip_query_terms off

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

Looking at my web logs in Webalizer I do see an awful lot of request - apparently - coming from my "Gateway". Since it is only supposed to be doing NAT and port forwarding, I am a bit curious why this would be, and if it was associated with this.

Cheers
Victor

[michiel_1981]

Two questions for you.

1. Do you host your site at home behind your gateway, and this gateway is the squid server or do external request bypass the squid server completely and directly connect to apache/nginx/etc...

2. what is the ips that are show up in the badbehaviour logs? Gateway or external? You can find the logs in your root joomla directory and then enter the logs directory.

Kind regards,
Michiel

[vabiro]

1. Do you host your site at home behind your gateway, and this gateway is the squid server or do external request bypass the squid server completely and directly connect to apache/nginx/etc...

I do host it on a linux box behind the FW using Apache. Port 80 is forwarded to the web server, so it shouldn't be passing through squid.

2. what is the ips that are show up in the badbehaviour logs? Gateway or external? You can find the logs in your root joomla directory and then enter the logs directory.

It is showing external IP addresses. Here is a sample:

Code:

2009-10-06      05:09:37        121.11.86.106   Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:03        123.164.34.214  Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:07        58.214.5.169    Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:14        220.189.227.2   Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:20        218.28.192.10   Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:24        67.160.42.255   Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:30        211.239.124.90  Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:33        67.160.42.255   Prohibited header 'Proxy-Connection' present
2009-10-06      05:10:40        58.214.5.169    Prohibited header 'Proxy-Connection' present
2009-10-06      05:11:09        195.116.233.210 Prohibited header 'Proxy-Connection' present
2009-10-06      05:11:24        112.91.145.78   Prohibited header 'Proxy-Connection' present

When I was browsing through the logs, looking at more recent entries, this reason is much less prevalent. It is possible that whatever is/was causing this was resolved by a patch that I put in a week or so ago.

Victor

[michiel_1981]

Hmm,

Just for full set of info: what did you patch and can you give all the versions of squid/apache and server distro(ubuntu/debian/fedora/..)

I'll try to setup a virtual server with that and see if I can reproduce the error.

kind regards,
Michiel

[vabiro]

Hmm,

Just for full set of info: what did you patch and can you give all the versions of squid/apache and server distro(ubuntu/debian/fedora/..)

I'll try to setup a virtual server with that and see if I can reproduce the error.

kind regards,
Michiel

The Smoothwall distro contains a bare bones linux kernel, IPTables and a bunch of other programmes.

When they come out with an update it updates several things. In this case I went from update4-i386 to update5-i386.

In the Update 5 was the following:

This update contains numerous updates for components of SmoothWall Express 3.0 as well as improved functionality and several bug fixes.

* New Versions: Snort 2.8.4.1
* Clamav 0.95.2
* Squid 2.7.STABLE6
* Imspector 20090728
* Openssl 0.9.8k
* Openssh 5.2p1
* Module-init-tools 3.5

* Functionality improvements: Open port 4500 to support IPsec NAT traversal.
* Reliability improvements for timed access.
* Fix bouncing port forwards.
* Increase Apache request timeout to 20 minutes to allow slow CGI scripts.
* Add timeouts in connection tracking to avoid spurious log messages.
* Support for Home and End keys in the shell.
* Fix the locate command in the shell.

User interface improvements:

* Don't display high memory usage in red on graphs, as this is normal.
* Typo in error message on external access page.
* Only display PPP control buttons on front page when PPP is enabled.
* Corrections to list of package sources.

Backend changes:

* Load MAC address match module into iptables by default.
* Correct invalid path when stopping DHCP client.
* When an interface address is changed, restart the services which use it.
* Support updating complex iptables rulesets larger than 64K.

The previous versions (Update4-i386) contained the following:

update4-i386 This update corrects several problems with SmoothWall Express 3.0 and adds some enhan 2008-12-08
This update corrects several problems with SmoothWall Express 3.0 and adds some enhancements.

* snort 2.8.3.1
* ClamAV 0.94.2
* squid 2.7.STABLE5, to fix Shoutcast streaming
* IMSpector 20081113, supporting Jabber/Google Talk including SSL man-in-the-middle
* openssl 0.9.8i
* bzip2 1.0.5
* pcre 7.8
* libosip2 3.2.0
* siproxd 0.7.1
* New Timed Access implementation from Steven L. Pittman
* Support for upstream Web proxy when downloading updates
* User interface improvements including background downloading of Snort rules

Before you start building each piece by themselves, just download the Smoothwall ISO and boot from it, and everything will be installed. It then takes a bit of configuration and updating.

Victor

[michiel_1981]

I'll do that, saw they had vmware images so I can play with them.

This isn't going to be a fast reply as I have only Sunday some time, if the errors return please report them as well.

kind regards,
Michiel

[macrylinda1]

I was registered at your forum. I have printed the test message. Do not delete, please.
Just wanted to say thanks to everyone for the warm/scary welcome,I'm really looking forward to talk about anything and everything horror related.

__________________________
watch free movies online