I had a problem at work today where someone complained that they could search google and see all the results but when they clicked on one they got an error message. It turned out that the error message was from the Squid Proxy and they did not have access to the site. This was puzzling for 2 reasons. First this person was not supposed to be filtered through the whitelist proxy. Secondly, why was the whitelist proxy allowing a google search?

The problem with the user being on the wrong Proxy was easily fixed. What I then dug into was trying to determine what was going on with the whitelist to allow a google search.

So first the setup…

It’s pretty simple I’m running Squid Proxy 2.6 on a Debian 4 (Etch). I know I’m a few releases behind here but hey the system “just works” and it is a custom install on a Cobalt RAQ3. I’m not about to break it by trying to upgrade when it’s not needed. Any way, Squid is running a whitelist using this line in the config:

acl whitelist url_regex "/etc/squid/whitelist"

http_access allow all whitelist

So I’m never allowing www.google.com/* which is what would allow me to open up searching. The whitelist does have a few references to google.com but they are explicit for certain sites like:

maps.google.com/*

khm3.google.com/*

gg.google.com/*

ssl.google-analytics.com/*

Of course I set myself on the Squid Proxy and tried to go to http://www.google.com, https://www.google.com, as well as removing the www. In every case I was greeted with the “Access Denied” page. I then added google as a search provider in IE9. I searched and low and behold it returned a google search page. Matt helped out by sniffing packets and watching the logs. We could see where the Squid was allowing the google search page through. So what was going on here?

I started to take apart the string that was being used for the search:

http://www.google.com/search?q=dogs&sourceid=ie7&rls=com.microsoft:en-us:IE-Address&ie=&oe=

I cut everything out one at a time and found that this was the minimum to get through:

http://www.google.com/search?q=pregnant+mermaids&rls=com.microsoft:en-us

I’m not sure what the &rls means. I did a little searching but didn’t come up with anything except that it’s used other places like the default Firefox home page. We do whitelist microsoft.com. I commented that out of the whitelist and reloaded Squid with the same results. Matt changed microsoft to something else and that worked as well. After a bit it hit me what was happening.

We allow all .gov sites which sometimes include .us sites so .us/* is listed in the whitelist. I commented this out and the site was blocked. Finally success, but I need to allow those .us sites and additionally what was Squid recognizing –us as .us and allowing a search to go through to google.com which was not allowed?

Well I didn’t really waste time researching this. I’ve found the online documentation for Squid lacking. I’m not sure the book they sell would have helped. I admit that it could be a version issue but again, I’m not upgrading. So my solution was to add a blacklist and explicitly block google. As mentioned I need some google sites so I can’t just blacklist google.com. I added www.google.com/search to a file called /etc/squid/blacklist and added these lines to the squid.conf:

acl blacklist url_regex "/etc/squid/blacklist"
http_access deny blacklist

After reloading Squid, I tested a search and was given the “Access Denied” page. All was right with the world again. I hope this info will help someone else dealing with a similar issue.

Mood:  surprised

Chat Subject: Unknown

Your Question: do you support IP v6?

A Verizon Service Representative will be with you shortly. Thank you. (16:00:09)

Agent Michelle has joined. (16:00:14)

Michelle : Chat ID for this session is 06021125658. (16:00:14)

Michelle(16:00:35): Thank You for choosing the New Frontier Live chat my name is (Michelle), I will be more than happy to assist you today.

Shawn(16:00:50): thanks. I just want to know if you support IPv6

Shawn(16:01:05): I'd like to configure my router for IPv6 if that is an option.

Michelle(16:01:55): I am sorry I have been told that we dont support that yet

Shawn(16:02:10): Do you know when that will supported?

Michelle(16:02:20): Do you have Fios service? And is there something we can try to help you with?

Shawn(16:02:35): I do have Fios service.

Shawn(16:02:50): Everything is working fine. I would just like to upgrade to the future.

Michelle(16:04:05): No problem, I am sorry but I dont have information as to when we would be able to support that

Shawn(16:05:00): The Internet is my copilot. The Internet spoke to me in a dream and told me the future was IPv6. I'm just trying to comply with its wishes to embrace the future.

Michelle(16:05:35): ok

Michelle(16:05:40): Thank you for chatting with the New Frontier, is there anything else I can assist you with?

Shawn(16:06:05): Thanks for checking. I'll check back in a few months or whenever I have that dream again. It was after a fairly large plate of nachos made with black beans that were probably a month old or so. Perhaps that had something to do with it.

Shawn(16:06:10): thank you,

Shawn(16:06:15): you've answered all my questions perfectly

Shawn(16:06:15): goodbye

Michelle(16:06:20): Thank you for chatting with the New Frontier, if you do not have any further questions, please close the chat. We appreciate your business and have a great day!

Michelle(16:06:47): you are very welcome!

Mood:  not sure

Your garbage will outlive you... 

 I know I haven't really been posting on here. I suppose I am not sure what I want to do with this site. I have been considering turning it into a tech blog instead of the randomness that it is now. I need to update the links on the side for sure. I have a few pages of interest to add. 

 Despite what I said before, I am thinking of joining Face Book. I suppose I really don't have a good reason for not joining. It is just another point of presense on the internet... in some ways that scares me. I think that the internet will, one day, become selfaware. When that day comes, how much do you want it to know about YOU? Or maybe it will know so much about you and think you are cool and have great musical taste and want to be your friend... so then when it desiceds to kill off 98% of the human race for posting "FIRST!!!!!" and other nonsense on the internet, you will be spared. So you can see my hesitation. 

I watched a decent Korean movie last night. The English title is "I'm a Cyborg, but that's OK". The title is the only reason I wanted to see this movie. The description on IMDB turned out to be all wrong. It is the story of a girl who is, or thinks she is, a Cyborg, but as the title suggests, "that's OK". She ends up in a mental hospital and is on a quest to recharge herself. She needs to be fully charged to escape and rescue her grandmother who was taken to a mental hospital herself. She makes friends with the vending machine, radio, lights and other electronics in the hospital. One of the other patients falls in love with her and crazy funny stuff happens along the way.

There are 2 other movies that I am interested in seeing. The first is a Thai movie called "Chocolate". It is an action movie with no stunt doubles or wires! it is very raw and amazing. Do not expect elegant Crouching Tiger Hidden Dragon fights. You can see the preview on IMDB. The rundown is that the movie is about this autistic girl who is really good at martial arts and takes on the local gang/crime boss. One of the tag lines for the movie is "A special needs girl, with a special need... to kick some ass!" How can you NOT see this movie?!

 The other movie is very interesting because it has so much going on. First of all it is a musical/opera. It is called "Repo! The Genetic Opera". Again you can see a preview for it on IMDB. The title caught my attention right away. But then I saw the preview and it looked very good. I don't know if this is based on a comic book but there are certainly some influences there. The cast is actually pretty good with the curious exception of Paris Hilton... yeah WTF? I am not going to let that keep me away from this movie, she doesnt have a major role any way. So the basics of this movie, aside from being a rock opera of sorts, is that in the future people get organ transplants like crazy because of some disease. Of course there is one large evil company doing these transplants. Since the transplants don't come cheap some people default on their payments... Enter the Repo man... he comes for your to reposese your organs! 

I will report back on both of these movies when I can.

Remember, your garbage will outlive you...

Mood:  sharp

the Smithsonian has an article about the leap second that will be put into place at the end of the year. for the technical details please read the article and/or these, link1 link2. simply, we are going to gain one second. it is nice to have just one more second. you can use that time to party, reflect, or sleep.

 time has always been of interest to me. i seem to be obsessed with it or avoiding it (which is a form of obsession). i feel like time does not truely exist outside the realm of human thought. time is an idea we use to describe the difference between actions. time is just a human perception. i wonder if there are other ways of organizing information and actions? in Slaughterhouse 5 by Kurt Vonnegut the Tralfamadorians view all time at once. how do you reference actions if they are all preceived as happening at once? i think that there is no way for me to conseptualize it since all i have ever known is a sequential passage of time. 

 it is now "time" for lunch so i will stop my ramblings, for now.

Mood:  rushed

it seems to go in cycles. i started my first online journal (now known as a blog) in 1996. it was eventually left fowl in 2001. in january of 2004 i joined live journal and kept a journal there for about 2 years. when i started live journal i imported every journal entry i had made on my original site and backdated everything. i had an impressive amount of entries. today is a different story. i didn't backup any entries after i closed out my live journal account. it doesn't really bother me though. this journal is about starting fresh.

 so this is me starting fresh...