On 06/19/13 15:08, Lars Noodén wrote:
I'm running into some difficulty with "access denied" in squid3 when I
switch it to act as an intercepting proxy. It works as normal when I use
it as a regular proxy but when turning on intercepting (formerly
transparent proxying) the web browser shows this error:
...Access Denied.
Access control vconfiguration prevents your request from
being allowed at this time. Please contact your service
provider if you feel this is incorrect
...
and the access log shows this kind of message in intercept mode but not
as a normal proxy:
1371640231.979 3 192.168.2.33 TCP_DENIED/403 4014 GET
http://blogs.hbr.org/cs/2013/06/you_have_no_control_over_s.html
- HIER_NONE/- text/html
1371640232.045 3 192.168.2.33 TCP_DENIED/403 3922 GET
http://www.squid-cache.org/Artwork/SN.png -
HIER_NONE/- text/html
So I can see that PF is properly forwarding the connection and that the
browser is actually reaching squid3.
However even completely removing any access limitations in squid.conf
does not let the browser through. The following should be open but still
produces the TCP_DENIED message:
http_access allow all
...
http_port 127.0.0.1:3128 intercept
This occurs with in 5.3-stable on i386 with both squid/3.2.11 from ports
and with squid/3.2.7p0 from the CD, so what should I look at changing?
Regards,
/Lars
Hello,
I have a setup of squid on 5.3 (not -stable though) with intercept, here
is my squid.conf file:
-----
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 127.0.0.1:3128 intercept
icp_port 0
htcp_port 0
snmp_port 0
cache_mem 512 MB
cache_dir ufs /var/squid/cache 100 16 256
access_log syslog:daemon.debug
max_filedesc 1024
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
-----
And the pf rule to make this work looks like this:
pass in on gif0 inet proto tcp from any to any port = 80 flags S/SA keep
state (sloppy) divert-to 127.0.0.1 port 3128
It works for me.
-peter
