Re: Squid not working for connections from ssh-tunnel

2013-03-16 Thread John Tate
It seems the version of squid in ports for 5.2 doesn't support SSL or
doesn't support it the same way. What changed?

The errors:
2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED, because
it matched 'Safe_ports'
2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED,
because it matched 'Safe_ports'

It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt
squid in ports.




On Sat, Mar 16, 2013 at 9:26 AM, Stuart Henderson s...@spacehopper.org wrote:

> On 2013-03-15, John Tate j...@johntate.org wrote:
> > I have a server I use to serve a squid proxy only accessible via ssh
> > tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1
> > to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working
> > for ssh tunnel connections. It works for the elinks browser, but both
> > should be from localhost and be no different as far as I know.
> >
> > I get these errors in the log:
> > [15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT
> > mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64)
> > AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
> > TCP_DENIED:NONE
>
> iirc TCP_DENIED/403 is due to acl, try following this about getting
> some more logging:
>
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
>
> localhost can be all sorts of things: 127.0.0.1, ::1, or even some
> other address, depending on what's set in /etc/resolv.conf and /etc/hosts.




-- 
www.johntate.org



Re: Squid not working for connections from ssh-tunnel

2013-03-16 Thread Stuart Henderson
On 2013/03/16 18:40, John Tate wrote:
> It seems the version of squid in ports for 5.2 doesn't support SSL or
> doesn't support it the same way. What changed?
>
> The errors:
> 2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED,
> because it matched 'Safe_ports'
> 2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED,
> because it matched 'Safe_ports'

This is slightly confusing but afaik is normal behaviour when something is
rejected; first it indicates that the *request* was rejected, then that the
*reply* (i.e. the access denied response) was allowed.

Still it gives a clue that the problem is with Safe_ports:

-- -- --
acl Safe_ports port 21 80
acl SSL_ports port 443
...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
...
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
-- -- --

...so you deny ANY requests unless the dest port is 21/80.

...then you deny CONNECT requests except for port 443 - but this
is never reached because you already denied any request other
than to 21/80.

so you just need to fix Safe_ports.

> It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt
> squid in ports.

I don't see how this config can have worked with 5.1 either.

In any event there were no substantial changes in the Squid port between
5.1 (2.7.STABLE9p15) and 5.2 (2.7.STABLE9p19), just readme tweaks and
ports infrastructure changes. (There are bigger changes in 5.3 which
has a choice of squid 2.7 and squid 3.2 - generally 3.2 is preferred
though it doesn't build on some arch so 2.7 is kept around for now).



Squid not working for connections from ssh-tunnel

2013-03-15 Thread John Tate
I have a server I use to serve a squid proxy only accessible via ssh
tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1
to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working
for ssh tunnel connections. It works for the elinks browser, but both
should be from localhost and be no different as far as I know.

I get these errors in the log:
[15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT
mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
TCP_DENIED:NONE

My squid.conf:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 21 80
acl SSL_ports port 443
cache_mem 256 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname secusrvr.com
coredump_dir /var/squid
http_port 127.0.0.1:3128
https_port 127.0.0.1:3128 cert=/etc/ssl/private/secusrvr.com.crt key=/etc/ssl/private/server.key
logformat combined [%tl] %A %{Host}h %rm %ru HTTP/%rv %Hs %st %{Referer}h %{User-Agent}h %Ss:%Sh
access_log /var/squid/logs/access.log combined
cache_store_log /var/squid/logs/store.log
cache_log  /var/squid/logs/cache.log
logfile_rotate 8
cache_dir ufs /var/squid/cache 4096 64 256

I tried googling the error and looking in the manual but still don't fully
understand it.
-- 
www.johntate.org



Re: Squid not working for connections from ssh-tunnel

2013-03-15 Thread Stuart Henderson
On 2013-03-15, John Tate j...@johntate.org wrote:
> I have a server I use to serve a squid proxy only accessible via ssh
> tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1
> to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working
> for ssh tunnel connections. It works for the elinks browser, but both
> should be from localhost and be no different as far as I know.
>
> I get these errors in the log:
> [15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT
> mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64)
> AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
> TCP_DENIED:NONE


iirc TCP_DENIED/403 is due to acl, try following this about getting
some more logging:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F

localhost can be all sorts of things: 127.0.0.1, ::1, or even some
other address, depending on what's set in /etc/resolv.conf and /etc/hosts.
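As an added illustration (not code from this thread, from Squid, or from the OpenBSD port), the Python model below replays Squid's first-match http_access evaluation over the ACLs in the posted squid.conf. It reproduces both of Stuart's diagnostic points: the `deny !Safe_ports` line rejects a CONNECT to port 443 before the `deny CONNECT !SSL_ports` line is ever consulted, and a client that arrives as ::1 does not match an ACL written as 127.0.0.1/255.255.255.255. The function names (`make_acls`, `acl_matches`, `evaluate`), the sample requests, and the corrected Safe_ports list (adding 443, the minimal change that lets the CONNECT rule be reached) are this example's own assumptions; the fallback when no line matches follows Squid's documented rule that the default is the opposite of the last http_access line.

```python
"""Model of Squid http_access first-match evaluation (added example, not
Squid's own code).  ACL table and rule list mirror the posted squid.conf."""
import ipaddress


def make_acls(safe_ports):
    """ACL table in the shape of the posted config.  safe_ports is a
    parameter so the posted list (21, 80) and a corrected list can be
    compared side by side.  Assumed names, constructed for this example."""
    return {
        "all":        ("src",    ["0.0.0.0/0"]),     # acl all src 0.0.0.0/0.0.0.0
        "localhost":  ("src",    ["127.0.0.1/32"]),  # 127.0.0.1/255.255.255.255
        "lan":        ("src",    ["127.0.0.1/32"]),  # acl lan src 127.0.0.1
        "CONNECT":    ("method", ["CONNECT"]),
        "Safe_ports": ("port",   list(safe_ports)),
        "SSL_ports":  ("port",   [443]),
    }


# http_access lines from the posted config, in order.  The manager/purge
# lines are omitted: they never match an ordinary browser CONNECT request.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["lan"]),
    ("deny",  ["all"]),
]


def acl_matches(acl, src, method, port):
    """Does one ACL match a request (client src address, method, dest port)?
    A v6 address is never inside a v4 network, so ::1 misses every src ACL
    in the posted config."""
    kind, values = acl
    if kind == "src":
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "method":
        return method in values
    if kind == "port":
        return port in values
    raise ValueError("unsupported acl type: %s" % kind)


def evaluate(acls, http_access, src, method, port):
    """First-match evaluation.  A line matches when ALL of its ACL terms
    match ('!' negates a term).  Returns (decision, 1-based line number),
    or (opposite of the last line's action, None) when nothing matches,
    which is Squid's documented fallback."""
    for lineno, (action, terms) in enumerate(http_access, start=1):
        hit = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            matched = acl_matches(acls[name], src, method, port)
            if matched == negate:      # term fails: matched-but-negated or vice versa
                hit = False
                break
        if hit:
            return action, lineno
    last_action = http_access[-1][0]
    return ("allow" if last_action == "deny" else "deny"), None


POSTED = make_acls([21, 80])        # Safe_ports exactly as posted
FIXED = make_acls([21, 80, 443])    # assumption: minimal fix, add 443 to Safe_ports


def connect_from_loopback(acls):
    """The failing request from the thread: CONNECT host:443 from 127.0.0.1."""
    return evaluate(acls, HTTP_ACCESS, "127.0.0.1", "CONNECT", 443)


if __name__ == "__main__":
    # Posted config: denied at line 1 ('!Safe_ports'), matching the cache.log entry.
    print("posted Safe_ports:", connect_from_loopback(POSTED))
    # With 443 in Safe_ports line 1 no longer fires, line 2 sees CONNECT to an
    # SSL port and also passes, and 'allow localhost' (line 3) admits it.
    print("fixed  Safe_ports:", connect_from_loopback(FIXED))
    # Non-standard ports stay blocked by the first line even after the fix.
    print("GET :8080 (fixed):", evaluate(FIXED, HTTP_ACCESS, "127.0.0.1", "GET", 8080))
    # A client seen as ::1 matches neither 'localhost' nor 'lan' nor even 'all'.
    print("::1 matches localhost?", acl_matches(POSTED["localhost"], "::1", "GET", 80))
    print("GET :80 from ::1:", evaluate(POSTED, HTTP_ACCESS, "::1", "GET", 80))
```

Run it with `python3`. The ::1 case is the cautionary one: because every src ACL in the posted config is IPv4, a v6 loopback client matches no line at all and falls into Squid's "opposite of the last line" default, which is why Stuart suggests checking what "localhost" actually resolves to on the box.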