Re: Squid not working for connections from ssh-tunnel
It seems the version of squid in ports for 5.2 doesn't support SSL or doesn't support it the same way. What changed?

The errors:

2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED, because it matched 'Safe_ports'
2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED, because it matched 'Safe_ports'

It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt squid in ports.

On Sat, Mar 16, 2013 at 9:26 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2013-03-15, John Tate <j...@johntate.org> wrote:
> > I have a server I use to serve a squid proxy only accessible via ssh tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1 to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working for ssh tunnel connections. It works for the elinks browser, but both should be from localhost and be no different as far as I know.
> >
> > I get these errors in the log:
> >
> > [15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 TCP_DENIED:NONE
>
> iirc TCP_DENIED/403 is due to acl, try following this about getting some more logging:
>
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
>
> localhost can be all sorts of things: 127.0.0.1, ::1, or even some other address, depending on what's set in /etc/resolv.conf and /etc/hosts.

--
www.johntate.org
Re: Squid not working for connections from ssh-tunnel
On 2013/03/16 18:40, John Tate wrote:
> It seems the version of squid in ports for 5.2 doesn't support SSL or doesn't support it the same way. What changed?
>
> The errors:
>
> 2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED, because it matched 'Safe_ports'
> 2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED, because it matched 'Safe_ports'

This is slightly confusing but afaik is normal behaviour when something is rejected; first it indicates the *request* was rejected, then that the *reply* (i.e. the access denied response) was allowed.

Still it gives a clue that the problem is with Safe_ports:

---
acl Safe_ports port 21 80
acl SSL_ports port 443
...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
...
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
---

...so you deny ANY requests unless the dest port is 21/80.

...then you deny CONNECT requests except for port 443 - but this is never reached because you already denied any request other than to 21/80.

so you just need to fix Safe_ports.

> It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt squid in ports.

I don't see how this config can have worked with 5.1 either. In any event there were no substantial changes in the Squid port between 5.1 (2.7.STABLE9p15) and 5.2 (2.7.STABLE9p19), just readme tweaks and ports infrastructure changes. (There are bigger changes in 5.3 which has a choice of squid 2.7 and squid 3.2 - generally 3.2 is preferred though it doesn't build on some arch so 2.7 is kept around for now).
Squid not working for connections from ssh-tunnel
I have a server I use to serve a squid proxy only accessible via ssh tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1 to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working for ssh tunnel connections. It works for the elinks browser, but both should be from localhost and be no different as far as I know.

I get these errors in the log:

[15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 TCP_DENIED:NONE

My squid.conf:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 21 80
acl SSL_ports port 443
cache_mem 256 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname secusrvr.com
coredump_dir /var/squid
http_port 127.0.0.1:3128
https_port 127.0.0.1:3128 cert=/etc/ssl/private/secusrvr.com.crt key=/etc/ssl/private/server.key
logformat combined [%tl] %A %{Host}h %rm %ru HTTP/%rv %Hs %st %{Referer}h %{User-Agent}h %Ss:%Sh
access_log /var/squid/logs/access.log combined
cache_store_log /var/squid/logs/store.log
cache_log /var/squid/logs/cache.log
logfile_rotate 8
cache_dir ufs /var/squid/cache 4096 64 256

I tried googling the error and looking in the manual but still don't fully understand it.

--
www.johntate.org
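Stuart's explanation of first-match http_access evaluation, run against the http_access lines from the squid.conf above, as an added example (not code from the thread or from Squid itself). It models only the src, port and method ACL types the posted config uses; the "fixed" ACL set assumes the fix is adding 443 to Safe_ports, which is what Stuart's reply points at.

```python
# Minimal model of how Squid walks http_access rules top to bottom and
# stops at the first line whose ACLs all match. Not Squid's code: an
# added illustration of why CONNECT :443 is denied by the posted config.

# ACLs as defined in the posted squid.conf ("all" is 0.0.0.0/0.0.0.0).
ORIGINAL_ACLS = {
    "localhost": ("src", {"127.0.0.1"}),
    "lan": ("src", {"127.0.0.1"}),
    "all": ("src", None),            # None: matches any value
    "CONNECT": ("method", {"CONNECT"}),
    "Safe_ports": ("port", {21, 80}),
    "SSL_ports": ("port", {443}),
}
# Assumed fix: add 443 to Safe_ports so the first deny no longer fires.
FIXED_ACLS = dict(ORIGINAL_ACLS, Safe_ports=("port", {21, 80, 443}))

# http_access lines in their posted order (manager/purge lines omitted,
# they cannot match a browser CONNECT).
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["lan"]),
    ("deny", ["all"]),
]

def acl_matches(acls, name, request):
    """Evaluate one ACL reference; a leading '!' negates it as in Squid."""
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    hit = values is None or request[kind] in values
    return hit != negate

def http_access(acls, rules, request):
    """Return 'allow' or 'deny' from the first rule whose ACLs all match.
    If nothing matches, Squid uses the opposite of the last rule's action."""
    for action, names in rules:
        if all(acl_matches(acls, n, request) for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    # Constructed requests: the browser CONNECT from the log, and a plain GET.
    connect443 = {"src": "127.0.0.1", "method": "CONNECT", "port": 443}
    get80 = {"src": "127.0.0.1", "method": "GET", "port": 80}
    for label, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(label, "CONNECT :443 ->", http_access(acls, HTTP_ACCESS, connect443))
        print(label, "GET :80      ->", http_access(acls, HTTP_ACCESS, get80))
```

With the fixed ACL set, CONNECT to a port outside Safe_ports (25, say) is still denied by the first rule, so the fix does not open the proxy to arbitrary tunnels.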
Re: Squid not working for connections from ssh-tunnel
On 2013-03-15, John Tate <j...@johntate.org> wrote:
> I have a server I use to serve a squid proxy only accessible via ssh tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1 to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working for ssh tunnel connections. It works for the elinks browser, but both should be from localhost and be no different as far as I know.
>
> I get these errors in the log:
>
> [15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 TCP_DENIED:NONE

iirc TCP_DENIED/403 is due to acl, try following this about getting some more logging:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F

localhost can be all sorts of things: 127.0.0.1, ::1, or even some other address, depending on what's set in /etc/resolv.conf and /etc/hosts.