[squid-users] Access Denied for manager

2018-04-17 Thread James Moe
Hello,
  squid v3.5.21
  linux v4.4.120-45-default x86_64

  The "manager" is suddenly denied access. I am not aware of any recent
updates. This did work 3 days ago.
  Is the ACL correct?

acl manager_admin src 192.168.69.115
#
acl localnet src fc00::/7
acl localnet src fe80::/10
#
# https, cups
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
# sma-nas-02, cgatePro, webadmin
acl SSL_ports port 5000
acl SSL_ports port 5001
acl SSL_ports port 9010
acl SSL_ports port 9100
acl SSL_ports port 1
#
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 631
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 9100
#
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24

access_log /var/log/squid/access.log

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all



-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Access Denied for manager

2018-04-19 Thread James Moe
On 04/19/2018 12:15 AM, Amos Jeffries wrote:

> I see you have a forwarding loop:
> 
>  192.168.69.115 -> Squid -> 192.168.69.246 -> Squid -> DENIED.
> 
> That 192.168.69.115 is trying to fetch "http://proxy1.sma.com". But the
> Squid appears to think its hostname is "sma-server3".
>
  Ah.
  It would seem the proxy configuration for opensuse LEAP 42.3 is a bit,
um, defective. I have the local domain listed as do-not-proxy; yet it
does anyway.
  Using a browser with the same proxy configuration, a manual config,
works correctly.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





[squid-users] Long delays with TLS

2018-09-13 Thread James Moe
Hello,
  squid 4.0.23
  linux 4.12.14-lp150.12.7-default x86_64

  We have been seeing frequent, but not consistent, delays when proxying
TLS requests while browsing. By disabling the proxy, those delays
stopped occurring.
  I can see no obvious hint in either the access or cache logs.
  (Is there a way to use ISO time format in the logs?)

  Where should I look to find what is causing the delay?

[ conf ]
acl manager_admin src 192.168.69.115
#
# acl localnet src fc00::/7
# acl localnet src fe80::/10
#
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
# sma-nas-02, cgatePro, webadmin
acl SSL_ports port 5000
acl SSL_ports port 5001
acl SSL_ports port 9010
acl SSL_ports port 9100
acl SSL_ports port 1
#
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 631
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 9100
#
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24

access_log /var/log/squid/access.log
#
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

# Squid normally listens to port 3128
http_port 3128

cache_dir ufs /data01/var/cache/squid 51200 16 256
maximum_object_size 9 KB
cache_mem 256 MB
coredump_dir /var/cache/squid

refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320

cache_log /var/log/squid/cache.log
cache_mgr ji...@sohnen-moe.com
cache_replacement_policy lru
cache_store_log /var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
error_directory /usr/share/squid/errors/en
ftp_passive on
memory_replacement_policy lru
minimum_object_size 0 KB
[ end ]

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





[squid-users] After enabling IPv6 squid no longer responds

2019-11-13 Thread James Moe
Hello,
  squid v4.8

  I have started transitioning our local network to IPv6.
  After adding v6 addresses to the server and hosts, and enabling an RA, squid
no longer delivers anything from its cache, or is exceedingly slow about it.
  I have reviewed the wiki. The one section that discusses this issue has a
solution only for v3.1 or earlier. Does it also apply to later versions?
  What am I missing?

[ squid.conf ]
# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl manager_admin src 192.168.69.115
#
# acl localnet src fc00::/7
# acl localnet src fe80::/10
#
# https, cups
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
# sma-nas-02, cgatePro, webadmin
acl SSL_ports port 5000
acl SSL_ports port 5001
acl SSL_ports port 9010
acl SSL_ports port 9100
acl SSL_ports port 1
#
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 631
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 9100
#
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24
acl localnet src fd2f:4760:521f:3f3c::0/64

access_log /data01/var/log/squid/access.log
#
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
# cache_dir ufs /var/cache/squid 100 16 256
cache_dir ufs /data01/var/cache/squid 51200 16 256
maximum_object_size 9 KB
cache_mem 256 MB

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320

cache_log /data01/var/log/squid/cache.log
cache_mgr ji...@sohnen-moe.com
cache_replacement_policy lru
cache_store_log /data01/var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes

logfile_rotate 0

error_directory /usr/share/squid/errors/en

ftp_passive on
memory_replacement_policy lru
minimum_object_size 0 KB
[ end ]

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: [squid-users] After enabling IPv6 squid no longer responds

2019-11-14 Thread James Moe
On 13/11/2019 12.36 pm, James Moe wrote:

>   After adding v6 addresses to the server and hosts, and enabling an RA, squid
> no longer delivers anything from its cache, or is exceedingly slow about it.
>
  Anyone?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: [squid-users] After enabling IPv6 squid no longer responds

2019-11-14 Thread James Moe
On 13/11/2019 12.36 pm, James Moe wrote:

>   After adding v6 addresses to the server and hosts, and enabling an RA, squid
> no longer delivers anything from its cache, or is exceedingly slow about it.
>
  Here is a typical error message from squid:

The following error was encountered while trying to retrieve the URL:
http://dx.doi.org/
Connection to 2606:4700:20::681a:9ed failed.
The system returned: (110) Connection timed out

  There is nothing in the access.log; the request is utterly ignored.
  When I have the browser bypass the proxy, the site loads almost instantly.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





[squid-users] Changing the time format for access_log

2019-11-19 Thread James Moe
squid 4.8

I changed the default squid log format

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %a %Ss/%03>Hs %a %Ss/%03>Hs %



Re: [squid-users] Changing the time format for access_log

2019-11-20 Thread James Moe
On 2019-11-19 10:12 PM, Amos Jeffries wrote:

> IIRC, modern
> Squids support a natural position for such parameters -- after the
> %code. Here is an untested example:
>
>  %tl{%Y-%m-%dT%H:%M:%S}
>
  Thank you. That works quite nicely.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: [squid-users] After enabling IPv6 squid no longer responds

2019-11-25 Thread James Moe
On 2019-11-14 3:04 PM, Alex Rousskov wrote:

> Can you connect to port 80 of that IPv6 address using telnet, wget, or
> curl running on the Squid box?
> 
  Yes.
$ telnet fd2f:4760:521f:3f3c::c0a8:45f6 80
Trying fd2f:4760:521f:3f3c::c0a8:45f6...
Connected to fd2f:4760:521f:3f3c::c0a8:45f6.
Escape character is '^]'.

> 
>>   There is nothing in the access.log; the request is utterly ignored.
> FYI: "utterly ignored" seems to contradict "error message from squid"
> above. 
>
  I know. Confusing.
  I have narrowed the problem space. The issue occurs only with https:, and not
always. Most sites time out; others (partially) load after a delay of 5-20
seconds.
  The delay never occurs for non-secure traffic.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.







Re: [squid-users] After enabling IPv6 squid no longer responds

2019-11-25 Thread James Moe
On 2019-11-14 3:04 PM, Alex Rousskov wrote:

> FYI: "utterly ignored" seems to contradict "error message from squid"
> above.
>
  The command "ip a" produces the following rather intimidating output. Should I
add some more IPv6 addresses to the configuration parameter "localnet"?
  Address fd2f:4760:521f:3f3c::c0a8:45f6 is the IPv6 address given as the static
entry for the network interface.

2: eth0:  mtu 1460 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:24:8c:9a:f4:f4 brd ff:ff:ff:ff:ff:ff
inet 192.168.69.246/24 brd 192.168.69.255 scope global eth0:smasvr3
   valid_lft forever preferred_lft forever
inet6 fd2f:4760:521f:3f3c:4dfa:4b86:934:5684/64 scope global temporary dynamic
   valid_lft 602374sec preferred_lft 83376sec
inet6 fd2f:4760:521f:3f3c:1f0:8b81:2a1e:bb1f/64 scope global temporary deprecated dynamic
   valid_lft 516573sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:38ef:8276:b87b:5f8d/64 scope global temporary deprecated dynamic
   valid_lft 430773sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:d4c3:7847:797c:37da/64 scope global temporary deprecated dynamic
   valid_lft 344973sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:c02e:96a3:1557:88ec/64 scope global temporary deprecated dynamic
   valid_lft 259173sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:3598:28d1:3525:e51e/64 scope global temporary deprecated dynamic
   valid_lft 173373sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:913c:74dd:d2fd:dc66/64 scope global temporary deprecated dynamic
   valid_lft 87572sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:f592:3b23:f025:50ba/64 scope global temporary deprecated dynamic
   valid_lft 1773sec preferred_lft 0sec
inet6 fd2f:4760:521f:3f3c:224:8cff:fe9a:f4f4/64 scope global mngtmpaddr dynamic
   valid_lft 2591781sec preferred_lft 604581sec
inet6 fd2f:4760:521f:3f3c::c0a8:45f6/64 scope global
   valid_lft forever preferred_lft forever
inet6 fe80::224:8cff:fe9a:f4f4/64 scope link
   valid_lft forever preferred_lft forever



-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





[squid-users] Manager access for statistics

2017-10-29 Thread James Moe
Hello,
  opensuse v42.2
  linux v4.4.87-18.29-default x86_64
  squid v3.5.21

  On occasion I look at the squid statistics; it has been a while since
I last checked them, at least a month. The request was denied as not
having access privileges. I do not see why it is now being denied.
  My understanding is that the ACL names "manager" and "manager_admin"
would be allowed since they are first in the list (see below).
  What have I misunderstood?

http://proxy1.sma.com:3128/squid-internal-mgr/info

acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl manager_admin src 192.168.69.115
#
acl localnet src 192.168.69.0/24
acl localnet src fc00::/7
acl localnet src fe80::/10
#
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
acl SSL_ports port 5000 # NAS
acl SSL_ports port 9100
acl SSL_ports port 1 # Webmin
#
acl Safe_ports port 563 # nntp
acl Safe_ports port 631 # cups
acl Safe_ports port 9100 # ?network printer?
#
# From the default conf:
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#
acl CONNECT method CONNECT
#
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Squid normally listens to port 3128
http_port 3128

access_log /var/log/squid/access.log


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: [squid-users] Manager access for statistics

2017-10-29 Thread James Moe
On 10/29/2017 04:54 AM, Amos Jeffries wrote:
> 
>> #
>> http_access allow manager_admin manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access deny all
> 
> Two things:
> 
> 1) 'manager' is a pre-defined ACL. Your redefinition contradicts the 
> case-sensitive URI path. Best not to re-define it.
> 
  Okay.
  I commented the "manager" line.
> 
> 2) the current recommended practice is to place the manager ACLs after 
> the 'CONNECT !SSL_Ports' line.
>   That does not affect the admin access but prevents several more attack 
> scenarios against Squid.
> 
  Okay.
> 
> 3) you are not denying manager access to any of the 'localnet' ranges. 
> So the whole manager ACL section is pretty pointless.
> 
  I do not understand.

  I made the changes you indicated (that I understood) and restarted
Squid. No change.

# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

> 
> What does access.log show for the manager request?
> The above port is IPv6-enabled but the manager_admin ACL only allows an 
> IPv4.
> 
1509311060.445 15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822  0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
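The access.log excerpt above already contains the evidence Amos later reads as a forwarding loop: the manager request was sent out as HIER_DIRECT to 192.168.69.246 (Squid's own address) and came back 403, while the squid-internal-static request was answered locally as HIER_NONE/-. The following script is an added example, not code from the Squid project or from anyone in this thread. It parses lines in the default "squid" logformat, rewrites the %ts.%03tu epoch stamp as ISO 8601 (the question raised in the "Changing the time format" thread), and flags manager requests that Squid forwarded instead of answering itself. SAMPLE_LOG is constructed: its first two lines follow the shape of the lines posted above, and the third is an ordinary request to a TEST-NET-3 documentation address.

```python
"""Parse Squid 'native' access.log lines, show them with ISO 8601 timestamps and
flag cache-manager requests that Squid forwarded instead of answering itself.
Added example, not squid's code. SAMPLE_LOG is constructed in the default
'squid' logformat: %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: the first two lines mirror the shape of the posted ones,
# the third is an ordinary request to a TEST-NET-3 documentation address.
SAMPLE_LOG = """\
1509311060.445     15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822      0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1509311100.001    212 192.168.69.50 TCP_MISS/200 15320 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""

FIELDS = ["ts", "duration_ms", "client", "result", "bytes", "method", "url", "user", "hier", "ctype"]


def parse_line(line):
    """Split one native-format line into a dict; the %6tr padding is absorbed by split()."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["duration_ms"] = int(rec["duration_ms"])
    rec["bytes"] = int(rec["bytes"])
    rec["code"], status = rec["result"].split("/")       # e.g. TCP_MISS / 403
    rec["status"] = int(status)
    rec["hier_code"], rec["peer"] = rec["hier"].split("/", 1)  # e.g. HIER_DIRECT / 192.168.69.246
    return rec


def iso_time(ts_field):
    """%ts.%03tu (epoch seconds.milliseconds) -> ISO 8601 in UTC."""
    secs, _, ms = ts_field.partition(".")
    dt = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms}Z"


def is_manager_request(rec):
    """Same URLs the built-in 'manager' ACL covers."""
    url = rec["url"]
    return url.startswith("cache_object://") or urlsplit(url).path.startswith("/squid-internal-mgr/")


def iso_lines(log_text):
    """The same log text with the epoch timestamp replaced by ISO 8601 time."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            ts, rest = line.split(" ", 1)
            out.append(f"{iso_time(ts)} {rest}")
    return out


def forwarded_manager_requests(log_text):
    """Manager requests are answered by Squid itself and log as HIER_NONE/-.
    One logged as HIER_DIRECT was sent to the 'origin' because Squid did not
    recognise the URL host as its own name; when that origin is Squid's own
    address, that is the forwarding loop described in this thread."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_manager_request(rec) and rec["hier_code"] != "HIER_NONE":
            flagged.append((iso_time(rec["ts"]), rec["client"], rec["status"], rec["peer"]))
    return flagged


if __name__ == "__main__":
    for line in iso_lines(SAMPLE_LOG):
        print(line)
    for ts, client, status, peer in forwarded_manager_requests(SAMPLE_LOG):
        print(f"{ts} manager request from {client} forwarded to {peer} (HTTP {status})")
```

The timestamps come out in UTC; the %tl{...} format Amos suggests in the later thread produces local time instead, so compare accordingly when correlating with other logs. Feed the script a real access.log by replacing SAMPLE_LOG with the file contents; any manager request that shows a hierarchy code other than HIER_NONE is worth a look, since Squid should never need to fetch its own manager pages from elsewhere.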







Re: [squid-users] Manager access for statistics

2017-10-31 Thread James Moe
On 10/30/2017 10:16 AM, Amos Jeffries wrote:
>
> Between them these entries appear to be saying that you have very 
> probably configured the Squid machines host name as "sma-server3" 
> instead of "proxy1.sma.com".
>
  "proxy1.sma.com" is an alias for sma-server3.sma.com.
  I have tried using sma-server3 directly with the same disappointing
result.
  I presume that I have mis-configured Squid somehow, a safe assumption.
I do not see the error, though.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





[squid-users] How to unblock a port

2014-09-30 Thread James Moe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Squid rejects connections made with <https://sohnen-moe.com:2083/>. I
had thought that the ACL "acl Safe_ports port 1025-65535" was
sufficient. Obviously not.

What should I change to allow connections with port 2083?

[ Excerpts from the conf: ]

acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24

http_access allow manager managerAdmin
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all




-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlQrL+YACgkQzTcr8Prq0ZPhzwCgtfqmpUuOKvfp1elqnaMsRwAs
uj4AnjCfgbBYCE44UmdWfP/Lutudro8r
=Dvjw
-END PGP SIGNATURE-


Re: [squid-users] How to unblock a port

2014-09-30 Thread James Moe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/30/2014 03:43 PM, Ambrose LI wrote:
>> What should I change to allow connections with port 2083?
> You need SSL_ports instead of Safe_ports for https
> 
  Thank you!

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlQrNOAACgkQzTcr8Prq0ZPwagCeKuOcC6h+jA2yBxdjAg+8MCxo
8KwAoI/C2zxNwlsTQ1YnyW2l4uA4GYjg
=LFg3
-END PGP SIGNATURE-
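Three of the questions in these threads come down to Squid's first-match evaluation of http_access: why a CONNECT to port 2083 is refused even though 2083 sits inside "Safe_ports 1025-65535" (Ambrose's answer above), why the 2017 rule order never denied manager to the rest of localnet (Amos's third point in the "Manager access for statistics" thread), and whether the temporary IPv6 addresses listed by "ip a" need their own localnet entries. The simulator below is an added example, not code from the Squid project or from anyone on the list. It implements only the ACL types the posted configs use (src, port, method) plus the built-in manager, localhost and all ACLs; the config fragments and request tuples are constructed from the configurations posted above.

```python
"""Simulate Squid's http_access first-match evaluation over a squid.conf fragment.
Added example, not squid's code. Implements only the ACL types the posted configs
use (src, port, method) plus the built-in manager, localhost and all ACLs.
"""
import ipaddress
from collections import namedtuple

# src: client address; port: CONNECT target port or URL port; path: URL path (host:port for CONNECT)
Request = namedtuple("Request", "src method port path")
LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_config(text):
    """Collect acl definitions (name -> (type, values)) and http_access lines in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()           # comments stripped
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(name, acls, req):
    if name == "all":
        return True
    if name == "localhost":
        return any(ipaddress.ip_address(req.src) in n for n in LOCALHOST_NETS)
    if name == "manager":                               # built-in cache-manager ACL
        return req.path.startswith("/squid-internal-mgr/") or req.path.startswith("cache_object://")
    acl_type, values = acls[name]                       # undefined name -> KeyError, like a parse error
    if acl_type == "src":                               # membership is False across IP versions
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":                              # single ports or lo-hi ranges
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if acl_type == "method":
        return req.method.upper() in [v.upper() for v in values]
    raise ValueError(f"ACL type {acl_type!r} not supported by this simulator")


def decide(acls, rules, req):
    """The first http_access line whose ACLs all match decides; '!' negates one ACL.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, tokens in rules:
        if all(acl_matches(t.lstrip("!"), acls, req) != t.startswith("!") for t in tokens):
            return action, "http_access " + " ".join([action] + tokens)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(implicit default)"


# Constructed fragments, condensed from the configs posted in these threads.
ACLS = """
acl manager_admin src 192.168.69.115
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24
acl localnet src fd2f:4760:521f:3f3c::0/64
"""
ACCESS = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
"""
# The 2017 rule order, in which manager is never denied to the rest of localnet.
OLD_ACCESS = """
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""


def run_scenarios():
    acls, rules = parse_config(ACLS + ACCESS)
    connect_2083 = Request("192.168.69.50", "CONNECT", 2083, "sohnen-moe.com:2083")
    mgr_lan = Request("192.168.69.50", "GET", 3128, "/squid-internal-mgr/info")
    return {
        # 2083 is inside Safe_ports 1025-65535, but a CONNECT must also pass SSL_ports
        "connect_2083_before": decide(acls, rules, connect_2083)[0],
        "connect_2083_after": decide(*parse_config("acl SSL_ports port 2083\n" + ACLS + ACCESS), connect_2083)[0],
        "mgr_admin": decide(acls, rules, Request("192.168.69.115", "GET", 3128, "/squid-internal-mgr/info"))[0],
        "mgr_lan": decide(acls, rules, mgr_lan)[0],
        "mgr_lan_old_order": decide(*parse_config(ACLS + OLD_ACCESS), mgr_lan)[0],
        # a temporary (privacy) IPv6 address from 'ip a': inside the /64, so no extra localnet entry
        "v6_temp_web": decide(acls, rules, Request("fd2f:4760:521f:3f3c:4dfa:4b86:934:5684", "GET", 80, "/"))[0],
        "outside": decide(acls, rules, Request("10.0.0.9", "GET", 80, "/"))[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The second element of decide()'s return value names the line that fired, which is the quickest way to see why a request was refused. Two things the simulator makes visible that the threads only hint at: in the revised order, "http_access allow manager_admin" has no manager ACL on the line, so 192.168.69.115 is allowed for every request rather than only manager URLs (the 2017 line "allow manager_admin manager" was narrower); and the ACL layer does not model the forwarding loop Amos diagnosed, which depends on whether Squid recognises the request's host name as its own, not on http_access.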