[squid-users] Access Denied

2003-02-24 Thread Andre Coetzee
Hi,

I have setup my squid cache to disallow access to porn sites,
from a list that is downloaded via a perl script.

My question is, can the ACL be setup to display an appropriate
error page (from the squid errors), instead of Access Denied.

I just would like a more user friendly informational error than
Access Denied. There are a few other ACL's which I would like 
different error pages too.

Is this possible ?


Thanks
Andre



[squid-users] access denied

2014-07-03 Thread WiNET .
I keep getting:

Access Denied.

Access control configuration prevents your request from being allowed
at this time. Please contact your service provider if you feel this is
incorrect.

Your cache administrator is webmaster.


I'm not sure what is wrong. I used to run squid2.7 a long while ago,
this is my first time trying to setup squid3 (squid v3.3.8 if I'm not
mistaken)

my squid.conf:

http_port 3129 transparent
acl our_networks src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 3129
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow our_networks
http_access deny all
qos_flows tos local-hit=0x30
qos_flows mark local-hit=0x30
cache_mem 1024 MB
maximum_object_size_in_memory 2048 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LRU
cache_dir ufs /mnt/cache/cache1 8000 16 256
cache_dir ufs /mnt/cache/cache2 8000 16 256
cache_dir ufs /mnt/cache/cache3 8000 16 256
cache_dir ufs /mnt/cache/cache4 8000 16 256
maximum_object_size 1024 MB
logfile_rotate 9
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern . 0 20% 4320
dns_nameservers 8.8.8.8 8.8.4.4


[squid-users] Access denied

2005-05-10 Thread Stefan . Vogel
For a few weeks now we have had a strange effect on one of our two squids (2.5
stable3).

We start Internet Explorer and try to open a URL on the internet.
As a result I get the authentication window (we authenticate against
LotusNotes via LDAP).
I type in the correct username/password and get the result:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Error
The requested URL could not be retrieved

While trying to retrieve the URL: http://
The following error was encountered:

* Access denied.
 Access control configuration prevents your request from being allowed at
this time...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The funny thing is that if I press F5 it will load the page. This error
appears only one time for each newly opened browser window, but it doesn't
appear every time.

Usually the Notes server writes a message to the console if there was an
authentication with a bad password, but in this case there is no notice, so
I think squid does not ask Notes at this point or it asks and finds the
password correct (most likely).

Any Ideas?

Kind regards

Stefan Vogel



[squid-users] Access Denied

2006-06-03 Thread Teller Sgt Robert J (GCE RCT-7 DATA NCOIC)
I am currently running squid stable 2.5 on a Debian server using the 2.6
kernel. I have my system set up as a transparent proxy redirecting all
traffic to port 80. Even though it is not recommended, I am using NTLM
auth. I have everything working perfectly: my users are able to
authenticate and surf to about 95% of the websites, but for some reason
some websites show up with an IIS 401 error telling them access denied.
If I configure the user to use the proxy server directly instead of
allowing port redirection to happen, they are able to access the website
just fine or if I change my ACL to allow their IP they can access the
site just fine. Is there anything I can do to fix this or is this just a
side effect of tweaking squid to allow transparent auth?

Thank You
Robert


[squid-users] Access denied

2004-12-12 Thread TopGun Technician
I have spent over 30 hours reading and trying various solutions from the
documentation, FAQ's and the mail archives.  No matter what I try, I am
getting access denied.
I have added my machine to the ACL, I have added my network to the ACL.
I have tried running squid without the squid.conf.
I need some help!  I have an ISP and I will be putting the Squid server
between the Internet and my customers.  I have a dual Opteron 64 bit
processors with 1.5 gig of ram and two 80 gig SATA drives. I am running
SUSE 9.1 64 bit.
Need recommendations and help.  Thank you in advance.
ERROR
  The requested URL could not be retrieved

While trying to retrieve the URL: http://www.yahoo.com/
The following error was encountered:
  * *Access Denied. *
Access control configuration prevents your request from being
allowed at this time. Please contact your service provider if you
feel this is incorrect.
Your cache administrator is webmaster .

Generated Mon, 13 Dec 2004 01:44:59 GMT by linux.site (squid/2.5.STABLE5)


[squid-users] access denied

2003-10-15 Thread deny
hello
when i configure my proxy with the server squid  (127.0.0.1 port 3128 )
i have in my navigator
While trying to retrieve the URL: http://www.google.fr/

The following error was encountered:

   * * Access Denied.*

in my squid.conf i ve added

http_access allow manager localhost linux-pour-lesnuls.com
http_access deny manager !localhost
but i ve always access denied



thanks for your help






[squid-users] Access Denied

2003-11-18 Thread Altrock, Jens
Ok, I corrected cache_default user and cache_default group now, works (had
it written wrong).

Anyway... sometimes the authorization/authentication doesn't work. 
In the first test I had no problems surfing the net via proxy, and some
minutes later I get
an access denied message with the same user... so is this a samba problem
(for I see in the
cache.log that the wbinfo_group.pl script returns that the user isn't in the
specified group, for 
I think that he has problems communicating with the domain PDC via samba)?

Regards,

Jens



Re: [squid-users] Access Denied

2003-02-24 Thread Henrik Nordstrom
Yes. See the deny_info directive in squid.conf.

Regards
Henrik

Andre Coetzee wrote:
> 
> Hi,
> 
> I have setup my squid cache to disallow access to porn sites,
> from a list that is downloaded via a perl script.
> 
> My question is, can the ACL be setup to display an appropriate
> error page (from the squid errors), instead of Access Denied.
> 
> I just would like a more user friendly informational error than
> Access Denied. There are a few other ACL's which I would like
> different error pages too.
> 
> Is this possible ?
> 
> Thanks
> Andre


Re: [squid-users] access denied

2014-07-03 Thread Amos Jeffries

On 2014-07-04 03:42, WiNET . wrote:

> I keep getting:
>
> Access Denied.
>
> Access control configuration prevents your request from being allowed
> at this time. Please contact your service provider if you feel this is
> incorrect.
>
> Your cache administrator is webmaster.
>
>
> I'm not sure what is wrong. I used to run squid2.7 a long while ago,
> this is my first time trying to setup squid3 (squid v3.3.8 if I'm not
> mistaken)


This is because of the fix for CVE-2009-0801. NAT on a separate machine 
has never actually worked properly even in 2.7. The fix we have in 
current Squid involves verifying the TCP destination IP, which also 
enforces that NAT is performed on the Squid machine instead of remotely. 
You need to use policy routing or similar mechanisms on the router to 
get the packets to the Squid machine unchanged for interception to work.


Amos


Re: [squid-users] access denied

2014-07-03 Thread Eliezer Croitoru

Hey There,

We will need more information in the form of:
Client address
Squid Address
Routing scheme\description
iptables rules
access.log output
Is the squid box the gateway of the network?

In almost all cases the denied is rightful.

Eliezer

On 07/03/2014 06:42 PM, WiNET . wrote:

> I keep getting:
>
> Access Denied.
>
> Access control configuration prevents your request from being allowed
> at this time. Please contact your service provider if you feel this is
> incorrect.
>
> Your cache administrator is webmaster.
>
>
> I'm not sure what is wrong. I used to run squid2.7 a long while ago,
> this is my first time trying to setup squid3 (squid v3.3.8 if I'm not
> mistaken)
>
> my squid.conf:
>
> http_port 3129 transparent
> acl our_networks src 192.168.0.0/16
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 3129
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow our_networks
> http_access deny all
> qos_flows tos local-hit=0x30
> qos_flows mark local-hit=0x30
> cache_mem 1024 MB
> maximum_object_size_in_memory 2048 KB
> memory_replacement_policy heap LFUDA
> cache_replacement_policy heap LRU
> cache_dir ufs /mnt/cache/cache1 8000 16 256
> cache_dir ufs /mnt/cache/cache2 8000 16 256
> cache_dir ufs /mnt/cache/cache3 8000 16 256
> cache_dir ufs /mnt/cache/cache4 8000 16 256
> maximum_object_size 1024 MB
> logfile_rotate 9
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
> refresh_pattern . 0 20% 4320
> dns_nameservers 8.8.8.8 8.8.4.4




[squid-users] access denied, WHY????????

2005-03-02 Thread guest01
Hi!

I have a very strange problem with my squid. I am using it on a livecd
as http proxy.
It always worked, but now, I don't know why not!

I am using Debian Woody stable, squid/2.5.STABLE4 with a previously
working config file; all iptables rules are disabled. Authentication is
disabled too.
I tried to increase the debug_level, but there are no concrete errors in
the logfile!!
"The request GET ... is ALLOWED"
There is nothing like a permission denied, I just get an error page
and I have absolutely no idea why!!

Testing procedure in the bash (local):
 - export http_proxy=http://localhost:3128
 - wget www.google.at
response:
ERROR 403: Forbidden

Testing procedure via web
 - correct IP  configured in  my firefox
 - trying a little bit surfing www.google.at
response:
Access Denied

Can anyone please help me??? Where could be the problem?
thxs

PS: logfiles get very huge with debug_level ALL,10! ;-)



Re: [squid-users] Access denied

2005-05-10 Thread Stefan . Vogel
Addition to my problem:

in access.log the following entry occurs:

172.25.9.90 - vogels [10/May/2005:09:51:03 +0200] "GET
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1" 403 1433
TCP_DENIED:NONE

after pressing F5 this line is added

172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] "GET
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1" 200 32790
TCP_CLIENT_REFRESH_MISS:DIRECT




   
From: [EMAIL PROTECTED]
Date: 10.05.2005 09:20
Subject: [squid-users] Access denied




Since a few weeks we have a strange effect on one of our two squids. (2.5
stable3)

We start Internetexplorer and try to open an URL in the internet.
In result I get the authentication window (we authenticate agains
LotusNotes via LDAP)
I type in the correct username/password and get the restult:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Error
The requested URL could not be retrieved

While trying to retrieve the URL: http://
The following error was encountered:

* Access denied.
 Access control configuration prevents your request from beeing allowed at
thsi time...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The funny thing is, that if I press F5 it will load the page. This error
appear only one time for each newly opened browser window, but it doesn'
appear everytime.

Usualy the notesserver writes a message to the console if there was an
authentication with a bad password, but in this case there is no notice, so
I think squid does not ask Notes at this point or it asks and find the
password correct (most likely).

Any Ideas?

Kind regards

Stefan Vogel





Re: [squid-users] Access denied

2005-05-10 Thread Henrik Nordstrom

On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Addition to my problem:
>
> in access.log the following entry occours:
>
> 172.25.9.90 - vogels [10/May/2005:09:51:03 +0200] "GET
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1" 403 1433
> TCP_DENIED:NONE
>
> after pressing F5 this line is added
>
> 172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] "GET
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1" 200 32790
> TCP_CLIENT_REFRESH_MISS:DIRECT

Odd.

See Squid FAQ 10.9 I set up my access controls, but they don't work! why?
<http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#acl-debug>

for instructions how to get a more detailed view of what is going on here.

Regards
Henrik


Re: [squid-users] Access denied

2005-05-10 Thread Stefan . Vogel
Hello,

I tried and get this in access.log
172.25.9.90 - - [10/May/2005:11:55:34 +0200] "GET http://www.heise.de/
HTTP/1.1" 407 1802 TCP_DENIED:NONE
172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] "GET http://www.heise.de/
HTTP/1.1" 403 1381 TCP_DENIED:NONE

and this in cache.log
2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED,
because it matched 'inet_users'
2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED,
because it matched 'all'
2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED,
because it matched 'all'
2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED,
because it matched 'all'

in squid.conf I have

http_access allow inet_users
...
http_access deny all
...

the acl inet_users is the ldap-group-helper, and of course I am in that
group.

I don't understand why there is ALLOWED because it matches ALL...

Regards

Stefan




   
From: Henrik Nordstrom <[EMAIL PROTECTED]>
Date: 10.05.2005 11:29
To: [EMAIL PROTECTED]
cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Access denied






On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Addition to my problem:
>
> in access.log the following entry occours:
>
> 172.25.9.90 - vogels [10/May/2005:09:51:03 +0200] "GET
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1" 403 1433
> TCP_DENIED:NONE
>
> after pressing F5 this line is added
>
> 172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] "GET
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1" 200 32790
> TCP_CLIENT_REFRESH_MISS:DIRECT

Odd.

See Squid FAQ 10.9 I set up my access controls, but they don't work! why?
<http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#acl-debug>

for instructions how to get a more detailed view of what is going on here.

Regards
Henrik




Re: [squid-users] Access denied

2005-05-10 Thread Henrik Nordstrom

On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Hello,
>
> I tried and get this in access.log
> 172.25.9.90 - - [10/May/2005:11:55:34 +0200] "GET http://www.heise.de/
> HTTP/1.1" 407 1802 TCP_DENIED:NONE
> 172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] "GET http://www.heise.de/
> HTTP/1.1" 403 1381 TCP_DENIED:NONE
>
> and this in cache.log
> 2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED,
> because it matched 'inet_users'
> 2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
> 2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED,
> because it matched 'all'
> 2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
>
> in squid.conf I have
>
> http_access allow inet_users
> ...
> http_access deny all
> ...
>
> the acl inet_users is the ldap-group-helper, and of course I am in that
> group.
>
> I don't understand why there is ALLOWED because it matches ALL...

Don't worry, its the http_reply_access check (hinted by "The reply for
" in the debug message)

More interesting is the "The request GET http://www.heise.de/ is DENIED,"
line.. how is the acl "all" defined in your config?

Regards
Henrik


Re: [squid-users] Access denied

2005-05-10 Thread Stefan . Vogel
Hello,

the ACL all is defined like

acl all src 0.0.0.0/0.0.0.0

I have never changed anything with this ACL.

What is funny is that we have two Squid boxes that are both configured the
same, and only one has this problem. (And 3 weeks ago both were fine...)

Regards
Stefan




   
From: Henrik Nordstrom <[EMAIL PROTECTED]>
Date: 10.05.2005 14:24
To: [EMAIL PROTECTED]
cc: Henrik Nordstrom <[EMAIL PROTECTED]>, squid-users@squid-cache.org
Subject: Re: [squid-users] Access denied






On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Hello,
>
> I tried and get this in access.log
> 172.25.9.90 - - [10/May/2005:11:55:34 +0200] "GET http://www.heise.de/
> HTTP/1.1" 407 1802 TCP_DENIED:NONE
> 172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] "GET http://www.heise.de/
> HTTP/1.1" 403 1381 TCP_DENIED:NONE
>
> and this in cache.log
> 2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED,
> because it matched 'inet_users'
> 2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
> 2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED,
> because it matched 'all'
> 2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
>
> in squid.conf I have
> 
> http_access allow inet_users
> ...
> http_access deny all
> ...
>
> the acl inet_users is the ldap-group-helper, and of course I am in that
> group.
>
> I don't understand why there is ALLOWED because it matches ALL...

Don't worry, its the http_reply_access check (hinted by "The reply for
" in the debug message)

More interesting is the "The request GET http://www.heise.de/ is DENIED,"
line.. how is the acl "all" defined in your config?

Regards
Henrik




Fw: [squid-users] Access denied

2005-05-12 Thread Stefan . Vogel
Hello,

Has my last message reached you?

Any more ideas where I can search for a solution?

Regards
Stefan Vogel


- Forwarded by Stefan Vogel/nu/eu/au/cag on 12.05.2005 13:23 -
   
From: [EMAIL PROTECTED]
Date: 10.05.2005 16:38
To: Henrik Nordstrom <[EMAIL PROTECTED]>
cc: Henrik Nordstrom <[EMAIL PROTECTED]>, squid-users@squid-cache.org
Subject: Re: [squid-users] Access denied




Hello,

the ACL all is defined like

acl all src 0.0.0.0/0.0.0.0

I have never changed anything with this ACL.

What is funny is that we have two Squid boxes that are both configured the
same, and only one has this problem. (And 3 weeks ago both were fine...)

Regards
Stefan





From: Henrik Nordstrom <[EMAIL PROTECTED]>
Date: 10.05.2005 14:24
To: [EMAIL PROTECTED]
cc: Henrik Nordstrom <[EMAIL PROTECTED]>, squid-users@squid-cache.org
Subject: Re: [squid-users] Access denied












On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Hello,
>
> I tried and get this in access.log
> 172.25.9.90 - - [10/May/2005:11:55:34 +0200] "GET http://www.heise.de/
> HTTP/1.1" 407 1802 TCP_DENIED:NONE
> 172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] "GET http://www.heise.de/
> HTTP/1.1" 403 1381 TCP_DENIED:NONE
>
> and this in cache.log
> 2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED,
> because it matched 'inet_users'
> 2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
> 2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED,
> because it matched 'all'
> 2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
>
> in squid.conf I have
> 
> http_access allow inet_users
> ...
> http_access deny all
> ...
>
> the acl inet_users is the ldap-group-helper, and of course I am in that
> group.
>
> I don't understand why there is ALLOWED because it matches ALL...

Don't worry, its the http_reply_access check (hinted by "The reply for
" in the debug message)

More interesting is the "The request GET http://www.heise.de/ is DENIED,"
line.. how is the acl "all" defined in your config?

Regards
Henrik





FW: [squid-users] Access Denied

2006-06-04 Thread Teller Sgt Robert J (GCE RCT-7 DATA NCOIC)
Classification: UNCLASSIFIED

I am currently running squid stable 2.5 on a Debian server using the 2.6
kernel. I have my system setup as a transparent proxy redirecting all
traffic to port 80. Even though it is not recommended I am using NTLM
auth. I have everything working perfectly my users are able to
authenticate and surf to about 95% of the websites but for some reason
some websites show up with a IIS 401 error telling them access denied.
If I configure the user to use the proxy server directly instead of
allowing port redirection to happen, they are able to access the website
just fine or if I change my ACL to allow their IP they can access the
site just fine. Is there anything I can do to fix this or is this just a
side effect of tweaking squid to allow transparent auth?

Thank You
Robert


[squid-users] Access Denied (Newbie)

2006-08-25 Thread beno

Hi;
Here are what I believe are the pertinent lines from my squid.conf file:

cache_peer 2012.vi parent 7080 2020 default no-query
http_port 2020 vhost
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80 8080 7080 transparent   

where "2012.vi" is the name of the site, "7080" is the port to which 
Zope is listening for requests and "2020" is where squid is listening.
I want all requests for all pages on 2012 to be passed transparently to 
port 7080. When I surf to that page, however, I get a squid error 
stating that access is denied. However, before I passed this request 
through squid, I got no such error and the page was correctly served. 
Please help me understand what I've done wrong.

TIA,
beno


RE: [squid-users] Access denied

2004-12-12 Thread Scott Phalen

> I have spent over 30 hours reading and trying various solutions from the
> documentation, FAQ's and the mail archives.  No matter what I try, I am
> getting access denied.
>
> I have added my machine to the ACL, I have added my network to the ACL.
> I have tried running squid without the squid.conf.


[Scott Phalen] 
What version of squid are you using?  
What do your ACLs look like? 
Are you forwarding all requests to another cache?  Or cache array?

This is probably a good start:
acl mynetwork src 192.168.1.0/24
http_access allow mynetwork

always_direct allow mynetwork 
or
comment out both always_direct and never_direct directives

Regards,
Scott





Re: [squid-users] Access denied

2004-12-12 Thread bimal pandit
dear sir,

seems that your firewall is stopping everything so first try with no
firewall and then check your firewall settings.

regards

bimal

On Mon, 2004-12-13 at 08:08, TopGun Technician wrote:
> I have spent over 30 hours reading and trying various solutions from the
> documentation, FAQ's and the mail archives.  No matter what I try, I am
> getting access denied.
> 
> I have added my machine to the ACL, I have added my network to the ACL.
> I have tried running squid without the squid.conf.
> 
> I need some help!  I have an ISP and I will be putting the Squid server
> between the Internet and my customers.  I have a dual Opteron 64 bit
> processors with 1.5 gig of ram and two 80 gig SATA drives. I am running
> SUSE 9.1 64 bit.
> 
> Need recommendations and help.  Thank you in advance.
> 
> 
>  ERROR
> 
> 
>The requested URL could not be retrieved
> 
> 
> 
> While trying to retrieve the URL: http://www.yahoo.com/
> 
> The following error was encountered:
> 
>* *Access Denied. *
> 
>  Access control configuration prevents your request from being
>  allowed at this time. Please contact your service provider if you
>  feel this is incorrect.
> 
> Your cache administrator is webmaster .
> 
> 
> Generated Mon, 13 Dec 2004 01:44:59 GMT by linux.site (squid/2.5.STABLE5)



[squid-users] Access Denied Message

2006-10-13 Thread Gustavo Lazarte
I am getting an error I was getting before

Access Denied

I added the http_access allow all
And http_reply_access allow all

This is what I am getting in my logs

1160755674.734  78547 **.**.7.46 TCP_MISS/000 0 GET 
http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-classroomsupplies.jpg
 - DIRECT/10.1.0.140 -
1160755674.734  78531 **.**.7.46 TCP_MISS/000 0 GET 
http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-books_mags.jpg 
- DIRECT/10.1.0.140 -
1160755674.734  78531 **.**.7.46 TCP_MISS/000 0 GET 
http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-innisproducts.jpg
 - DIRECT/10.1.0.140 -
1160755674.734  77422 **.**.7.46 TCP_MISS/000 0 GET 
http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-aboutus.jpg - 
DIRECT/10.1.0.140 -

If I go directly to the site I can see the images. Any ideas?

Gustavo



Re: [squid-users] access denied

2003-10-15 Thread Christoph Haas
On Wed, Oct 15, 2003 at 09:19:35PM +0200, deny wrote:
> when i configure my proxy with the server squid  (127.0.0.1 port 3128 )
> i have in my navigator
> 
> While trying to retrieve the URL: http://www.google.fr/
> 
> The following error was encountered:
> 
>* * Access Denied.*
> 
> in my squid.conf i ve added
> 
> http_access allow manager localhost linux-pour-lesnuls.com
> http_access deny manager !localhost
> 
> 
> but i ve always access denied

I bet you also have some other "http_access" lines there. And those are
causing that error message. Look through them. You probably need
something like "acl lan src 10.0.0.0/8" and "http_access allow lan".

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All


Re: [squid-users] access denied

2003-10-16 Thread deny


> I bet you also have some other "http_access" lines there. And those are
> causing that error message. Look through them. You probably need
> something like "acl lan src 10.0.0.0/8" and "http_access allow lan".
> Christoph

i have this too

# Only allow cachemgr access from localhost
http_access allow manager localhost linux-pour-lesnuls.com
http_access deny manager !localhost
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# And finally deny all other access to this proxy
http_access deny all


I have a LAN whose addresses are 192.168.0.1 to 192.168.0.3
but I don't know how to configure squid to add this LAN,
so I've configured it with localhost
when i launched squid -D
i have
[EMAIL PROTECTED] sbin]# ./squid -D
2003/10/16 20:31:08| squid.conf line 1769: http_access allow manager 
localhost linux-pour-lesnuls.com
2003/10/16 20:31:08| aclParseAccessLine: ACL name 
'linux-pour-lesnuls.com' not found.



thanks


 





Re: [squid-users] access denied

2003-10-16 Thread deny
Christoph Haas wrote:

> On Wed, Oct 15, 2003 at 09:19:35PM +0200, deny wrote:
>
> > when i configure my proxy with the server squid  (127.0.0.1 port 3128 )
> > i have in my navigator
> > While trying to retrieve the URL: http://www.google.fr/
> >
> > The following error was encountered:
> >
> >   * * Access Denied.*
> >
> > in my squid.conf i ve added
> >
> > http_access allow manager localhost linux-pour-lesnuls.com
> > http_access deny manager !localhost
> > but i ve always access denied
>
> I bet you also have some other "http_access" lines there. And those are
> causing that error message. Look through them. You probably need
> something like "acl lan src 10.0.0.0/8" and "http_access allow lan".
> Christoph

Hi
i list all my http_access in squid.conf
here are they,it seems good

http_access allow manager localhost
http_access allow lan
http_access deny manager !localhost !lan
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all

and the acl

acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.0.1/255.255.255.255
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

why i always have "access denied "
when i enter to mozilla with preferences proxy are
http proxy  127.0.0.1   port 3128

thanks




 





Re: [squid-users] access denied

2003-10-18 Thread Christoph Haas
Hi, Deny...

On Fri, Oct 17, 2003 at 07:41:11AM +0200, deny wrote:
> i list all my http_access in squid.conf
> here are they,it seems good
> 
> http_access allow manager localhost
> http_access allow lan
> http_access deny manager !localhost !lan

Pretty useless. You don't allow any further "manager" accesses so you
don't need this.

> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> 
> and the acl
> acl all src 0.0.0.0/0.0.0.0
> acl lan src 192.168.0.1/255.255.255.255
> 
> why i always have "access denied "
> when i enter to mozilla with preferences proxy are
> http proxy  127.0.0.1   port 3128

Are you aware that you are using the proxy as "127.0.0.1" and only
allow access from the "lan" ACL which is 192.168.0.1. Smells like you
mixed up the IP addresses.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All
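
Added example (not part of the original thread and not Squid's own code): a Python model of first-match http_access evaluation, run over the acl and http_access lines deny posted above. It shows why a browser pointed at 127.0.0.1 ends at "http_access deny all" while 192.168.0.1 is allowed; the function names and the request dictionary are illustrative assumptions, and only the src, port, method and proto ACL types are modelled (IPv4 only).

```python
import ipaddress

# Constructed from the acl and http_access lines quoted in the thread above.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.0.1/255.255.255.255
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow lan
http_access deny manager !localhost !lan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _src_match(req, spec):
    """spec is addr, addr/prefixlen or addr/dotted-netmask."""
    net, _, mask = spec.partition("/")
    if not mask:
        bits = 0xFFFFFFFF
    elif "." in mask:
        bits = _ip(mask)
    else:
        bits = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    return (_ip(req["src"]) & bits) == (_ip(net) & bits)


def _port_match(req, spec):
    low, _, high = spec.partition("-")
    return int(low) <= req["port"] <= int(high or low)


MATCHERS = {
    "src": _src_match,
    "port": _port_match,
    "method": lambda req, value: req["method"] == value,
    "proto": lambda req, value: req["proto"] == value,
}


def parse(conf):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for number, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            # repeated "acl NAME ..." lines add values to the same ACL (OR)
            _kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])
        elif words[0] == "http_access":
            for term in words[2:]:
                name = term.lstrip("!")
                if name not in acls:  # same failure as the log quoted above
                    raise ValueError(f"line {number}: ACL name '{name}' not found")
            rules.append((words[1], words[2:], " ".join(words)))
    return acls, rules


def evaluate(conf, req):
    """Return (action, deciding rule) for one request."""
    acls, rules = parse(conf)

    def acl_matches(name):
        kind, values = acls[name]
        return any(MATCHERS[kind](req, value) for value in values)

    for action, terms, text in rules:
        # every term on a line must hold (AND); "!" negates a term
        if all(acl_matches(t.lstrip("!")) != t.startswith("!") for t in terms):
            return action, text
    # Nothing matched: Squid applies the opposite of the last rule.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(no rule matched)"


def request(src, method="GET", port=80, proto="http"):
    return {"src": src, "method": method, "port": port, "proto": proto}


if __name__ == "__main__":
    for src in ("127.0.0.1", "192.168.0.1", "192.168.0.2"):
        print(src, evaluate(SQUID_CONF, request(src)))
```

Because evaluation stops at the first matching line, "http_access allow lan" placed above the Safe_ports and CONNECT checks also lets 192.168.0.1 skip those checks.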


Re: [squid-users] access denied, WHY????????

2005-03-04 Thread Henrik Nordstrom

On Wed, 2 Mar 2005, guest01 wrote:

> I am using Debian Woody stable, squid/2.5.STABLE4 with a previous
> working config file, all
> iptable-rules are disabled. Authentication disabled to.
> I tried to increase the debug_level, but there are no concrete errors in
> the logfile!!
> "The request GET ... is ALLOWED"
> There is nothing like a permission denied,  I just get an error page
> and I have absolutely
> no idea why!!

What does access.log say?

> PS: logfiles get very hugh with debug_level ALL,10! ;-)

And is why the Squid FAQ on how to troubleshoot access controls has a more
limited debug level...

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#acl-debug

Regards
Henrik


Re: Fw: [squid-users] Access denied

2005-05-26 Thread Henrik Nordstrom

On Thu, 12 May 2005 [EMAIL PROTECTED] wrote:

> has my last message reach you?

Yes.

> Any more ideas where I can search for a soloution?

Most likely the inet_users acl failed for some reason. This would make the
request fall down to "http_access deny all".

> and this in cache.log
> 2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED,
> because it matched 'inet_users'
> 2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
> 2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED,
> because it matched 'all'
> 2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED,
> because it matched 'all'
>
> in squid.conf I have
>
> http_access allow inet_users
> ...
> http_access deny all
> ...
>
> the acl inet_users is the ldap-group-helper, and of course I am in that
> group.



Regards
Henrik
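
Added example (not part of the original thread): a Python triage of the access.log and cache.log lines Stefan posted, following Henrik's reading that "The reply for" lines are http_reply_access checks and only "The request" lines show which ACL decided the denial. The function names are illustrative assumptions, the log lines are the ones from the thread with mail line-wrapping undone, and both logs are assumed to use the same local time.

```python
import re
from datetime import datetime

# Constructed sample: log lines quoted in the thread, unwrapped to one line each.
ACCESS_LOG = """\
172.25.9.90 - - [10/May/2005:11:55:34 +0200] "GET http://www.heise.de/ HTTP/1.1" 407 1802 TCP_DENIED:NONE
172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] "GET http://www.heise.de/ HTTP/1.1" 403 1381 TCP_DENIED:NONE
"""
CACHE_LOG = """\
2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED, because it matched 'inet_users'
2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED, because it matched 'all'
2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
"""

ACL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| The (?P<phase>request|reply for) "
    r"(?P<method>\S+) (?P<url>\S+) is (?P<verdict>ALLOWED|DENIED), "
    r"because it matched '(?P<acl>[^']+)'"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^ \]]+) [^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+ (?P<tag>\S+)'
)


def parse_acl_debug(text):
    """Keep only http_access ("The request") verdicts, keyed by (time, url)."""
    verdicts = {}
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m and m["phase"] == "request":  # "reply for" = http_reply_access
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            verdicts[(ts, m["url"])] = (m["verdict"], m["acl"])
    return verdicts


def triage(access_text, cache_text):
    """Attach the deciding ACL to every TCP_DENIED line in access.log."""
    verdicts = parse_acl_debug(cache_text)
    findings = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not m["tag"].startswith("TCP_DENIED"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        _verdict, acl = verdicts.get((ts, m["url"]), (None, None))
        status = int(m["status"])
        if status == 407:
            note = "proxy authentication challenge"
        elif status == 403 and m["user"] != "-" and acl == "all":
            note = "authenticated user fell through to the final deny"
        else:
            note = "denied"
        findings.append({"time": ts.isoformat(), "user": m["user"],
                         "status": status, "acl": acl, "note": note})
    return findings


if __name__ == "__main__":
    for finding in triage(ACCESS_LOG, CACHE_LOG):
        print(finding)
```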


Re: FW: [squid-users] Access Denied

2006-06-04 Thread Adrian Chadd
There's definite issues relating to transparent proxying and
authentication - mostly surrounding the question "how does one
know whether the authentication information is for the website
or for the proxy?"

I'd suggest not using transparent proxying for now and waiting for
Squid-2.6 to mature, which'll fix other random problems with
regards to NTLM-authenticated websites.



Adrian

On Sun, Jun 04, 2006, Teller Sgt Robert J (GCE RCT-7 DATA NCOIC) wrote:
> Classification: UNCLASSIFIED
> 
> I am currently running squid stable 2.5 on a Debian server using the 2.6
> kernel. I have my system setup as a transparent proxy redirecting all
> traffic to port 80. Even though it is not recommended I am using NTLM
> auth. I have everything working perfectly my users are able to
> authenticate and surf to about 95% of the websites but for some reason
> some websites show up with a IIS 401 error telling them access denied.
> If I configure the user to use the proxy server directly instead of
> allowing port redirection to happen, they are able to access the website
> just fine or if I change my ACL to allow their IP they can access the
> site just fine. Is there anything I can do to fix this or is this just a
> side effect of tweaking squid to allow transparent auth?
> 
> Thank You
> Robert


Re: [squid-users] Access Denied (Newbie)

2006-08-26 Thread Henrik Nordstrom
I assume we are talking about an accelerator / reverse proxy here, not an
Internet proxy.

On Fri, 2006-08-25 at 12:36 -0400, beno wrote:
> Hi;
> Here are what I believe are the pertinent lines from my squid.conf file:
> 
> cache_peer 2012.vi parent 7080 2020 default no-query

you probably want originserver as well...

> http_port 2020 vhost

there should be a defaultsite in the above defining your default site
name..

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl Safe_ports port 80 8080 7080 transparent   

why transparent? In either case it doesn't belong there as it's not a
port number.

> where "2012.vi" is the name of the site, "7080" is the port to which 
> Zope is listening for requests and "2020" is where squid is listening.
> I want all requests for all pages on 2012 to be passed transparently to 
> port 7080.

Looks fine.

> When I surf to that page, however, I get a squid error 
> stating that access is denied. However, before I passed this request 
> through squid, I got no such error and the page was correctly served. 
> Please help me understand what I've done wrong.

Anything in cache.log?

What do your http_access rules say?

Regards
Henrik




Re: [squid-users] Access Denied (Newbie)

2006-09-02 Thread Visolve Squid

beno wrote:

> Hi;
> Here are what I believe are the pertinent lines from my squid.conf file:
>
> cache_peer 2012.vi parent 7080 2020 default no-query
> http_port 2020 vhost
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl Safe_ports port 80 8080 7080 transparent
> where "2012.vi" is the name of the site, "7080" is the port to which
> Zope is listening for requests and "2020" is where squid is listening.
> I want all requests for all pages on 2012 to be passed transparently
> to port 7080. When I surf to that page, however, I get a squid error
> stating that access is denied. However, before I passed this request
> through squid, I got no such error and the page was correctly served.
> Please help me understand what I've done wrong.
>
> TIA,

Hello,

Check your http_access rules in squid.conf.

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/





RE: [squid-users] Access Denied Message

2006-10-13 Thread Gustavo Lazarte

I am using it as a reverse proxy cache so the answer is no

Gustavo
-Original Message-
From: Adil F. Muganlinsky [mailto:[EMAIL PROTECTED]
Sent: Friday, October 13, 2006 12:26 PM
To: Gustavo Lazarte
Subject: Re: [squid-users] Access Denied Message


> I am getting an error I was getting before
>
> Access Denied
>
> I added the http_access allow all
> And http_reply_access allow all
>
> This is what I am getting in my logs
>
> 1160755674.734  78547 **.**.7.46 TCP_MISS/000 0 GET
> http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-classroomsupplies.jpg
> - DIRECT/10.1.0.140 -
> 1160755674.734  78531 **.**.7.46 TCP_MISS/000 0 GET
> http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-books_mags.jpg
> - DIRECT/10.1.0.140 -
> 1160755674.734  78531 **.**.7.46 TCP_MISS/000 0 GET
> http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-innisproducts.jpg
> - DIRECT/10.1.0.140 -
> 1160755674.734  77422 **.**.7.46 TCP_MISS/000 0 GET
> http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-aboutus.jpg
> - DIRECT/10.1.0.140 -
>
> If I go directly to the site I can see the images. Any ideas?
>
> Gustavo
>
>


is your squid transparent?





Re: [squid-users] Access Denied Message

2006-10-13 Thread Pablo García

Did you try to navigate this with a browser from the squid machine ?
It's strange, but as far as I know, the logs should say TCP_DENIED if
the images  were denied by the squid.

Regards, Pablo

On 10/13/06, Gustavo Lazarte <[EMAIL PROTECTED]> wrote:


I am using it as a reverse proxy cache so the answer is no

Gustavo
-Original Message-
From: Adil F. Muganlinsky [mailto:[EMAIL PROTECTED]
Sent: Friday, October 13, 2006 12:26 PM
To: Gustavo Lazarte
Subject: Re: [squid-users] Access Denied Message




Re: [squid-users] Access Denied Message

2006-10-14 Thread Henrik Nordstrom
On Fri, 2006-10-13 at 12:06 -0400, Gustavo Lazarte wrote:

> 1160755674.734  78547 **.**.7.46 TCP_MISS/000 0 GET 
> http://10.1.0.140/eShop/stores/InnisbrookA/images/navbar/navbar-classroomsupplies.jpg
>  - DIRECT/10.1.0.140 -

This indicates Squid tried to contact 10.1.0.140, but didn't get a
response.

Regards
Henrik




[squid-users] Access denied - ACL problem

2007-08-29 Thread Edward Stafford
I am new to squid so please bear with me.
I have an internal server that runs a helpdesk application and should
allow users to access it using the computer name as the url on port 81.
I have added a PTR record in our internal DNS server to point
"servername" to the correct ip address.

http://servername:81

However, squid is displaying the following error.
+
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://servername:81/dashboard

The following error was encountered:

* Access Denied.

  Access control configuration prevents your request from being
allowed at this time. Please contact your service provider if you feel
this is incorrect. 

Your cache administrator is webmaster.
Generated Wed, 29 Aug 2007 16:40:50 GMT by sentinal (squid/2.5.STABLE12)

+

I can access this if I disable my proxy settings in the browser.
Can anyone tell me how to correct this.


This email and any files transmitted with it are intended solely for the use of 
the individual (squid-users@squid-cache.org) or entity addressed at [EMAIL 
PROTECTED] If you have received this email in error please notify the system 
manager. Please note that any views or opinions presented in this email are 
solely those of the author and do not necessarily represent those of the 
company.



[squid-users] Access denied without password request

2008-04-04 Thread alpop
Hello

I need to deny access to anywhere except www.rbc.ru. I wrote this acl:

acl acl-pupkin proxy_auth pupkin

acl acl-pupkin-allow dstdom_regex rbc.ru

http_access allow acl-pupkin acl-pupkin-allow

http_access deny acl-pupkin

It's working. But on that site as on a lot of others there are some banners, 
counters, etc, which points to other sites. And proxy ask password after any 
moving on allowed site.



Is it possible to fully deny access without any permanent password requests?



with best regards, AGP


[squid-users] access denied with squid-3.0

2006-01-04 Thread Maria Dolores
Greetings,

I have installed squid-3.0 with squidGuard-1.2.0 in two different linux
systems, the configuration of squid in both is identical.   
In one of them squid works properly, in the other I obtain the message
'ERROR ... Access denied' when I try to access to the web through the
proxy.
 Neither error message is showed in the squid logs in the second system,
the only difference I have observed is at the access.log file:

In the first system the messages in this file are:
113... 470 127.0.0.1TCP_REFRESH_MISS /

In the second system instead of 127.0.0.1 is showed the public IP of the
host:
113... 0 192.168.1.31   TCP_DENIED /403 

The file /etc/hosts in the first machine (acept) has the aspect:
127.0.0.1   acept   localhost 
In the second machine (acept-2) this line was:
127.0.0.1   localhost.localdomain localhost acept-2
I have changed this line for:
127.0.0.1   acept-2 localhost
However the messages in access.log continue showing the public IP and
the problem persists.

What could this error be due to? Where does squid obtain the IP of the
machine?

The squid.conf file's content in both systems is:
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl all src 0/0
no_cache deny all
cache_dir null /tmp
access_log /usr/squid/var/logs/access.log
cache_log /usr/squid/var/logs/cache.log
cache_store_log /usr/squid/var/logs/store.log
hosts_file /etc/hosts
redirect_program /usr/squidGuard/bin/squidGuard
-c /usr/squid/etc/squidGuard.conf
redirect_children 4
refresh_pattern ^ftp:   1440 20% 10080
refresh_pattern ^gopher:1440 0% 1440
refresh_pattern . 0 20% 4320
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhosts
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname acept
coredump_dir /usr/squid/var/cache 

Thanks
Maria D.



[squid-users] Access Denied on special port.

2004-09-07 Thread Lilian . Gix
Hi,


I don't understand where is my mistake.

Every time I enter an URL like http://mysite:xy/
I have an access denied. Even if I enter an http_access allow all at the
beginning.

My squid is 2.5 Stable 6
Any idea ?

Thanks.

Gix Lilian
Department BR/PII 3 - Global IT-Infrastructure
Bosch Rexroth AG "The Drive & Control Company"
97816 Lohr, Germany 
Phone: + 49 - 9352 - 18 - 4673
Fax: + 49 - 9352 - 18 - 3985
www.boschrexroth.de



[squid-users] "Access Denied" error occurred randomly.

2006-11-30 Thread Monty Ree
Hello, 


I have used squid 2.6 stable4 for reverse proxy for 10 domains.
It works well, but from time to time I can meet "Access Denied" error.

Then if I execute "/usr/local/squid/sbin/squid -k reconfigure",  works 
again well without error.


But after sometime,  "Access Denied" error occurs again..

I don't know, why this happen.. is it a bug?

More curious thing is that this error happens only for last configured 
domains.

I have installed other versions but the result was same...

Anyone who have experienced like me??


Thanks again..




Re: [squid-users] Access denied - ACL problem

2007-08-29 Thread Nabin Limbu
In squid.conf,

BEFORE the line "http_access deny all" add below 2 lines

acl mynetwork 
http_access allow mynetwork

reload squid configuration.

Regards
Nabin Limbu

> I am new to squid so please bear with me.
> I have an internal server that runs a helpdesk application and should
> allow users to access it using the computer name as the url on port 81.
> I have added a PTR record in our internal DNS server to point
> "servername" to the correct ip address.
>
> http://servername:81
>
> However, squid is displaying the following error.
> +
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: http://servername:81/dashboard
>
> The following error was encountered:
>
> * Access Denied.
>
>   Access control configuration prevents your request from being
> allowed at this time. Please contact your service provider if you feel
> this is incorrect.
>
> Your cache administrator is webmaster.
> Generated Wed, 29 Aug 2007 16:40:50 GMT by sentinal (squid/2.5.STABLE12)
>
> +
>
> I can access this if I disable my proxy settings in the browser.
> Can anyone tell me how to correct this.
>
>





RE: [squid-users] Access denied - ACL problem

2007-08-29 Thread Edward Stafford
I got a bit further. I added web server host entry in my ACL:
acl servernameHost dstdomain servername

Then I added
http_access allow servernameHost before the deny_all.
That still didn't work. Then I thought It had something to do with the
Safe_Ports. The server accepts access on port 81, but it is not in the
safe ports list.

So I moved the servernameHost acl before the !Safe_ports acl and now I
get a new error.

=
While trying to retrieve the URL: http://servername:81/dashboard

The following error was encountered:

Unable to determine IP address from host name for yaserver 

The dnsserver returned:

Server Failure: The name server was unable to process this query. 

This means that:

 The cache was not able to resolve the hostname presented in the URL. 
 Check if the address is correct. 
=

Resolv.conf on my squid server does point to my internal DNS server and
I do have PTR and HOST records for servername.
Our dns is on a windows 2000 server with AD. Our squid proxy runs on a
linux box in the same subnet, but the local "servername" is on a
different subnet.

As I stated before, if I disable the proxy in the browser settings,
access works fine.
Also if I try to ping servername from the squid box, I get an unknown
host error.
But I can successfully ping servername.domain.local.

I know it might sound like a DNS issue, but I am only having the issue
when squid is added to the formula.

Any thoughts?





-Original Message-
From: Nabin Limbu [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 29, 2007 12:41 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Access denied - ACL problem

In squid.conf,

BEFORE the line "http_access deny all" add below 2 lines

acl mynetwork 
http_access allow mynetwork

reload squid configuration.

Regards
Nabin Limbu

> I am new to squid so please bear with me.
> I have an internal server that runs a helpdesk application and should 
> allow users to access it using the computer name as the url on port
81.
> I have added a PTR record in our internal DNS server to point 
> "servername" to the correct ip address.
>
> http://servername:81
>
> However, squid is displaying the following error.
> +
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: http://servername:81/dashboard
>
> The following error was encountered:
>
> * Access Denied.
>
>   Access control configuration prevents your request from being 
> allowed at this time. Please contact your service provider if you feel

> this is incorrect.
>
> Your cache administrator is webmaster.
> Generated Wed, 29 Aug 2007 16:40:50 GMT by sentinal 
> (squid/2.5.STABLE12)
>
> +
>
> I can access this if I disable my proxy settings in the browser.
> Can anyone tell me how to correct this.
>
>









RE: [squid-users] Access denied - ACL problem

2007-08-29 Thread Henrik Nordstrom
On Wed, 2007-08-29 at 15:36 -0400, Edward Stafford wrote:

> =
> While trying to retrieve the URL: http://servername:81/dashboard
> 
> The following error was encountered:
> 
> Unable to determine IP address from host name for yaserver 
> 
> The dnsserver returned:
> 
> Server Failure: The name server was unable to process this query. 

This is because Squid doesn't know which domain to look into. See the
append_domain or dns_defnames squid.conf directives.

Regards
Henrik




RE: [squid-users] Access denied - ACL problem

2007-08-30 Thread Edward Stafford
Thanks for the pointers. I will look into those directives.
Meanwhile, as a temp workaround, I added an entry for "servername" to
the hosts file on the squid server. 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 29, 2007 6:21 PM
To: Edward Stafford
Cc: Nabin Limbu; squid-users@squid-cache.org
Subject: RE: [squid-users] Access denied - ACL problem

On Wed, 2007-08-29 at 15:36 -0400, Edward Stafford wrote:

> =
> While trying to retrieve the URL: http://servername:81/dashboard
> 
> The following error was encountered:
> 
> Unable to determine IP address from host name for yaserver
> 
> The dnsserver returned:
> 
> Server Failure: The name server was unable to process this query. 

This is because Squid doesn't know which domain to look into. See the
append_domain or dns_defnames squid.conf directives.

Regards
Henrik





[squid-users] "Access denied" pages for HTTPS requests

2010-11-15 Thread Vonlanthen, Elmar
Hello all

I have the following setup:

- Windows client with Internet Explorer and configured squid proxy for
HTTP *and* HTTPS.
- Squid 3.1.8 as proxy
- Squid access rule:
  acl facebook url_regex facebook.com
  http_access deny facebook

If the client is trying to connect to https://www.facebook.com, the IE
cannot display the squid "access denied" page (IE displays the default
message "Cannot display the website"). It makes sense, because squid
cannot send the error page back via HTTP, if the client is sending a
CONNECT request.

But is there any possibility to do this anyway?

I did some tests with ssl_bump, deny_info, url_rewrite but wasn't
successful. I wonder if I am the only person with this problem.

Any ideas?

Thanks for any help.

Best regards
Elmar




Re: [squid-users] Access denied without password request

2008-04-04 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:

> Hello
> I need to deny access to anywhere except www.rbc.ru. I wrote this acl:
> acl acl-pupkin proxy_auth pupkin
> acl acl-pupkin-allow dstdom_regex rbc.ru

Ew. regex. Use this instead:

  acl acl-pupkin-allow dstdomain rbc.ru

> http_access allow acl-pupkin acl-pupkin-allow
> http_access deny acl-pupkin
> It's working. But on that site as on a lot of others there are some banners,
> counters, etc, which points to other sites. And proxy ask password after any
> moving on allowed site.
>
> Is it possible to fully deny access without any permanent password requests?

Yes, using any of the other many ACL types which do not involve auth.
You will have to pick the criteria yourself.


Here is a useful list of the ACL types available in current squid releases:

  http://www.squid-cache.org/Versions/v2/2.6/cfgman/acl.html
  http://www.squid-cache.org/Versions/v3/3.0/cfgman/acl.html


Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
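
The two ACL types in this exchange, compared in an added example that is not part of the original messages: a small Python model of how an unanchored dstdom_regex value and a dstdomain value decide on host names. The host list is constructed, Python's re module stands in for Squid's regex library, and all function names are illustrative.

```python
import re


def dstdom_regex_match(pattern, host):
    """dstdom_regex: the pattern is searched anywhere in the host name."""
    return re.search(pattern, host) is not None


def dstdomain_match(value, host):
    """dstdomain: exact host name, or the domain plus every subdomain
    when the configured value starts with a dot."""
    host, value = host.lower(), value.lower()  # DNS names are case-insensitive
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def audit(acl_type, value, intended_domain, hosts):
    """Return (overmatched, missed): hosts the ACL accepts although they are
    outside the intended domain, and hosts inside it that the ACL rejects."""
    match = dstdom_regex_match if acl_type == "dstdom_regex" else dstdomain_match
    over = [h for h in hosts
            if match(value, h) and not in_domain(h, intended_domain)]
    missed = [h for h in hosts
              if in_domain(h, intended_domain) and not match(value, h)]
    return over, missed


# Constructed host names for the audit; none of them come from the thread
# except www.rbc.ru / rbc.ru.
HOSTS = [
    "www.rbc.ru",
    "rbc.ru",
    "pics.rbc.ru",
    "rbc.ru.example.net",   # intended domain used as a leading label
    "herbcaru.example",     # "." in the regex matches the letter "a"
    "counter.example.org",  # third-party counter, should never match
]

# ACL values to compare: the one from the question, the two dstdomain
# spellings, and an anchored regex with the dot escaped.
CANDIDATES = [
    ("dstdom_regex", r"rbc.ru"),
    ("dstdomain", "rbc.ru"),
    ("dstdomain", ".rbc.ru"),
    ("dstdom_regex", r"(^|\.)rbc\.ru$"),
]

if __name__ == "__main__":
    for acl_type, value in CANDIDATES:
        over, missed = audit(acl_type, value, "rbc.ru", HOSTS)
        print("acl allow %-12s %-18s overmatch=%s missed=%s"
              % (acl_type, value, over, missed))
```

An allow list built on the unanchored pattern accepts hosts that merely contain the string, while the dstdomain forms differ only in whether subdomains such as www.rbc.ru are covered.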


[squid-users] access denied without prompting for login

2008-10-01 Thread Gregory Machin
Hi
I have the following squid config (below) that worked for a while then
squid started giving page faults so I removed squid then reinstalled
it now when I try to open a site I get access denied without even
being prompted for my username and password. I have tested the ldap
auth and that is working from the command line.. What have I missed ?
what caused it to break?
Current version of squid  2.6.STABLE16
on Fedora 8


thanks

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b
"OU=Organizational Structure,DC= 
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth

acl all src 0.0.0.0/0.0.0.0
acl locallan src 10.0.1.0/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
visible_hostname greg-test
http_access allow localhost
http_access deny all
http_port 3128

hierarchy_stoplist cgi-bin ?
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
maximum_object_size 4096 KB
access_log /var/log/squid/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
dns_nameservers 10.0.1.250 196.33.158.230 66.8.85.139
memory_pools off
coredump_dir /var/spool/squid


[squid-users] Access denied when in intercept mode

2014-04-30 Thread nettrino
Hello all, I am trying to set up a squid proxy to filter HTTPS traffic. In
particular, I want to connect an Android device to the proxy and examine the
requests issued by various applications.

When 'intercept' mode is on, I get 'Access Denied'. I would be most grateful
if you gave me some hint
on what is wrong with my configuration.

I have been following this tutorial:
http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-proxy-for-http.html

My squid version is 3.4.4.2 running in Ubuntu with kernel 3.5.0-48-generic.



Currently I am testing to connect from my laptop (squidCA.pem is added in my
browser)
In the machine where squid is running I have flushed all my iptables rules
and only have


Any help is greatly appreciated. 

Thank you





RE: [squid-users] access denied with squid-3.0

2006-01-04 Thread Brian Phillips
You are getting an "access denied" because in the squid.conf of your acept-2
machine, you need the lines:

acl acept2 src 192.168.1.31/32
http_access allow acept2

In between these lines:

acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhosts

Final config would be:

acl localhost src 127.0.0.1/255.255.255.255
acl acept2 src 192.168.1.31/32
http_access allow acept2
http_access allow localhost
http_access deny all

As for where squid pulls the ip address of the machine, I think in the
access.log it actually pulls the ip address of the requesting machine, and
only does a lookup if you want to see hostnames in your log file, rather
than ip addresses.  You should probably tell us how you are initiating these
connections to the proxy, and if you are using any type of redirection like
iptables or the sorts.

Brian

-Original Message-
From: Maria Dolores [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 04, 2006 3:40 AM
To: squid-users@squid-cache.org
Subject: [squid-users] access denied with squid-3.0

Greetings,

I have installed squid-3.0 with squidGuard-1.2.0 in two different linux
systems, the configuration of squid in both is identical.   
In one of them squid works properly, in the other I obtain the message
'ERROR ... Access denied' when I try to access to the web through the
proxy.
 Neither error message is showed in the squid logs in the second system,
the only difference I have observed is at the access.log file:

In the first system the messages in this file are:
113... 470 127.0.0.1TCP_REFRESH_MISS /

In the second system instead of 127.0.0.1 is showed the public IP of the
host:
113... 0 192.168.1.31   TCP_DENIED /403 

The file /etc/hosts in the first machine (acept) has the aspect:
127.0.0.1   acept   localhost 
In the second machine (acept-2) this line was:
127.0.0.1   localhost.localdomain localhost acept-2
I have changed this line for:
127.0.0.1   acept-2 localhost
However the messages in access.log continue showing the public IP and
the problem persists.

What could this error be due to? Where does squid obtain the IP of the
machine?

The squid.conf file's content in both systems is:
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl all src 0/0
no_cache deny all
cache_dir null /tmp
access_log /usr/squid/var/logs/access.log
cache_log /usr/squid/var/logs/cache.log
cache_store_log /usr/squid/var/logs/store.log
hosts_file /etc/hosts
redirect_program /usr/squidGuard/bin/squidGuard
-c /usr/squid/etc/squidGuard.conf
redirect_children 4
refresh_pattern ^ftp:   1440 20% 10080
refresh_pattern ^gopher:1440 0% 1440
refresh_pattern . 0 20% 4320
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhosts
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname acept
coredump_dir /usr/squid/var/cache 

Thanks
Maria D.



RE: [squid-users] access denied with squid-3.0

2006-01-05 Thread Brian Phillips
If I understand your iptables script, you have a transparent setup that
grabs all traffic leaving port 80 on the outer interface (the one 'closest'
to the internet).  This should be consistent with what your proxy is
showing.  We would need to know more about the physical connections of the
two machines.  Are they both NAT'ed?  Does the other machine (the one that
initially worked properly) have the same/similar iptables script?

Brian

-Original Message-
From: Maria Dolores [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 05, 2006 2:17 AM
To: Brian Phillips
Subject: RE: [squid-users] access denied with squid-3.0

Thanks Brian,
 With your instruction I have achieved squid works without problems,
even several squid instances.

 I don't initiate the connection with the proxy in any manner because my
system works with squid like a local proxy. The configuration of
iptables I use for a user 'fulano', with squid in the port 3128:
 *nat
:PREROUTING ACCEPT [463:69228]
:POSTROUTING ACCEPT [3343:204776]
:OUTPUT ACCEPT [3257:199616]
:proxy_fulano - [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner fulano -j
proxy_fulano
-A proxy_fulano -m owner --uid-owner squid -j RETURN
-A proxy_fulano -p tcp -j REDIRECT --to-ports 3128

Thanks again for your help
 Kind regards
   Maria D.



On Wed, 04-01-2006 at 11:39 -0700, Brian Phillips wrote:
> You are getting a "access denied" because in the squid.conf of your
acept-2
> machine, you need the lines:
> 
> acl acept2 src 192.168.1.31/32
> http_access accept acept2
> 
> In between these lines:
> 
> acl localhost src 127.0.0.1/255.255.255.255
> http_access allow localhosts
> 
> Final config would be:
> 
> acl localhost src 127.0.0.1/255.255.255.255
> acl acept2 src 192.168.1.31/32
> http_access allow acept2
> http_access allow localhost
> http_access deny all
> 
> As for where squid pulls the ip address of the machine, I think in the
> access.log it actually pulls the ip address of the requesting machine, and
> only does a lookup if you want to see hostnames in your log file, rather
> than ip addresses.  You should probably tell us how you are initiating
these
> connections to the proxy, and if you are using any type of redirection
like
> iptables or the sorts.
> 
> Brian
> 
> -Original Message-
> From: Maria Dolores [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 04, 2006 3:40 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] access denied with squid-3.0
> 
> Greetings,
> 
> I have installed squid-3.0 with squidGuard-1.2.0 in two different linux
> systems, the configuration of squid in both is identical.   
> In one of them squid works properly, in the other I obtain the message
> 'ERROR ... Access denied' when I try to access to the web through the
> proxy.
>  Neither error message is showed in the squid logs in the second system,
> the only difference I have observed is at the access.log file:
> 
> In the first system the messages in this file are:
> 113... 470 127.0.0.1  TCP_REFRESH_MISS /
> 
> In the second system instead of 127.0.0.1 is showed the public IP of the
> host:
> 113... 0 192.168.1.31 TCP_DENIED /403 
> 
> The file /etc/hosts in the first machine (acept) has the aspect:
> 127.0.0.1 acept   localhost 
> In the second machine (acept-2) this line was:
> 127.0.0.1 localhost.localdomain localhost acept-2
> I have changed this line for:
> 127.0.0.1 acept-2 localhost
> However the messages in access.log continue showing the public IP and
> the problem persists.
> 
> What could this error be due to? Where does squid obtain the IP of the
> machine?
> 
> The squid.conf file's content in both systems is:
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> acl all src 0/0
> no_cache deny all
> cache_dir null /tmp
> access_log /usr/squid/var/logs/access.log
> cache_log /usr/squid/var/logs/cache.log
> cache_store_log /usr/squid/var/logs/store.log
> hosts_file /etc/hosts
> redirect_program /usr/squidGuard/bin/squidGuard
> -c /usr/squid/etc/squidGuard.conf
> redirect_children 4
> refresh_pattern ^ftp:   1440 20% 10080
> refresh_pattern ^gopher:1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl localhost src 127.0.0.1/255.255.255.255
> http_access allow localhosts
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname acept
> coredump_dir /usr/squid/var/cache 
> 
> Thanks
>   Maria D.
> 



RE: [squid-users] Access Denied on special port.

2004-09-07 Thread James Zuelow
Check your safe ports settings in squid.conf

Most likely the port you are trying to use isn't listed.

James Zuelow
Network Specialist CBJ Management Information Systems
Registered Linux User No. 186591   
Ph: (907) 586-0239
Fax:(907) 586-4504


>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, September 07, 2004 8:07 AM
>To: [EMAIL PROTECTED]
>Subject: [squid-users] Access Denied on special port.
>
>
>Hi,
>
>
>I don't understand where is my mistake.
>
>Every time I enter an URL like http://mysite:xy/
>I have an access denied. Even if I enter an http_access allow 
>all at the
>beginning.
>
>My squid is 2.5 Stable 6
>Any idea ?
>
>Thanks.
>
>Gix Lilian
>Department BR/PII 3 - Global IT-Infrastructure
>Bosch Rexroth AG "The Drive & Control Company"
>97816 Lohr, Germany 
>Phone: + 49 - 9352 - 18 - 4673
>Fax: + 49 - 9352 - 18 - 3985
>www.boschrexroth.de
>


Re: [squid-users] Access Denied on special port.

2004-09-07 Thread ecasbas
[EMAIL PROTECTED] wrote:

> Hi,
> I don't understand where is my mistake.
> Every time I enter an URL like http://mysite:xy/
> I have an access denied. Even if I enter an http_access allow all at the
> beginning.
> My squid is 2.5 Stable 6
> Any idea ?
> Thanks.
> Gix Lilian
> Department BR/PII 3 - Global IT-Infrastructure
> Bosch Rexroth AG "The Drive & Control Company"
> 97816 Lohr, Germany
> Phone: + 49 - 9352 - 18 - 4673
> Fax: + 49 - 9352 - 18 - 3985
> www.boschrexroth.de


Probably the xy port is denied.
Look in squid.conf for the Safe_ports acl,
but be careful for security reasons if you change it.
Emilio C.



Re: [squid-users] "Access Denied" error occurred randomly.

2006-12-01 Thread Henrik Nordstrom
Thu 2006-11-30 at 13:34 +, Monty Ree wrote:
> Hello, 
> 
> I have used squid 2.6 stable4 for reverse proxy for 10 domains.
> It works well, but from time to time I can meet "Access Denied" error.

"Access Denied" as in a Squid access denied page and TCP_DENIED in
access.log, or "Access Denied" as in a server error page and
TCP_MISS/4xx in access.log?

> Then if I execute "/usr/local/squid/sbin/squid -k reconfigure",  works 
> again well without error.
> 
> But after sometime,  "Access Denied" error occurs again..
> 
> I don't know, why this happen.. is it a bug?

Hard to say without further analysis of your setup.

A good start if it's a Squid access denied page is
http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-57ab8844e9060937c4a654e1aa7568f87cb25aef

Regards
Henrik
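
The distinction asked about above (TCP_DENIED versus TCP_MISS/4xx in access.log), as an added example that is not part of the original message: a small Python classifier for Squid's native access.log format. The sample lines are constructed with documentation addresses, and the duplicate-entry loop check is a heuristic assumed here, modelled on the paired TCP_MISS/403 entries in the FreeBSD thread on this page.

```python
import collections

Entry = collections.namedtuple(
    "Entry", "time elapsed client result status method url hier peer")

# Constructed sample in Squid's native access.log format (documentation IPs).
SAMPLE_LOG = """\
1359013451.945      0 192.0.2.25 TCP_MISS/403 4272 GET http://www.example.com/ - HIER_NONE/- text/html
1359013451.946    139 198.51.100.137 TCP_MISS/403 4369 GET http://www.example.com/ - HIER_DIRECT/192.0.2.25 text/html
1359013460.100      2 198.51.100.137 TCP_DENIED/403 3900 GET http://blocked.example.net/ - HIER_NONE/- text/html
1359013461.200     85 198.51.100.137 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/203.0.113.10 text/html
"""


def parse_line(line):
    """Split one native-format line; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")   # e.g. TCP_MISS / 403
    hier, _, peer = fields[8].partition("/")       # e.g. HIER_DIRECT / address
    try:
        return Entry(float(fields[0]), int(fields[1]), fields[2], result,
                     int(status), fields[5], fields[6], hier, peer)
    except ValueError:
        return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def classify(entry):
    """Say where a 4xx came from, judging only by the logged fields."""
    if entry.result.startswith("TCP_DENIED"):
        return "squid-acl"          # refused by Squid's own access controls
    if 400 <= entry.status < 500:
        # Not TCP_DENIED: either relayed from the peer that was contacted,
        # or produced without contacting any peer (peer field is "-").
        return "upstream-4xx" if entry.peer != "-" else "local-non-acl"
    return "ok"


def find_forward_loops(entries, window=1.0):
    """Heuristic: the same URL is logged twice within `window` seconds and
    the peer one entry was forwarded to is the client of the other entry,
    i.e. the proxy's outgoing request came back to the proxy."""
    loops = []
    for a in entries:
        if a.peer == "-":
            continue
        for b in entries:
            if (b is not a and b.url == a.url and b.client == a.peer
                    and abs(b.time - a.time) <= window):
                loops.append((a.url, a.peer))
    return loops


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.client, e.result, e.status, classify(e))
    print("possible forwarding loops:", find_forward_loops(entries))
```

Only the "squid-acl" class points at the http_access rules in squid.conf; the other 4xx classes need the upstream server or the traffic path checked instead.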




Re: [squid-users] "Access denied" pages for HTTPS requests

2010-11-15 Thread Chad Naugle
This is an Internet Explorer setting under "Internet Options -> Advanced
-> Browsing" called "Show Friendly HTTP Error messages", disable this to
get the real error messages.

ALSO, if you are trying to simply block facebook, create a dstdomain
ACL instead, and don't forget to include fbcdn.net.

-
Chad E. Naugle
Tech Support II, x. 7981
Travel Impressions, Ltd.
 


>>> "Vonlanthen, Elmar" 
11/15/2010 10:23 AM >>>
Hello all

I have the following setup:

- Windows client with Internet Explorer and configured squid proxy for
HTTP *and* HTTPS.
- Squid 3.1.8 as proxy
- Squid access rule:
  acl facebook url_regex facebook.com
  http_access deny facebook

If the client is trying to connect to https://www.facebook.com, the IE
cannot display the squid "access denied" page (IE displays the default
message "Cannot display the website"). It makes sense, because squid
cannot send the error page back via HTTP, if the client is sending a
CONNECT request.

But is there any possibility to do this anyway?

I did some tests with ssl_bump, deny_info, url_rewrite but wasn't
successful. I wonder if I am the only person with this problem.

Any ideas?

Thanks for any help.

Best regards
Elmar




RE: [squid-users] "Access denied" pages for HTTPS requests

2010-11-15 Thread Vonlanthen, Elmar
Hello

> This is an Internet Explorer setting under "Internet Options 
> -> Advanced
> -> Browsing" called "Show Friendly HTTP Error messages", 
> disable this to
> get the real error messages.

This is not working for me. If I do it under IE 8, I still get the same
message (even with browser restart):

   Internet Explorer cannot display the webpage 
   
   What you can try: 
 You are not connected to the Internet. Check your Internet
connection  
 
 Retype the address.  
 
 Go back to the previous page.  
 
   Most likely causes:
*You are not connected to the Internet.
*The website is encountering problems.
*There might be a typing error in the address.
 
 More information


And it would not be a feasible solution, because I cannot control the
clients settings.

But I think this cannot work, because the client is not trying to get
the website with a GET request but with a CONNECT request. So Squid is
not able to send the errorpage back. Or am I wrong?

I have tried with ssl_bump.
I don't want to break allowed SSL connections. So my approach was to use
ssl_bump only for denied websites. But even then I have the same
problem. IE cannot display the "Access denied" page (with HTTP it is
working).

If I add the option "deny_info" and define a redirection page, it is
working with firefox, but with IE or Chrome I have still no success.

Chrome is displaying this error: 
Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown Error.

Any other ideas?

> ALSO, if you are trying to simply block facebook, create a 
> dstdomain ACL instead, and don't forget to include fbcdn.net.

You are right, thanks.

Best regards
Elmar




RE: [squid-users] "Access denied" pages for HTTPS requests

2010-11-15 Thread Amos Jeffries
On Mon, 15 Nov 2010 17:14:49 +0100, "Vonlanthen, Elmar"
 wrote:
> Hello
> 
>> This is an Internet Explorer setting under "Internet Options 
>> -> Advanced
>> -> Browsing" called "Show Friendly HTTP Error messages", 
>> disable this to
>> get the real error messages.
> 
> This is not working for me. If I do it under IE 8, I still get the same
> message (even with browser restart):
> 
>Internet Explorer cannot display the webpage 
>
>What you can try: 
>  You are not connected to the Internet. Check your Internet
> connection  
>  
>  Retype the address.  
>  
>  Go back to the previous page.  
>  
>Most likely causes:
> *You are not connected to the Internet.
> *The website is encountering problems.
> *There might be a typing error in the address.
>  
>  More information
> 
> 
> And it would not be a feasible solution, because I cannot control the
> clients settings.
> 
> But I think this cannot work, because the client is not trying to get
> the website with a GET request but with a CONNECT request. So Squid is
> not able to send the errorpage back. Or am I wrong?


Squid *is* sending the error page response back. However, there were some
security vulnerabilities and at least one virus discovered a while back
involving the way the popular browsers display such pages. So they disabled
it.

The 307 status code was created for non-GET redirects. Use that and as the
browsers gain support for it your site will start to work. Hopefully some
may already.

Amos



RE: [squid-users] "Access denied" pages for HTTPS requests

2010-11-16 Thread Vonlanthen, Elmar
Hello again 

> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Monday, 15 November 2010 23:19
> To: Vonlanthen, Elmar
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] "Access denied" pages for HTTPS requests
> 
> On Mon, 15 Nov 2010 17:14:49 +0100, "Vonlanthen, Elmar"
>  wrote:
> > Hello
> > 
> >> This is an Internet Explorer setting under "Internet Options
> >> -> Advanced
> >> -> Browsing" called "Show Friendly HTTP Error messages",
> >> disable this to
> >> get the real error messages.
> > 
> > This is not working for me. If I do it under IE 8, I still get the 
> > same message (even with browser restart):
> > 
> >Internet Explorer cannot display the webpage
> >
> >What you can try: 
> >  You are not connected to the Internet. Check your Internet 
> > connection
> >  
> >  Retype the address.  
> >  
> >  Go back to the previous page.  
> >  
> >Most likely causes:
> > *You are not connected to the Internet.
> > *The website is encountering problems.
> > *There might be a typing error in the address.
> >  
> >  More information
> > 
> > 
> > And it would not be a feasible solution, because I cannot 
> control the 
> > clients settings.
> > 
> > But I think this cannot work, because the client is not 
> trying to get 
> > the website with a GET request but with a CONNECT request. 
> So Squid is 
> > not able to send the errorpage back. Or am I wrong?
> 
> 
> Squid *is* sending the error page response back. However, 
> there were some security vulnerabilities and at least one 
> virus discovered a while back involving the way the popular 
> browsers display such pages. So they disabled it.

Ok, you are right. I saw it in the tcpdump.

> The 307 status code was created for non-GET redirects. Use 
> that and as the browsers gain support for it your site will 
> start to work. Hopefully some may already.

How can I specify the status code?

With deny_info it seems not to be possible:
deny_info 307:http://myredirect-page

Thanks.

Best regards
Elmar




Re: [squid-users] access denied without prompting for login

2008-10-01 Thread Amos Jeffries
> Hi
> I have the following squid config (below) that worked for a while then
> squid started giving page faults so I removed squid then reinstalled
> it now when I try to open a site I get access denied with out even
> being prompted for my username and password. I have tested the ldap
> auth and that is working from the command line.. What have I missed ?
> what caused it to break?
> Current version of squid  2.6.STABLE16
> on Fedora 8
>

Assuming that your obfuscated parameters are right the rest of the config
looks fine.

Most likely that the squid_ldap_auth helper fails when run as the squid
user but runs as root?

Or possibly, that sometime in the last 2 hours you successfully
authenticated with different (now wrong) credentials?


>
> thanks
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b
> "OU=Organizational Structure,DC= 
> acl ldapauth proxy_auth REQUIRED
> http_access allow ldapauth

I'd really, really recommend placing this below the Safe_ports and CONNECT
safety nets.

>
> acl all src 0.0.0.0/0.0.0.0
> acl locallan src 10.0.1.0/255.255.255.255
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> visible_hostname greg-test
> http_access allow localhost
> http_access deny all
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
> maximum_object_size_in_memory 50 KB
> cache_replacement_policy heap LFUDA
> maximum_object_size 4096 KB
> access_log /var/log/squid/access.log squid
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp:   144020% 10080
> refresh_pattern ^gopher:14400%  1440
> refresh_pattern .   0   20% 4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> quick_abort_pct 95
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> half_closed_clients off
> dns_nameservers 10.0.1.250 196.33.158.230 66.8.85.139
> memory_pools off
> coredump_dir /var/spool/squid
>


Amos
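
The ordering point made above about `http_access allow ldapauth`, as an added example that is not part of the original message: a Python sketch that applies first-match evaluation to a reduced, constructed copy of the quoted rules and flags any `allow` line that sits above the Safe_ports and CONNECT safety nets. It assumes only the `port`, `method` and `proxy_auth` ACL types, treats `all` as built in, and models an unauthenticated request as a simple non-match rather than an authentication challenge.

```python
# Reduced from the config quoted in the thread (constructed for the example).
AS_POSTED = """
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Same ACLs, with the allow line moved below the two safety nets.
REORDERED = """
acl ldapauth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ldapauth
http_access deny all
"""

SAFETY_NETS = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"])]


def parse_conf(text):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 4 and tokens[0] == "acl":
            # Repeated acl lines with one name add values (OR within an ACL).
            acls.setdefault(tokens[1], (tokens[2], []))[1].extend(tokens[3:])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))
    return acls, rules


def in_range(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls, term, request):
    negate, name = term.startswith("!"), term.lstrip("!")
    if name == "all":                      # assumption: built-in match-all
        hit = True
    else:
        kind, values = acls[name]
        if kind == "port":
            hit = any(in_range(v, request["port"]) for v in values)
        elif kind == "method":
            hit = request["method"] in values
        elif kind == "proxy_auth":         # simplified: no 407 challenge
            hit = request.get("user") is not None
        else:
            raise ValueError("unsupported acl type: " + kind)
    return hit != negate


def evaluate(acls, rules, request):
    """First rule whose ACLs all match decides (AND within one line)."""
    for action, terms in rules:
        if all(acl_matches(acls, t, request) for t in terms):
            return action
    # No line matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def allows_before_safety_nets(rules):
    """Return allow rules that are evaluated before both safety nets."""
    last_net = -1
    for net in SAFETY_NETS:
        if net not in rules:               # net missing: nothing is guarded
            return [r for r in rules if r[0] == "allow"]
        last_net = max(last_net, rules.index(net))
    return [r for r in rules[:last_net] if r[0] == "allow"]


if __name__ == "__main__":
    request = {"method": "CONNECT", "port": 25, "user": "alice"}
    for label, conf in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        acls, rules = parse_conf(conf)
        print(label, evaluate(acls, rules, request),
              allows_before_safety_nets(rules))
```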



[squid-users] Access Denied with transparent mode on FreeBSD

2013-01-24 Thread iain
FreeBSD 9.1 installation with Squid installed from ports and using
transparent mode results in "Access Denied" messages when trying to
browse regular HTTP.

Log files fill up with:

*** LOGFILE ***
1359013451.945  0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET
http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET
http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.966  0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967  1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25
text/html
1359013451.992  0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET
http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
1359013451.992  1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET
http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
*** END ***

Squid.conf file is:

*** SQUID.CONF ***
visible_hostname X
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
machines
acl localnet src ::::/48 # More IPv6 ...
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl cacti src XXX.XXX.0.154/32
acl snmpstats snmp_community tainROcacti
acl sliema_net_fine src XXX.XXX.0.0/25
acl sliema_net_core src XXX.XXX.0.128/25
acl sliema_net_gnet src XXX.XXX.1.0/25
acl sliema_net_norm src XXX.XXX.1.128/25
acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
acl youtube dstdomain .youtube.com
acl youtube dstdomain .youtu.be
acl youtube dstdomain .googlevideo.com
acl cdners dstdomain .akamai.com
acl cdners dstdomain .llnwd.net
acl facebook dstdomain .facebook.com
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
snmp_port 3401
snmp_access allow snmpstats cacti
snmp_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
http_port 80
cache_dir ufs /var/squid/cache/squid 100 16 256
cache_mem 256 MB
coredump_dir /var/squid/cache/squid
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
432000
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
43200 90% 432000
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 43200 90% 432000
refresh_pattern -i youtu.be/.* 43200 90% 432000
refresh_pattern -i ytimg.com/.* 43200 90% 432000
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
*** END ***

And squid compile options are:

*** SQUID VERSION ***
Squid Cache: Version 3.2.6
configure options:
'--with-default-user=squid'
'--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin'
'--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var/squid'
'--sysconfdir=/usr/local/etc/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--enable-auth'
'--enable-build-info'
'--enable-loadable-modules'
'--enable-removal-policies=lru heap'
'--disable-epoll'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-translation'
'--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS
fake getpwnam'
'--enable-auth-digest=file'
'--enable-external-acl-helpers=file_userip unix_group'
'--enable-auth-negotiate=none'
'--enable-auth-ntlm=fake smb_lm'
'--enable-storeio=diskd rock ufs aufs'
'--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads'
'--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake'
'--enable-icmp'
'--enable-htcp'
'--disable-forw-via-d

[squid-users] Access Denied using Squid as reverse proxy

2013-10-23 Thread juan_fla
I'm trying to set up squid as reverse proxy/cache for a mediawiki website. At
this time, http requests to the website give me an Access denied message.
Looks like I need to map requests to port 80 somehow to the port 3129 (where
Squid is listening right now) but I don't understand how.

Squid 3.3.8, FreeBSD 6.2.

Web server is listening to port 3130. Squid is listening on 3129. 

Trying to browse the homepage ( http://mydomain.org - not the real domain)
results in: 

ERROR 
The requested URL could not be retrieved 
The following error was encountered while trying to retrieve the URL:
http://localhost:3129/index.html
Access Denied. 
Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect. 
Your cache administrator is webmaster. 

However, adding the Squid port number does work - the response is the
homepage ( http://mydomain.org:3129/ ) 


Squid.conf: 


http_port 3129 accel defaultsite=mydomain.org 
cache_peer 127.0.0.1 parent 3130 0 no-query originserver  name=myAccel
login=PASS 
acl our_sites dstdomain mydomain.org 

http_access allow our_sites 
cache_peer_access myAccel allow our_sites 
cache_peer_access myAccel deny all 

cache_dir ufs /home/mydomain/website/webroot/cache/squid 100 16 256 
coredump_dir /home/mydomain/opt/squid/var/cache/squid 

refresh_pattern ^ftp:1440   20% 10080 
refresh_pattern ^gopher:14400%  1440 
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0 
refresh_pattern .0  20% 4320 

visible_hostname mydomain.org 
  

I've tried adding references to port 80 but so far nothing has worked. 

I will sincerely appreciate any suggestions. We have had the website down
for two months now trying to get Squid working :( 

Thank you.





Re: [squid-users] Access denied when in intercept mode

2014-04-30 Thread Eliezer Croitoru

Hey there,

it depends on the topology and your current iptables and squid.conf state.
Can you share:
"squid -v"
iptables-save
cat squid.conf
(remove any confidential data and spaces + comments from the squid.conf)

Eliezer

On 05/01/2014 03:51 AM, nettrino wrote:

Hello all, I am trying to set up a squid proxy to filter HTTPS traffic. In
particular, I want to connect an Android device to the proxy and examine the
requests issued by various applications.

When 'intercept' mode is on, I get 'Access Denied'. I would be most grateful
if you gave me some hint
on what is wrong with my configuration.

I have been following this tutorial:
http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-proxy-for-http.html

My squid version is 3.4.4.2 running in Ubuntu with kernel 3.5.0-48-generic.



Currently I am testing to connect from my laptop (squidCA.pem is added in my
browser)
In the machine where squid is running I have flushed all my iptables rules
and only have


Any help is greatly appreciated.

Thank you








RE: [squid-users] Access denied when in intercept mode

2014-05-01 Thread Lawrence Pingree
If you are getting access denied it is most likely a squid ACL. By default
squid.conf has most things blocked in the ACL.



Best regards,
The Geek Guy

Lawrence Pingree
http://www.lawrencepingree.com/resume/

Author of "The Manager's Guide to Becoming Great"
http://www.Management-Book.com
 


-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il] 
Sent: Wednesday, April 30, 2014 8:34 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Access denied when in intercept mode

Hey there,

it depends on the topology and your current iptables and squid.conf state.
Can you share:
"squid -v"
iptables-save
cat squid.conf
(remove any confidential data and spaces + comments from the squid.conf)

Eliezer

On 05/01/2014 03:51 AM, nettrino wrote:
> Hello all, I am trying to set up a squid proxy to filter HTTPS 
> traffic. In particular, I want to connect an Android device to the 
> proxy and examine the requests issued by various applications.
>
> When 'intercept' mode is on, I get 'Access Denied'. I would be most 
> grateful if you gave me some hint on what is wrong with my 
> configuration.
>
> I have been following this tutorial:
> http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-pro
> xy-for-http.html
>
> My squid version is 3.4.4.2 running in Ubuntu with kernel
3.5.0-48-generic.
>
>
>
> Currently I am testing to connect from my laptop (squidCA.pem is added 
> in my
> browser)
> In the machine where squid is running I have flushed all my iptables 
> rules and only have
>
>
> Any help is greatly appreciated.
>
> Thank you
>
>
>
> --
> View this message in context: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Access-denied-when-
> in-intercept-mode-tp4665775.html Sent from the Squid - Users mailing 
> list archive at Nabble.com.
>





Re: [squid-users] Access Denied with transparent mode on FreeBSD

2013-01-24 Thread Leslie Jensen



2013-01-24 09:41, iain wrote:

FreeBSD 9.1 installation with Squid installed from ports and using
transparent mode results in "Access Denied" messages when trying to
browse regular HTTP.

Log files fill up with:

*** LOGFILE ***
1359013451.945  0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET
http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET
http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.966  0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967  1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25
text/html
1359013451.992  0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET
http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
1359013451.992  1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET
http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
*** END ***

Squid.conf file is:

*** SQUID.CONF ***
visible_hostname X
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
machines
acl localnet src ::::/48 # More IPv6 ...
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl cacti src XXX.XXX.0.154/32
acl snmpstats snmp_community tainROcacti
acl sliema_net_fine src XXX.XXX.0.0/25
acl sliema_net_core src XXX.XXX.0.128/25
acl sliema_net_gnet src XXX.XXX.1.0/25
acl sliema_net_norm src XXX.XXX.1.128/25
acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
acl youtube dstdomain .youtube.com
acl youtube dstdomain .youtu.be
acl youtube dstdomain .googlevideo.com
acl cdners dstdomain .akamai.com
acl cdners dstdomain .llnwd.net
acl facebook dstdomain .facebook.com
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
snmp_port 3401
snmp_access allow snmpstats cacti
snmp_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
http_port 80
cache_dir ufs /var/squid/cache/squid 100 16 256
cache_mem 256 MB
coredump_dir /var/squid/cache/squid
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
432000
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
43200 90% 432000
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 43200 90% 432000
refresh_pattern -i youtu.be/.* 43200 90% 432000
refresh_pattern -i ytimg.com/.* 43200 90% 432000
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
*** END ***

And squid compile options are:

*** SQUID VERSION ***
Squid Cache: Version 3.2.6
configure options:
'--with-default-user=squid'
'--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin'
'--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var/squid'
'--sysconfdir=/usr/local/etc/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--enable-auth'
'--enable-build-info'
'--enable-loadable-modules'
'--enable-removal-policies=lru heap'
'--disable-epoll'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-translation'
'--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS
fake getpwnam'
'--enable-auth-digest=file'
'--enable-external-acl-helpers=file_userip unix_group'
'--enable-auth-negotiate=none'
'--enable-auth-ntlm=fake smb_lm'
'--enable-storeio=diskd rock ufs aufs'
'--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads'
'--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake'
'--enable-icmp'
'--enable-h

Re: [squid-users] Access Denied with transparent mode on FreeBSD

2013-01-24 Thread Guy Helmer

On Jan 24, 2013, at 2:41 AM, iain  wrote:

> FreeBSD 9.1 installation with Squid installed from ports and using
> transparent mode results in "Access Denied" messages when trying to
> browse regular HTTP.
> 
> Log files fill up with:
> 
> *** LOGFILE ***
> 1359013451.945  0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET
> http://www.facebook.com/ - HIER_NONE/- text/html
> 1359013451.946139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET
> http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> 1359013451.966  0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET
> http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> 1359013451.967  1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET
> http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25
> text/html
> 1359013451.992  0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET
> http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
> 1359013451.992  1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET
> http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> *** END ***
> 
> Squid.conf file is:
> 
> *** SQUID.CONF ***
> visible_hostname X
> acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
> machines
> acl localnet src ::::/48 # More IPv6 ...
> acl SSL_ports port 443
> acl Safe_ports port 80# http
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443   # https
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210   # wais
> acl Safe_ports port 1025-65535# unregistered ports
> acl Safe_ports port 280   # http-mgmt
> acl Safe_ports port 488   # gss-http
> acl Safe_ports port 591   # filemaker
> acl Safe_ports port 777   # multiling http
> acl CONNECT method CONNECT
> acl cacti src XXX.XXX.0.154/32
> acl snmpstats snmp_community tainROcacti
> acl sliema_net_fine src XXX.XXX.0.0/25
> acl sliema_net_core src XXX.XXX.0.128/25
> acl sliema_net_gnet src XXX.XXX.1.0/25
> acl sliema_net_norm src XXX.XXX.1.128/25
> acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
> acl youtube dstdomain .youtube.com
> acl youtube dstdomain .youtu.be
> acl youtube dstdomain .googlevideo.com
> acl cdners dstdomain .akamai.com
> acl cdners dstdomain .llnwd.net
> acl facebook dstdomain .facebook.com
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
> snmp_port 3401
> snmp_access allow snmpstats cacti
> snmp_access deny all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128 intercept
> http_port 80
> cache_dir ufs /var/squid/cache/squid 100 16 256
> cache_mem 256 MB
> coredump_dir /var/squid/cache/squid
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
> 432000
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
> 43200 90% 432000
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern -i youtube.com/.* 43200 90% 432000
> refresh_pattern -i youtu.be/.* 43200 90% 432000
> refresh_pattern -i ytimg.com/.* 43200 90% 432000
> refresh_pattern ^ftp: 144020% 10080
> refresh_pattern ^gopher:  14400%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0   0%  0
> refresh_pattern . 0   20% 4320
> *** END ***
> 
> And squid compile options are:
> 
> *** SQUID VERSION ***
> Squid Cache: Version 3.2.6
> configure options:
>   '--with-default-user=squid'
>   '--bindir=/usr/local/sbin'
>   '--sbindir=/usr/local/sbin'
>   '--datadir=/usr/local/etc/squid'
>   '--libexecdir=/usr/local/libexec/squid'
>   '--localstatedir=/var/squid'
>   '--sysconfdir=/usr/local/etc/squid'
>   '--with-logdir=/var/log/squid'
>   '--with-pidfile=/var/run/squid/squid.pid'
>   '--enable-auth'
>   '--enable-build-info'
>   '--enable-loadable-modules'
>   '--enable-removal-policies=lru heap'
>   '--disable-epoll'
>   '--disable-linux-netfilter'
>   '--disable-linux-tproxy'
>   '--disable-translation'
>   '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS
> fake getpwnam'
>   '--enable-auth-digest=file'
>   '--enable-external-acl-helpers=file_userip unix_group'
>   '--enable-auth-negotiate=none'
>   '--enable-auth-ntlm

Re: [squid-users] Access Denied with transparent mode on FreeBSD

2013-01-24 Thread Eliezer Croitoru
Notice that you have TCP_MISS flag and 403 response which means that 
it's not being denied directly by squid acls but at another level.


You can see you have double entries which can indicate a forward loop.
Please provide us with your ipfw\pf rules and also tcpdump of a single 
request\stream and if IP is sensitive just send it to my private EMAIL.


A great suggestion is to remove completely the http_port 80 since it's 
not a common proxy port and can confuse debugging.

Change it to port 81 for the time being.

Regards,
Eliezer

On 1/24/2013 10:41 AM, iain wrote:

FreeBSD 9.1 installation with Squid installed from ports and using
transparent mode results in "Access Denied" messages when trying to
browse regular HTTP.

Log files fill up with:

*** LOGFILE ***
1359013451.945      0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946    139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.966      0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967      1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.992      0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
1359013451.992      1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
*** END ***

Squid.conf file is:

*** SQUID.CONF ***
visible_hostname X
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl localnet src ::::/48 # More IPv6 ...
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl cacti src XXX.XXX.0.154/32
acl snmpstats snmp_community tainROcacti
acl sliema_net_fine src XXX.XXX.0.0/25
acl sliema_net_core src XXX.XXX.0.128/25
acl sliema_net_gnet src XXX.XXX.1.0/25
acl sliema_net_norm src XXX.XXX.1.128/25
acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
acl youtube dstdomain .youtube.com
acl youtube dstdomain .youtu.be
acl youtube dstdomain .googlevideo.com
acl cdners dstdomain .akamai.com
acl cdners dstdomain .llnwd.net
acl facebook dstdomain .facebook.com
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
snmp_port 3401
snmp_access allow snmpstats cacti
snmp_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
http_port 80
cache_dir ufs /var/squid/cache/squid 100 16 256
cache_mem 256 MB
coredump_dir /var/squid/cache/squid
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 43200 90% 432000
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 43200 90% 432000
refresh_pattern -i youtu.be/.* 43200 90% 432000
refresh_pattern -i ytimg.com/.* 43200 90% 432000
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:        1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
*** END ***

And squid compile options are:

*** SQUID VERSION ***
Squid Cache: Version 3.2.6
configure options:
'--with-default-user=squid'
'--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin'
'--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var/squid'
'--sysconfdir=/usr/local/etc/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--enable-auth'
'--enable-build-info'
'--enable-loadable-modules'
'--enable-removal-policies=lru heap'
'--disable-epoll'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--dis
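
The two observations in the reply above (a 403 logged as TCP_MISS rather than TCP_DENIED did not come from Squid's own ACLs, and paired entries for one URL suggest a forwarding loop) can be checked mechanically. This is an added Python example, not code from the thread or from the Squid project; the function names are hypothetical and the log lines are constructed, with 192.0.2.25 standing in for the proxy's own address.

```python
import re

# Constructed sample in Squid's native access.log format. All addresses come
# from documentation ranges; 192.0.2.25 plays the proxy's own address.
SAMPLE_LOG = """\
1359013451.945      0 192.0.2.25 TCP_MISS/403 4272 GET http://www.example.com/ - HIER_NONE/- text/html
1359013451.946    139 192.0.2.137 TCP_MISS/403 4369 GET http://www.example.com/ - HIER_DIRECT/192.0.2.25 text/html
1359013452.310     84 192.0.2.140 TCP_MISS/200 5120 GET http://www.example.org/a.png - HIER_DIRECT/198.51.100.7 image/png
1359013452.992      0 192.0.2.25 TCP_MISS/403 4179 GET http://www.example.com/favicon.ico - HIER_NONE/- text/html
1359013452.993      1 192.0.2.137 TCP_MISS/403 4276 GET http://www.example.com/favicon.ico - HIER_DIRECT/192.0.2.25 text/html
1359013453.500      0 192.0.2.141 TCP_DENIED/403 3900 GET http://blocked.example.net/ - HIER_NONE/- text/html
"""

# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_access_log(text):
    """Parse native-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ts"] = float(entry["ts"])
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def split_403s(entries):
    """Separate 403s denied by Squid's ACLs (TCP_DENIED) from all other 403s."""
    denied, other = [], []
    for entry in entries:
        if entry["status"] == 403:
            (denied if entry["code"].startswith("TCP_DENIED") else other).append(entry)
    return denied, other


def find_forwarding_loops(entries, window=1.0):
    """
    Report (url, client, proxy_address) where a request was sent DIRECT to an
    address that itself appears as the client of a request for the same URL
    within `window` seconds: the proxy is talking to itself.
    """
    loops = []
    for outer in entries:
        if outer["hier"] != "HIER_DIRECT":
            continue
        for inner in entries:
            if (inner is not outer
                    and inner["client"] == outer["peer"]
                    and inner["url"] == outer["url"]
                    and abs(inner["ts"] - outer["ts"]) <= window):
                loops.append((outer["url"], outer["client"], outer["peer"]))
                break
    return loops


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    acl_denied, other_403 = split_403s(parsed)
    print("403 from http_access rules:", len(acl_denied))
    print("403 from elsewhere:", len(other_403))
    for url, client, proxy in find_forwarding_loops(parsed):
        print("possible loop:", client, "->", proxy, url)
```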

Re: [squid-users] Access Denied using Squid as reverse proxy

2013-10-23 Thread Amos Jeffries

On 24/10/2013 3:17 p.m., juan_fla wrote:

I'm trying to set up squid as reverse proxy/cache for a mediawiki website. At
this time, http requests to the website give me an Access denied message.
Looks like I need to map requests to port 80 somehow to the port 3129 (where
Squid is listening right now) but I don't understand how.

Bad idea. Squid as reverse-proxy should be listening directly on port 80 
and handling the traffic as it arrives there.


The wiki service should ideally be listening on port 80 on a 
different/private/localhost IP somewhere else. Squid gets configured 
with a cache_peer directive pointing at the wiki web server listening 
port. Public DNS gets configured pointing all visitors at Squid.


Details can be found in this example config along with instructions on 
proper testing of reverse-proxies:

  http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting


Squid 3.3.8, FreeBSD 6.2.

Web server is listening to port 3130. Squid is listening on 3129.


Ideally both should be listening on port 80, just different IPs.

However, IF you really need the web server to be listening on a 
different port you can set the cache_peer in the above mentioned config 
rules to point at any port you like. Just be extra careful that the web 
server is configured to ensure the scripts it runs only generate URLs with:
1) relative URLs whenever possible ... so the client software uses its 
original URL domain:port details for followup requests
2) omitted port number when domain is unavoidable ... implying default 
port 80 so it goes back to Squid.
3) omitted "scheme:" ... so http:// and https:// can be determined by the 
frontend Squid without causing trouble.


 As a backup you can have Squid listening on port 3130 *as well*. But 
if that is possible there is usually not much reason for the web server 
to avoid port 80 is there?



Trying to browse the homepage ( http://mydomain.org - not the real domain)
results in:

ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL:
http://localhost:3129/index.html
Access Denied.
Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.
Your cache administrator is webmaster.

However, adding the Squid port number does work - the response is the
homepage ( http://mydomain.org:3129/ )


BUT  Squid is not being asked to fetch website " mydomain.org " ... it 
is being asked to fetch website " localhost:3129 "




Squid.conf:


http_port 3129 accel defaultsite=mydomain.org


http_port 80 accel defaultsite=mydomain.org


cache_peer 127.0.0.1 parent 3130 0 no-query originserver name=myAccel login=PASS
acl our_sites dstdomain mydomain.org

http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

cache_dir ufs /home/mydomain/website/webroot/cache/squid 100 16 256
coredump_dir /home/mydomain/opt/squid/var/cache/squid

refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:        1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

visible_hostname mydomain.org
   


I've tried adding references to port 80 but so far nothing has worked.

I will sincerely appreciate any suggestions. We have had the website down
for two months now trying to get Squid working :(


Three things:

* make Squid listen on port 80

* run your tests with *exactly* the same URLs the visitors will be 
requesting ... http://mydomain.org/
 - find out where that "localhost:3129" is coming from and fix it. It 
is something between your test browser and Squid.


* configure DNS to point mydomain.org at the Squid proxy IP address

Amos
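
The three URL rules in the reply above (relative where possible, no port when a domain is unavoidable, no "scheme:") can be audited against pages the backend web server generates. This is an added Python example, not code from the thread or from the Squid project; the function name `audit_backend_html` is hypothetical and the HTML is constructed, reusing the thread's placeholder domain and backend port 3130.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser issue a follow-up request.
URL_ATTRS = {"href", "src", "action"}

# Constructed sample of what a backend behind the accelerator might emit.
SAMPLE_PAGE = """\
<html><head>
<link rel="stylesheet" href="/skins/main.css">
<script src="http://mydomain.org:3130/load.php"></script>
</head><body>
<a href="/index.php?title=Main_Page">Main page</a>
<a href="//mydomain.org/index.php?title=Help">Help</a>
<a href="http://mydomain.org/index.php?title=About">About</a>
<form action="http://localhost:3130/index.php" method="post"></form>
<a href="mailto:webmaster@mydomain.org">Contact</a>
</body></html>
"""


class _UrlCollector(HTMLParser):
    """Collect URL-bearing attribute values in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def audit_backend_html(html):
    """
    Return [(url, [problems])] for generated URLs that would send the
    visitor's next request somewhere other than the front-end proxy.
    """
    collector = _UrlCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        if not parts.netloc:
            continue  # rule 1: relative URL (or a non-network scheme such as mailto:)
        problems = []
        if parts.port is not None:
            problems.append("explicit port")    # breaks rule 2
        if parts.scheme:
            problems.append("explicit scheme")  # breaks rule 3
        if problems:
            findings.append((url, problems))
    return findings


if __name__ == "__main__":
    for url, problems in audit_backend_html(SAMPLE_PAGE):
        print(url, "->", ", ".join(problems))
```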


[squid-users] Access Denied on an URL with a port

2003-02-07 Thread Cliff Barnes
Hi List!

This is my first posting to the list and I hope, I don´t ask something that
is asked and answered many times before...

On this URL:

http://www3.renault-agriculture.com:85/scripts/wgate/zw20/!?~login=EINTICS&~
language=DE

I get the "Access Denied" message from SQUID.

My configuration:

Internet -- TrendMicro Interscan Viruswall -- SQUID -- Users

I guess it´s because the ":85", but I don´t know... please help me!

Ciao
Cliff





Re: [squid-users] Access Denied on an URL with a port

2003-02-07 Thread Lieven Marchand
"Cliff Barnes" <[EMAIL PROTECTED]> writes:

> I guess it´s because the ":85", but I don´t know... please help me!

Add port 85 to the Safe_ports acl in squid.conf.

-- 
Never argue with a fool in public. People might not see the difference.
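
Why port 85 is refused and what adding it to Safe_ports changes, worked through as an added Python example (not code from the thread or from the Squid project). It is a simplified model of http_access first-match evaluation that handles only the `port`, `method` and `src` ACL types; the configuration is a constructed cut-down of the stock rules and the function names are hypothetical.

```python
import ipaddress

# Constructed, cut-down version of the stock access rules.
BASE_CONF = """\
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# The fix suggested in the thread: list port 85 as a safe port.
FIXED_CONF = BASE_CONF.replace(
    "acl CONNECT method CONNECT",
    "acl Safe_ports port 85\nacl CONNECT method CONNECT",
)


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            # Repeated "acl NAME ..." lines add values to the same ACL.
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(name, acls, request):
    if name == "all":  # built in
        return True
    kind, values = acls[name]
    if kind == "port":
        for value in values:
            low, _, high = value.partition("-")
            if int(low) <= request["port"] <= int(high or low):
                return True
        return False
    if kind == "method":
        return request["method"] in values
    if kind == "src":
        address = ipaddress.ip_address(request["src"])
        return any(address in ipaddress.ip_network(v) for v in values)
    raise ValueError("ACL type not modelled: " + kind)


def evaluate(conf_text, request):
    """Return (action, deciding_line). ACLs on one line are ANDed; first matching line wins."""
    acls, rules = parse_conf(conf_text)
    if not rules:
        return "deny", "no http_access lines"
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), acls, request) != n.startswith("!")
               for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # Nothing matched: the result is the opposite of the last line's action.
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "opposite of last line"


if __name__ == "__main__":
    get_85 = {"src": "192.168.1.10", "method": "GET", "port": 85}
    print("before:", evaluate(BASE_CONF, get_85))
    print("after: ", evaluate(FIXED_CONF, get_85))
```

In the model, listing port 85 in Safe_ports does not open CONNECT tunnels to that port: the `deny CONNECT !SSL_ports` line still decides those requests.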



Re: [squid-users] Access Denied on an URL with a port

2003-02-07 Thread Marc Elsen


Cliff Barnes wrote:
> 
> Hi List!
> 
> This is my first posting to the list and I hope, I don´t ask something that
> is asked and answered many times before...
> 
> On this URL:
> 
> http://www3.renault-agriculture.com:85/scripts/wgate/zw20/!?~login=EINTICS&~
> language=DE
> 
> I get the "Access Denied" message from SQUID.
> 
> My configuration:
> 
> Internet -- TrendMicro Interscan Viruswall -- SQUID -- Users
> 
> I guess it´s because the ":85", but I don´t know... please help me!

 It is, make sure that if you want squid to allow connections to that
port,
 that it is listed in safe ports in squid.conf.
 See acl Safe_ports, and related comments in squid.conf.default.


 M.

> 
> Ciao
> Cliff

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)



Re: [squid-users] Access Denied on an URL with a port

2003-02-07 Thread Cliff Barnes
Hello Marc,

 I don´t know if this is really what I want... because of:

 Internet -- TrendMicro Interscan Viruswall -- SQUID -- Users

SQUID should always connect through the Viruswall and never direct to the
internet. If I put in port 85 to the safe_ports, will SQUID bypass the
virusprotection?

CU
Cliff






Re: [squid-users] Access Denied on an URL with a port

2003-02-07 Thread Lieven Marchand
"Cliff Barnes" <[EMAIL PROTECTED]> writes:

>  I don´t know if this is really what I want... because of:
> 
>  Internet -- TrendMicro Interscan Viruswall -- SQUID -- Users
> 
> SQUID should always connect through the Viruswall and never direct to the
> internet. If I put in port 85 to the safe_ports, will SQUID bypass the
> virusprotection?

No.

-- 
Never argue with a fool in public. People might not see the difference.



Re: [squid-users] Access Denied on an URL with a port

2003-02-07 Thread Marc Elsen


Cliff Barnes wrote:
> 
> Hello Marc,
> 
>  I don´t know if this is really what I want... because of:
> 
>  Internet -- TrendMicro Interscan Viruswall -- SQUID -- Users
> 
> SQUID should always connect through the Viruswall and never direct to the

 In that case you need :

 never_direct allow all

 in squid.conf.

 M.

> internet. If I put in port 85 to the safe_ports, will SQUID bypass the
> virusprotection?
> 
> CU
> Cliff
> 

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)



Re: [squid-users] Access Denied on an URL with a port

2003-02-07 Thread Cliff Barnes
Thank you for this very, very, very quick answer!

Cliff


--
WHAT CAN THE ENLIGHTENED DO? :: the enlightened can write any software. can
as in a question of ability. with little thought, they can reverse-engineer
without debuggers, and tell what is possible and what is not without a
technical detail.




[squid-users] Access denied on transparent after upgrade 3.1.x to 3.3

2012-12-19 Thread Ali Jawad
Hi
I did upgrade from squid 3.1.x to 3.3 "and tried 3.2.5 in between"
problem is now that I have upgraded transparent proxy always returns
access denied even if I do set src all to allowed. Please see a sample
config below

http://pastebin.com/vEWgsPkz

On 3.1.x the transparent proxy did work just fine for http_port, I did
upgrade due to issue with https_port, but since the upgrade even the
http_port for transparent always returns denied.

Please advise.

Regards


[squid-users] Access Denied when a question mark is in the URL

2003-03-14 Thread Boniforti Flavio
I got a problem when accessing URLs which contain "?" like when they
pass some values...

What's the matter here?

---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---




[squid-users] access denied with 2.5S11, but ok wiht 2.5S9 same config

2005-10-04 Thread Arno . STREULI
Hello,
I just create a new proxy with squid 2.5S11 on solaris 8, I take the same
config (except of the name of the server) that the one is running in
production on another server. But I get an access denied.
here is the cache.log (I don't know why I got that on log, I didn't ask
for any debug or something).

2005/10/04 09:23:11| storeLateRelease: released 0 objects
[2005/10/04 09:23:42, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[B9J] domain=[D-BI1] workstation=[X-VCZMTNSARFNFZ] len1=24
len2=24
[2005/10/04 09:23:42, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2005/10/04 09:23:42, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x0216


here is my config:
cache_effective_user squid
cache_effective_group nobody

http_port 8080
refresh_pattern .   0   20% 4320
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:        1440    0%  1440

visible_hostname squid
cache_mem 300 MB

# Authentication scheme
## NTLM auth
auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 64
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm max_challenge_reuses 0

external_acl_type NT_global_group concurrency=40 %LOGIN /opt/squid/libexec/wbinfo_group.pl
external_acl_type NT_group concurrency=30 %LOGIN /opt/squid/libexec/wbinfo_group.pl

acl techuser external NT_global_group D-BI1\SurfeursWebCCH-T
acl webuserCA external NT_global_group D-BI1\SurfeursWebCCH D-BI1\SurfeursWebCCH-T
acl webuserAutre external NT_group D-B1\SurfeursWebBCH DH1\SurfeursWebHCH
# ACL config
acl SSL_ports port 443 563 22
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
acl QUERY urlpath_regex cgi-bin \?
acl manager proto cache_object
acl auth proxy_auth REQUIRED
acl ftp proto ftp
acl java_jvm browser Java/1.4

acl to_localhost dst 127.0.0.0/8
acl local dst 10.137.0.0/255.255.0.0
acl localhost src 127.0.0.1/255.255.255.255

acl CI dst 10.0.0.0/255.0.0.0
acl ci-dst dst 10.137.0.0/255.255.0.0
acl ci-src src 10.137.0.0/255.255.0.0

acl AntiVirus1 dstdomain .symantec.com
acl AntiVirus2 dstdomain .symantecliveupdate.com

# cache directory info
cache_dir diskd /cache1 25000 64 256
cache_replacement_policy LFUDA

maximum_object_size 20 MB

cache_swap_high 80
cache_swap_low 70
# cache log file path
cache_store_log none
cache_access_log /opt/squid/logs/access.log
cache_log /opt/squid/logs/cache.log
pid_filename /opt/squid/logs/squid.pid

http_reply_access allow all
icp_access allow all

redirect_children 20
coredump_dir /usr/local/squid/var

forwarded_for off
hierarchy_stoplist cgi-bin ?

## http access rules
http_access allow manager ci-src
http_access allow manager localhost
http_access deny manager

http_access allow java_jvm
http_access allow AntiVirus1
http_access allow AntiVirus2
http_access allow ci-src auth webuserCA
http_access allow !ci-src auth webuserAutre
http_access deny all


Any hint on why ?
all usual wbinfo test and ntlm_auth are working fine.

thanks in advance





Re: [squid-users] Access denied on transparent after upgrade 3.1.x to 3.3

2012-12-19 Thread Eliezer Croitoru

Hey Ali,

Two major points for you.
Squid requires one port to be a regular forward proxy with no 
transparent or other options.


What is your problem? regular proxy or just intercept?

To make things simpler advance one step at a time please.
- basic squid configuration without intercept.
ALL is not a dst or src but a ALL by all means so just use one line in 
the http_access and only one to make it clear:

http_access allow all.

Beware that this will make your proxy *open* to anyone and it is just a 
debugging step which you should change after the test.


How do you intercept your traffic? iptables? routing? bridging?

Please attach the access.log to confirm it's squid problem and not other 
problem you are having since it smells something else to me.


Regards,
Eliezer

On 12/19/2012 4:05 PM, Ali Jawad wrote:

Hi
I did upgrade from squid 3.1.x to 3.3 "and tried 3.2.5 in between"
problem is now that I have upgraded transparent proxy always returns
access denied even if I do set src all to allowed. Please see a sample
config below

http://pastebin.com/vEWgsPkz

On 3.1.x the transparent proxy did work just fine for http_port, I did
upgrade due to issue with https_port, but since the upgrade even the
http_port for transparent always returns denied.

Please advise.

Regards



--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Access denied on transparent after upgrade 3.1.x to 3.3

2012-12-20 Thread Ali Jawad
Hi
I do intercept traffic using iptables, problem is same config works
for squid 3.1.2, I did remove all access rules and ended up with the
config below but I still get an access denied error.

always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all


http_port 0.0.0.0:80 transparent
http_port 0.0.0.0:8080 transparent
http_port 0.0.0.0:3128
#http_port 127.0.0.1:3080 intercept
#https_port 0.0.0.0:443 transparent  intercept cert=/etc/squid/proxy.example.com.cert key=/etc/squid/proxy.example.com.key
#https_port 0.0.0.0:443 transparent  ssl-bump cert=/etc/squid/proxy.example.com.cert key=/etc/squid/proxy.example.com.key

http_access allow all

coredump_dir /usr/local/squid/var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:        1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
#debug_options ALL,3


Regards

On Wed, Dec 19, 2012 at 9:45 PM, Eliezer Croitoru  wrote:
> egards,
> Eliezer


Re: [squid-users] Access denied on transparent after upgrade 3.1.x to 3.3

2012-12-20 Thread Ali Jawad
Hi
I did miss to point out an important factor, the server is a remote
transparent proxy, in other words

my pc "uses a custom dns to point certain sites to proxy server" --
Internet Gateway  Transparent proxy with public IP and redirect
port 80 to proxy

Regards



Re: [squid-users] Access denied on transparent after upgrade 3.1.x to 3.3

2012-12-20 Thread Eliezer Croitoru

Try to start from scratch what you are doing what are your settings?
If you have access denied you should look at the access.log.
What do you have there?
I don't think it's squid issue but another thing on the way but we cannot 
even try helping you with the basic logs needed.


Regards,
Eliezer

On 12/20/2012 4:44 PM, Ali Jawad wrote:

Hi
I did miss to point out an important factor, the server is a remote
transparent proxy, in other words

my pc "uses a custom dns to point certain sites to proxy server" --
Internet Gateway  Transparent proxy with public IP and redirect
port 80 to proxy

Regards



--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Access denied on transparent after upgrade 3.1.x to 3.3

2012-12-21 Thread Amos Jeffries

On 21/12/2012 3:44 a.m., Ali Jawad wrote:

Hi
I did miss to point out an important factor, the server is a remote
transparent proxy, in other words

my pc "uses a custom dns to point certain sites to proxy server" --
Internet Gateway  Transparent proxy with public IP and redirect
port 80 to proxy


So you have:
 1) custom DNS pointing websites at the proxy with "transparent" option set?
  --> BROKEN. DNS pointing at a proxy is "reverse-proxy" configuration. 
http_port requires reverse-proxy "accel" option and related settings.


 2) a "transparent" proxy (which type? there are 5 types of 
"transparent" supported by Squid today, all of which work very differently)
redirecting traffic to itself.
 --> BROKEN. lookup "forwarding loops" for lots of details on what is 
wrong with that.



If I make two assumptions about your setup and the error (which you 
still have not presented proper details about). I can assume that the 
3.3 is rejecting your traffic at the Host: header validation stage, when 
the TCP destination IP address is not found in the kernel NAT tables or 
the one found does not match the HTTP request destination domain. There 
are several major problems with NAT interception methods which means the 
NAT operation *must* be performed on the Squid box - this rejection is 
the visible result of remote-box NAT operation sending conflicting 
information at TCP/IP and HTTP protocol layers.


Amos


Re: [squid-users] Access Denied when a question mark is in the URL

2003-03-14 Thread Marc Elsen


Boniforti Flavio wrote:
> 
> I got a problem when accessing URLs which contain "?" like when they
> pass some values...

  What is the problem, then ?

  Which version of squid are you using ?
  On which platform/os/version ?

  M.

> 
> What's the matter here?
>


Re: [squid-users] Access Denied when a question mark is in the URL

2003-03-14 Thread Henrik Nordstrom
I would guess you are inside a proxy firewall. See the Squid FAQ.

Regards
Henrik

Fri 2003-03-14 at 14.46, Boniforti Flavio wrote:
> I got a problem when accessing URLs which contain "?" like when they
> pass some values...
> 
> What's the matter here?
> 
> ---
> Boniforti Flavio
> Provincia del Verbano-Cusio-Ossola
> Ufficio Informatica
> 
> Tecnoparco del Lago Maggiore
> Via dell'Industria, 25
> 28924 Verbania
> ---
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



RE: [squid-users] Access Denied when a question mark is in the URL

2003-03-18 Thread Boniforti Flavio

> I would guess you are inside a proxy firewall. See the Squid FAQ.

Yes, in fact I am behind another proxy.

As far as I understand I would have to enable my proxy to ALWAYS forward
requests directly to the other proxy, right?





RE: [squid-users] Access Denied when a question mark is in the URL

2003-03-18 Thread Henrik Nordstrom
Tue 2003-03-18 at 09.09, Boniforti Flavio wrote:
> > I would guess you are inside a proxy firewall. See the Squid FAQ.
> 
> Yes, in fact I am behind another proxy.
> 
> As far as I understand I would have to enable my proxy to ALWAYS forward
> requests directly to the other proxy, right?

Or to be more precise in Squid terms to NEVER attempt to go direct.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



RE: [squid-users] Access Denied when a question mark is in the URL

2003-03-18 Thread Boniforti Flavio
> Or to be more precise in Squid terms to NEVER attempt to go direct.

Well, I actually have "never_direct allow all" in my config...

And now it seems to work (I correctly access some Lotus Domino-based
applications which require "?" to pass parameters)...

Is this enough?

Thanks




RE: [squid-users] Access Denied when a question mark is in the URL

2003-03-18 Thread Henrik Nordstrom
Tue 2003-03-18 at 12.50, Boniforti Flavio wrote:
> > Or to be more precise in Squid terms to NEVER attempt to go direct.
> 
> Well, I actually have "never_direct allow all" in my config...
> 
> And now it seems to work (I correctly access some Lotus Domino-based
> applications which require "?" to pass parameters)...
> 
> Is this enough?

Yes.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] access denied with 2.5S11, but ok wiht 2.5S9 same config

2005-10-05 Thread Mark Elsen
> Hello,
> I just create a new proxy with squid 2.5S11 on solaris 8, I take the same
> config (except of the name of the server) that the one is running in
> production on another server. But I get an access denied.
> here is the cache.log (I don't know why I got that on log, I didn't ask
> for any debug or something).
>
> 2005/10/04 09:23:11| storeLateRelease: released 0 objects
> [2005/10/04 09:23:42, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>  Got user=[B9J] domain=[D-BI1] workstation=[X-VCZMTNSARFNFZ] len1=24
> len2=24
> [2005/10/04 09:23:42, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>  NTLMSSP Sign/Seal - Initialising with flags:
> [2005/10/04 09:23:42, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>  Got NTLMSSP neg_flags=0x0216
>
>

  Check access.log, for the particular uri.
  Post here, for instance.

  M.