Re: [squid-users] TCP_DENIED/403 errors when ads blocking is activated

2022-12-03 Thread Nicolas

You're right, Matus. That was the issue.
I replaced, as you suggested:
acl ads dstdom_regex "/etc/squid/ad_block.txt"
with
acl ads dstdomain "/etc/squid/ad_block.txt"
and now it works.

Thank you very much, Matus!

Have a nice day.

Nicolas.

On 03/12/2022 at 15:02, Matus UHLAR - fantomas wrote:

On 03.12.22 13:52, Nicolas wrote:

I installed squid on one of my servers, in order to block ads.

When I do not activate ads blocking, it works fine.
However, when I do activate ads blocking, some websites are not
accessible.
I can browse www.google.com for example, but I can't access
www.linuxhint.com and a LOT of other websites.

Here's what appears in access.log :
1670071413.742  0 192.168.228.145 TCP_DENIED/403 3985 CONNECT
linuxhint.com:443 - HIER_NONE/- text/html

Here's my squid.conf file :



acl ads dstdom_regex "/etc/squid/ad_block.txt"
http_access deny ads



curl -sS -L --compressed
"http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml=0=plaintext;
> /etc/squid/ad_block.txt
which is on my server :
-rw-r--r-- 1 root root 60609 Dec  2 16:40 /etc/squid/ad_block.txt

I don't see anything special in that file, which contains for example :
1-1ads.com
101com.com
101order.com
123freeavatars.com
180hits.de
180searchassistant.com


The "t.co" entry matches.

There are no regexes in that file; you should probably use "dstdomain"
instead.

regexes match . as any character and match in the middle of strings.



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] TCP_DENIED/403 errors when ads blocking is activated

2022-12-03 Thread Matus UHLAR - fantomas

On 03.12.22 13:52, Nicolas wrote:

I installed squid on one of my servers, in order to block ads.

When I do not activate ads blocking, it works fine.
However, when I do activate ads blocking, some websites are not accessible.
I can browse www.google.com for example, but I can't access www.linuxhint.com 
and a LOT of other websites.

Here's what appears in access.log :
1670071413.742  0 192.168.228.145 TCP_DENIED/403 3985 CONNECT 
linuxhint.com:443 - HIER_NONE/- text/html

Here's my squid.conf file :



acl ads dstdom_regex "/etc/squid/ad_block.txt"
http_access deny ads



curl -sS -L --compressed 
"http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml=0=plaintext;
 > /etc/squid/ad_block.txt
which is on my server :
-rw-r--r-- 1 root root 60609 Dec  2 16:40 /etc/squid/ad_block.txt

I don't see anything special in that file, which contains for example :
1-1ads.com
101com.com
101order.com
123freeavatars.com
180hits.de
180searchassistant.com


The "t.co" entry matches.

There are no regexes in that file; you should probably use "dstdomain"
instead.


regexes match . as any character and match in the middle of strings.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
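The over-match Matus describes, as an added illustration that is not part of the thread and not Squid's own matcher: the functions below model the two ACL types (dstdom_regex as an unanchored regular expression in which "." is any character and a hit anywhere in the hostname counts; dstdomain as an exact host match, or domain-plus-subdomains when the entry starts with a dot) and audit a list for entries that behave differently under the two. AD_LIST and the hosts checked are constructed; the real ad_block.txt has thousands of lines.

```python
"""Why a list of plain hostnames misbehaves as dstdom_regex. Added
illustration, not Squid's matcher: dstdom_regex treats each line as an
unanchored regular expression ('.' is any character, a hit anywhere in the
host counts); dstdomain compares whole names. AD_LIST and the hosts checked
are constructed; the real ad_block.txt has thousands of lines."""
import re

# Constructed excerpt of an ad-server list: plain hostnames, no regex syntax.
AD_LIST = ["1-1ads.com", "101com.com", "t.co", "adserver.example"]


def dstdom_regex_hits(entries, host, ignore_case=False):
    """Entries that match `host` under dstdom_regex rules (-i = ignore case)."""
    flags = re.IGNORECASE if ignore_case else 0
    return [e for e in entries if re.search(e, host, flags)]


def dstdomain_hits(entries, host):
    """Entries that match `host` under dstdomain rules: a bare name matches
    only that exact host; a leading dot matches the domain and its subdomains."""
    host = host.lower()
    hits = []
    for e in entries:
        e = e.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                hits.append(e)
        elif host == e:
            hits.append(e)
    return hits


def overmatching_entries(entries, hosts):
    """Audit: for each host, the entries that hit as a regex but would not hit
    as dstdomain. These are the lines behind the unexpected TCP_DENIED/403s."""
    bad = {}
    for h in hosts:
        for e in dstdom_regex_hits(entries, h):
            if not dstdomain_hits([e], h):
                bad.setdefault(e, []).append(h)
    return bad


def as_safe_regex(entries):
    """If a regex ACL is really wanted, escape and anchor every line so it
    behaves like dstdomain's '.name' form instead of a substring search."""
    return [r"(^|\.)" + re.escape(e.lstrip(".")) + "$" for e in entries]


if __name__ == "__main__":
    for host in ["linuxhint.com", "www.google.com", "t.co", "api.t.co"]:
        print(host, "regex:", dstdom_regex_hits(AD_LIST, host),
              "dstdomain:", dstdomain_hits(AD_LIST, host))
    print("over-matching:", overmatching_entries(AD_LIST, ["linuxhint.com"]))
    print("anchored:", as_safe_regex(["t.co"]))
```

Running the audit over the real list before loading it as dstdom_regex would have flagged "t.co" (and any other short entry) immediately; switching the ACL type to dstdomain, as Matus suggests, is the simpler fix because it needs no escaping at all.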


Re: [squid-users] TCP_DENIED/403 3954 CONNECT www.welt.de:443 - HIER_NONE/- text/html

2021-01-05 Thread Amos Jeffries

On 6/01/21 6:21 am, Wolfgang Paul Rauchholz wrote:
I run a home server under Centos 7 and squid 3.5.20. The config is still 
work in progress as I started only today. Any tips are welcome.
The function is as expected when working from my LAN. But when I tested 
today from my cell phone from outside I received a few TCP_DENIED for 
web pages that are not part of the blacklists and I can access from my LAN.
I also tried a few apps (e.g. Twitter, Linkedin, etc..) and none worked. 
Underneath the config as-is.


Any idea why I cannot connect?



The provided squid.conf has two types of access permitted through this 
proxy:


1) non-LAN traffic is allowed to anything on the whitelist.

2) LAN traffic is allowed to anything on the whitelist AND anything not 
on the blacklist(s).



So the key question is whether the domains you tried are (or were) on 
the whitelist when you access them from outside the LAN.





I have two more questions I fiddled with and had no success:

  * Is there a possibility to re-direct certain MACs from the LAN
through Squid and others can go direct?


Getting traffic to the proxy is entirely the OS duty. Most OS can route 
or NAT IPv4 packets based on MAC.


Note that if the client is not opening connections to the proxy by 
itself then you need to follow one of the interception configurations on 
the Squid machine. see 

Squid needs separate http_port's for the intercepted traffic and the 
normal proxy traffic.




  * Is there a good howto that describes in detail how autodetect proxy
works with wpad.dat. I want that when users are on LAN they go
through squid, but when they are travelling they can go direct.




I suggest you have a read of the FAQs 
() about how 
proxies can be used by Browsers. In particular the section "Recommended 
network configuration" and links from there.





Thanks for your help,

Wolfgang



#acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16  # RFC1918 possible internal network

#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Add wo-lar LAN IP
acl lan src 10.5.2.0/24 



FYI: this is what "localnet" ACL is supposed to be set to.

As the squid.conf file itself says:
 # Adapt localnet in the ACL section to list your (internal) IP networks



# Basic user auth
#auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd

#auth_param basic children 5
#auth_param basic realm Squid Basic Authentication
#auth_param basic credentialsttl 5 hours
#acl password proxy_auth REQUIRED
#http_access allow password



FYI: if you ever want to enable auth this should all be down below the 
blacklist http_access lines.




#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports



Please re-enable the above lines. They are protecting against whole 
groups of security attacks.




# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl allowdomains dstdomain "/etc/squid/whitelists/domains"
acl porn         dstdomain "/etc/squid/blacklists/porn/domains"
acl drugs        dstdomain "/etc/squid/blacklists/drugs/domains"
http_access allow allowdomains
http_access deny porn
http_access deny drugs

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
http_access allow lan

# And finally deny all other access to this proxy
http_access deny all




request_header_access Referer deny all
request_header_access X-Forwarded-For deny all


You have configured "forwarded_for off" and are not using the clients 
X-Forwarded-For header. Which means the above setting does nothing useful.




Re: [squid-users] TCP_DENIED/407 AD auth

2019-12-04 Thread stancfg
Hello Schroeffu,
Somehow I've managed to miss this last sentence.
I have another proxy in production that is working with ACLs like this, but
showing the same error "TCP_DENIED/407".
That is why I decided to build a new one and find the "problem".
Probably will try a new one with Kerberos.
Thank you very much Schroeffu.

Regards
Stan



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html


Re: [squid-users] TCP_DENIED/407 AD auth

2019-12-04 Thread info
Hi Stan,

when you are using NTLM, according to the last sentence in
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm (very bottom):

"Note that when using NTLM authentication, you will see two "TCP_DENIED/407" 
entries in access.log for every request. This is due to the challenge-response 
process of NTLM."

So usually any request from end-user through ntlm auth proxy should log a 
TCP_DENIED/407. If you have websites allowed without authentication in 
squid.conf before the authentication configuration - of course, these are not 
logging 407. The real challenge-response thing maybe somebody else can explain 
that better to you / or link a documentation.

For example I'm running a whitelist configured before the authentication
configuration, so I can add domains to allow without NTLM (apple.com domains
etc.)

acl white_domain dstdomain "/etc/squid/ka/domains_noauth.acl"
http_access allow white_domain

acl white_regexp url_regex -i "/etc/squid/ka/domains_noauth_regex.acl"
http_access allow white_regexp

#Allow fetch intermediate certs before required authentication, guess this is 
required for SSL BUMP + NTLM
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
http_access allow fetched_certificate

# NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --offline-logon
(...)(ntlm configuration, check required ldap groups, blablah)
(...)
(...)
(...)

# Allow based on group membership
# Authentication required, otherwise Pop-Up to Basic Auth
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users



On 4 December 2019 15:25, "stancfg" wrote:

> Hello Schroeffu 
> 
> I fully agree with you, but why are some requests authenticated and some
> are not?
> Is this normal behaviour?
> Thank you for your help.
> 
> Stan
> 


Re: [squid-users] TCP_DENIED/407 AD auth

2019-12-04 Thread stancfg
Hello Schroeffu 

I fully agree with you, but why are some requests authenticated and some
are not?
Is this normal behaviour?
Thank you for your help.

Stan





Re: [squid-users] TCP_DENIED/407 AD auth

2019-12-04 Thread info
To my understanding, with (NTLM) authentication every request needs to be
authenticated. Therefore you will see a TCP_DENIED/407 every time before a
TCP_***/200, because the request needs to be authenticated again each time.

Anybody else correct me if I am wrong ;-)

Schroeffu



On 4 December 2019 15:09, "stancfg" wrote:

> Hello everyone, I'm facing some problem with squid.
> Squid proxy is working but access.log is showing TCP_DENIED/407 for most
> of the connections.
> If I remove the authentication configuration from squid.conf this error is
> missing from access.log.
> 
> CentOS Linux release 8.0.1905
> 4.18.0-147.6.el8.x86_64 
> Squid Cache: Version 4.4
> wbinfo -t 
> checking the trust secret for domain AD via RPC calls succeeded
> 
> Any assistance in this matter would be greatly appreciated 
> Regards
> Stan
> 
> *squid.conf*
> 
> *smb.conf*
> 
> *nsswitch.conf*
> 
> *access.log*
> 
> *cache.log*
> 
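The handshake behind the two TCP_DENIED/407 lines that Schroeffu quotes from the wiki (and, above, describes as every request needing to be authenticated), as an added model that is not code from the thread, from Squid or from ntlm_auth: the proxy answers the first, credential-less request with a bare NTLM challenge, answers the client's negotiate message with a server challenge, and only the third request (the authenticate message) gets a TCP_MISS/200. The "NTLM" tokens here are a stand-in (a nonce plus an HMAC over it), not real NTLMSSP messages, and the user database is constructed.

```python
"""Model of the NTLM negotiate / challenge / authenticate exchange as a proxy
sees it, showing why one fresh authentication leaves two TCP_DENIED/407 lines
in access.log before the TCP_MISS/200. Added illustration, not Squid or
ntlm_auth code: tokens are a stand-in (nonce + HMAC), not real NTLMSSP."""
import base64
import hashlib
import hmac
import os

USERS = {"stan": b"hunter2"}               # constructed password store


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _unb64(s: str) -> str:
    return base64.b64decode(s).decode()


def _response(password: bytes, nonce: str) -> str:
    # Stand-in for the NTLM response: keyed hash of the server's challenge.
    return hmac.new(password, nonce.encode(), hashlib.sha256).hexdigest()


class NtlmProxyModel:
    """Proxy side. One outstanding challenge per client connection."""

    def __init__(self):
        self.pending = {}                  # connection id -> challenge nonce
        self.access_log = []               # (status, user), like access.log

    def _deny(self, challenge="NTLM"):
        self.access_log.append(("TCP_DENIED/407", "-"))
        return 407, {"Proxy-Authenticate": challenge}

    def handle(self, conn, proxy_authorization=None):
        if proxy_authorization is None:    # round trip 1: no credentials at all
            return self._deny()
        scheme, _, token = proxy_authorization.partition(" ")
        if scheme != "NTLM" or not token:
            return self._deny()
        try:
            msg = _unb64(token).split(" ")
        except ValueError:                 # undecodable token: challenge again
            return self._deny()
        if msg[0] == "TYPE1":              # round trip 2: negotiate -> challenge
            nonce = os.urandom(8).hex()
            self.pending[conn] = nonce
            return self._deny("NTLM " + _b64("TYPE2 " + nonce))
        if msg[0] == "TYPE3" and len(msg) == 3:   # round trip 3: authenticate
            _, user, resp = msg
            nonce = self.pending.pop(conn, None)
            if nonce and user in USERS and hmac.compare_digest(
                    resp, _response(USERS[user], nonce)):
                self.access_log.append(("TCP_MISS/200", user))
                return 200, {}
        return self._deny()


def client_authenticate(proxy, conn, user, password: bytes):
    """Client side: drive the three requests, return the status codes seen."""
    statuses = []
    status, hdrs = proxy.handle(conn)                      # no credentials
    statuses.append(status)
    status, hdrs = proxy.handle(conn, "NTLM " + _b64("TYPE1 negotiate"))
    statuses.append(status)
    challenge = hdrs.get("Proxy-Authenticate", "")
    if challenge.startswith("NTLM "):
        nonce = _unb64(challenge[5:]).split(" ")[1]
        resp = _response(password, nonce)
        status, _ = proxy.handle(conn, "NTLM " + _b64(f"TYPE3 {user} {resp}"))
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    proxy = NtlmProxyModel()
    print(client_authenticate(proxy, "conn-1", "stan", b"hunter2"))
    for status, user in proxy.access_log:
        print(status, user)
```

The two 407 entries carry "-" as the user because no identity has been established yet; only the third line names the user. A wrong password produces a third 407 instead of the 200, which is what a log full of 407s with no following 200 for the same client usually means.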


Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

2017-05-26 Thread j m
Yes, I sort of pieced together what I found online, which is probably 
dangerous.  I really need to become familiar with how exactly this works for 
security's sake if nothing else.

  From: Amos Jeffries <squ...@treenet.co.nz>
 To: j m <acctforj...@yahoo.com>; "squid-users@lists.squid-cache.org" 
<squid-users@lists.squid-cache.org> 
 Sent: Friday, May 26, 2017 2:53 PM
 Subject: Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine 
as squid
   
Ah, your problem seems to be a misunderstanding of how authentication works.

What Squid receives on messages can have three forms:

  1) no credentials at all
  2) correct credentials
  3) invalid credentials

Your definition of the auth_users ACL using "REQUIRED" takes care of the 
(1) situation. Squid will respond with 407 to get credentials from any 
client that does not send any. This is what you are seeing on that 
second log line of your previous post, and the popup in your tests.

Now the "http_access allow auth_users" line only takes care of situation 
(2), permitting valid users.

Which leaves situation (3) undefined. ... All other traffic continues on 
to the next http_access line, which is "allow all", ouch.


This is why best practice is to use a "deny" line like so:
  http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated 
thing, both situation (1) and (2) traffic.

Rules permitting things through without authenticating go above that 
http_access line, and things applying to authenticated users go below it.

Amos





Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

2017-05-26 Thread Amos Jeffries

On 27/05/17 07:52, Amos Jeffries wrote:

This is why best practice is to use a "deny" line like so:
  http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated 
thing, both situation (1) and (2) traffic.


Sorry "both situation (1) and (3) traffic".

Amos



Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

2017-05-26 Thread Amos Jeffries

Ah, your problem seems to be a misunderstanding of how authentication works.

What Squid receives on messages can have three forms:

 1) no credentials at all
 2) correct credentials
 3) invalid credentials

Your definition of the auth_users ACL using "REQUIRED" takes care of the 
(1) situation. Squid will respond with 407 to get credentials from any 
client that does not send any. This is what you are seeing on that 
second log line of your previous post, and the popup in your tests.


Now the "http_access allow auth_users" line only takes care of situation 
(2), permitting valid users.


Which leaves situation (3) undefined. ... All other traffic continues on 
to the next http_access line, which is "allow all", ouch.



This is why best practice is to use a "deny" line like so:
  http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated 
thing, both situation (1) and (2) traffic.


Rules permitting things through without authenticating go above that 
http_access line, and things applying to authenticated users go below it.


Amos



Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

2017-05-26 Thread j m
Here's my squid.conf.  For what it's worth, shellinabox can be made to use only
HTTP if that's the issue.

auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm myrealm
auth_param digest children 2
acl auth_users proxy_auth REQUIRED
acl SSL_ports port 443
acl SSL_ports port SHELLINABOX_PORT
acl Safe_ports port SHELLINABOX_PORT
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
https_port SQUID_PORT cert=/etc/squid/squid.pem
cache deny all
netdb_filename none

  From: Amos Jeffries <squ...@treenet.co.nz>
 To: squid-users@lists.squid-cache.org 
 Sent: Friday, May 26, 2017 12:29 PM
 Subject: Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine 
as squid
   


On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine.
> The webserver is actually part of shellinabox, so it's only for me to
> access.  Shellinabox simply presents a terminal and login in a web
> browser.  I want it to be accessible only through squid for more
> security.
>
> shellinabox works fine if I access it directly, but through squid I
> see this in access.log:
>
> 1495813953.860    79 204.155.22.30 TCP_TUNNEL/200 1440 CONNECT IP:PORT USER HIER_DIRECT/IP
>
> 1495813962.001     0 204.155.22.30 TCP_DENIED/407 4397 CONNECT IP:PORT USER HIER_NONE/- text/html
>
> I've replaced the real IP, PORT, and USER with those words, however
> the real PORT is a nonstandard port number. There are some other
> posts I found mentioning a 407 error and it was said it occurs when
> the webpage is asking for authentication.  However I don't understand
> this, since shellinabox only displays a login prompt which I wouldn't
> think would be a problem.  Another post said a 407 is when squid auth
> is failing, but I can get to external websites through squid.
>
> Does it matter that what I'm trying to access is HTTPS instead of
> HTTP?

Yes it does. Beyond the obvious encryption there are messaging
differences that directly affect what the proxy can do.


The first log entry indicates that something has already been done to 
let the port "work", so your config is already non-standard and probably 
doing something weird. The presence of a USER value other than "-" 
indicates that the proxy-auth is working at least for that transaction.

Yes the 407 is login to *Squid*. Nothing to do with the shellinabox
software, the HIER_NONE/- on the second line says shellinabox is not
even being contacted yet for that transaction.


It is not possible to say why anything is happening here without knowing 
your config structure and intended policy. You will need to provide your 
squid.conf details to get much help.

If you need to obfuscate IP's please map them as if you were using the 
10/8 or 192.168/16 ranges so we can still identify any subtle things 
like TCP connections going wrong without revealing your public addresses.

Amos



Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

2017-05-26 Thread Amos Jeffries



On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine.
> The webserver is actually part of shellinabox, so it's only for me to
> access.  Shellinabox simply presents a terminal and login in a web
> browser.  I want it to be accessible only through squid for more
> security.
>
> shellinabox works fine if I access it directly, but through squid I
> see this in access.log:
>
> 1495813953.860    79 204.155.22.30 TCP_TUNNEL/200 1440 CONNECT IP:PORT USER HIER_DIRECT/IP
>
> 1495813962.001     0 204.155.22.30 TCP_DENIED/407 4397 CONNECT IP:PORT USER HIER_NONE/- text/html
>
> I've replaced the real IP, PORT, and USER with those words, however
> the real PORT is a nonstandard port number. There are some other
> posts I found mentioning a 407 error and it was said it occurs when
> the webpage is asking for authentication.  However I don't understand
> this, since shellinabox only displays a login prompt which I wouldn't
> think would be a problem.  Another post said a 407 is when squid auth
> is failing, but I can get to external websites through squid.
>
> Does it matter that what I'm trying to access is HTTPS instead of
> HTTP?

Yes it does. Beyond the obvious encryption there are messaging
differences that directly affect what the proxy can do.



The first log entry indicates that something has already been done to 
let the port "work", so your config is already non-standard and probably 
doing something weird. The presence of a USER value other than "-" 
indicates that the proxy-auth is working at least for that transaction.


Yes the 407 is login to *Squid*. Nothing to do with the shellinabox
software, the HIER_NONE/- on the second line says shellinabox is not
even being contacted yet for that transaction.



It is not possible to say why anything is happening here without knowing 
your config structure and intended policy. You will need to provide your 
squid.conf details to get much help.


If you need to obfuscate IP's please map them as if you were using the 
10/8 or 192.168/16 ranges so we can still identify any subtle things 
like TCP connections going wrong without revealing your public addresses.


Amos



Re: [squid-users] TCP_DENIED/403 on raspberrypi

2016-12-02 Thread domshyra
I tried that but still 403 :/. 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-DENIED-403-on-raspberrypi-tp4680711p4680723.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] TCP_DENIED/403 on raspberrypi

2016-12-02 Thread Antony Stone
On Friday 02 December 2016 at 21:30:57, domshyra wrote:

> So I have changed the file to a sample conf file. Here is what it looks
> like now

http_access allow all

Looks to me to be your biggest problem.

Standard security practice is "allow what you specifically know you want to 
allow, and deny by default everything else".

So, create your ACLs to allow what you want to allow, and then "deny all" at 
the end.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] TCP_DENIED/403 on raspberrypi

2016-12-02 Thread domshyra
So I have changed the file to a sample conf file. Here is what it looks like
now




authenticated_ips is a list of ip addresses that are going to be outgoing
ips and 192.168.1.25 isn't part of it. I have received a new 403 error which
is this below


192.168.1.25 is my macbook which is SSH'd into the raspberry pi 





Re: [squid-users] TCP_DENIED/403 on raspberrypi

2016-12-01 Thread Amos Jeffries
On 2/12/2016 4:36 a.m., domshyra wrote:
> Hello. I have looked for countless hours to solve this problem. 
> I have tried reordering the config file so that 
>  are all in different orders 
> 
> I've messed with http_access deny !Safe_ports
> 
> None of the regular trouble shooting issues helped. 
> I am on wifi on the pi with a static ip address, and I have tried explicitly
> adding that as well
> 

Try:


You have mentioned quite a few things being tried, but where in the config
you put the changes matters a lot to determine whether an attempt works or not.



> acl localnet src 192.168.0.0/16# RFC1918 possible internal network
> #acl localnet src 192.168.1.39/24 #home wifi

You removed the default "http_access allow localnet" line that uses this
ACL check to let traffic through.


> 
> # SAFE PORTS
> acl SSL_ports  port 443 494 2598

> acl Safe_ports port 1025-65535  # unregistered ports
> acl CONNECT method CONNECT
> never_direct allow all
> 

So Squid is never allowed to connect to any server ... Um.


> acl authenticated_ips src "/etc/squid3/ip_auth"
> 
> # HTTP ACCESS
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow authenticated_ips
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access deny all
> htcp_access deny all



> pi@raspberrypi:~ $ sudo tail -F /var/log/squid3/access.log 
> 1480315313.153  1 192.168.1.25 TCP_DENIED/403 3637 CONNECT 
> 127.0.0.1:19536 - HIER_NONE/- text/html

Read through the http_access ACL checks top-down left-to-right ...

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow authenticated_ips
> http_access deny CONNECT !SSL_ports
> http_access allow localhost

These 403 transactions are;
 *not* cache manager requests, next
 *not* cache manager requests, next
 *are* to a port listed in Safe_ports, next


Is 192.168.1.25 or a subnet containing it listed in the file
/etc/squid3/ip_auth ?
 Was it listed there when you started or last reconfigured Squid?


Starting from the default config file you should only have to add the
19536 port to SSL_ports and replace localnet ACL with your
authenticated_ips thing.

Just be extra paranoid about adding ports to SSL_Ports. Be sure you know
that the protocol(s!) being used over that port are safe. Squid does not
have any control or insight into what's happening over a CONNECT tunnel
once it's permitted.

Amos

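The "top-down, left-to-right" walk Amos describes here, the LAN-versus-whitelist walk in his 2021 reply to Wolfgang, and the three credential cases (none, valid, invalid) from his 2017 reply to j m are all the same evaluation rule, so one added model serves all three. It is an illustration, not Squid code: it walks http_access lines in order, requires every ACL on a line to match, stops at the first matching line, and applies the opposite of the last line's action when nothing matches. The proxy_auth handling follows Amos's three-case description (no credentials gives a 407 challenge, valid credentials match, invalid ones simply do not match); real Squid has more subtleties than that. Whitelist and blacklist contents, the ip_auth file, client addresses and the user store are all constructed, and the cache-manager lines are left out of the Pi config.

```python
"""Toy model of how Squid walks http_access: rules top-down, first matching
line wins, every ACL on a line must match (AND), and when nothing matches the
default is the opposite of the last line. Added illustration, not Squid code.
proxy_auth follows Amos's three-case description (no creds -> 407, valid ->
match, invalid -> no match); real Squid has more subtleties. All addresses,
domain lists and users below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


class NeedAuth(Exception):
    """proxy_auth checked on a request that carried no credentials: 407."""


@dataclass
class Request:
    src: str                     # client address
    host: str                    # destination host
    port: int                    # destination port
    method: str = "GET"
    creds: Optional[str] = None  # "user:password", or None = no header sent


VALID_USERS = {"alice": "s3cret"}          # constructed credential store


def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        h = req.host.lower()
        # ".name" matches name and every subdomain; a bare name only itself.
        return any((h == v[1:] or h.endswith(v)) if v.startswith(".") else h == v
                   for v in values)
    if kind == "port":                     # ints or "lo-hi" ranges
        for v in values:
            lo, _, hi = str(v).partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in values
    if kind == "proxy_auth":               # values == ["REQUIRED"]
        if req.creds is None:
            raise NeedAuth
        user, _, pw = req.creds.partition(":")
        return VALID_USERS.get(user) == pw  # bad credentials: just no match
    raise ValueError(f"unsupported acl type {kind}")


def http_access(acls, rules, req):
    """acls: name -> (kind, values); rules: [(action, ['name', '!name', ...])].
    Returns 'allow', 'deny' or '407'."""
    try:
        for action, terms in rules:
            for term in terms:
                negated = term.startswith("!")
                kind, values = acls[term.lstrip("!")]
                if acl_matches(kind, values, req) == negated:
                    break                  # this line fails; try the next one
            else:
                return action              # every ACL on the line matched
    except NeedAuth:
        return "407"
    return "deny" if rules[-1][0] == "allow" else "allow"


# 2021 thread: whitelist, then blacklists, then LAN. List contents assumed.
WOLFGANG_ACLS = {
    "all": ("src", ["0.0.0.0/0"]), "localhost": ("src", ["127.0.0.1/32"]),
    "lan": ("src", ["10.5.2.0/24"]),
    "allowdomains": ("dstdomain", [".allowed.example"]),
    "porn": ("dstdomain", [".porn.example"]),
    "drugs": ("dstdomain", [".drugs.example"]),
}
WOLFGANG_RULES = [("allow", ["allowdomains"]), ("deny", ["porn"]),
                  ("deny", ["drugs"]), ("allow", ["localhost"]),
                  ("allow", ["lan"]), ("deny", ["all"])]

# 2016 thread: Safe_ports / SSL_ports / authenticated_ips (manager lines omitted).
PI_ACLS = {
    "all": ("src", ["0.0.0.0/0"]), "localhost": ("src", ["127.0.0.1/32"]),
    "SSL_ports": ("port", [443, 494, 2598]),
    "Safe_ports": ("port", [80, 21, 443, 70, 210, "1025-65535"]),
    "CONNECT": ("method", ["CONNECT"]),
    "authenticated_ips": ("src", ["192.168.1.50/32"]),  # 192.168.1.25 not listed
}
PI_RULES = [("deny", ["!Safe_ports"]), ("allow", ["authenticated_ips"]),
            ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localhost"]),
            ("deny", ["all"])]

# 2017 thread: the posted ordering versus the recommended deny line.
AUTH_ACLS = {"all": ("src", ["0.0.0.0/0"]),
             "auth_users": ("proxy_auth", ["REQUIRED"])}
AUTH_RULES_POSTED = [("allow", ["auth_users"]), ("allow", ["all"])]
AUTH_RULES_FIXED = [("deny", ["!auth_users"]), ("allow", ["all"])]

if __name__ == "__main__":
    phone = Request("203.0.113.7", "www.welt.de", 443, "CONNECT")
    print("phone outside LAN:", http_access(WOLFGANG_ACLS, WOLFGANG_RULES, phone))
    pi = Request("192.168.1.25", "127.0.0.1", 19536, "CONNECT")
    print("CONNECT 127.0.0.1:19536:", http_access(PI_ACLS, PI_RULES, pi))
    bad = Request("192.168.1.9", "example.test", 443, "CONNECT", creds="mallory:x")
    print("bad creds, posted rules:", http_access(AUTH_ACLS, AUTH_RULES_POSTED, bad))
```

Reading the three configs through the same evaluator makes the three diagnoses mechanical: the phone from outside 10.5.2.0/24 only reaches whitelisted names, the Pi's CONNECT to 127.0.0.1:19536 dies on the "deny CONNECT !SSL_ports" line because 192.168.1.25 is not in ip_auth, and with "allow auth_users" followed by "allow all" a request carrying wrong credentials is let through.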


Re: [squid-users] TCP_DENIED/403

2015-10-15 Thread Amos Jeffries
On 15/10/2015 8:42 p.m., Filip Maroul wrote:
> Hello I am try to configure squid3 on debian 8 x64 version of squid is 3.4.8
> Here is the conf file:

How certain are you that is the config file being used?
The access.log says things are explicitly being denied, which that
config says are allowed.

Try running squid -k parse, and see if there are any ERROR or FATAL
messages displayed.

Also check that the output lines saying "Processing:" contain the config
file lines you are expecting to be used.

Amos



Re: [squid-users] TCP_DENIED and TCP_MISS_ABORTED

2015-02-25 Thread Amos Jeffries
On 26/02/2015 8:44 a.m., Mike wrote:
 We have recently been seeing this error on squid where one site that our
 users need access to is not loading at all.
 
 1424889858.688  0 127.0.0.1 TCP_DENIED/407 3968 GET
 http://www.afa.net/ - HIER_NONE/- text/html
 1424889878.725  20014 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
 http://www.afa.net/ testuser1 HIER_DIRECT/66.210.221.116
 
 [root@xeserver squid]# squid -v
 Squid Cache: Version 3.4.7
 
 Attempted to add an acl:
 acl allowafa dstdomain .afa.net .afastore.net
 http_access allow allowafa
 
 but this did not fix it.
 
 I understand the /407 as it related to http access means proxy
 authentication required, which is what every customer does when the
 browser is opened up, so authentication is already done

That does not follow from the 407. In fact it means exactly the opposite
-  authentication *not* done.

The existence of testuser1 information is what tells that
authentication is done.

 and active in
 the server, otherwise other websites would not be loading either.
 
 All other sites we need access to work fine, it is just something about
 this one... Any suggestions?

ABORTED means the client disconnected. As they are able to do at any
time. This particular transaction took 20 seconds and transferred 0
bytes to the client. No surprise they give up and disconnect.

The usual culprits are:
* broken Path-MTU discovery
* broken ECMP support
* Expect:100-continue
* broken TCP ECN support
* TCP window scaling

The 100-continue problem could be from the client, but the rest for your
case will be happening between Squid and server somewhere (if at all).

Amos


Re: [squid-users] TCP_DENIED/411

2014-11-07 Thread Amos Jeffries
On 7/11/2014 10:20 p.m., Riccardo Castellani wrote:
 Can I bypass this TCP_DENIED/411 error in Squid? I read this
 error is about the Length Required field, but can we permit Squid to
 handle this POST request?

If you send a message without saying how big its attached object is,
when is the server supposed to know that it has finished and the next
one is starting?

Amos



Re: [squid-users] TCP_DENIED/403

2014-11-05 Thread Antony Stone
On Wednesday 05 November 2014 at 10:39:19 (EU time), navari.lore...@gmail.com 
wrote:

 I'm configuring a Squid Web Proxy Cache and I apply the deny policy to some
 sites.  This is the problem:
 
 when people access sites with GET they have the right html error page
 ERR_ACCESS_DENIED
 (LOG = TCP_DENIED/403 4069 GET http://www.sex.com/ - HIER_NONE/- text/html)
 
 when people access sites with CONNECT they DON'T have the right html
 error page
 but the message CONNECTION REFUSED BY PROXY SERVER
 (LOG = TCP_DENIED/403 3681 CONNECT facebook.com:443 - HIER_NONE/-
 text/html)
 
 I would like to have the same error page for all.
 
 Can anyone help ??

Please tell us the version of Squid you are using, and show us the rules you 
have implemented for the deny policy.


Regards,


Antony.

-- 
Most people have more than the average number of legs.



Re: [squid-users] TCP_DENIED/403

2014-11-05 Thread Rafael Akchurin
Hello Navari,

Just my two cents - 
http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

Raf

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of navari.lore...@gmail.com
Sent: Wednesday, November 5, 2014 10:39 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] TCP_DENIED/403

Good day today.
I'm configuring a Squid Web Proxy Cache and I apply the deny policy to some
sites; this is the problem:

when people access sites with GET they have the right html error page
ERR_ACCESS_DENIED (LOG = TCP_DENIED/403 4069 GET http://www.sex.com/ -
HIER_NONE/- text/html)

when people access sites with CONNECT they DON'T have the right html error
page but the message CONNECTION REFUSED BY PROXY SERVER (LOG = TCP_DENIED/403
3681 CONNECT facebook.com:443 - HIER_NONE/- text/html)

I would like to have the same error page for all.

Can anyone help ??





Re: [squid-users] TCP_DENIED/403

2014-11-05 Thread navari.lore...@gmail.com
Thanks for the reply

OS = CentOS 7

squid-3.4.6-1.el7.centos.x86_64

=

[root@lv-034-005 squid]# cat squid.conf
#
# Recommended minimum configuration:
#

#Default: debug_options ALL,1
#more: debug_options ALL,1 33,2 28,9
debug_options ALL,1 28,3

visible_hostname proxy.usl1.toscana.it
append_domain .usl1.toscana.it
ftp_passive on
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
error_directory /etc/squid/errors
maximum_object_size 8192 KB
cache_dir ufs /var/spool/squid 8192 16 128
cache_log none
cache_store_log none
cache_mem 512 MB

#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 563 445 8080 10443 27443 28443
#acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 22          # telnet
acl Safe_ports port 443 563 445 # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
##

## ACL definition ##
acl siti_proibiti  url_regex  /etc/squid/siti.proibiti.squid

## ACL application ##
http_access deny siti_proibiti

##

# LDAP AUTH -
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b ou=users,dc=usl1,dc=toscana,dc=it -H ldap://portale3.usl1.toscana.it/
auth_param basic children 5
auth_param basic realm Accesso ad Internet
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl user_authentication proxy_auth REQUIRED
http_access allow user_authentication

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
http_access deny to_localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
[root@lv-034-005 squid]#


[root@lv-034-005 squid]# cat siti.proibiti.squid
facebook\.(com|org|info|net|it)
twitter\.(com|org|info|net|it)
\.sex\.(com|org|info|net|it)
google-analytics\.com
youporn\.com
adultfriend\.com
pornhub\.com
sex
porn
games
giochi
gaytube\.com
amantesorgias\.com
porno\.com
www\.topgirlsitalia\.it
\.twitter\.com
\.myspace\.com
\.hi5\.com
\.teamviewer\.com
fbcdn-sphotos-e-a.akamaihd.net
[root@lv-034-005 squid]#







Re: [squid-users] TCP_DENIED/403

2014-11-05 Thread Amos Jeffries

On 5/11/2014 10:39 p.m., navari.lore...@gmail.com wrote:
 Good day today. I'm configuring a Squid Web Proxy Cache and I
 apply the deny policy to some sites; this is the problem:
 
 when people access sites with GET they have the right html error
 page ERR_ACCESS_DENIED (LOG = TCP_DENIED/403 4069 GET
 http://www.sex.com/ - HIER_NONE/- text/html)
 
 when people access sites with CONNECT they DON'T have the right
 html error page but the message CONNECTION REFUSED BY PROXY SERVER
 (LOG = TCP_DENIED/403 3681 CONNECT facebook.com:443 - HIER_NONE/-
 text/html)
 
 I would like to have the same error page for all.
 
 Can anyone help ??
 

Sorry, the answer there is no.

If you look at the TCP packets being sent back by Squid, and also at
those log entries, Squid *is* sending back the same 403 error
in both cases to the client browser.

What is happening is that the browser treats CONNECT and GET
differently. Specifically they refuse to show any remotely generated
(by Squid) content in the event of a 4xx or 5xx response to CONNECT.

To get this changed you will have to discuss it with the browser
people. They do it this way because of past history with malicious
payloads being delivered back in 4xx errors to CONNECT.

Amos



Re: [squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

2014-10-20 Thread Tom Tom
Entry created in bugzilla:
http://bugs.squid-cache.org/show_bug.cgi?id=4122



On Mon, Oct 20, 2014 at 7:25 AM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 20/10/2014 6:18 p.m., Tom Tom wrote:
 Hi Amos

 Do you have new findings? Should I open a bug for better tracking?


 I got nothing new sorry. Yes a bug tracker would be useful to keep
 track of it.

 Amos

 Kind regards, Tom

 On Mon, Oct 13, 2014 at 8:16 AM, Amos Jeffries
 squ...@treenet.co.nz wrote: On 13/10/2014 6:26 p.m., Tom Tom
 wrote:
 Hi

 Does anyone have some ideas/hints concerning this problem?

 I am looking into it and fairly sure it's a bug in how the ACL
 result is returning 1 == ALLOWED. But that was done to solve
 another bug in auth ACLs re-authenticating credentials from outside
 the encryption, using the encrypted channel.

 Am still trying to figure out what the appropriate fix might look
 like.

 Amos



Re: [squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

2014-10-19 Thread Tom Tom
Hi Amos

Do you have new findings? Should I open a bug for better tracking?

Kind regards,
Tom

On Mon, Oct 13, 2014 at 8:16 AM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 13/10/2014 6:26 p.m., Tom Tom wrote:
 Hi

 Does anyone have some ideas/hints concerning this problem?

 I am looking into it and fairly sure it's a bug in how the ACL result
 is returning 1 == ALLOWED. But that was done to solve another bug in
 auth ACLs re-authenticating credentials from outside the encryption,
 using the encrypted channel.

 Am still trying to figure out what the appropriate fix might look like.

 Amos


Re: [squid-users] TCP_DENIED/403 for internal servers

2013-06-05 Thread Satish Thareja
Thanks Eliezer.

I think the server is rejecting squid's IP as you pointed out,
with http_access not blocked for any machine.

Regards,
Satish

On Wed, Jun 5, 2013 at 1:51 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 Sorry Satish Thareja,

 This post is outdated since squid is not in 2.5\6 but on 3.3.
 If you will share more from squid.conf lines we can try to help you.
 if you can share the access.log we can try to understand.
 please share IP etc..
 if you are getting 403 it means that the server is rejecting you and not
 squid.

 use http_access allow all
 if in this case it's not working either you are trying to access some
 strange port or strange method.

 Regards,
 Eliezer


 On 6/4/2013 7:20 PM, Satish Thareja wrote:

 Amos,

 The config is to allow http access for all but this case.
 I came across this link :

 http://www.linuxquestions.org/questions/linux-networking-3/so-many-tcp_denied-in-squid-access-log-469574/

 but I do not have anything blocked in my configuration.

 Is it possible that, if the 'host' does not allow access to all
 machines ( and new request from squid machine ), then we will get
 TCP_DENIED/403 status code ??

 Thanks,
 Satish

 On Tue, Jun 4, 2013 at 5:22 PM, Amos Jeffries squ...@treenet.co.nz
 wrote:

 On 4/06/2013 11:17 p.m., Satish Thareja wrote:


 Hi,

 I have configured my squid box without restricting 'http_access' on
 any resource.
 But when I try to access a resource 'host.domain.com' using the
 hostname (i.e. host ) directly, I am getting TCP_DENIED/403 response
 code.

 I am able to resolve 'host' from the squid machine directly, but http
 requests to the 'host' still fail.

 What could possibly be wrong with my configuration?



 Perhaps if you showed the configuration somebody might have a clue

 Amos




Re: [squid-users] TCP_DENIED/403 for internal servers

2013-06-04 Thread Amos Jeffries

On 4/06/2013 11:17 p.m., Satish Thareja wrote:

Hi,

I have configured my squid box without restricting 'http_access' on
any resource.
But when I try to access a resource 'host.domain.com' using the
hostname (i.e. host ) directly, I am getting TCP_DENIED/403 response
code.

I am able to resolve 'host' from the squid machine directly, but http
requests to the 'host' still fail.

What could possibly be wrong with my configuration?


Perhaps if you showed the configuration somebody might have a clue

Amos



Re: [squid-users] TCP_DENIED/403 for internal servers

2013-06-04 Thread Satish Thareja
Amos,

The config is to allow http access for all but this case.
I came across this link :
http://www.linuxquestions.org/questions/linux-networking-3/so-many-tcp_denied-in-squid-access-log-469574/

but I do not have anything blocked in my configuration.

Is it possible that, if the 'host' does not allow access to all
machines ( and new request from squid machine ), then we will get
TCP_DENIED/403 status code ??

Thanks,
Satish

On Tue, Jun 4, 2013 at 5:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 4/06/2013 11:17 p.m., Satish Thareja wrote:

 Hi,

 I have configured my squid box without restricting 'http_access' on
 any resource.
 But when I try to access a resource 'host.domain.com' using the
 hostname (i.e. host ) directly, I am getting TCP_DENIED/403 response
 code.

 I am able to resolve 'host' from the squid machine directly, but http
 requests to the 'host' still fail.

 What could possibly be wrong with my configuration?


 Perhaps if you showed the configuration somebody might have a clue

 Amos



Re: [squid-users] TCP_DENIED/403 for internal servers

2013-06-04 Thread Eliezer Croitoru

Sorry Satish Thareja,

This post is outdated since squid is not in 2.5\6 but on 3.3.
If you will share more from squid.conf lines we can try to help you.
if you can share the access.log we can try to understand.
please share IP etc..
if you are getting 403 it means that the server is rejecting you and not 
squid.


use http_access allow all
if in this case it's not working either you are trying to access some 
strange port or strange method.


Regards,
Eliezer

On 6/4/2013 7:20 PM, Satish Thareja wrote:

Amos,

The config is to allow http access for all but this case.
I came across this link :
http://www.linuxquestions.org/questions/linux-networking-3/so-many-tcp_denied-in-squid-access-log-469574/

but I do not have anything blocked in my configuration.

Is it possible that, if the 'host' does not allow access to all
machines ( and new request from squid machine ), then we will get
TCP_DENIED/403 status code ??

Thanks,
Satish

On Tue, Jun 4, 2013 at 5:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On 4/06/2013 11:17 p.m., Satish Thareja wrote:


Hi,

I have configured my squid box without restricting 'http_access' on
any resource.
But when I try to access a resource 'host.domain.com' using the
hostname (i.e. host ) directly, I am getting TCP_DENIED/403 response
code.

I am able to resolve 'host' from the squid machine directly, but http
requests to the 'host' still fail.

What could possibly be wrong with my configuration?



Perhaps if you showed the configuration somebody might have a clue

Amos





RE: [squid-users] TCP_DENIED/403

2012-10-16 Thread Andrew Krupiczka

Have you specified
https_port 443 ... cert=
http://www.squid-cache.org/Versions/v2/2.7/cfgman/https_port.html 

Regards,

Andrew

-Original Message-
From: Mike Muir [mailto:mm...@uniqueltd.com] 
Sent: Tuesday, October 16, 2012 3:41 PM
To: squid-users@squid-cache.org
Subject: [squid-users] TCP_DENIED/403

Hello,

I'm getting a TCP DENIED/403 in the access log when trying to access all HTTPS 
sites via web browser. The browser displays: Error 111
(net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.

I've included the following in my squid.conf (I'm using Squid 2.7) which to my 
understanding should allow traffic on 443:

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports

I'll provide more info if necessary, but has anyone experienced this problem 
before? Any help would be appreciated.

Regards


Re: [squid-users] TCP_DENIED/403

2012-10-16 Thread Eliezer Croitoru

On 10/16/2012 9:41 PM, Mike Muir wrote:

Hello,

I'm getting a TCP DENIED/403 in the access log when trying to access
all HTTPS sites via web browser. The browser displays: Error 111
(net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.

I've included the following in my squid.conf (I'm using Squid 2.7)
which to my understanding should allow traffic on 443:

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports

I'll provide more info if necessary, but has anyone experienced this
problem before? Any help would be appreciated.

Regards


what version of squid?
what are the allow (not deny) acls?
what ports?
what browser?
what site?

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il


Re: [squid-users] TCP_DENIED/403

2012-10-16 Thread Mike Muir
My acl section and http_access:

acl manager proto cache_object COAP
acl localhost src 127.0.0.1/32 ::1
acl Whitelist dstdomain /etc/squid/whitelist_sites
acl ncsa_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl all src all


# cachemgr access
http_access allow manager localhost
http_access deny manager
# http_access Section
http_access allow ncsa_users Whitelist
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny all

Squid version: 2.7
Port: 443
Browser: Chrome
Site: gmail.com (although it's denying all https requests)

On Tue, Oct 16, 2012 at 5:41 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 On 10/16/2012 9:41 PM, Mike Muir wrote:

 Hello,

 I'm getting a TCP DENIED/403 in the access log when trying to access
 all HTTPS sites via web browser. The browser displays: Error 111
 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.

 I've included the following in my squid.conf (I'm using Squid 2.7)
 which to my understanding should allow traffic on 443:

 acl SSL_ports port 443
 acl CONNECT method CONNECT

 http_access deny CONNECT !SSL_ports

 I'll provide more info if necessary, but has anyone experienced this
 problem before? Any help would be appreciated.

 Regards

 what version of squid?
 what are the allow (not deny) acls?
 what ports?
 what browser?
 what site?

 Regards,
 Eliezer

 --
 Eliezer Croitoru
 https://www1.ngtech.co.il
 IT consulting for Nonprofit organizations
 eliezer at ngtech.co.il



-- 
Mike Muir Jr IT Administrator
v: 902.492.0100 ext.131

f: 902.492.0078
www.me-ality.com

| 420 Lexington Ave., Suite 1701, New York, NY 10170-1704
| 133 Troop Ave., Dartmouth, NS, B3B 2A7


Re: [squid-users] TCP_DENIED/403

2012-10-16 Thread Amos Jeffries

On 17.10.2012 09:49, Mike Muir wrote:

My acl section and http_access:

acl manager proto cache_object COAP
acl localhost src 127.0.0.1/32 ::1
acl Whitelist dstdomain /etc/squid/whitelist_sites
acl ncsa_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl all src all


# cachemgr access
http_access allow manager localhost
http_access deny manager
# http_access Section
http_access allow ncsa_users Whitelist
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny all


NP: sequence of deny lines followed by deny all is equivalent to 
deny all


Meaning your config is effectively:

  http_access allow manager localhost
  http_access deny manager
  http_access allow ncsa_users Whitelist
  http_access deny all

... notice how there are no controls/limits on CONNECT or even port 
number any more.




Squid version: 2.7



Please upgrade. 2.7 is deprecated now and has not been supported for 
several years.


Squid-2.7 does not support coap:// protocol. You can remove that from 
the manager ACL. If you actually want coap:// support upgrade to 
squid-3.2 minimum.
 Not that Squid coap://.../squid-internal-mgr/* URLs would get anywhere 
near CoAP protocol anyway.




Port: 443
Browser: Chrome
Site: gmail.com (although it's denying all https requests)



net::ERR_TUNNEL_CONNECTION_FAILED is a 'friendly' Chrome error 
message, hiding all the relevant HTTP details about the *actual* HTTP 
level problem. Check the HTTP traffic (will probably require a TCP dump, 
or digging into the developer tools on Chrome).


This will give you both the HTTP headers for the transaction, and the 
real Squid response error page - if any HTTP took place.


Your proxy requires authentication for whitelisted sites (even if they 
are used in CONNECT), so unless Chrome is sending user credentials when 
trying to open a new tunnel through Squid, it will be rejected with an 
auth challenge response status. Squid-2 does not support keep-alive and 
authentication exchange on CONNECT - resulting in the connection closing 
after the challenge. Only CONNECT with pre-sent credentials are accepted 
by your Squid - Chrome is responsible for re-opening the CONNECT tunnel 
with credentials if it closes after a challenge.



Amos


On Tue, Oct 16, 2012 at 5:41 PM, Eliezer Croitoru wrote:

On 10/16/2012 9:41 PM, Mike Muir wrote:


Hello,

I'm getting a TCP DENIED/403 in the access log when trying to access
all HTTPS sites via web browser. The browser displays: Error 111
(net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.

I've included the following in my squid.conf (I'm using Squid 2.7)
which to my understanding should allow traffic on 443:

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports

I'll provide more info if necessary, but has anyone experienced this
problem before? Any help would be appreciated.

Regards


what version of squid?
what are the allow (not deny) acls?
what ports?
what browser?
what site?

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
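The first-match http_access semantics that Amos describes above (a run of deny lines followed by `deny all` decides nothing that `deny all` would not, and a request that reaches a proxy_auth ACL without credentials is answered with a 407 challenge rather than a 403), worked through in a small Python model. This is an added example, not code from Squid or from any poster in this thread; the whitelist entry and the sample requests are constructed, and only the ACL types used in Mike's config are modelled.

```python
# Added teaching model of Squid's http_access first-match evaluation; not Squid
# code and not from any poster. Only the ACL types in the quoted config exist.
from dataclasses import dataclass

@dataclass
class Request:
    method: str                   # GET or CONNECT
    host: str                     # URL host or CONNECT target
    port: int
    user: "str | None" = None     # None = no Proxy-Authorization header sent

@dataclass
class Acl:
    kind: str
    values: list

def acl_matches(acl, req):
    """True/False, or 'challenge' when a proxy_auth ACL sees no credentials."""
    if acl.kind == "all":
        return True
    if acl.kind == "port":            # single ports or "lo-hi" ranges
        for v in acl.values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl.kind == "method":
        return req.method in acl.values
    if acl.kind == "dstdomain":       # ".example.net" also matches subdomains
        host = req.host.lower()
        for d in (v.lower() for v in acl.values):
            if host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)):
                return True
        return False
    if acl.kind == "proxy_auth":
        if req.user is None:
            return "challenge"
        return acl.values == ["REQUIRED"] or req.user in acl.values
    raise ValueError("unsupported acl type: " + acl.kind)

def evaluate(acls, rules, req):
    """First match wins; returns 'allow', 'deny' (TCP_DENIED/403) or 'challenge' (407)."""
    for action, terms in rules:
        line_matches = True
        for term in terms:                    # a term '!name' negates ACL 'name'
            negate = term.startswith("!")
            result = acl_matches(acls[term.lstrip("!")], req)
            if result == "challenge":
                return "challenge"            # Squid stops and asks for credentials
            if result == negate:              # this term failed: try the next line
                line_matches = False
                break
        if line_matches:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

# Mike Muir's ACLs and http_access lines as posted above. The manager lines are
# left out (proto ACLs are not modelled) and his whitelist file is not in the
# thread, so one constructed entry stands in for it.
MIKE_ACLS = {
    "Whitelist": Acl("dstdomain", [".example.net"]),   # constructed stand-in
    "ncsa_users": Acl("proxy_auth", ["REQUIRED"]),
    "SSL_ports": Acl("port", ["443"]),
    "Safe_ports": Acl("port", ["80"]),
    "CONNECT": Acl("method", ["CONNECT"]),
    "all": Acl("all", []),
}
MIKE_RULES = [
    ("allow", ["ncsa_users", "Whitelist"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["all"]),
]
# Amos's point: with "deny all" last, the deny lines before it change no outcome.
MIKE_RULES_COLLAPSED = [("allow", ["ncsa_users", "Whitelist"]), ("deny", ["all"])]

SAMPLE_REQUESTS = [   # constructed traffic mixing methods, ports and credentials
    Request("CONNECT", "gmail.com", 443),                 # no credentials yet
    Request("CONNECT", "gmail.com", 443, user="mike"),    # not whitelisted
    Request("CONNECT", "www.example.net", 443, user="mike"),
    Request("GET", "www.example.net", 80, user="mike"),
    Request("CONNECT", "www.example.net", 8443, user="mike"),  # odd port, allowed
    Request("GET", "gmail.com", 80, user="mike"),
]

def outcomes(acls, rules, requests=SAMPLE_REQUESTS):
    return [evaluate(acls, rules, r) for r in requests]

def rulesets_equivalent(acls, rules_a, rules_b, requests=SAMPLE_REQUESTS):
    return outcomes(acls, rules_a, requests) == outcomes(acls, rules_b, requests)

if __name__ == "__main__":
    for req, res in zip(SAMPLE_REQUESTS, outcomes(MIKE_ACLS, MIKE_RULES)):
        print(f"{req.method:7} {req.host}:{req.port} user={req.user} -> {res}")
    print("collapsed ruleset equivalent:",
          rulesets_equivalent(MIKE_ACLS, MIKE_RULES, MIKE_RULES_COLLAPSED))
```

Note that the whitelisted CONNECT on port 8443 is allowed: the `allow ncsa_users Whitelist` line wins before `deny CONNECT !SSL_ports` is ever reached, which is the ordering point Amos makes about there being no port controls left.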




Re: [squid-users] TCP_DENIED/403 3502 GET errors

2012-08-27 Thread Eliezer Croitoru

On 8/27/2012 11:09 PM, grant lowe wrote:

What am I doing wrong?

squid does exactly what the squid.conf says..
##start
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
##end
there is not one acl match for your client.
the localnet acl is for 10.0.0.0/24
and your network is at: 10.2.12.151/32
you can add acl for the whole 10.2.12.0/24 network.
what network are your clients sitting at?

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il


Re: [squid-users] TCP_DENIED/TCP_MISS

2012-03-21 Thread alexus
ok, makes sense now :)
thank you for explanation :)

On Tue, Mar 20, 2012 at 11:27 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 21.03.2012 15:04, alexus wrote:

 I dont understand maybe someone else can help me understand that...
 how is that I allowed this domain in my log I get deny and next line
 is miss?!

 1332295011.844      0 186.176.225.154 TCP_DENIED/407 4183 GET
 http://f.femowe.com/cgi/r? - NONE/- text/html
 1332295013.395    166 186.176.225.154 TCP_MISS/302 1552 GET
 http://f.femowe.com/cgi/r? gmbproxy DIRECT/70.42.23.12 text/html


 That is Authentication happening.

 The client and Squid requests credentials DENIED/407.
 Then the client repeats with credentials and gets admitted.

 http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes
 http://wiki.squid-cache.org/SquidFaq/SquidLogs#HTTP_status_codes



 and this is what I have in my squid.conf

 acl bk dstdomain f.femowe.com
 http_access deny !bk


 This config snippet is irrelevant by itself ... it denies on URL which are
 *not* involving the domain which your log snippet is about.


 Amos



-- 
http://alexus.org/


Re: [squid-users] TCP_DENIED/TCP_MISS

2012-03-20 Thread Amos Jeffries

On 21.03.2012 15:04, alexus wrote:

I dont understand maybe someone else can help me understand that...
how is that I allowed this domain in my log I get deny and next line
is miss?!

1332295011.844      0 186.176.225.154 TCP_DENIED/407 4183 GET
http://f.femowe.com/cgi/r? - NONE/- text/html
1332295013.395    166 186.176.225.154 TCP_MISS/302 1552 GET
http://f.femowe.com/cgi/r? gmbproxy DIRECT/70.42.23.12 text/html



That is Authentication happening.

The client and Squid requests credentials DENIED/407.
Then the client repeats with credentials and gets admitted.

http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes
http://wiki.squid-cache.org/SquidFaq/SquidLogs#HTTP_status_codes



and this is what I have in my squid.conf

acl bk dstdomain f.femowe.com
http_access deny !bk


This config snippet is irrelevant by itself ... it denies on URL which 
are *not* involving the domain which your log snippet is about.



Amos


Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-31 Thread Nick Cairncross
Well, for me it is not so much of a problem since I upstream to an ISP
with content/malware protection etc, but it would be nice to be able
report on all users of every method. Perhaps someone could enlighten this
mail? 

My relevant squid.conf is as follows (I have the ACLs defined obviously...)

## GLOBAL DENY RULES
http_access deny !Safe_ports
http_access deny MSNMessenger CNP_172SUBNETS !IP_MSNMESSENGER
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny CONNECT !SSL_Ports !CNP_172SUBNETS
http_access deny POST !SSL_Ports !RTMP_ports !CNP_172SUBNETS

# POST/CONNECT Method ALLOW #
http_access allow CONNECT CNP_172SUBNETS
http_access allow POST CNP_172SUBNETS

## USERS AUTHENTICATION ACL##
http_access allow AuthenticatedUsers





On 30/08/2010 11:39, Tom Tux tomtu...@gmail.com wrote:

Hi Nick

Thank you for this explanation. I think, you're right. Could this
eventually be a security-problem, to allow unauthenticated
https-traffic with http_access allow CONNECT SSL_ports? Might be
yes, might be no. Is this behaviour part of a fact with SSL/HTTPS or
could this be eventually solved with a future release of squid? Do you
allow the CONNECT-method in your setup?

Regards,
Tom

2010/8/28 Nick Cairncross nick.cairncr...@condenast.co.uk:
 Tom,

 Just to say what I think (since you have almost the same setup as me I
think): you will always get that 407 at the moment. Squid requires an
authenticated user before allowing the page but you can't authenticate
every method (at least that is what I have found) in my setup.

 Regardless of whether it is ntlm or Kerberos etc. Your rule about
connect I think needs an allow connect ssl_ports ABOVE your allow
INTERNET_ACCESS because you're just disallowing the CONNECT method (not
the same as the GET method) using non-ssl ports otherwise. There's
nothing talking about allowing it.



 I think that's right
 Nick



 On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:

 Hi Amos

 Thanks a lot for this information.

 Is it usual/normal, that all https-requests have this error?
 1282899033.246  0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html

 As I already mentioned: The sites, which are denied in the access.log,
 are normal accessible and appears correctly (this is, what I don't
 understandmmmh).
 I think, that I don't have rules, which explicitly require another
 authentication instead of kerberos. Here is an extract of my
 squid.conf:

 The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 # Block invalid Users
 http_access deny !INTERNET_ACCESS
 http_access allow INTERNET_ACCESS
 http_access deny all

 When I trace the http/https-traffic with httpfox (firefox-addon), then
 I got also no errors or denies back.

 Thanks a lot for all helps.
 Tom


 2010/8/27 Amos Jeffries squ...@treenet.co.nz:
 Tom Tux wrote:

 Hi

 For every HTTPS-Site I have the following tcp_denied/407-entry in the
 access.log:
 282895826.492  1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 1282896033.320  1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
 secure-www.novell.com:443 - NONE/- text/html

 The sites, which are denied in the access.log, are though accessible,
 but I have this errors. For me it seems, that squid needs a user
 authentication. But this should be given with
kerberos-authentication,
 which works fine.

 I have the following directives configured (as default):
 acl SSL_ports port 443
 acl CONNECT method CONNECT
 http_access deny CONNECT !SSL_ports


 Can someone explain me this behaviour?

 CONNECT requests to SSL ports (aka HTTPS) will get past that security
 barrier and move on to checking your other rules. One of those other
rules
 involves proxy authentication.

 All requests which require authentication but do not provide it get a
407 or
 401 response challenging the browser to provide some credentials.
This is
 true for all authentication types.

 Working browsers with access to the required credentials will send
them on a
 followup request and get past that challenge.

 Amos
 --
 Please be using
 Current Stable Squid 2.7.STABLE9 or 3.1.7
 Beta testers wanted for 3.2.0.1




Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-30 Thread Tom Tux
Hi Nick

Thank you for this explanation. I think, you're right. Could this
eventually be a security-problem, to allow unauthenticated
https-traffic with http_access allow CONNECT SSL_ports? Might be
yes, might be no. Is this behaviour part of a fact with SSL/HTTPS or
could this be eventually solved with a future release of squid? Do you
allow the CONNECT-method in your setup?

Regards,
Tom

2010/8/28 Nick Cairncross nick.cairncr...@condenast.co.uk:
 Tom,

 Just to say what I think (since you have almost the same setup as me I 
 think): you will always get that 407 at the moment. Squid requires an 
 authenticated user before allowing the page but you can't authenticate every 
 method (at least that is what I have found) in my setup.

 Regardless of whether it is ntlm or Kerberos etc. Your rule about connect I 
 think needs an allow connect ssl_ports ABOVE your allow INTERNET_ACCESS 
 because you're just disallowing the CONNECT method (not the same as the GET 
 method) using non-ssl ports otherwise. There's nothing talking about allowing 
 it.



 I think that's right
 Nick



 On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:

 Hi Amos

 Thanks a lot for this information.

 Is it usual/normal, that all https-requests have this error?
 1282899033.246      0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html

 As I already mentioned: the sites which are denied in the access.log
 are normally accessible and appear correctly (this is what I don't
 understand... mmmh).
 I think that I don't have rules which explicitly require another
 authentication instead of Kerberos. Here is an extract of my
 squid.conf:

 The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 # Block invalid Users
 http_access deny !INTERNET_ACCESS
 http_access allow INTERNET_ACCESS
 http_access deny all

 When I trace the http/https traffic with httpfox (Firefox add-on),
 I also get no errors or denies back.

 Thanks a lot for all the help.
 Tom


 2010/8/27 Amos Jeffries squ...@treenet.co.nz:
 Tom Tux wrote:

 Hi

 For every HTTPS-Site I have the following tcp_denied/407-entry in the
 access.log:
 282895826.492      1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 1282896033.320      1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
 secure-www.novell.com:443 - NONE/- text/html

 The sites which are denied in the access.log are still accessible,
 but I have these errors. To me it seems that squid needs a user
 authentication. But this should be given with Kerberos authentication,
 which works fine.

 I have the following directives configured (as default):
 acl SSL_ports port 443
 acl CONNECT method CONNECT
 http_access deny CONNECT !SSL_ports


 Can someone explain this behaviour to me?

 CONNECT requests to SSL ports (aka HTTPS) will get past that security
 barrier and move on to checking your other rules. One of those other rules
 involves proxy authentication.

 All requests which require authentication but do not provide it get a 407 or
 401 response challenging the browser to provide some credentials. This is
 true for all authentication types.

 Working browsers with access to the required credentials will send them on a
 followup request and get past that challenge.

 Amos
 --
 Please be using
 Current Stable Squid 2.7.STABLE9 or 3.1.7
 Beta testers wanted for 3.2.0.1






Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-28 Thread Nick Cairncross
Tom,

Just to say what I think (since you have almost the same setup as me I think): 
you will always get that 407 at the moment. Squid requires an authenticated 
user before allowing the page but you can't authenticate every method (at least 
that is what I have found) in my setup. 

Regardless of whether it is ntlm or Kerberos etc. Your rule about connect I 
think needs an allow connect ssl_ports ABOVE your allow INTERNET_ACCESS because 
you're just disallowing the CONNECT method (not the same as the GET method) 
using non-ssl ports otherwise. There's nothing talking about allowing it. 
 


I think that's right
Nick 



On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:

 Hi Amos
 
 Thanks a lot for this information.
 
 Is it usual/normal that all https-requests have this error?
 1282899033.246  0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 
 As I already mentioned: the sites which are denied in the access.log
 are normally accessible and appear correctly (this is what I don't
 understand... mmmh).
 I think that I don't have rules which explicitly require another
 authentication instead of Kerberos. Here is an extract of my
 squid.conf:
 
 The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 
 # Block invalid Users
 http_access deny !INTERNET_ACCESS
 http_access allow INTERNET_ACCESS
 http_access deny all
 
 When I trace the http/https traffic with httpfox (Firefox add-on),
 I also get no errors or denies back.
 
 Thanks a lot for all the help.
 Tom
 
 
 2010/8/27 Amos Jeffries squ...@treenet.co.nz:
 Tom Tux wrote:
 
 Hi
 
 For every HTTPS-Site I have the following tcp_denied/407-entry in the
 access.log:
 282895826.492  1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 1282896033.320  1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
 secure-www.novell.com:443 - NONE/- text/html
 
 The sites which are denied in the access.log are still accessible,
 but I have these errors. To me it seems that squid needs a user
 authentication. But this should be given with Kerberos authentication,
 which works fine.
 
 I have the following directives configured (as default):
 acl SSL_ports port 443
 acl CONNECT method CONNECT
 http_access deny CONNECT !SSL_ports
 
 
 Can someone explain this behaviour to me?
 
 CONNECT requests to SSL ports (aka HTTPS) will get past that security
 barrier and move on to checking your other rules. One of those other rules
 involves proxy authentication.
 
 All requests which require authentication but do not provide it get a 407 or
 401 response challenging the browser to provide some credentials. This is
 true for all authentication types.
 
 Working browsers with access to the required credentials will send them on a
 followup request and get past that challenge.
 
 Amos
 --
 Please be using
 Current Stable Squid 2.7.STABLE9 or 3.1.7
 Beta testers wanted for 3.2.0.1
 




Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-27 Thread Amos Jeffries

Tom Tux wrote:

Hi

For every HTTPS-Site I have the following tcp_denied/407-entry in the
access.log:
282895826.492  1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
mail.google.com:443 - NONE/- text/html
1282896033.320  1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
secure-www.novell.com:443 - NONE/- text/html

The sites which are denied in the access.log are still accessible,
but I have these errors. To me it seems that squid needs a user
authentication. But this should be given with Kerberos authentication,
which works fine.

I have the following directives configured (as default):
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports


Can someone explain this behaviour to me?


CONNECT requests to SSL ports (aka HTTPS) will get past that security 
barrier and move on to checking your other rules. One of those other 
rules involves proxy authentication.


All requests which require authentication but do not provide it get a 
407 or 401 response challenging the browser to provide some 
credentials. This is true for all authentication types.


Working browsers with access to the required credentials will send them 
on a followup request and get past that challenge.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-27 Thread Tom Tux
Hi Amos

Thanks a lot for this information.

Is it usual/normal that all https-requests have this error?
1282899033.246  0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
mail.google.com:443 - NONE/- text/html

As I already mentioned: the sites which are denied in the access.log
are normally accessible and appear correctly (this is what I don't
understand... mmmh).
I think that I don't have rules which explicitly require another
authentication instead of Kerberos. Here is an extract of my
squid.conf:

The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Block invalid Users
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

When I trace the http/https traffic with httpfox (Firefox add-on),
I also get no errors or denies back.

Thanks a lot for all the help.
Tom


2010/8/27 Amos Jeffries squ...@treenet.co.nz:
 Tom Tux wrote:

 Hi

 For every HTTPS-Site I have the following tcp_denied/407-entry in the
 access.log:
 282895826.492      1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 1282896033.320      1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
 secure-www.novell.com:443 - NONE/- text/html

 The sites which are denied in the access.log are still accessible,
 but I have these errors. To me it seems that squid needs a user
 authentication. But this should be given with Kerberos authentication,
 which works fine.

 I have the following directives configured (as default):
 acl SSL_ports port 443
 acl CONNECT method CONNECT
 http_access deny CONNECT !SSL_ports


 Can someone explain this behaviour to me?

 CONNECT requests to SSL ports (aka HTTPS) will get past that security
 barrier and move on to checking your other rules. One of those other rules
 involves proxy authentication.

 All requests which require authentication but do not provide it get a 407 or
 401 response challenging the browser to provide some credentials. This is
 true for all authentication types.

 Working browsers with access to the required credentials will send them on a
 followup request and get past that challenge.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1



Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-27 Thread Amos Jeffries

Tom Tux wrote:

Hi Amos

Thanks a lot for this information.

Is it usual/normal that all https-requests have this error?


100% depends on your configuration file.


1282899033.246  0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
mail.google.com:443 - NONE/- text/html

As I already mentioned: the sites which are denied in the access.log
are normally accessible and appear correctly (this is what I don't
understand... mmmh).
I think that I don't have rules which explicitly require another
authentication instead of Kerberos. Here is an extract of my


407 does not mean try other authentication.

It means send me your login or go away.

The browser is failing to send kerberos login details so gets sent a 
407. It reacts by:

   (a) sending the credentials and being allowed,
or (b) doing a popup for the user,
or (c) showing the user an error page.



squid.conf:

The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Block invalid Users
http_access deny !INTERNET_ACCESS


 * requires login details to be supplied before it can be tested.

If login is not provided already Squid sends 407.


http_access allow INTERNET_ACCESS


 * requires login details to be supplied before it can be tested.


http_access deny all

When I trace the http/https traffic with httpfox (Firefox add-on),
I also get no errors or denies back.

Thanks a lot for all the help.
Tom



The configuration you have displayed requires login details to be 
supplied before *ANY* web request is permitted.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] TCP_DENIED/407 with JAVA-Applets

2010-08-26 Thread Nick Cairncross
Tom, 

What does useragent.log say when you use FF?

Nick

On 26/08/2010 09:27, Tom Tux tomtu...@gmail.com wrote:

Hi

I noticed that for some Java applets
(http://java.sun.com/applets/jdk/1.4/demo/applets/BarChart/example1.html)
I get TCP_DENIED/407 errors in the access.log. Depending on the
browser, I get an authentication window or a simple Java error (an x
in the browser window).

I searched the forum and found a valid solution for all IE 6.0
(because I'm authenticating with Kerberos):

acl JAVA browser Java/1.3 Java/1.4 Java/1.5 Java/1.6
http_access allow JAVA

But with Firefox this does not work. Is there a way (perhaps with
useragent) to also get Firefox working with the rule above? Or is
there another way to allow Java applets instead of allowing the
whole of Java?

Thanks a lot.
Tom




Re: [squid-users] TCP_DENIED/407 with JAVA-Applets

2010-08-26 Thread Tom Tux
Hi Nick

With IE, I have the following log entry (useragent.log):

xx.xx.xx.xx [27/Aug/2010:07:15:29 +0200] Mozilla/4.0 (Windows Vista
6.1) Java/1.6.0_12

With FF, I get this one:
xx.xx.xx.xx [27/Aug/2010:07:15:51 +0200] Mozilla/5.0 (Windows; U;
Windows NT 5.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

So, with FF, there's nothing visible which contains Java. It seems
that's the reason why this won't work with FF.
Regards
Tom


2010/8/26 Nick Cairncross nick.cairncr...@condenast.co.uk:
 Tom,

 What does useragent.log say when you use FF?

 Nick

 On 26/08/2010 09:27, Tom Tux tomtu...@gmail.com wrote:

Hi

I noticed that for some Java applets
(http://java.sun.com/applets/jdk/1.4/demo/applets/BarChart/example1.html)
I get TCP_DENIED/407 errors in the access.log. Depending on the
browser, I get an authentication window or a simple Java error (an x
in the browser window).

I searched the forum and found a valid solution for all IE 6.0
(because I'm authenticating with Kerberos):

acl JAVA browser Java/1.3 Java/1.4 Java/1.5 Java/1.6
http_access allow JAVA

But with Firefox this does not work. Is there a way (perhaps with
useragent) to also get Firefox working with the rule above? Or is
there another way to allow Java applets instead of allowing the
whole of Java?

Thanks a lot.
Tom





Re: [squid-users] TCP_DENIED/407 when using NCSA-AUTH and video streaming

2010-07-11 Thread Amos Jeffries

Werner Opriel wrote:
We are using a Debian package of Squid 2.7 Stable3 on a Debian Lenny machine 
with ncsa-auth configured, acting as a central Internet proxy.

All users/passwords are stored in /etc/squid/passwd on localhost and only 
authenticated users are allowed to surf on sites outside the intranet.

There are no problems with authentication so far.

But we have a problem playing videos from the site http://www.wdr.de; they 
provide media streams based on Flash, for example:

http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuendigung.xml

Those pages can be accessed without problems and the starting picture of the 
video is displayed. When we try to play the video we receive "network 
error" and "file not found" within the Flash-area window after a few seconds.
There is no problem playing an audio stream from this site or Flash videos, for 
example from youtube.com or golem.de.

Our clients, always with the Flash plugin installed:
Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux).

In the access.log we can see an authenticated user "test" surfing on 
www.wdr.de.
When starting the video it would seem that he lost his authentication 
information and then ends in tcp-denied/407.
When disabling NCSA-AUTH in squid, we can play the videos without any 
problems.



snip

It's clear the flash player is making its own background HTTP requests 
and not sending credentials. This is a flash player problem.


You have a choice of putting up with it or letting the player through 
your Squid without authentication. The headers you log show a few things 
like User-Agent, source website and Content-Type you could match on to 
identify its requests.


Either way, complain and let the player's authors and the website authors 
know about the problem. Maybe one day they will fix it.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5


Re: [squid-users] TCP_DENIED/407 when using NCSA-AUTH and video streaming

2010-07-11 Thread Werner Opriel
On Sunday, 11 July 2010, Amos Jeffries wrote:
 Werner Opriel wrote:
  We are using a debian-Package of Squid 2.7 Stable3 on a Debian Lenny
  machine with ncsa-auth configured, acting as a central Internet-Proxy.
 
  All Users/Passwords are stored in /etc/squid/passwd on localhost and only
  authenticated users are allowed to surf on sites outside the intranet.
  There are no problems with authentication so far.
 
  But we have a problem playing videos from the site http://www.wdr.de,
  they do provide media streams based on Flash, for example:
  http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuen
 digung.xml
 
  Those pages can be accessed without problems and the starting picture of
  the video is displayed. When we try to play the video we are receiving
  network error and file not found within the flasharea-window after a
  few seconds. There is no problem playing an audio stream from this site
  or flash-videos for example from youtube.com or golem.de
 
  Our Clients, always with flashplugin installed:
  Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux) .
 
  In the access.log we can see an authenticated user "test" surfing on
  www.wdr.de.
  When starting the video it would seem that he lost his authentication
  information and then ends in tcp-denied/407.
  When disabling NCSA-AUTH in squid, we can play the videos without any
  problems.

 snip

 It's clear the flash player is making its own background HTTP requests
 and not sending credentials. This is a flash player problem.

 You have a choice of putting up with it or letting the player through
 your Squid without authentication. The headers you log show a few things
 like User-Agent, source website and Content-Type you could match on to
 identify its requests.

Thanks Amos.
But can you give me a hint how I have to configure squid for letting the 
flash player through it without authentication?


Re: [squid-users] TCP_DENIED/407 when using NCSA-AUTH and video streaming

2010-07-11 Thread Amos Jeffries

Werner Opriel wrote:

Am Sonntag, 11. Juli 2010 schrieb Amos Jeffries:

Werner Opriel wrote:

We are using a debian-Package of Squid 2.7 Stable3 on a Debian Lenny
machine with ncsa-auth configured, acting as a central Internet-Proxy.

All Users/Passwords are stored in /etc/squid/passwd on localhost and only
authenticated users are allowed to surf on sites outside the intranet.
There are no problems with authentication so far.

But we have a problem playing videos from the site http://www.wdr.de,
they do provide media streams based on Flash, for example:
http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuen
digung.xml

Those pages can be accessed without problems and the starting picture of
the video is displayed. When we try to play the video we are receiving
network error and file not found within the flasharea-window after a
few seconds. There is no problem playing an audio stream from this site
or flash-videos for example from youtube.com or golem.de

Our Clients, always with flashplugin installed:
Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux) .

In the access.log we can see an authenticated user "test" surfing on
www.wdr.de.
When starting the video it would seem that he lost his authentication
information and then ends in tcp-denied/407.
When disabling NCSA-AUTH in squid, we can play the videos without any
problems.

snip

It's clear the flash player is making its own background HTTP requests
and not sending credentials. This is a flash player problem.

You have a choice of putting up with it or letting the player through
your Squid without authentication. The headers you log show a few things
like User-Agent, source website and Content-Type you could match on to
identify its requests.


Thanks Amos.
But can you give me a hint how I have to configure squid for letting the 
flash player through it without authentication?


Already did. The third sentence I wrote says "The headers you log show a 
few things like ... you could match on."


http://www.squid-cache.org/Doc/config/acl/  see req_header ACL type.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5


Re: [squid-users] TCP_DENIED/407 with NTLM-Authentication

2010-06-09 Thread Jakob Curdes



Hi

I've implemented an NTLM authentication against a w2k3 domain.
Everything seems to work, but I have a lot of TCP_DENIED/407 errors in
my squid access log. Is this normal or what could be wrong here? Why
do I have so many TCP_DENIED/407 although every page is accessible?


This is normal and by design of the NTLM protocol.

JC


Re: [squid-users] TCP_DENIED/407 CONNECT www,ever note.com:443

2010-03-10 Thread Amos Jeffries
On Wed, 10 Mar 2010 15:51:18 +, Nick Cairncross
nick.cairncr...@condenast.co.uk wrote:
 Hi All,
 
 I have some Mac clients/services that require internet via my Squid. Two
 such programs are Evernote and VMWare. Both are requesting access and both
 are being denied. The errors I see in the access.log are as follows and
 nothing else:
 
 268234226.935  0 172.16.0.38 TCP_DENIED/407 2117 CONNECT
 www.evernote.com:443 - NONE/- text/html
 1268234226.938  0 172.16.0.38 TCP_DENIED/407 2117 CONNECT
 www.evernote.com:443 - NONE/- text/html
 1268234228.667  0 172.16.0.38 TCP_DENIED/407 2134 CONNECT
 softwareupdate.vmware.com:443 - NONE/- text/html
 
 I've tried all sorts of ACLs (browser, dstdomain, IP) but I still get
 denied. Even http_access allow all doesn't work.

Something in your config requires authentication.

 
 Thanks in advance,
 
 Nick
 ==
 
 My configuration is as follows:
 
...
  ACCESS CONTROL LISTS #
 ## USER-AGENT (Browser-type) ACLs
 acl Java_jvm browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt
 acl iTunes browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_ITUNES.txt
 
 ## URL DESTINATION ACLs
 
 ## USER AUTHENTICATION ACLs
 acl AuthenticatedUsers proxy_auth REQUIRED
 acl BandwidthUserExceptions proxy_auth_regex -i
 /etc/squid/ACL/BANDWIDTH/BANDWIDTH_NOLIMIT_USER.txt
 
 ## LAN IP ACLs
 acl 172SUBNETS src 172.16.0.0/255.255.0.0
 acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
 acl DoNotAuthenticateIP src /etc/squid/ACL/IPADDRESSES/IP_NOAUTH.txt
 
 ## LOCALHOST ACLs
 acl localhost src 127.0.0.1/255.255.255.255
 acl to_localhost dst 127.0.0.0/8
 
 ## QUERY ACLs
 acl QUERY urlpath_regex cgi-bin \?
 acl apache rep_header Server ^Apache
 
 ## SEND DIRECT ACLs
 acl SENDDIRECT_DstDomains dstdomain
 /etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt
 acl SENDDIRECT_Users proxy_auth_regex -i
 /etc/squid/ACL/SENDDIRECT/SENDDIRECT_USERS.txt
 acl SENDDIRECT_IPAddresses src
 /etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt
 
 ## BLACKLISTED (Deny) ACLs
 acl BLACKLIST_DstDomains dstdomain
 /etc/squid/ACL/BLACKLIST/BLACKLIST_DSTDOMAINS.txt
 acl BLACKLIST_Users proxy_auth_regex -i
 /etc/squid/ACL/BLACKLIST/BLACKLIST_USERS.txt
 acl BLACKLIST_IPAddresses src
 /etc/squid/ACL/BLACKLIST/BLACKLIST_IPADDRESSES.txt
 
 ## FILE TYPE ACLs
 acl FILEEXT_EXE urlpath_regex .exe$
 acl FILEEXT_EXE_Users proxy_auth_regex -i
 /etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWUSERS.txt
 acl FILEEXT_EXE_DstDomains dstdomain
 /etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWDSTDOMAINS.txt
 acl FILEEXT_EXE_IPAddresses src
 /etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWIPADDRESSES.txt
 
...
 # CONNECTION METHOD ACL
 acl CONNECT method CONNECT
 acl POST method POST
 
 ##  ACCESS RULES  #
 
 ### GLOBAL BLACKLIST RULES ###
 http_access deny BLACKLIST_Users

The above rule requires login to work. It will challenge.

 http_access deny BLACKLIST_IPAddresses
 http_access deny BLACKLIST_DstDomains
 
 
...
 # USER AGENTS #
 http_access allow iTunes
 http_access allow Java_jvm
 
 # URL DESTINATIONS
...
 ## POST and CONNECT ALLOW ##
 http_access allow POST

Why is POST being allowed unrestricted? I think there might be some
additional restrictions you want to add there. Perhaps the LAN IP range or
something.

 http_access allow CONNECT

I really do recommend deny CONNECT !SSL_ports to prevent malicious or
infected clients abusing things. Malware can do login too.

 
 ## USERS ACL ALLOW ##
 # Emergency Allow All unhash this for instant access to all without
 authentication
 #http_access allow all
 http_access allow DoNotAuthenticateIP
 http_access allow AuthenticatedUsers
 http_reply_access allow AuthenticatedUsers
 
 ## LOCAL HOST ALLOW ##
 http_access allow localhost

...
 ## CATCH ALL DENY ##
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access deny to_localhost

The above are not catch-all. They are basic security foundations/blanket
that need to be checked as early as possible to prevent major causes of
abuse.

 http_access deny 172SUBNETS

The real catch-all is this:
  http_access deny all



Amos


Re: [squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

2009-12-08 Thread kevin band
I've managed to get this working, but I'm not happy because in doing
so I've created a different issue.

My problems all started a few weeks ago when I was trying to tighten
up the rules.
Basically we have two squid proxy servers which are supposed to
contain the same configuration.
I noticed that on one of the servers, there was an extra rule that
wasn't there on the other :-

http_access allow CONNECT SSL_ports

The net effect of this rule was that anyone requesting any URL via
https would be allowed through the squid proxy server regardless of
the settings in my whitelist files.

I've now put this rule back in place and I now can get to the
63.130.82.113 address using https.
The problem is that I can now get to any URL via https, even though I
have rules in place which are supposed to only allow access to the
websites that I have put into my whitelist files.

Is this a bug in the way squid is handling the CONNECT method?

Any suggestions as to how I can tighten things up again but still
allow through the 63.130.82.113 request via https?  As I've said
before the rules work OK for http.


Re: [squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

2009-12-08 Thread Amos Jeffries

kevin band wrote:

I've managed to get this working, but I'm not happy because in doing
so I've created a different issue.

My problems all started a few weeks ago when I was trying to tighten
up the rules.
Basically we have two squid proxy servers which are supposed to
contain the same configuration.
I noticed that on one of the servers, there was an extra rule that
wasn't there on the other :-

http_access allow CONNECT SSL_ports

The net effect of this rule was that anyone requesting any URL via
https would be allowed through the squid proxy server regardless of
the settings in my whitelist files.

I've now put this rule back in place and I now can get to the
63.130.82.113 address using https.
The problem is that I can now get to any URL via https, even though I
have rules in place which are supposed to only allow access to the
websites that I have put into my whitelist files.

Is this a bug in the way squid is handling the CONNECT method?

Any suggestions as to how I can tighten things up again but still
allow through the 63.130.82.113 request via https?  As I've said
before the rules work OK for http.


The IP pattern you had was off:
  .*.63.130.82.113

Redux:

  ** regex assumes all patterns not beginning with ^ have an implicit 
.* prefix.

Therefore:  .*.63.130.82.113   ==  .63.130.82.113

 ** regex '.' means any character.

Therefore:  .63.130.82.113  == 
[a-zA-Z0-9\.]163[a-zA-Z0-9\.]130[a-zA-Z0-9\.]82[a-zA-Z0-9\.]113


 ** you have that pattern seeking IP addresses
Therefore:  .63.130.82.113  ==  [0-9\.]63\.130\.82\.113


IMO you need to write the regex as:   ^63\.130\.82\.113

I'm not sure why the raw-IP got through in regular requests. Possibly 
some other pattern or ACL matched and permitted it.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
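
As an added example (not code from the thread or the Squid project), the two patterns from Amos's post run through Python's `re` with the same unanchored search semantics Squid's regex ACLs use, over constructed host names. It goes one step past the post by also testing the loose pattern against the two subject forms a url_regex ACL sees (the full URL for GET, `host:port` for CONNECT, modelled on Kevin's log); that the difference explains why HTTP and HTTPS behaved differently is an editor's inference, not a claim Amos made.

```python
import re

# The pattern quoted in the thread, and Amos's anchored replacement
# (the trailing '$' is an addition here, so longer strings cannot match).
LOOSE_PATTERN = r".*.63.130.82.113"
STRICT_PATTERN = r"^63\.130\.82\.113$"


def regex_acl_matches(pattern, subject):
    """Squid's regex ACLs are unanchored: the pattern may match anywhere in
    the subject, which is what gives every pattern the implicit .* prefix."""
    return re.search(pattern, subject) is not None


# Constructed host names (not from the thread).
SAMPLE_HOSTS = [
    "63.130.82.113",        # the address the whitelist was meant to admit
    "163.130.82.113",       # a different address entirely
    "x63y130z82w113.test",  # letters where the dots were meant to be
    "63.130.82.1134",       # one digit too many in the last octet
]


def hosts_admitted(pattern):
    """Hosts from SAMPLE_HOSTS that a dstdom_regex-style check would admit.

    The loose pattern needs one arbitrary character *before* '63', so it
    misses the bare address it was written for while admitting unrelated
    hosts that happen to contain the digit groups."""
    return [h for h in SAMPLE_HOSTS if regex_acl_matches(pattern, h)]


def loose_pattern_by_method():
    """Editor's inference (assumption about url_regex subjects): a url_regex
    ACL sees the full URL for GET but only host:port for CONNECT, so the loose
    pattern's leading '.' is satisfied by the '/' in 'http://' and by nothing
    in the CONNECT form. Subjects modelled on the thread's access log."""
    subjects = {
        "GET": "http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp",
        "CONNECT": "63.130.82.113:443",
    }
    return {m: regex_acl_matches(LOOSE_PATTERN, s) for m, s in subjects.items()}
```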


Re: [squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

2009-12-08 Thread kevin band
No, the point is, when the rule :
http_access allow CONNECT SSL_ports
is in the configuration, ALL SSL requests are permitted, regardless of
any other restrictions.  HTTP is restricted correctly.

2009/12/8 Amos Jeffries squ...@treenet.co.nz:
 kevin band wrote:

 I've managed to get this working, but I'm not happy because in doing
 so I've created a different issue.

 My problems all started a few weeks ago when I was trying to tighten
 up the rules.
 Basically we have two squid proxy servers which are supposed to
 contain the same configuration.
 I noticed that on one of the servers, there was an extra rule that
 wasn't there on the other :-

    http_access allow CONNECT SSL_ports

 The net effect of this rule was that anyone requesting any URL via
 https would be allowed through the squid proxy server regardless of
 the settings in my whitelist files.

 I've now put this rule back in place and I now can get to the
 63.130.82.113 address using https.
 The problem is that I can now get to any URL via https, even though I
 have rules in place which are supposed to only allow access to the
 websites that I have put into my whitelist files.

 Is this a bug in the way squid is handling the CONNECT method?

 Any suggestions as to how I can tighten things up again but still
 allow through the 63.130.82.113 request via https?  As I've said
 before the rules work OK for http.

 The IP pattern you had was off:
  .*.63.130.82.113

 Redux:

  ** regex assumes all patterns not beginning with ^ have an implicit .*
 prefix.
 Therefore:  .*.63.130.82.113   ==  .63.130.82.113

  ** regex '.' means any character.

 Therefore:  .63.130.82.113  ==
 [a-zA-Z0-9\.]163[a-zA-Z0-9\.]130[a-zA-Z0-9\.]82[a-zA-Z0-9\.]113

  ** you have that pattern seeking IP addresses
 Therefore:  .63.130.82.113  ==  [0-9\.]63\.130\.82\.113


 IMO you need to write the regex as:   ^63\.130\.82\.113

 I'm not sure why the raw-IP got through in regular requests. Possibly some
 other pattern or ACL matched and permitted it.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
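
The first-match behaviour Kevin describes above (a stray `http_access allow CONNECT SSL_ports` letting every HTTPS CONNECT through while plain HTTP stays restricted) can be reproduced with a small model of how Squid walks its http_access lines. This is an added example written for this page, not Squid code and not something posted in the thread; the whitelist contents, the allowed network prefix and the ACL names `whitelist` and `allowed_nets` are assumptions standing in for the files Kevin's ACLs read.

```python
from dataclasses import dataclass

# Constructed stand-ins for the files Kevin's ACLs read; assumptions, not
# his real whitelist or network list.
WHITELIST_DOMAINS = (".marksandspencer.com", "63.130.82.113")
ALLOWED_NET_PREFIXES = ("158.41.",)   # crude stand-in for a 'src' CIDR ACL
SSL_PORTS = {443, 563, 444}
SAFE_PORTS = {80, 21, 443, 444, 563}


@dataclass(frozen=True)
class Request:
    src: str
    method: str
    host: str
    port: int


def dstdomain(patterns):
    """Squid 'dstdomain': a leading dot matches the domain and all of its
    subdomains; a bare name or IP literal matches exactly."""
    def acl(req):
        host = req.host.lower()
        for p in patterns:
            p = p.lower()
            if p.startswith("."):
                if host == p[1:] or host.endswith(p):
                    return True
            elif host == p:
                return True
        return False
    return acl


ACLS = {
    "CONNECT": lambda r: r.method == "CONNECT",
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "whitelist": dstdomain(WHITELIST_DOMAINS),
    "allowed_nets": lambda r: r.src.startswith(ALLOWED_NET_PREFIXES),
    "all": lambda r: True,
}


def http_access(rules, req):
    """Evaluate http_access lines the way Squid does: the first line whose
    ACLs all match decides; '!' negates an ACL; if no line matches, the
    result is the opposite of the last line's action."""
    for action, *acl_names in rules:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The ordering Kevin wants: safe ports only, CONNECT only to SSL ports, then
# the whitelist restricted to the allowed networks, then deny everything.
BASE = [
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("allow", "whitelist", "allowed_nets"),
    ("deny", "all"),
]
# Same policy with the stray line from the other proxy inserted ahead of the
# whitelist: it matches every CONNECT to an SSL port, so the whitelist below
# it is never consulted for HTTPS.
LEAKY = BASE[:2] + [("allow", "CONNECT", "SSL_ports")] + BASE[2:]


def demo():
    """Constructed requests from an allowed client; returns the verdicts."""
    wanted = Request("158.41.4.44", "CONNECT", "63.130.82.113", 443)
    other = Request("158.41.4.44", "CONNECT", "not-whitelisted.example", 443)
    plain = Request("158.41.4.44", "GET", "not-whitelisted.example", 80)
    return {
        "base/wanted": http_access(BASE, wanted),     # allow
        "base/other": http_access(BASE, other),       # deny
        "leaky/wanted": http_access(LEAKY, wanted),   # allow
        "leaky/other": http_access(LEAKY, other),     # allow: the bypass
        "leaky/plain": http_access(LEAKY, plain),     # deny: HTTP still filtered
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The blanket `allow CONNECT SSL_ports` is not a bug in Squid's CONNECT handling; it is simply the first matching line. The `BASE` ordering reaches the raw-IP request Kevin needs because the whitelist itself (a dstdomain list that includes `63.130.82.113`, as Amos suggests) is the line that allows the CONNECT, so nothing else gets through on port 443.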



Re: [squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

2009-12-07 Thread Amos Jeffries

kevin band wrote:

Hi,

I'm hoping somebody can help me here, because I'm at a loss about what
to do next.

Basically we have squid running as a proxy server to restrict access
to just those sites which we've included in our ACL's
I have noticed recently that it isn't handling HTTPS requests properly
if the URL contains an IP address instead of a domain name.

The reason this is a particular problem is that although the users can
connect to the page using the domain name, something within that
domain is then forwarding requests to the same web-server using its IP
address.
I'm sure I have my ACL's setup correctly because squid will forward
the request using either URL if I send the requests using HTTP.  It
then times out on the web-server because it only allows https, but at
least the request is being forwarded to the web-server rather than
being denied in squid


The remote web server(s) is rejecting the connections. Probably because 
the SSL certificates require a domain name as part of their 
authentication validation.


It's probably a broken client browser or maybe the website itself 
sending funky page URLs with the raw-IP inside. If you care you need to 
find out which and complain to whoever made the broken bits. Squid is 
just an innocent middleman here.




Here's an extract from the logs that might explain it better :-

158.41.4.44 - - [04/Dec/2009:15:56:47 +] GET http://stpaccess.marksandspencer.com/ HTTP/1.1 504 1024 TCP_MISS:NONE
158.41.4.44 - - [04/Dec/2009:15:57:02 +] CONNECT stpaccess.marksandspencer.com:443 HTTP/1.0 200 7783 TCP_MISS:DIRECT
158.41.4.44 - - [04/Dec/2009:16:01:53 +] GET http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1 504 1064 TCP_MISS:NONE
158.41.4.44 - - [04/Dec/2009:16:03:13 +] CONNECT 63.130.82.113:443 HTTP/1.0 403 980 TCP_DENIED:NONE


And config extracts:

acl SSL_ports port 443 563 444
acl Safe_ports port 80 8002 23142 5481 5181 5281 5381 5481 5581 5400 5500   # http
acl Safe_ports port 23142   # OPEL project
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 444 563 # https, snew#s

acl CONNECT method CONNECT

acl regex_ms dstdom_regex   -i /home/security/regex_marksandspencer.txt
acl urlregex_mands url_regex -i /home/security/regex_marksandspencer_ip.txt
acl mands_allowed_nets  src  /home/security/mands_allowed_nets.txt

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow regex_ms  mands_allowed_nets
http_access allow urlregex_mands mands_allowed_nets
http_access deny all

There are actually a lot more ACL's than this, but these are the only
ones I think are relevant

relevant extracts from files linked to ACLs:
  regex_marksandspencer.txt
  .*marksandspencer.*com

  regex_marksandspencer_ip.txt
  .*.63.130.82.113


Thanks for any help.

Kevin,


Kevin, meet dstdomain:

  acl markandspencer dstdomain .marksandspencer.com 63.130.82.113
  http_access allow markandspencer mands_allowed_nets

10x or more faster than regex. Matching marksandspencer.com, all 
sub-domains and the raw-IP address form.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
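
To make Amos's regex points concrete, here is an added example, written for this page and not taken from the thread or from Squid, that runs Kevin's two posted patterns, Amos's anchored alternative and the proposed dstdomain list against constructed hosts and URLs. Python's unanchored `re.search` behaves like Squid's regex ACLs for these patterns. It assumes, as Squid does for url_regex, that the pattern is applied to the whole request URL, which for a CONNECT request is `host:port`; the lookalike hostnames are made up.

```python
import re


def squid_regex(pattern, subject, case_insensitive=True):
    """Squid's *_regex ACLs do an unanchored search: without a leading ^ the
    pattern may start anywhere, and an unescaped '.' matches any character.
    re.search behaves the same way for these patterns."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, subject, flags) is not None


def squid_dstdomain(patterns, host):
    """Squid's dstdomain ACL: '.example.com' matches example.com and every
    subdomain of it; a bare name or IP literal matches exactly."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


# Kevin's patterns as posted, Amos's anchored alternative, and the dstdomain
# list Amos proposed.
DOMAIN_REGEX = r".*marksandspencer.*com"
IP_REGEX = r".*.63.130.82.113"
ANCHORED_IP_REGEX = r"^63\.130\.82\.113"
DSTDOMAIN = (".marksandspencer.com", "63.130.82.113")


def whitelist_checks():
    """Which mechanism admits each constructed host."""
    hosts = ("www.marksandspencer.com",
             "marksandspencer.example.com",   # third-party domain carrying the brand name
             "63.130.82.113")
    return {h: {"dstdom_regex": squid_regex(DOMAIN_REGEX, h),
                "dstdomain": squid_dstdomain(DSTDOMAIN, h)}
            for h in hosts}


def ip_regex_checks():
    """url_regex sees the whole request URL. A GET URL starts with 'http://',
    so the leading '.' in Kevin's pattern is satisfied by the '/' before the
    address; for CONNECT the URL is just 'host:port' (assumption about Squid
    stated in the lead-in), nothing precedes the '63', and the posted
    pattern does not match at all."""
    urls = {"GET": "http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp",
            "CONNECT": "63.130.82.113:443",
            "lookalike": "http://x63y130z82w113.example.net/"}   # constructed
    return {name: {"posted": squid_regex(IP_REGEX, u),
                   "anchored": squid_regex(ANCHORED_IP_REGEX, u)}
            for name, u in urls.items()}


if __name__ == "__main__":
    for host, verdicts in whitelist_checks().items():
        print(f"{host:36} {verdicts}")
    for name, verdicts in ip_regex_checks().items():
        print(f"{name:36} {verdicts}")
```

Two things fall out of the tables. `.*marksandspencer.*com` is a whitelist bypass: any third-party host that contains the brand name and later the letters "com" is admitted, while the dstdomain list only admits the real domain, its subdomains and the literal IP. And the CONNECT row is consistent with Kevin's log (GET to the raw IP forwarded, CONNECT to it denied): the unescaped leading `.` needs some character before `63`, which the `//` of a full URL supplies and a bare `host:port` does not.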


Re: [squid-users] TCP_DENIED on youtube

2009-04-16 Thread Stefan Jensen
Hi,...

Am Montag, den 13.04.2009, 17:50 +0300 schrieb Mehmet ÇELiK:

 you have specified .com$ in Squid. You must use mimetype instead  of 
 urlregex_path.

Thanks. I've now switched to mimetype blocking and it seems to work
really great. Much more suitable for me, instead of blocking whole
sites.

I'm now faced with a little problem on windows update of course,
because now i block ^application/octet-stream$.

What is the best way to exclude download.windowsupdate.com and
update.microsoft.com from my acl?

Can I simply set up an acl for these hostnames _before_ my mimetype
acl? Will this work, or is there a smarter way for this?

Thank you

best regards

Stefan
--
sorry for my bad english ;-)

 



Re: [squid-users] TCP_DENIED on youtube

2009-04-16 Thread Chris Robertson

Stefan Jensen wrote:

Hi,...

Am Montag, den 13.04.2009, 17:50 +0300 schrieb Mehmet ÇELiK:

  
you have specified .com$ in Squid. You must use mimetype instead  of 
urlregex_path.



Thanks. I've now switched to mimetype blocking and it seems to work
really great. Much more suitable for me, instead of blocking whole
sites.

I'm now faced with a little problem on windows update of course,
because now i block ^application/octet-stream$.

What is the best way to exclude download.windowsupdate.com and
update.microsoft.com from my acl?
  


acl microsoft dstdomain .microsoft.com .windowsupdate.com
http_access deny !microsoft blockfiles


Can I simply set up an acl for these hostnames _before_ my mimetype
acl? Will this work, or is there a smarter way for this?

Thank you

best regards

Stefan
--
sorry for my bad english ;-)
  


Chris



Re: [squid-users] TCP_DENIED on youtube

2009-04-16 Thread Stefan Jensen
Am Donnerstag, den 16.04.2009, 12:52 -0800 schrieb Chris Robertson:

 acl microsoft dstdomain .microsoft.com .windowsupdate.com
 http_access deny !microsoft blockfiles

That was easy! :-) Thank you very much.

best regards

Stefan
--



Re: [squid-users] TCP_DENIED on youtube

2009-04-16 Thread Amos Jeffries

Stefan Jensen wrote:

Am Donnerstag, den 16.04.2009, 12:52 -0800 schrieb Chris Robertson:


acl microsoft dstdomain .microsoft.com .windowsupdate.com
http_access deny !microsoft blockfiles


That was easy! :-) Thank you very much.



The full currently known list of WU sites is listed at:
  http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

(if you know of others, please let us know, or amend the wiki, 
remembering the list is as specific as possible)



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] TCP_DENIED on youtube

2009-04-13 Thread Mehmet ÇELiK

Hi..

You should turn off strip_query_terms in squid.conf. Thus, the full URL 
is logged and you can see the details.


Additionally, you can get an error for 
http://googleads.g.doubleclick.net/pagead/ads?referer=example.com because 
you have specified .com$ in Squid. You must use mimetype instead of 
urlregex_path.


Regards.





Re: [squid-users] TCP_DENIED on youtube

2009-04-11 Thread Amos Jeffries

Stefan Jensen wrote:

Hi,...

i got some TCP_DENIED on youtube.com:

 TCP_DENIED/403 3446 GET http://googleads.g.doubleclick.net/pagead/ads? - NONE/- text/html

It is an embedded ad page on youtube in the upper right. (e.g:
http://www.youtube.com/browse)

I have this in my squid.conf:

 acl blockfiles urlpath_regex -i /etc/squid/blockfiles.acl
 http_access deny blockfiles

$ cat /etc/squid/blockfiles.acl

.com$
.exe$
.vb$
.vbs$
.vbe$
.cmd$
.bat$
.ws$
.wsf$
.scr$
.shs$
.pif$
.hta$
.jar$
.jse$
.lnk$
.rar$
.zip$
.tar$
.tar.gz$
.gz$
.tgz$
.Z$
.torrent$

Why is squid blocking this? I've no idea. Please can anyone give me a
hint? When i comment out the acl blockfiles lines, it worked, so i
think no other rule or redirector is involved:

 TCP_MISS/200 2052 GET http://googleads.g.doubleclick.net/pagead/ads? - DIRECT/74.125.77.157 text/html

I'm using squid-3.0.STABLE13-1.fc10.x86_64

best regards

Stefan


Because there is a part of the URL-path following the ? which is 
included in the match.


In this case I believe its probably the advert site including the domain 
name as its last query-string option:  ... /ads?referer=example.com


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6
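
Amos's explanation above (the query string is part of what urlpath_regex matches, so `.com$` catches `/pagead/ads?referer=example.com`) as an added example, not from the thread or from Squid: it runs Stefan's style of pattern and an anchored, escaped alternative over constructed URL paths. The helper `build_blockfiles_pattern` and the sample paths are assumptions made for this example.

```python
import re


def urlpath_regex(pattern, urlpath, case_insensitive=True):
    """Squid's urlpath_regex does an unanchored search over the URL path
    *including the query string*; Stefan's -i makes it case-insensitive."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, urlpath, flags) is not None


def build_blockfiles_pattern(extensions):
    """One anchored pattern for a list of extensions: the match must end the
    path proper (no '?' anywhere before it), the dot is literal, and each
    extension is escaped, so 'tar.gz' cannot match 'tarXgz'."""
    alts = "|".join(re.escape(ext.lstrip(".")) for ext in extensions)
    return rf"^[^?]*\.({alts})$"


EXTENSIONS = ["com", "exe", "zip", "tar.gz"]
POSTED_PATTERNS = [rf".{ext}$" for ext in EXTENSIONS]   # Stefan's style: bare dot

# Constructed URL paths; the first is shaped like the doubleclick request
# in the thread, the rest are made up.
SAMPLE_PATHS = {
    "ad": "/pagead/ads?referer=example.com",
    "download": "/files/setup.exe",
    "archive": "/dist/squid.tar.gz",
    "no_dot": "/static/fallback_xcom",
    "ext_in_query": "/dl?file=tool.exe",
}


def evaluate():
    """Verdict of the posted list versus the anchored pattern per sample."""
    fixed = build_blockfiles_pattern(EXTENSIONS)
    return {name: {"posted": any(urlpath_regex(p, path) for p in POSTED_PATTERNS),
                   "fixed": urlpath_regex(fixed, path)}
            for name, path in SAMPLE_PATHS.items()}


if __name__ == "__main__":
    print(build_blockfiles_pattern(EXTENSIONS))
    for name, verdicts in evaluate().items():
        print(f"{name:14} {verdicts}")
```

The anchored pattern removes the false positive on the ad URL and on paths that merely end in the letters "com", but it also stops matching `/dl?file=tool.exe`, whose path is just `/dl`. A URL-path filter can only ever see what the client puts in the URL, which is why checking the reply's Content-Type, the mimetype approach Mehmet suggested and Stefan adopted, is the sturdier control for blocking downloads.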


Re: [squid-users] tcp_denied

2008-04-23 Thread Amos Jeffries

Jigar Raval wrote:

Hello,

We have observed that on our system there is a link to
dss1.siteadvisor.com generating background requests and
hence we were getting errors in the access.log file.
The error was TCP_DENIED/400 error:invalid request.
Our proxy server is configured with authentication.

When we enable transparent setting in http_port, the
log was showing lots of request going to
http://dss1.siteadvisor.com:3128/DSS/Ping? etc.. When
we disable transparent it was showing error as
mentioned above. 


I could not find out why squid generates such error.
We stopped siteadvisor service on system and
everything is fine. 


Any idea why squid generates such an error? How to
overcome this?


HTTP messages through a proxy are slightly different from raw HTTP.

You are sending transparently intercepted raw HTTP traffic at squid.
Squid needs the 'http_port ... transparent' setting in order to 
understand and handle the URI formats of raw HTTP.


You can either stop intercepting the packets, or configure squid 
properly to handle them.


SiteAdvisor is a good and useful service providing security for many 
people. I'd advise you to configure your squid properly rather than 
turning it off.


Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4


Re: [squid-users] tcp_denied

2008-04-20 Thread Henrik Nordstrom

tor 2008-04-17 klockan 04:59 -0700 skrev Jigar Raval:
 Hello,
 
 Squid log flooded with TCP_DENIED/400 1521 GET
 error:invalid-request. Around 20 lakh entries in the file.
 What could be the problem? Can I eliminate these entries
 so they are not logged in the access_log file?

There probably is more details on the breakage in cache.log, so start by
looking there for any hints on what is going on.

Regards
Henrik



Re: [squid-users] tcp_denied

2008-04-17 Thread Amos Jeffries

Jigar Raval wrote:

Hello,

Squid log flooded with TCP_DENIED/400 1521 GET
error:invalid-request. Around 20 lakh entries in the file.
What could be the problem? Can I eliminate these entries
so they are not logged in the access_log file?


Better to fix the breakage.

That error usually comes up when squid is listening on a port it's not 
configured properly for, i.e. listening on port 80 without the accelerator 
settings, or having traffic forwarded to it without the transparent 
settings.


Have a look in cache.log to see whats being requested.


Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
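
Amos's point that intercepted raw HTTP differs from HTTP sent to a proxy, shown as an added example (written for this page, not Squid's parser and not something from the thread): a minimal request-line parser that accepts the absolute-form URL a proxy-configured browser sends, rejects the origin-form `GET /path` an intercepted client sends unless the port is in intercept mode, and in that mode rebuilds the URL from the Host header, appending the listening port when Host carries none, which is what the `:3128` in Jigar's log suggests. The sample requests are constructed, and the exact reconstruction rule is an assumption about the Squid version involved.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
AUTHORITY_FORM = re.compile(r"^[^/:\s]+:\d+$")


class InvalidRequest(Exception):
    """Stands in for Squid's ERR_INVALID_REQ (logged as TCP_DENIED/400)."""


def parse_request(raw: bytes, listen_port: int, intercept: bool):
    """Return (method, url) for a request as a proxy port would see it.

    - absolute-form target (GET http://host/path): what a browser that is
      configured for the proxy sends; accepted on any port.
    - authority-form (CONNECT host:port): accepted on any port.
    - origin-form (GET /path plus Host header): what a client that does not
      know about the proxy sends, i.e. intercepted traffic; only valid when
      the port is in intercept mode, where the URL is rebuilt from Host.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise InvalidRequest("malformed request line")
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        if not AUTHORITY_FORM.match(target):
            raise InvalidRequest("CONNECT target must be host:port")
        return method, target
    if ABSOLUTE_FORM.match(target):
        return method, target
    if target.startswith("/"):
        if not intercept:
            raise InvalidRequest("origin-form target on a forward-proxy port")
        host = headers.get("host")
        if not host:
            raise InvalidRequest("intercepted request without Host header")
        if ":" not in host:
            # Assumption: the listening port is appended, as the log suggests.
            host = f"{host}:{listen_port}"
        return method, f"http://{host}{target}"
    raise InvalidRequest("unrecognised request target")


def classify(raw: bytes, intercept: bool, listen_port: int = 3128) -> str:
    """Return the URL the proxy would log, or a 400 marker like access.log's."""
    try:
        return parse_request(raw, listen_port, intercept)[1]
    except InvalidRequest as exc:
        return f"400 error:invalid-request ({exc})"


# Constructed requests modelled on the log lines in the thread.
FORWARD = (b"GET http://dss1.siteadvisor.com/DSS/Ping?x=1 HTTP/1.1\r\n"
           b"Host: dss1.siteadvisor.com\r\n\r\n")
INTERCEPTED = (b"GET /DSS/Ping?x=1 HTTP/1.1\r\n"
               b"Host: dss1.siteadvisor.com\r\n\r\n")
CONNECT_REQ = b"CONNECT dss1.siteadvisor.com:443 HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    print("forward, plain port   :", classify(FORWARD, intercept=False))
    print("intercepted, plain    :", classify(INTERCEPTED, intercept=False))
    print("intercepted, intercept:", classify(INTERCEPTED, intercept=True))
```

The same client traffic therefore produces either `error:invalid-request` or a logged URL depending only on how the receiving `http_port` is declared, which is why the fix is on the proxy side (stop intercepting, or mark the port `transparent`) rather than in the client software generating the requests.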


Re: [squid-users] TCP_DENIED/400 error:invalid-request

2008-03-10 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:
I have squid 2.6stable18 on a debian sarge box in non-transparent mode. I also 
have apache web server setup on this box and it works fine - when the browser is 
pre-configured for the proxy.


I have some people come in and use their laptops from time to time so I need a 
way to automatically direct them to the proxy server. I've read about wpad.dat 
and proxy.pac and tried setting that up but I always get the TCP_DENIED/400 
error:invalid-request in the access.log.


When I pre-configure the browser for the proxy, the wpad.dat page shows me the 
javascript which from what I've read is what it's supposed to do when I put the 
URL in the address bar: http://192.168.1.1/wpad.dat.


When I configure the browser to use a automatic configuration script with that 
URL, I get the TCP_DENIED/400 errors again.


I must be missing something, but I've read everything I could find. Is it an acl 
that I'm missing?


Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.



Can someone please help me out?

Thank you in advance.

Here is my squid.conf:

memory_pools off
httpd_suppress_version_string on
cache_effective_user squid
cache_effective_group squid


Better leave the group voodoo to the kernel. Set up the user/group on the 
OS properly and it's not needed in squid.conf. effective_user is okay if 
it's not built properly by the package maintainer (But it should be!).



http_port 3128

cache_access_log /usr/local/squid/var/logs/access.log


Thats now:  access_log ...


cache_log /usr/local/squid/var/logs/cache.log
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs on
useragent_log /usr/local/squid/var/logs/useragent.log

url_rewrite_program /usr/local/squid/bin/ufdbgclient -l /usr/local/squid/var/logs

url_rewrite_children 16

#ACL's
acl all src 0/0


Make this:  acl all src all


no_cache deny all


Make this:  cache deny all
(or if you want things cached and bandwidth savings, remove it)


acl internal_net src 192.168.1.0/24

acl ok_downloads dstdomain /var/domains.txt

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access allow internal_net


None of the other http_access will ever match after that line!


http_access allow ok_downloads internal_net !

http_reply_access allow internal_net ok_downloads


Why do this restrictive allow when the next line is a duplicate but more 
friendly one?
Better to just allow all replies. Remember Error pages and Access Denied 
etc are replies!



http_reply_access allow internal_net


And ok. Good finish.


http_access deny all


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] TCP_DENIED/400 error:invalid-request

2008-03-10 Thread ffredrixson
Amos,

While I appreciate the input on my config file, do you see anything that would 
cause it to give me these errors?

Here is my wpad.dat:

function FindProxyForURL(url, host) {
  return "PROXY 192.168.1.1:3128";
}

Here is what I see in the logs:

1205192406.411  0 192.168.1.99 TCP_DENIED/400 1683 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1370\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
1205192406.415  0 192.168.1.99 TCP_DENIED/400 1811 GET error:invalid-request - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid\r\nDate: Mon, 10 Mar 2008 23:40:06 GMT\r\nContent-Type: text/html\r\nContent-Length: 1498\r\nExpires: Mon, 10 Mar 2008 23:40:06 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]




Re: [squid-users] TCP_DENIED/400 error:invalid-request

2008-03-10 Thread Amos Jeffries
 Amos,

 While I appreciate the input on my config file, do you see anything that
 would cause it to give me these errors?

 Here is my wpad.dat:

 function FindProxyForURL(url, host) {
   return "PROXY 192.168.1.1:3128";
 }

Okay. That makes it a problem with the request the browser is sending.

What are you typing into the address bar to get the error?
Which browser?

Amos








Re: [squid-users] TCP_DENIED/400 error:invalid-request

2008-03-10 Thread ffredrixson
http://192.168.1.1/wpad.dat

IE6



Re: [squid-users] TCP_DENIED/400 error:invalid-request

2008-03-10 Thread Amos Jeffries
So let me get this straight:

 * Squid  listens on 192.168.1.1:3128
 * Apache listens on 192.168.1.1:80
 * When IE is _configured_ for startup to load http://192.168.1.1/wpad.dat
 * When IE fetches a URI (any URI?!) it sends a request squid can't handle.

Next thing to check is that HTTP/1.1 is disabled in IE6 configuration.

If that fails too, we are stuck looking at cache.log at a
tcpdump/wireshark trace of the request to see WTF its doing.

Amos










RE: [squid-users] TCP_DENIED for www2 address

2008-02-27 Thread Rebecca Pakish Crum
 Rebecca Pakish Crum wrote:
  Hi all - I'm running an older version of squid (squid/2.5.STABLE10) on
  a Fedora Core box. Usually I have no problems, but one of my end-users
  is clicking on a link on a county website that takes them (or tries to
  take them) to www2.madisoncountyindiana.org:450/..
  
  I'm getting TCP_DENIED:NONE in my access.log
  I tried adding
  acl madison dst www2.madisoncountyindiana.org
  
  I also tried adding
  acl madisoncounty dstdomain www2.madisoncountyindiana.org
  always_direct allow madisoncounty
  
  I didn't install or configure this squid, and the person who did is no
  longer with us. I'm a newbie at best. Any ideas...
 
 It's usually the non-standard port at fault when this happens.
 
 Check that the list of Safe_Ports contains 450
 
 Amos

Thank you, thank you, thank you. This was absolutely the answer.

 
 


Re: [squid-users] TCP_DENIED for www2 address

2008-02-26 Thread Amos Jeffries

Rebecca Pakish Crum wrote:

Hi all - I'm running an older version of squid (squid/2.5.STABLE10) on a
Fedora Core box. Usually I have no problems, but one of my end-users is
clicking on a link on a county website that takes them (or tries to take
them) to www2.madisoncountyindiana.org:450/..

I'm getting TCP_DENIED:NONE in my access.log
I tried adding
acl madison dst www2.madisoncountyindiana.org

I also tried adding
acl madisoncounty dstdomain www2.madisoncountyindiana.org always_direct
allow madisoncounty

I didn't install or configure this squid, and the person who did is no
longer with us. I'm newbie at best. Any ideas...


It's usually the non-standard port at fault when this happens.

Check that the list of Safe_Ports contains 450


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] tcp_denied error on java applet

2007-05-04 Thread Chris Robertson

Kyle Wa wrote:

Hey guys, having trouble figuring this one out. I have a client trying to
run this java applet, but when we installed our transparent proxy last week
it stopped working. We have no ACLs running against this specific client;
the proxy is strictly for caching purposes

The java app runs against port 80 so it should be working.

Here is the error  I get in the log
10.19.110.91 TCP_DENIED/400 1564 NONE error:unsupported-request-method -
NONE/- text/html

Can anyone provide some help please



Check your cache.log.. You should see which request method this applet 
is trying to use.  Then you can add it with the extension_methods 
directive in your squid.conf


Chris



RE: [squid-users] tcp_denied error on java applet

2007-05-04 Thread Kyle Wa
Ok got that, added the directive, now I get this error

10.19.110.91 TCP_DENIED/400 1226 ticker 6 24491597,307616,758185,kylewa 63 -
NONE/- text/html


-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 04, 2007 2:40 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] tcp_denied error on java applet

Kyle Wa wrote:
 Hey guys, having trouble figuring this one out. I have a client trying to
 run this java applet, but when we installed our transparent proxy last
week
 it stopped working. We have no ACLs running against this specific client;
 the proxy is strictly for caching purposes

 The java app runs against port 80 so it should be working.

 Here is the error  I get in the log
 10.19.110.91 TCP_DENIED/400 1564 NONE error:unsupported-request-method -
 NONE/- text/html

 Can anyone provide some help please



Check your cache.log.. You should see which request method this applet 
is trying to use.  Then you can add it with the extension_methods 
directive in your squid.conf

Chris




Re: [squid-users] tcp_denied error on java applet

2007-05-04 Thread Chris Robertson

Kyle Wa wrote:

Ok got that, added the directive, now I get this error

10.19.110.91 TCP_DENIED/400 1226 ticker 6 24491597,307616,758185,kylewa 63 -
NONE/- text/html


Well, a 400 error is Bad Request 
(http://wiki.squid-cache.org/SquidFaq/SquidLogs#head-e0d4421694c8f3dbfbabeb029330bd478ae849b3), 
so I would have to guess that this applet is not speaking HTTP.  But 
that is just a guess.  Without knowing how your log format is set up, I 
have no idea what else that entry indicates.


Chris


Re: [squid-users] TCP_DENIED/407

2006-03-15 Thread Mark Elsen
 Hi all,

 We are running squid 2.5 stable 5 on a redhat 9 (2.4 kernel) with
 ncsa_auth. Every so often our users complain that they are not able to
 authenticate through the proxy. When I check the username and password,
 ncsa_auth says all is OK (but from the browser I get access denied). If I
 do a squid -k reconfig, the usernames work fine (without recapturing
 or changing password). Below is a portion of the access.log file before
 I restart squid.

 1142428454.928 20 146.141.x.x TCP_DENIED/407 1705 GET
 http://www.cnn.com/ user.name NONE/- text/html
 1142428459.133 76 146.141.x.x TCP_DENIED/407 1738 GET
 http://www.cnn.com/favicon.ico user.name NONE/- text/html
 1142428459.201 51 146.141.x.x TCP_DENIED/407 1738 GET
 http://www.cnn.com/favicon.ico user.name NONE/- text/html


 - Please upgrade to the latest STABLE release; verify whether this
issue still haunts you.

  M.


Re: [squid-users] TCP_DENIED/411

2005-05-26 Thread Henrik Nordstrom

On Wed, 11 May 2005, Siew Wing Loon wrote:


And, there is an error in squid access.log file as
below.  What does this mean?

TCP_DENIED/411 1665 GET
http://www.domain.com/control/trading.dll? -


This is a bad request not complying fully with the HTTP specifications. To 
be specific the GET requests contains a request-body which is undefined 
for GET requests.


You can enable support for this kind of odd requests with the 
request_entities directive in squid.conf.


Regards
Henrik


RE: [squid-users] TCP_DENIED/407

2005-05-26 Thread Ken.Thomson
-Original Message-
From: Ronald Warner [mailto:[EMAIL PROTECTED] 
Sent: Friday, 27 May 2005 12:55
To: squid-users@squid-cache.org
Subject: [squid-users] TCP_DENIED/407

Good day.
We have recently started using squid2.5stable9 with NTLM
authentication.  Authentication works fine.  However, there are times
when access to Internet websites seems slow.  I reviewed the access.log
and found the entries below:
1117161853.042  3 10.2.141.234  TCP_DENIED/407 1741 GET
http://gmail.google.com/gmail? NONE/- text/html
1117161853.081 12 10.2.141.234  TCP_DENIED/407 1768 GET
http://gmail.google.com/gmail? NONE/- text/html
For example, I logged into my gmail account and there are times when
gmail would display loading when I open new messages but nothing
happens.  This is when I'll see the above entries in the access.log.
Does squid try to reauthenticate again?  Is there any way of preventing
this?
Thanks much.
-End Original Message-

The TCP_DENIED/407 entries in your access log are normal.  This is just
how NTLM authentication works.  We find that TCP_DENIED/407 entries take
up approximately 25% of the total number of entries in our access log.

Regards,
Ken.



Re: [squid-users] TCP_DENIED/403 1402 GET

2004-05-24 Thread jorn
On May 24, 2004, at 1:15 PM, Jose Nathaniel Nengasca wrote:
 And by the way, 192.168.0.0/255.255.0.0 is correct? Are you using
 class B on 192.168 instead of using class C?
I'm using more than one /24 in 192.168, so I just mask it off at /16. :)




Re: [squid-users] TCP_DENIED/403 1402 GET

2004-05-23 Thread Christoph Haas
On Sun, May 23, 2004 at 03:35:13PM -0500, jorn wrote:
 Hello,
 
 I searched the archives, edited my ACLs, but I can't figure this one 
 out. A Version 2.5.STABLE5 that seemed to be working fine is now 
 rejecting users with an access denied message. My access log has 
 entries like the following:
 
 
   1085339278.198  2 192.168.253.14 TCP_DENIED/403 1352 GET 
 http://slashdot.org/ - NONE/- text/html
   1085340459.256  2 192.168.253.14 TCP_DENIED/403 1356 GET 
 http://macintouch.com/ - NONE/- text/html
 
 
 My squid box is sitting in a DMZ behind the firewall, so I'd like to 
 just run pretty lax security on it.  The conf file, which I'm trying to 
 keep simple, has the following ACLs:
 
   acl all src 0.0.0.0/255.255.255.255
   http_access allow src 192.168.0.0/255.255.0.0
   http_access allow all   # Added out of frustration
   http_access deny all
 
 Thoughts?

Try this:
debug_options ALL,1 33,2

and watch your cache.log to see which ACL blocks you.

 Christoph

-- 
~
~
.signature [Modified] 3 lines --100%--3,41 All


Re: [squid-users] TCP_DENIED/403 1402 GET

2004-05-23 Thread jorn
On May 23, 2004, at 3:57 PM, Christoph Haas wrote:
Try this:
debug_options ALL,1 33,2
and watch your cache.log to see which ACL blocks you.
 Christoph
--
My cache.log seemed to show no more interesting data than before, which 
is essentially startup data and nothing else. Even when I set :

debug_options ALL,7
I seem to get no more data. Odd.




Re: [squid-users] TCP_DENIED/403 1402 GET

2004-05-23 Thread Christoph Haas
On Sun, May 23, 2004 at 04:32:23PM -0500, jorn wrote:
 On May 23, 2004, at 3:57 PM, Christoph Haas wrote:
 Try this:
 debug_options ALL,1 33,2
 
 and watch your cache.log to see which ACL blocks you.
 
  Christoph
 
 My cache.log seemed to show no more interesting data than before, which 
 is essentially startup data and nothing else. Even when I set :
 
   debug_options ALL,7
 
 I seem to get no more data. Odd.

May I assume you have restarted squid?

 Christoph



Re: [squid-users] TCP_DENIED/403 1402 GET

2004-05-23 Thread jorn
On May 23, 2004, at 4:49 PM, Christoph Haas wrote:
May I assume you have restarted squid?
 Christoph
A fair question.  :)  The answer is yes, several times. I even started 
it and kept it from running in the background:

squid -N -d 9
Nothing useful came up on my console; nothing. I'm a bit confused. :-/




Re: [squid-users] TCP_DENIED/403 1402 GET

2004-05-23 Thread Jose Nathaniel Nengasca
It seems that your netmask ACL on ALL is a bit messy, try not to use
255.255.255.255, use 0.0.0.0 instead...


 Hello,

 I searched the archives, edited my ACLs, but I can't figure this one
 out. A Version 2.5.STABLE5 that seemed to be working fine is now
 rejecting users with an access denied message. My access log has
 entries like the following:


 1085339278.198  2 192.168.253.14 TCP_DENIED/403 1352 GET
 http://slashdot.org/ - NONE/- text/html
 1085340459.256  2 192.168.253.14 TCP_DENIED/403 1356 GET
 http://macintouch.com/ - NONE/- text/html


 My squid box is sitting in a DMZ behind the firewall, so I'd like to
 just run pretty lax security on it.  The conf file, which I'm trying to
 keep simple, has the following ACLs:

 acl all src 0.0.0.0/255.255.255.255
 http_access allow src 192.168.0.0/255.255.0.0
 http_access allow all # Added out of frustration
 http_access deny all

 Thoughts?
 --jorn




Re: [squid-users] TCP_DENIED when auth to AD works

2004-01-08 Thread Henrik Nordstrom
On Wed, 7 Jan 2004, anders wrote:

 http://www.google.se/search? - NONE/- text/html
 1073512973.676  7 citrix13.jll.se TCP_DENIED/407 1902 GET
 http://www.google.se/search? - NONE/- text/html
 1073512975.155   1479 citrix13.jll.se TCP_MISS/200 6785 GET
 http://www.google.se/search? jll\adminanla DIRECT/216.239.59.104 text/html

This is due to how NTLM over HTTP works.

http://devel.squid-cache.org/ntlm/client_proxy_protocol.html

Regards
Henrik



Re: [squid-users] TCP_Denied

2003-09-13 Thread Henrik Nordstrom
On Fri, 12 Sep 2003, Raymond Norton wrote:

 1063418371.130 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 -
 NONE/- -

This is Squid asking your client program (browser etc) to authenticate.

Regards
Henrik



Re: [squid-users] TCP_Denied

2003-09-13 Thread Henrik Nordstrom
On Sat, 13 Sep 2003, Adam Aube wrote:

  acl Safe_ports port 800 # Squids port (for icons)
 
 You don't need this line - Squid won't make an HTTP request to the port it is 
 listening on.

But the clients do for icons in FTP listings etc...

Regards
Henrik



Re: [squid-users] TCP_Denied

2003-09-13 Thread Raymond Norton

  1063418371.130 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT
map.nwea.org:443 -
  NONE/- -

 This is Squid asking your client program (browser etc) to authenticate.

 Regards
 Henrik


That is what it seems, but I have no way of passing authentication to the
program. This site uses the link https://map.nwea.org/taa.hta . When I
launch the link I get a download box, where I select open in current
location. A program launches specific to this site. At this point I have
authenticated twice to squid. I can move around the site just fine, but
there is a link for uploading records to their file server. It looks like it
will work, but then I get the above error, and the following error in the
browser: Error sending request: HTTP 407 returned, etc... Is there a way to
make an exception for this site in squid? I really need to fix this, ASAP.

Thanks in advance




Re: [squid-users] TCP_Denied

2003-09-13 Thread Adam Aube
 That is what it seems, but I have no way of passing authentication to the
 program.

So you're not using a browser - you're using a brain dead program that doesn't 
understand proxy authentication. Two things you need to do:

1) Complain vigorously to the site in question - tell them their program 
doesn't understand proxy authentication and needs to be fixed.

2) Create a dst or dstdomain acl with the IP address/domain of this site, and 
allow this acl in http_access before you require authentication.

This will give you a workaround until they fix their broken program.

Adam


Re: [squid-users] TCP_Denied

2003-09-13 Thread Henrik Nordstrom
On Sat, 13 Sep 2003, Raymond Norton wrote:

 That is what it seems, but I have no way of passing authentication to the
 program. This site uses the link https://map.nwea.org/taa.hta

Then you may need to make an exception allowing this program access 
without requiring authentication, or speak to the author of this program 
to add support for authentication.

 browser Error sending request: HTTP 407 returned, etc... Is there a way to
 make an exception for this site in squid? I really need to fix this, ASAP.

Probably. If the program only accesses a specific site then an exception 
can easily be done allowing access to this site without authentication

acl special_site dstdomain ...
http_access allow special_site

before where you require authentication in your http_access rules.


If the program navigates different sites which can not be easily 
defined then you may need to identify the program as such. Enable 
log_mime_hdrs and then pay attention to the User-Agent header when using 
the program. If there is something which uniquely identifies the 
application then you can use the browser acl type in the same manner as 
dstdomain is used above to create an exception based on the application.

Regards
Henrik



Re: [squid-users] TCP_Denied

2003-09-13 Thread Raymond Norton

Thank you everyone!

I finally got it to work.





Re: [squid-users] TCP_Denied

2003-09-12 Thread Adam Aube
 I am trying to connect to a secure site, but keep getting the following
 error. Being a novice with squid I am not sure what to change. Can anyone
 help me with this?

You didn't send your complete squid.conf (or at least I hope you didn't) - 
there's quite a bit missing.

Post your entire squid.conf, and then maybe we can help you.

Adam


Re: [squid-users] TCP_Denied

2003-09-12 Thread Raymond Norton
This is in an IPCop box. Very simple config. Here is the whole thing.

shutdown_lifetime 5 seconds

icp_port 0

http_port 172.21.0.1:800

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_effective_user squid

cache_effective_group squid

pid_filename /var/run/squid.pid

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_store_log /var/log/squid/store.log

log_mime_hdrs off

forwarded_for off

authenticate_program /usr/lib/squid/ncsa_auth /home/.htpasswd

acl password proxy_auth REQUIRED

acl local-servers dstdomain bbe.k12.mn.us map.nwea.org nwea.org

acl all src 0.0.0.0/0.0.0.0

acl localhost src 127.0.0.1/255.255.255.255

acl localnet src 172.21.0.0/255.255.0.0

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl Safe_ports port 800 # Squids port (for icons)

acl Safe_ports port 1433 # skyward

acl Safe_ports port 16125 # skyward

acl Safe_ports port 26125 # skyward

acl Safe_ports port 16126 # ns1

acl Safe_ports port 36125 # extra

acl Safe_ports port 46125 # fintrain

acl Safe_ports port 56125 # stutrain

acl Safe_ports port 81 # ipcop

# acl CONNECT method CONNECT

# http_access allow localhost

http_access allow !Safe_ports

# http_access allow CONNECT !SSL_ports

# http_access allow localnet

http_access allow password

always_direct allow local-servers

http_access deny all

maximum_object_size 4096 KB

minimum_object_size 0 KB

cache_mem 2000 KB

cache_dir ufs /var/log/cache 50 16 256

request_body_max_size 0 KB

reply_body_max_size 0 KB





- Original Message - 
From: Adam Aube [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 12, 2003 10:28 PM
Subject: Re: [squid-users] TCP_Denied


  I am trying to connect to a secure site, but keep getting the following
  error. Being a novice with squid I am not sure what to change. Can
anyone
  help me with this?

 You didn't send your complete squid.conf (or at least I hope you didn't) -
 there's quite a bit missing.

 Post your entire squid.conf, and then maybe we can help you.

 Adam





Re: [squid-users] TCP_Denied

2003-09-12 Thread Adam Aube
 This is in an IPCop box. Very simple config. Here is the whole thing.

Okay - let's fix some issues. May/may not fix your current problem, but it 
will make the config file more sane and possibly head off problems down the 
road.

 http_access allow !Safe_ports
 # http_access allow CONNECT !SSL_ports

Make these two lines:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

This will keep your Squid box from being exploited to do all sorts of nasty 
things (including spamming).

 acl Safe_ports port 800 # Squids port (for icons)

You don't need this line - Squid won't make an HTTP request to the port it is 
listening on.

Beyond that, I don't see anything wrong with your config. Is Squid prompting 
for a username and password as it should? Are you trying to run a transparent 
proxy (the browser doesn't know the Squid box is there)? Can Squid connect to 
port 443 on remote servers?

Adam
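The three threads above share one mechanism: Squid stops at the first http_access line whose ACLs all match, so line order decides the outcome. Amos's remark that nothing after `http_access allow internal_net` can ever match, Rebecca's port-450 denial, and Adam's change from `allow !Safe_ports` to `deny !Safe_ports` are all consequences of that rule. The Python simulator below is an added example, not Squid code and not posted by anyone on the list. It re-implements only the ACL types these threads use (src, dstdomain, port, method, proxy_auth and the built-in `all`) and runs on shortened, constructed versions of the posted configurations; the `/var/domains.txt` list is replaced by an inline `.example.com` entry, and the `www.example.com`, `mail.example.net` and `intranet.example.net` names are assumptions.

```python
"""First-match simulator for Squid http_access rules.

Added example: not Squid code and not from any message on this list.  Only
the ACL types used in the threads are implemented; real Squid has many
more, and its proxy_auth handling (the 407 challenge) is richer than this.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    src: str                    # client IP address
    host: str                   # destination host name
    port: int                   # destination port
    method: str = "GET"
    user: Optional[str] = None  # None: no proxy credentials presented


@dataclass
class Policy:
    acls: dict = field(default_factory=dict)   # name -> (type, [values])
    rules: list = field(default_factory=list)  # [(action, [(acl, negated)])]

    @classmethod
    def parse(cls, text):
        policy = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()         # strip comments
            if not line:
                continue
            words = line.split()
            if words[0] == "acl":
                name, acl_type, values = words[1], words[2], words[3:]
                policy.acls.setdefault(name, (acl_type, []))[1].extend(values)
            elif words[0] == "http_access":
                terms = [(w.lstrip("!"), w.startswith("!")) for w in words[2:]]
                policy.rules.append((words[1], terms))
        return policy

    def acl_matches(self, name, req):
        if name == "all" and name not in self.acls:
            return True                                 # built-in 'all'
        acl_type, values = self.acls[name]
        if acl_type == "src":
            ip = ipaddress.ip_address(req.src)
            return any(v == "all" or ip in ipaddress.ip_network(v, strict=False)
                       for v in values)
        if acl_type == "dstdomain":
            host = req.host.lower()
            # ".example.com" covers the domain and its subdomains,
            # "www.example.com" only that exact host
            return any(((host == v[1:] or host.endswith(v)) if v.startswith(".")
                        else host == v) for v in values)
        if acl_type == "port":                          # "443" or "1025-65535"
            for v in values:
                lo, _, hi = v.partition("-")
                if int(lo) <= req.port <= int(hi or lo):
                    return True
            return False
        if acl_type == "method":
            return req.method.upper() in {v.upper() for v in values}
        if acl_type == "proxy_auth":
            return req.user is not None                 # REQUIRED: any credentials
        raise ValueError(f"unsupported acl type: {acl_type}")

    def evaluate(self, req):
        """(action, index of the deciding line).  Like Squid: first line whose
        ACLs all match wins; if none does, the opposite of the last line."""
        for i, (action, terms) in enumerate(self.rules):
            if all(self.acl_matches(n, req) != neg for n, neg in terms):
                return action, i
        return ("deny" if self.rules[-1][0] == "allow" else "allow"), None

    def shadowed_rules(self):
        """Indices of lines that can never be reached: an earlier line whose
        ACL terms are all present in a later one decides every request the
        later line could match (a conservative subset test)."""
        return [j for j, (_, later) in enumerate(self.rules)
                if any(set(earlier) <= set(later) for _, earlier in self.rules[:j])]


# Constructed, shortened form of the config Amos reviews above; the
# /var/domains.txt list is replaced by an inline entry (assumption).
ORDERING_CONF = """
acl all src all
acl internal_net src 192.168.1.0/24
acl ok_downloads dstdomain .example.com
http_access allow internal_net
http_access allow ok_downloads internal_net
http_access deny all
"""

# Constructed, shortened form of the IPCop config.  FIXED_CONF carries
# Adam's corrections; WEAK_CONF is the original 'allow !Safe_ports'.
FIXED_CONF = """
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access deny all
"""
WEAK_CONF = FIXED_CONF.replace("deny !Safe_ports", "allow !Safe_ports")


def decide(conf, req):
    """Which http_access line decides this request under this config."""
    return Policy.parse(conf).evaluate(req)
```

`Policy.parse(ORDERING_CONF).shadowed_rules()` reports line 1 (the `ok_downloads internal_net` line) as unreachable, which is Amos's point; `decide(FIXED_CONF, Request("192.168.1.5", "www2.madisoncountyindiana.org", 450, user="rebecca"))` is decided by the `deny !Safe_ports` line until 450 is added to Safe_ports; and a request to port 25 with no credentials is allowed by line 0 of WEAK_CONF but denied by line 0 of FIXED_CONF. The shadow check is a subset test only: it will not notice overlapping CIDR ranges or other semantic overlaps, so treat it as a first pass rather than a proof.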


Re: [squid-users] TCP_Denied

2003-09-12 Thread Raymond Norton

  http_access allow !Safe_ports
  # http_access allow CONNECT !SSL_ports

 Make these two lines:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 This will keep your Squid box from being exploited to do all sorts of
nasty
 things (including spamming).

  acl Safe_ports port 800 # Squids port (for icons)



I forgot all the changes I had made because of this problem. I have changed
things back to the original config, including your recommendations. Here is
my present config and a tail of /var/log/squid/access.log. I still get
denied??

1063427751.743 1420 172.21.0.1 TCP_MISS/200 3877 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427751.767 1032 172.21.0.1 TCP_MISS/200 1016 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427751.779 423 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427751.835 473 172.21.0.1 TCP_MISS/200 4648 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427753.229 1 172.21.0.1 TCP_DENIED/407 1457 GET

1063427756.930 5189 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427759.800 8033 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427760.640 8847 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427771.335 1 172.21.0.1 TCP_DENIED/407 1463 GET

1063427771.389 1 172.21.0.1 TCP_DENIED/407 1442

106342.160 25362 172.21.0.1 TCP_MISS/200 369 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427779.746 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 -
NONE/- -





squid.conf

shutdown_lifetime 5 seconds

icp_port 0

http_port 172.21.0.1:800

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_effective_user squid

cache_effective_group squid

pid_filename /var/run/squid.pid

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_store_log /var/log/squid/store.log

log_mime_hdrs off

forwarded_for off

authenticate_program /usr/lib/squid/ncsa_auth /home/.htpasswd

acl password proxy_auth REQUIRED

acl local-servers dstdomain bbe.k12.mn.us map.nwea.org nwea.org

acl all src 0.0.0.0/0.0.0.0

acl localhost src 127.0.0.1/255.255.255.255

acl localnet src 172.21.0.0/255.255.0.0

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

# acl Safe_ports port 800 # Squids port (for icons)

acl Safe_ports port 1433 # skyward

acl Safe_ports port 16125 # skyward

acl Safe_ports port 26125 # skyward

acl Safe_ports port 16126 # ns1

acl Safe_ports port 36125 # extra

acl Safe_ports port 46125 # fintrain

acl Safe_ports port 56125 # stutrain

acl Safe_ports port 81 # ipcop

acl CONNECT method CONNECT

# http_access allow localhost

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

# http_access allow localnet

http_access allow password

always_direct allow local-servers

http_access deny all

maximum_object_size 4096 KB

minimum_object_size 0 KB

cache_mem 2000 KB

cache_dir ufs /var/log/cache 50 16 256

request_body_max_size 0 KB

reply_body_max_size 0 KB


Re: [squid-users] TCP_DENIED/407 problems

2003-08-14 Thread Henrik Nordstrom
I did not ask for your access.log or configuration. It is not polite to
send huge amount of data without asking (I would have been really upset if
I was on a dialup connection).

From your cache.log it is obvious there is some problem with your 
ncsa_auth setup. Maybe the password file is not readable, no longer 
existing or something..

Regards
Henrik

On Thu, 14 Aug 2003, Evan Pierce wrote:

 Henrik
 
 Nothing obvious. Attached is my cache.log, access.log and squid.conf file.
 
 thanks
 Evan
 
  Henrik Nordstrom [EMAIL PROTECTED] 08/13/03 05:09PM 
 On Wed, 13 Aug 2003, Evan Pierce wrote:
 
  Hi all
  
  I have a squid 2.5stable5 box configured with basic NCSA authentication
  for all users (it's a little test box) however as of yesterday (and a
  reboot) I am getting TCP_DENIED/407 messages. The squid.conf file hasn't
  changed and contains the following relevant lines
 
 
 Anything in cache.log?
 
 Regards
 Henrik
 
 
 
 




Re: [squid-users] TCP_DENIED 403

2003-02-24 Thread Henrik Nordstrom
The request is denied by your http_access rules.

CONNECT is a request for SSL tunneling. Most likely this is a SSL site
running on a non-standard SSL port (if SSL at all...). See your
squid.conf, especially the Safe_Ports and SSL_Ports definitions..

Regards
Henrik

Mon 2003-02-24 at 16.17, Valter Brazzini wrote:
 I've a problem with Squid Version 2.5 Stable 1.
 
 I've recently installed it on my Linux RH and I've a problem when I try to 
 access some sites.
 I've noticed that Squid returns on the log file the following error : 
 TCP_DENIED/403 1349 CONNECT server address:port - NONE/- text/html.
 
 The previous version 2.1 of Squid works properly.
 
 Could someone help me ???
 thanks
-- 
Henrik Nordstrom [EMAIL PROTECTED]
MARA Systems AB, Sweden
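Several of the threads above turn on reading a TCP_DENIED entry correctly: Ken's point that TCP_DENIED/407 without a username is the normal challenge of proxy authentication (and NTLM produces several per request, as Henrik explains), Mark's case where the 407 carries a username (credentials were presented and not accepted, the symptom Henrik traces to a broken ncsa_auth setup in the later thread), Henrik's note that a 403 on CONNECT to an unusual port points at the Safe_ports and SSL_ports definitions, and Chris's and Henrik's remarks on 400 and 411. The Python script below is an added example rather than anything posted to the list; it parses Squid's native access.log format and sorts entries into those classes. The log lines it runs on are constructed from the ones quoted in these threads (masked octets filled in, short lines completed to ten fields, a few hosts such as `intranet.example.net` invented) and are not real traffic.

```python
"""Triage of TCP_DENIED entries in Squid's native access.log format.

Added example, not part of Squid or of any message on the list.  Field order
in the native format: timestamp, elapsed ms, client, code/status, bytes,
method, URL, user (rfc931), hierarchy/peer, content type.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample adapted from lines quoted in the threads above; the
# last line is deliberately truncated, as in one of the posted log tails.
SAMPLE_LOG = """\
1142428454.928 20 146.141.0.10 TCP_DENIED/407 1705 GET http://www.cnn.com/ user.name NONE/- text/html
1073512973.676 7 citrix13.jll.se TCP_DENIED/407 1902 GET http://www.google.se/search? - NONE/- text/html
1073512975.155 1479 citrix13.jll.se TCP_MISS/200 6785 GET http://www.google.se/search? jll\\adminanla DIRECT/216.239.59.104 text/html
1063418371.130 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 - NONE/- -
1063427751.743 1420 172.21.0.1 TCP_MISS/200 3877 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1085339278.198 2 192.168.253.14 TCP_DENIED/403 1352 GET http://slashdot.org/ - NONE/- text/html
1204000000.000 1 10.0.0.8 TCP_DENIED/403 1400 GET http://www2.madisoncountyindiana.org:450/ - NONE/- text/html
1046100000.000 1 10.0.0.9 TCP_DENIED/403 1349 CONNECT intranet.example.net:8443 - NONE/- text/html
1178310000.000 0 10.19.110.91 TCP_DENIED/400 1564 NONE error:unsupported-request-method - NONE/- text/html
1115800000.000 0 10.0.0.7 TCP_DENIED/411 1665 GET http://www.domain.com/control/trading.dll? - NONE/- text/html
1063427753.229 1 172.21.0.1 TCP_DENIED/407 1457 GET
"""


@dataclass
class Entry:
    client: str
    code: str      # e.g. TCP_DENIED
    status: int    # e.g. 407
    method: str
    url: str
    user: str      # "-" when no credentials were logged


def parse_line(line: str) -> Optional[Entry]:
    """One native-format line to an Entry; None if the ten fields are missing."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    return Entry(client=f[2], code=code, status=int(status),
                 method=f[5], url=f[6], user=f[7])


def dest_port(method: str, url: str) -> Optional[int]:
    """Destination port; CONNECT targets are logged as host:port."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else None
    try:
        parts = urlsplit(url)
        if parts.port:
            return parts.port
    except ValueError:
        return None
    return {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme)


def classify(e: Entry) -> str:
    """Map an entry to a triage class (the class names are this example's own)."""
    if e.code != "TCP_DENIED":
        return "served"
    if e.status == 407:
        # No username: the normal challenge before credentials are sent.
        # Username present: credentials were sent and the helper rejected them.
        return "auth-challenge" if e.user == "-" else "auth-rejected"
    if e.status == 403:
        if dest_port(e.method, e.url) not in (80, 443):
            return "denied-nonstandard-port"   # check Safe_ports / SSL_ports first
        return "denied-policy"                 # some other http_access rule
    if e.status == 400:
        return "bad-request"                   # not HTTP, or a method Squid does not know
    if e.status == 411:
        return "request-body-on-GET"           # see the request_entities directive
    return f"denied-{e.status}"


def triage(log_text: str) -> Counter:
    """Count entries per triage class; unparsable lines count as 'malformed'."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        counts[classify(e) if e else "malformed"] += 1
    return counts


def challenge_share(counts: Counter) -> float:
    """Fraction of all entries that are plain authentication challenges."""
    total = sum(counts.values())
    return counts["auth-challenge"] / total if total else 0.0


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label, n in sorted(result.items()):
        print(f"{label:25s} {n}")
    print(f"auth challenges: {challenge_share(result):.0%} of entries")
```

On the constructed sample this yields two plain challenges, one rejected-credentials entry, one 403 that needs a look at http_access, two 403s on non-standard ports (450 and a CONNECT to 8443), one bad request, one 411 and one malformed line. The one class worth alerting on is "auth-rejected" when it spikes: a 407 with a username means the helper is refusing credentials it normally accepts, which on this list was a stale or unreadable password file rather than an attack, but the same pattern is what a password-guessing run against the proxy looks like.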