It looks like your acls are denying access to the localhost because it's trying to access the proxy using ipv6. Try to comment the "::1 localhost" line from /etc/hosts and try to see if it's the same. If it's still not working you will need to write couple rules at the top of the squid.conf files to allow manager interface access from localhost. Also since squid 3.2 you have the option to use curl or any other tool to access the info pages without squid client which can help you. Try the next: # curl http://localhost:3128/squid-internal-mgr/info
And see what happens. Also if you have some filtering solution in this squid setup you will need to make an exception from this inspection on connections for localhost(both ipv4 and ipv6) since the admin doesn't need these restrictions. Let me know about the results. Eliezer ---- http://ngtech.co.il/lmgtfy/ Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Sameh Onaissi Sent: Tuesday, December 20, 2016 4:04 PM Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] squidcliente stopped working! On Dec 19, 2016, at 11:55 PM, Amos Jeffries <mailto:squ...@treenet.co.nz> wrote: On 20/12/2016 9:52 a.m., Sameh Onaissi wrote: On Dec 19, 2016, at 1:31 PM, Antony Stone wrote: On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote: Hello, I was using squid client to get cache stats, however this morning it completely stopped working. <center><img src="http://mydomainname.com/squid/access_denied.jpg"; alt="Acceso Denegado" style="width:704px;height:428px;"></center> the html code is the code of my redirect page whenever a client tries to access a blacklisted website. How big is your blacklist? Could you show us what's in it? Have you added the proxy itself to the whitelist? The blacklist consistes of the ads, porn, socialnet and spyware lists of the BL list. I added both LAN and WAN IPs of the server to the whitelist but didn’t help. What URL was being requested that got the above access denied response? Use -vv parameter to squidclient and "debug_options 11,2" in squid.conf to have the requests header logged and find that out. This is what shows now: verbosity level set to 2 Request: GET cache_object://localhost/info HTTP/1.0 Host: localhost User-Agent: squidclient/3.5.22 Accept: */* Connection: close . Transport detected: IPv4-mapped and IPv6 Resolving localhost ... Connecting... localhost ([::1]:3128) Connected to: localhost ([::1]:3128) Sending HTTP request ... done. HTTP/1.1 200 OK Date: Tue, 20 Dec 2016 14:03:46 GMT Server: Apache/2.4.7 (Ubuntu) Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT ETag: "bd-54222fce80317" Accept-Ranges: bytes Content-Length: 189 Vary: Accept-Encoding Content-Type: text/html Age: 103 X-Cache: HIT from http://squidpxy.domain.com X-Cache-Lookup: HIT from http://squidpxy.domain.com:3128 Via: 1.1 http://squidpxy.domain.com (squid/3.5.22) Connection: close <!DOCTYPE html> <html> <body> <center><img src="http://www.domain.com/squid/access_denied.jpg"; alt="Acceso Denegado" style="width:704px;height:428px;"></center> </body> </html> And in the access log: 1482242596.513 0 ::1 TCP_MEM_HIT/200 598 GET cache_object://localhost/info - HIER_NONE/- text/html So, I changed my default acl setting in squid guard config file to pass all for now (I know it is not ideal), just to monitor the cache as I am trying to get the HIT ratio up. (currently only at 7.8%) squid guard config: http://pastebin.com/bbe8CWLE So your SG config just does basic IP, URL and time based allow or redirect decisions. I suggest you drop SG entirely and move that config into your squid.conf: # Time rules # abbrev for weekdays: # s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00 acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00 acl non-working-hours time SA 00:00-24:00 # Source addresses acl exempt src 10.0.0.90 10.0.0.167 acl youtubers src 10.0.0.1-10.0.0.4 acl localnet src 10.0.0.0/24 # Destination classes acl blah_domains dstdomain "adv/domains" acl blah_domains dstdomain "deny/domains" acl blah_domains dstdomain "porn/domains" acl blah_domains dstdomain "spyware/domains" acl blah_domains dstdomain "socialnet/domains" acl blah_urls dstdom_regex "adv/urls" acl blah_urls dstdom_regex "deny/urls" acl blah_urls dstdom_regex "porn/urls" acl blah_urls dstdom_regex "spyware/urls" acl blah_urls dstdom_regex "socialnet/urls" acl stuff_always_blocked anyof blah_domains blah_urls acl whitelist_domains dstdomain "whitelist/domains" acl whitelist_urls dstdom_regex "whitelist/urls" acl whitelist anyof whitelist_domains whitelist_urls deny_info 302:http://example.com/squid/denegado.html whitelist acl youtubers_domains dstdomain "socialnet/domains" acl youtubers_urls dstdom_regex "adv/urls" acl youtubers anyof youtubers_domains youtubers_urls deny_info 302:http://example.com/squid/denegado.html youtubers # Policies http_access deny !localnet deny_info 302:http://example.com/squid/denegado.html localnet http_access allow exempt http_access allow youtubers !stuff_always_blocked http_access deny youtubers http_access allow non-working-hours http_access allow whitelist !stuff_always_blocked http_access deny whitelist http_access allow localnet deny_info 302:http://example.com/squid/denegado.html all http_access deny all squid.conf: http://pastebin.com/TQ8H6bRp Quote from your config: acl Safe_ports port 587 #SMTP Did you read Amos' reply "SMTP is the #1 worst protocol to let anywhere near an HTTP proxy. Preventing what you have allowed to happen is one of the primary reasons Safe_ports exists in the first place!” The reason I allow 587 is because the Squid Proxy lives on the same server as a mail server which needs this port, and several clients have their mail clientes (Outlook..etc) already configured to use this port. Bogus. You should know it is possible that two pieces of software can run on one machine without interferring with each other. Whether or not a mailserver exists on the same machine has nothing to do with Squid. Your mailserver itself should be using that port and controlling what traffic can use it. *HTTP* traffic should never be allowed to flow from the proxy software through to the mailserver software. Amos _______________________________________________ squid-users mailing list mailto:squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
![http://mydomainname.com/squid/access_denied.jpg"](http://mydomainname.com/squid/access_denied.jpg"){kind=link}
![http://www.domain.com/squid/access_denied.jpg"](http://www.domain.com/squid/access_denied.jpg"){kind=link}