On 11.04.2012 03:27, Mohamed Amine Kadimi wrote:
Hello,

I'm trying to make an external helper which will be called by an acl,
so I have created one which is very simple: it takes an IP in stdin
and returns OK if it matches a predefined IP.

It works when I test it from the CLI, however when I put the relevant
directives in the squid.conf file and restart squid the connection to
internet is no longer possible.

The message displayed by FF is: "Firefox is configured to use a proxy
server that is refusing connections".

It would seem Squid is not listening on the IP:port which Firefox is trying to use, or a firewall is actively rejecting port 3128 TCP connections.

1) check that squid is running okay. It should be fine if your helper runs okay on the command line, but read+execute permission differences between the squid user and your own user account can still cause problems. Run "squid -k parse" or look in cache.log for messages if Squid is not starting.

2) check that port 3128 is accessible. telnet etc can be used here. A packet dump may be needed to find which device is rejecting TCP packets to port 3128.


Amos



Here's my squid.conf:

####################
external_acl_type src_ip_ext ttl=1 concurrency=0 %SRC /root/C/srcIP

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl src_ip external src_ip_ext

http_access allow manager localhost
http_access deny manager
#http_access allow localnet
http_access allow src_ip
http_access deny all

http_port 3128
####################

And the source code of the helper:

/* #################### */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT 256

HINT: the input buffer from Squid is usually between 4KB-8KB, but can be larger (~32KB for 3.1/3.2). An IP address has a limited range of text representations, but if you pass unconstrained details like URLs or HTTP header values to this helper it can trend towards the larger sizes. In that case it is useful to check whether the \n was received after fgets() and handle very long lines as a special input case.


int main(void)
{
    char request[MAX_INPUT]; /* holder for the stdin request line */

    /* below file is just to track execution of the helper */
    FILE *fp;
    fp = fopen("file.txt", "a");
    if (fp != NULL) {
        fprintf(fp, "%s\n", "This is an execution"); /* append some text */
        fclose(fp);
    }


    while (fgets(request, MAX_INPUT, stdin) != NULL) {

        const char *index;
        index = strtok(request, " \n"); /* strips the \n; NULL if the line was blank */

NOTE: long-term you will want to add concurrency support. It is much faster than serial queries.

Check out the squid-3.2 session helper while() loop logic for an example of how to pull the channel-ID (any bytes before the first " ") from the input before processing. It then just gets sent back to Squid unchanged in the printf before OK/ERR.


        if (index != NULL && strcmp(index, "172.30.30.1") == 0) {
            printf("OK\n");
        }
        else printf("ERR\n");
        fflush(stdout); /* stdout is a pipe to Squid, not a tty, so it is fully buffered: flush each answer */
    }

    return 0;
}
/* #################### */

This is just a proof of concept not the final helper I intend to make
(I know source IP can be controlled directly via ACLs).



Amos
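Putting the two notes above together (pulling the channel-ID off the front of each line for concurrency, and treating an over-long line as a special input case), here is an added example helper. It is not code from this thread or from the Squid project; it assumes the squid.conf line is changed to a non-zero `concurrency=` value (so Squid sends "channel-id key" per line and expects the channel-id echoed back before OK/ERR), and the allow-list values other than 172.30.30.1 are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Upper bound on one request line from Squid; ~32KB is the figure given
 * above for 3.1/3.2, so this buffer covers the normal case. */
#define HELPER_LINE_MAX 32768

/* Constructed allow-list for the example; the thread only checks 172.30.30.1. */
static const char *allowed_ips[] = { "172.30.30.1", "192.168.1.10", NULL };

/* Returns 1 when ip is on the allow-list, 0 otherwise. */
int ip_allowed(const char *ip)
{
    for (const char **p = allowed_ips; *p != NULL; p++)
        if (strcmp(ip, *p) == 0)
            return 1;
    return 0;
}

/* Discard the rest of an over-long line so the next fgets() starts on a fresh request. */
void drain_line(FILE *in)
{
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
}

/* Build the reply for one concurrent-format request line "<channel-id> <key>".
 * truncated != 0 means fgets() did not see the '\n', so the key is incomplete
 * and is answered with ERR rather than matched against a partial value.
 * Returns 1 for OK, 0 for ERR, -1 when the line carries no usable channel-id
 * (in which case nothing is written to reply). */
int build_reply(const char *line, int truncated, char *reply, size_t replysz)
{
    char buf[HELPER_LINE_MAX];
    char *channel, *key;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    channel = strtok(buf, " \n");          /* bytes before the first space */
    if (channel == NULL || strlen(channel) > 20)
        return -1;
    for (const char *p = channel; *p; p++) /* Squid channel-ids are decimal */
        if (!isdigit((unsigned char)*p))
            return -1;

    key = strtok(NULL, " \n");             /* the %SRC value */
    int ok = (!truncated && key != NULL && ip_allowed(key));

    /* The channel-id goes back unchanged in front of OK/ERR. */
    snprintf(reply, replysz, "%s %s\n", channel, ok ? "OK" : "ERR");
    return ok;
}

int main(void)
{
    char line[HELPER_LINE_MAX];
    char reply[64];

    while (fgets(line, sizeof line, stdin) != NULL) {
        /* No '\n' and not at EOF: the line is longer than the buffer. */
        int truncated = (strchr(line, '\n') == NULL && !feof(stdin));
        if (truncated)
            drain_line(stdin);
        if (build_reply(line, truncated, reply, sizeof reply) < 0)
            continue;            /* nothing to answer without a channel-id */
        fputs(reply, stdout);
        fflush(stdout);          /* stdout is a pipe: flush or Squid keeps waiting */
    }
    return 0;
}
```

Compiled and installed in place of the helper above, it can be exercised from the command line the same way: typing "0 172.30.30.1" answers "0 OK", "0 10.1.1.1" answers "0 ERR", and a line longer than the buffer is answered with ERR once, with the remainder discarded, instead of being split into several bogus requests.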
