On Jan 24, 2013, at 2:41 AM, iain <expat.i...@gmail.com> wrote:

> FreeBSD 9.1 installation with Squid installed from ports and using
> transparent mode results in "Access Denied" messages when trying to
> browse regular HTTP.
> 
> Log files fill up with:
> 
> *** LOGFILE ***
> 1359013451.945      0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET http://www.facebook.com/ - HIER_NONE/- text/html
> 1359013451.946    139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> 1359013451.966      0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> 1359013451.967      1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> 1359013451.992      0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
> 1359013451.992      1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> *** END ***
> 
> Squid.conf file is:
> 
> *** SQUID.CONF ***
> visible_hostname XXXXXXXXXXXXXXXXXXXXX
> acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16       # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl localnet src XXXX:XXXX:ffff::/48 # More IPv6 ...
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443               # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 210               # wais
> acl Safe_ports port 1025-65535        # unregistered ports
> acl Safe_ports port 280               # http-mgmt
> acl Safe_ports port 488               # gss-http
> acl Safe_ports port 591               # filemaker
> acl Safe_ports port 777               # multiling http
> acl CONNECT method CONNECT
> acl cacti src XXX.XXX.0.154/32
> acl snmpstats snmp_community tainROcacti
> acl sliema_net_fine src XXX.XXX.0.0/25
> acl sliema_net_core src XXX.XXX.0.128/25
> acl sliema_net_gnet src XXX.XXX.1.0/25
> acl sliema_net_norm src XXX.XXX.1.128/25
> acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
> acl youtube dstdomain .youtube.com
> acl youtube dstdomain .youtu.be
> acl youtube dstdomain .googlevideo.com
> acl cdners dstdomain .akamai.com
> acl cdners dstdomain .llnwd.net
> acl facebook dstdomain .facebook.com
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
> snmp_port 3401
> snmp_access allow snmpstats cacti
> snmp_access deny all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128 intercept
> http_port 80
> cache_dir ufs /var/squid/cache/squid 100 16 256
> cache_mem 256 MB
> coredump_dir /var/squid/cache/squid
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 43200 90% 432000
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern -i youtube.com/.* 43200 90% 432000
> refresh_pattern -i youtu.be/.* 43200 90% 432000
> refresh_pattern -i ytimg.com/.* 43200 90% 432000
> refresh_pattern ^ftp:         1440    20%     10080
> refresh_pattern ^gopher:      1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0   0%      0
> refresh_pattern .             0       20%     4320
> *** END ***
> 
> And squid compile options are:
> 
> *** SQUID VERSION ***
> Squid Cache: Version 3.2.6
> configure options:
>       '--with-default-user=squid'
>       '--bindir=/usr/local/sbin'
>       '--sbindir=/usr/local/sbin'
>       '--datadir=/usr/local/etc/squid'
>       '--libexecdir=/usr/local/libexec/squid'
>       '--localstatedir=/var/squid'
>       '--sysconfdir=/usr/local/etc/squid'
>       '--with-logdir=/var/log/squid'
>       '--with-pidfile=/var/run/squid/squid.pid'
>       '--enable-auth'
>       '--enable-build-info'
>       '--enable-loadable-modules'
>       '--enable-removal-policies=lru heap'
>       '--disable-epoll'
>       '--disable-linux-netfilter'
>       '--disable-linux-tproxy'
>       '--disable-translation'
>       '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam'
>       '--enable-auth-digest=file'
>       '--enable-external-acl-helpers=file_userip unix_group'
>       '--enable-auth-negotiate=none'
>       '--enable-auth-ntlm=fake smb_lm'
>       '--enable-storeio=diskd rock ufs aufs'
>       '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads'
>       '--enable-log-daemon-helpers=file'
>       '--enable-url-rewrite-helpers=fake'
>       '--enable-icmp'
>       '--enable-htcp'
>       '--disable-forw-via-db'
>       '--disable-cache-digests'
>       '--enable-wccp'
>       '--enable-wccpv2'
>       '--disable-eui'
>       '--enable-ipfw-transparent'
>       '--enable-pf-transparent'
>       '--enable-ipf-transparent'
>       '--disable-follow-x-forwarded-for'
>       '--enable-ecap'
>       '--disable-icap-client'
>       '--disable-esi'
>       '--enable-kqueue'
>       '--prefix=/usr/local'
>       '--mandir=/usr/local/man'
>       '--infodir=/usr/local/info/'
>       '--build=amd64-portbld-freebsd9.1'
>       'build_alias=amd64-portbld-freebsd9.1' 'CC=cc'
>       'CFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing'
>       'LDFLAGS= -pthread -L/usr/local/lib' 'CPPFLAGS=' 'CXX=c++'
>       'CXXFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'CPP=cpp'
>       'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
> *** END ***
> 
> This is basically a working 2.7 installation config that has been moved
> onto a 3.2 box with some minor tweaks in the new config.
> 
> Any help appreciated.
> 
> Iain.

I'm using squid-3.2 and squid-3.3.0.3 (with a patch to fix communication with 
local helpers) on FreeBSD-8.3 with HTTP and HTTPS interception via ipfw, and 
they are working OK. I don't have PF or IPF transparent enabled, though.

If you enable debug_options 28,9 or ALL,9, can you see in cache.log what ACL is 
causing the requests to be denied?

Guy
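As an added example (not code from either poster or from the Squid project), here is a small Python triage script for the native access.log format shown in the thread. It counts 403s per client, and it flags the pairing visible in the posted log: a request from one client forwarded HIER_DIRECT to an address that, a millisecond earlier, shows up as the *client* of the same URL with HIER_NONE and a 403. That pairing is the shape a proxy produces when its own outbound connections are intercepted and fed back into itself, which is worth ruling out before reading the ACL debug trace. The sample lines are constructed to mirror the posted ones, with RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x) substituted for the masked XXX.XXX.XXX.* values; the function names and the 50 ms pairing window are my choices, not anything from Squid.

```python
"""Squid native access.log triage: count 403 denials per client and flag the
pattern where a request is forwarded DIRECT to an address that, at the same
moment, appears as a *client* for the same URL with no next hop (HIER_NONE).
That pairing is what a proxy produces when its own outbound connections are
intercepted and handed back to it.

Added example for this thread; not code from the posters or the Squid project.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample shaped like the thread's log.  RFC 5737 documentation
# addresses stand in for the masked XXX.XXX.XXX.* values (an assumption).
SAMPLE_LOG = """\
1359013451.945      0 192.0.2.25 TCP_MISS/403 4272 GET http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946    139 192.0.2.137 TCP_MISS/403 4369 GET http://www.facebook.com/ - HIER_DIRECT/192.0.2.25 text/html
1359013451.966      0 192.0.2.25 TCP_MISS/403 4071 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967      1 192.0.2.137 TCP_MISS/403 4168 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/192.0.2.25 text/html
1359013452.100     87 192.0.2.140 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/198.51.100.10 text/html
"""


@dataclass(frozen=True)
class Entry:
    ts: float          # completion time, seconds since the epoch
    elapsed_ms: int
    client: str        # source address Squid saw for the request
    code: str          # TCP_MISS, TCP_HIT, ...
    status: int        # HTTP status sent back to the client
    size: int
    method: str
    url: str
    user: str
    hier: str          # HIER_DIRECT, HIER_NONE, ...
    peer: str          # next-hop address, or "-" when there was none
    ctype: str


def parse_line(line: str) -> Entry:
    """Parse one native-format line (ten whitespace-separated fields)."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError(f"not a native access.log line: {line!r}")
    ts, elapsed, client, code_status, size, method, url, user, hier_peer, ctype = parts
    code, status = code_status.split("/", 1)
    hier, peer = hier_peer.split("/", 1)
    return Entry(float(ts), int(elapsed), client, code, int(status), int(size),
                 method, url, user, hier, peer, ctype)


def parse_log(text: str) -> list[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def denied_by_client(entries) -> Counter:
    """403 count per client address: which sources are reaching 'deny all'."""
    return Counter(e.client for e in entries if e.status == 403)


def forwarded_to(entries, addrs) -> list[Entry]:
    """Requests Squid sent DIRECT to one of `addrs` (e.g. its own addresses)."""
    return [e for e in entries if e.hier == "HIER_DIRECT" and e.peer in addrs]


def loop_pairs(entries, window: float = 0.05) -> list[tuple[Entry, Entry]]:
    """(outer, inner) pairs: outer was forwarded DIRECT to peer P, and inner
    arrived from client P for the same method+URL with HIER_NONE within
    `window` seconds.  Each pair is one request that re-entered the proxy."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e.method, e.url)].append(e)
    pairs = []
    for group in by_key.values():
        for outer in group:
            if outer.hier != "HIER_DIRECT":
                continue
            for inner in group:
                if (inner is not outer and inner.client == outer.peer
                        and inner.hier == "HIER_NONE"
                        and abs(inner.ts - outer.ts) <= window):
                    pairs.append((outer, inner))
    return pairs


def self_addresses(entries) -> set[str]:
    """Addresses the proxy both forwarded to and then saw as a request source."""
    return {outer.peer for outer, _ in loop_pairs(entries)}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("403s per client:", dict(denied_by_client(entries)))
    for outer, inner in loop_pairs(entries):
        print(f"loop: {outer.client} -> {outer.peer} for {outer.url}; "
              f"re-entered as client {inner.client}, got {inner.status}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents. If `self_addresses()` returns the address configured in `tcp_outgoing_address`, the proxy's own outbound traffic is being redirected back into the intercept port, and the 403 on the inner request is simply `http_access deny all` applied to a source that is not in `localnet`; the ACL trace from `debug_options 28,9` will then show exactly that.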
