On Mon, Jun 11, 2007, Jan Groenewald wrote:
> <snip>
> 2007/06/10 22:07:37| aclCheck: checking 'http_access deny CONNECT
> !SSL_ports'
> 2007/06/10 22:07:37| aclMatchAclList: checking CONNECT
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl CONNECT method CONNECT'
> 2007/06/10 22:07:37| aclMatchAclList: checking !SSL_ports
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl SSL_ports port 443 563
> # https, snews'
> 2007/06/10 22:07:37| aclMatchAclList: returning 1
> 2007/06/10 22:07:37| aclCheck: match found, returning 0
> 2007/06/10 22:07:37| cbdataUnlock: 0x82adec0
> 2007/06/10 22:07:37| aclCheckCallback: answer=0
> 2007/06/10 22:07:37| cbdataValid: 0x85e0b50
> 2007/06/10 22:07:37| The request CONNECT 209.204.61.7:4000 is DENIED,
> because it matched 'SSL_ports'

That's right, because the http_access matches on method CONNECT and then
finds the port isn't in the SSL_ports ACL. The behaviour is correct.

There's no special meaning for the ACL name SSL_ports; it's just a name.
In the default squid configuration it's generally for "forwarding SSL
requests through a proxy" which is what's happening with the "CONNECT"
method.

Adrian

> 2007/06/10 22:07:37| Access Denied: 209.204.61.7:4000
> 2007/06/10 22:07:37| AclMatchedName = SSL_ports
> 2007/06/10 22:07:37| Proxy Auth Message = <null>
> 2007/06/10 22:07:37| storeCreateEntry: '209.204.61.7:4000'
> 2007/06/10 22:07:37| new_MemObject: returning 0x8ce8a68
> </snip>
>
> Other ports are in the range 1025-6000 and are getting the same problem.
> My squid.conf below. Any tips appreciated.
>
> 0 root@kontiki:/etc/squid#grep -v ^\# squid.conf|grep .
> http_port 10.0.0.1:3128 transparent
> http_port 127.0.0.1:3128
> cache_peer proxy.aims.ac.za parent 3128 0 no-query
> cache_peer_domain proxy.aims.ac.za !.aims.ac.za
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> debug_options ALL,1
> hosts_file /etc/hosts
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> acl our_networks src 10.0.0.0/8
> http_access allow our_networks
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname kontiki.aims.ac.za
> forwarded_for off
> acl aims dstdomain .aims.ac.za
> no_cache deny aims
> always_direct allow aims
> acl kontiki dst 10.0.0.1/32
> no_cache deny kontiki
> always_direct allow kontiki
> never_direct allow all
> coredump_dir /var/spool/squid
>
> regards,
> Jan
>
> --
>    .~.
>    /V\     Jan Groenewald
>   /( )\    www.aims.ac.za
>   ^^-^^

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
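
The evaluation described in the reply above, as an added example that is not part of the original thread and is not Squid's own code: a minimal Python model of first-match `http_access` processing, using the port, method and source ACLs from the posted squid.conf. The client address 10.0.0.5 is constructed, and the manager, purge and to_localhost lines are left out because none of them decides these requests.

```python
import ipaddress

def port_acl(*specs):
    """Matcher for a 'port' ACL built from values like '443' or '1025-65535'."""
    ranges = [(int(lo), int(hi or lo))
              for lo, _, hi in (s.partition("-") for s in specs)]
    return lambda req: any(lo <= req["port"] <= hi for lo, hi in ranges)

def src_acl(cidr):
    """Matcher for a 'src' ACL (client address inside the network)."""
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src"]) in net

# ACL definitions taken from the squid.conf quoted in the message.
ACLS = {
    "SSL_ports": port_acl("443", "563", "873"),
    "Safe_ports": port_acl("80", "21", "443", "563", "70", "210", "1025-65535",
                           "280", "488", "591", "777", "631", "873", "901"),
    "CONNECT": lambda req: req["method"] == "CONNECT",
    "our_networks": src_acl("10.0.0.0/8"),
    "localhost": src_acl("127.0.0.1/32"),
    "all": src_acl("0.0.0.0/0"),
}

# http_access lines in file order (subset, see lead-in).
HTTP_ACCESS = [
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "allow our_networks",
    "allow localhost",
    "deny all",
]

def check(req):
    """Return (action, line) for the first line whose ACLs ALL match."""
    for line in HTTP_ACCESS:
        action, *names = line.split()
        # A leading '!' inverts the ACL result; every name on the line must hold.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    raise ValueError("no line matched (not reachable for IPv4: 'deny all')")

if __name__ == "__main__":
    # Constructed requests: the denied CONNECT from the log, then contrasts.
    for method, port in [("CONNECT", 4000), ("CONNECT", 443), ("GET", 4000)]:
        req = {"src": "10.0.0.5", "method": method, "port": port}
        print(method, port, "->", check(req))
```

Port 4000 passes `Safe_ports` (1025-65535), so the request falls through to the CONNECT line, where `!SSL_ports` is true and the deny fires before `allow our_networks` is ever reached.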