Hi All,

I installed squid on Debian Etch, and although the ACL rules allow localhost, I still get an Access Denied message with a transparent setup. My squid.conf is:

-----------------------------------------------------------
# grep -v '^#\|^$' squid.conf
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid
-----------------------------------------------------------

It's a default Debian Etch config, I only changed the first non-commented line:

http_port 3128

to this:

http_port 3128 transparent

...since I want a transparent setup.

The weird thing is, if I manually configure Firefox to access the Web via localhost:3128, it works fine, no matter whether I use the "transparent" keyword or not. The ACL rule that allows localhost is in effect in this case, since if I change

http_access allow localhost

to:

http_access deny localhost

I get an Access Denied.

But when I try to set up a simple iptables rule to intercept traffic at port 80 and redirect it to 3128 without configuring Firefox to use a proxy:

/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

...I ALWAYS get an Access Denied in Squid. The firewall is allowing traffic to port 3128, I can see it in the logs. So it *looks* like for some reason Squid is not recognizing this traffic as coming from localhost, since the message says access control setup does not allow me to view the page I requested.

In /var/log/squid/access.log I can see that the denied connections are not coming from 127.0.0.1, but from my host's public IP, 1.2.3.4. However, adding a rule like this:

acl ME src 1.2.3.4
http_access allow ME

doesn't help at all. Even adding "http_access allow all" doesn't help.

I read through the Wiki, and googled the problem, but to no avail. Any pointers about how I can diagnose or fix the problem will therefore be very much appreciated.

Thanks,
Andrei

PS: Almost forgot, my squid is:

-----------------------------------------------------------
# squid -v
Squid Cache: Version 2.6.STABLE5
configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' '--with-large-files' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux'
-----------------------------------------------------------