stephane lepain wrote:
Hi,
I have added an acl in order for me to connect to Xchat through my
proxy. It works fine. Now, I want to use bitlbee using XChat to try to
connect to msn and everything going through my proxy. Every time I launch
Bitlbee I get the error HTTP/1.0 503 Service Unavailable. Proxy
traversal failed. The way I connect to bitlbee through Xchat is "/server
127.0.0.1" and then this is when I get the error mentioned above.
I can't see the reason why I would be able to connect to XChat and not
bitlbee. When I check the access.log I do see a tcp_miss 503. Thanks for
your help.
That would be because your squid is not listening on 127.0.0.1.
Let's go over your config and improve it a bit, shall we?
### ACCESS CONTROLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl iguane src 192.168.1.8 127.0.0.1
acl heaven src 192.168.1.10
acl zongo src 192.168.1.5
acl margoullat src 192.168.1.6 192.168.1.7
acl livebox src 192.168.1.1
acl xchat port 6667 1863
http_access allow CONNECT xchat
http_access deny CONNECT xchat
The allow line above lets anyone use xchat through you.
Blocking it here or below has no effect.
http_access allow iguane
http_access allow heaven
http_access allow zongo### OPTIONS FOR X-FORWARDED-FOR
### NETWORK OPTIONS
That missing newline will be causing some problems I think.
http_access allow margoullat
http_access allow livebox
You could be creating a single ACL which contains all those machines' IP
addresses (like Safe_ports is done) instead of a separate line each.
That would help keep this and the ICP lines below sync'd up.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
Like I said to someone else recently, these safety controls (from the
manager down) need to be at the top of the squid http_access lines to
have any effect.
NP: If "deny CONNECT !SSL_Ports" blocks your xchat just add " !xchat" at
the end of it.
http_access deny all
icp_access allow iguane
icp_access allow heaven
icp_access allow zongo
icp_access allow margoullat
icp_access allow livebox
Again, combining these machines into a single ACL will let you use it here
too in a nice and short way.
icp_access deny ALL
Might be worth changing the case on that one ;-)
http_port 192.168.1.7:3128
And here Squid is ONLY listening on the public IP address of its
machine. If you only have one network card you can safely remove the IP
address part of that line.
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
negative_ttl 2 minutes
request_header_max_size 12 KB
request_header_max_size 12 KB
request_body_max_size 0 KB # 0=nolimit
via off
cache_vary off
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
refresh_stale_hit 5 seconds
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
Huh? you never want to login anywhere external?
header_access Link deny all
forward_timeout 2 minutes
cache_mgr penguindeb@xxxxxxxxx
htcp_port 4827
cache_peer cache.orange.fr parent 3128 3130 default no-query
hosts_file /etc/hosts
append_domain .macitos.fr
memory_pools_limit 50 MB
forwarded_for off
client_db off
reload_into_ims on
coredump_dir /var/spool/squid
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
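As an added example (not part of Amos's reply nor Stephane's posted config), here is the access-control section rewritten to follow the advice in the thread: one combined ACL for the LAN machines, the safety controls moved to the top, the CONNECT restriction with the "!xchat" exception, and http_port without a bound address. The IP addresses and port numbers are taken from the config above; the ACL name "lan" and the comments are assumptions made here.

```conf
# Added example: Stephane's http_access/icp_access block reworked along the
# lines of Amos's advice. "lan" is a made-up ACL name, not from the original.

acl lan src 192.168.1.8 127.0.0.1 192.168.1.10 192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.1
acl xchat port 6667 1863

# Safety controls first: squid evaluates http_access top to bottom and stops
# at the first match, so a deny placed after a broad allow never fires.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
# CONNECT is limited to SSL ports, plus the IRC/MSN ports for xchat.
http_access deny CONNECT !SSL_ports !xchat
# Standard protection against proxying to 127.0.0.0/8; note it also applies
# to CONNECT requests whose destination is 127.0.0.1 (e.g. a bitlbee on the
# proxy host), so such a client must be exempted here if that is wanted.
http_access deny to_localhost

# Only the proxy host and the listed LAN machines may use the proxy at all.
# CONNECT to the xchat ports is now allowed only for these clients, not for
# anyone who can reach the proxy.
http_access allow localhost
http_access allow lan
http_access deny all

# The same ACL keeps ICP access in step with HTTP access.
icp_access allow lan
icp_access deny all

# No bound address: squid listens on every local interface, so both
# 192.168.1.7:3128 and 127.0.0.1:3128 accept connections.
http_port 3128
```

After editing, "squid -k parse" reports syntax problems and "squid -k reconfigure" applies the change without a restart; a client that is refused shows up in access.log as a TCP_DENIED/403 rather than the TCP_MISS/503 in the original report.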