Re: Chat Apps getting blocked

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

g f wrote:
> I have a question about your reply:
> http_access deny CONNECT !SSL_ports
> Shouldnt this deny access to all but SSL_ports 443 and 563?
>
> but wouldnt this:
>  acl Safe_ports port 1025-65535  # unregistered ports
>  http_access deny !Safe_ports
>
> allow access on port 5222 (normally default xmpp port).
>
> I am curious if I understand the acls properly.

They are all run top-to-bottom with first-match-wins.

So the ...
  http_access deny !Safe_ports

... does not stop port 5222 access, merely lets it continue down to a 
later ACL check. Which in this case is ...

  http_access deny CONNECT !SSL_Ports

... which matches and denies it (CONNECT is being done and 5222 is not 
in SSL_Ports)

Amos

> Thanks.
>
>
>
>
> On Mon, Apr 21, 2008 at 8:13 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx 
> <mailto:squid3@xxxxxxxxxxxxx>> wrote:
>
>     Odhiambo Washington wrote:
>
>         Hello List,
>
>         I copycat(ed) a squid.conf from this list a few days ago and did
>         minimal config mods just to allow my network to use it. It works
>         great
>         with youtube caching, but stranegly, it blocks MSN/Yahoo chats,
>         but I
>         sincerely cannot see where this is happening. The file can be access
>         from the following URL:
>
>         https://212.22.160.35/~wash/squid.conf.txt
>         <https://212.22.160.35/%7Ewash/squid.conf.txt>
>         (I use a self-signed certificate, so please just accept it)
>
>         I get the following in the access log:
>
>         1208510066.248   7255 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.110.28:1863 <http://207.46.110.28:1863> - NONE/- text/html
>         1208510066.726   7850 192.168.0.150 <http://192.168.0.150>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.110.89:1863 <http://207.46.110.89:1863> - NONE/- text/html
>         1208510100.571    847 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.110.94:1863 <http://207.46.110.94:1863> - NONE/- text/html
>         1208510119.339     28 192.168.0.150 <http://192.168.0.150>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.110.94:1863 <http://207.46.110.94:1863> - NONE/- text/html
>         1208510173.114    853 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.13:1863 <http://207.46.108.13:1863> - NONE/- text/html
>         1208510216.270    668 192.168.0.150 <http://192.168.0.150>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.85:1863 <http://207.46.108.85:1863> - NONE/- text/html
>         1208510300.314    852 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.97:1863 <http://207.46.108.97:1863> - NONE/- text/html
>         1208510347.723    853 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.86:1863 <http://207.46.108.86:1863> - NONE/- text/html
>         1208510371.584    823 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.66:1863 <http://207.46.108.66:1863> - NONE/- text/html
>         1208510408.981     20 192.168.0.150 <http://192.168.0.150>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.97:1863 <http://207.46.108.97:1863> - NONE/- text/html
>         1208510413.535   1673 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1422 CONNECT
>         207.46.108.93:1863 <http://207.46.108.93:1863> - NONE/- text/html
>         1208510488.270     19 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1438 CONNECT
>         messenger.hotmail.com:1863 <http://messenger.hotmail.com:1863> -
>         NONE/- text/html
>         1208510609.843      0 192.168.0.117 <http://192.168.0.117>
>         TCP_DENIED/403 1426 CONNECT
>         talk.google.com:5222 <http://talk.google.com:5222> - NONE/-
>         text/html
>         1208510609.844      0 192.168.0.117 <http://192.168.0.117>
>         TCP_DENIED/403 1430 CONNECT
>         scs.msg.yahoo.com:5050 <http://scs.msg.yahoo.com:5050> - NONE/-
>         text/html
>         1208510616.495      0 192.168.0.117 <http://192.168.0.117>
>         TCP_DENIED/403 1426 CONNECT
>         talk.google.com:5222 <http://talk.google.com:5222> - NONE/-
>         text/html
>         1208510617.057      1 192.168.0.117 <http://192.168.0.117>
>         TCP_DENIED/403 1430 CONNECT
>         scs.msg.yahoo.com:5050 <http://scs.msg.yahoo.com:5050> - NONE/-
>         text/html
>         1208510637.734     20 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1438 CONNECT
>         messenger.hotmail.com:1863 <http://messenger.hotmail.com:1863> -
>         NONE/- text/html
>         1208510643.865     31 192.168.0.106 <http://192.168.0.106>
>         TCP_DENIED/403 1438 CONNECT
>         messenger.hotmail.com:1863 <http://messenger.hotmail.com:1863> -
>         NONE/- text/html
>         1208510676.014      0 192.168.0.117 <http://192.168.0.117>
>         TCP_DENIED/403 1430 CONNECT
>         scs.msg.yahoo.com:5050 <http://scs.msg.yahoo.com:5050> - NONE/-
>         text/html
>
>     <snip>
>
>
>         Where in the acls is this coming from?
>
>
>     You have:
>      http_access deny CONNECT !SSL_ports
>
>     If you really want to allow the chat programs out, then you will
>     need to add an acl for their domain/ports and allow CONNECT for them.
>
>     Amos
>     -- 
>     Please use Squid 2.6.STABLE19 or 3.0.STABLE4


--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4