On Wed, 10 Mar 2010 15:51:18 +0000, Nick Cairncross <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote:

> Hi All,
>
> I have some Mac clients/services that require internet via my Squid. Two
> such programs are Evernote and VMWare. Both are requesting access and both
> are being denied. The errors I see in the access.log are as follows and
> nothing else:
>
> 268234226.935 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT www.evernote.com:443 - NONE/- text/html
> 1268234226.938 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT www.evernote.com:443 - NONE/- text/html
> 1268234228.667 0 172.16.0.38 TCP_DENIED/407 2134 CONNECT softwareupdate.vmware.com:443 - NONE/- text/html
>
> I've tried all sorts of the acls (browser, dstdomain, IP) but I still get
> denied. Even http_access allow all doesn't work.

Something in your config requires authentication.

>
> Thanks in advance,
>
> Nick
> ==
>
> My configuration is as follows:
> ...
> #### ACCESS CONTROL LISTS #####
> ## USER-AGENT (Browser-type) ACLs
> acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
> acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_ITUNES.txt"
>
> ## URL DESTINATION ACLs
>
> ## USER AUTHENTICATION ACLs
> acl AuthenticatedUsers proxy_auth REQUIRED
> acl BandwidthUserExceptions proxy_auth_regex -i "/etc/squid/ACL/BANDWIDTH/BANDWIDTH_NOLIMIT_USER.txt"
>
> ## LAN IP ACLs
> acl 172SUBNETS src 172.16.0.0/255.255.0.0
> acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
> acl DoNotAuthenticateIP src "/etc/squid/ACL/IPADDRESSES/IP_NOAUTH.txt"
>
> ## LOCALHOST ACLs
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> ## QUERY ACLs
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
>
> ## SEND DIRECT ACLs
> acl SENDDIRECT_DstDomains dstdomain "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
> acl SENDDIRECT_Users proxy_auth_regex -i "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_USERS.txt"
> acl SENDDIRECT_IPAddresses src "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"
>
> ## BLACKLISTED (Deny) ACLs
> acl BLACKLIST_DstDomains dstdomain "/etc/squid/ACL/BLACKLIST/BLACKLIST_DSTDOMAINS.txt"
> acl BLACKLIST_Users proxy_auth_regex -i "/etc/squid/ACL/BLACKLIST/BLACKLIST_USERS.txt"
> acl BLACKLIST_IPAddresses src "/etc/squid/ACL/BLACKLIST/BLACKLIST_IPADDRESSES.txt"
>
> ## FILE TYPE ACLs
> acl FILEEXT_EXE urlpath_regex .exe$
> acl FILEEXT_EXE_Users proxy_auth_regex -i "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWUSERS.txt"
> acl FILEEXT_EXE_DstDomains dstdomain "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWDSTDOMAINS.txt"
> acl FILEEXT_EXE_IPAddresses src "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWIPADDRESSES.txt"
> ...
> # CONNECTION METHOD ACL
> acl CONNECT method CONNECT
> acl POST method POST
>
> ###### ACCESS RULES #####
>
> ### GLOBAL BLACKLIST RULES ###
> http_access deny BLACKLIST_Users

The above rule requires login to work. It will challenge.

> http_access deny BLACKLIST_IPAddresses
> http_access deny BLACKLIST_DstDomains
> ############################
> ...
> # USER AGENTS #
> http_access allow iTunes
> http_access allow Java_jvm
>
> # URL DESTINATIONS ...
> ## POST and CONNECT ALLOW ##
> http_access allow POST

Why is POST being allowed unrestricted? I think there might be some additional restrictions you want to add there. Perhaps the LAN IP range or something.

> http_access allow CONNECT

I really do recommend "deny CONNECT !SSL_ports" to prevent malicious or infected clients abusing things. Malware can do login too.
>
> ## USERS ACL ALLOW ##
> # Emergency Allow All unhash this for instant access to all without authentication
> #http_access allow all
> http_access allow DoNotAuthenticateIP
> http_access allow AuthenticatedUsers
> http_reply_access allow AuthenticatedUsers
>
> ## LOCAL HOST ALLOW ##
> http_access allow localhost
> ...
> ###### CATCH ALL DENY ######
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost

The above are not catch-all. They are basic security foundations/blanket that need to be checked as early as possible to prevent major causes of abuse.

> http_access deny 172SUBNETS

The real catch-all is this:

http_access deny all

Amos
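To make the ordering point in the reply concrete, here is an added example (my own, not code from the thread or from Squid): a small Python model of Squid's first-match http_access evaluation. It understands only the src, method, port, proxy_auth and proxy_auth_regex ACL types, treats any proxy_auth-type ACL consulted for a request without credentials as a 407 challenge (a simplification of Squid's real auth handling), and uses constructed inline ACL values in place of the "/etc/squid/ACL/..." files. 172.16.0.38 is the client from the access.log; 172.16.0.99 and the ^contractor pattern are made up. ORIGINAL_RULES follows the posted order, REORDERED_RULES follows the advice in the reply.

```python
"""Toy first-match model of Squid http_access evaluation (added example; it only
supports the src, method, port, proxy_auth and proxy_auth_regex acl types)."""
import ipaddress, re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    src: str
    method: str
    port: int
    user: Optional[str] = None  # None: client sent no Proxy-Authorization header

# Constructed ACLs modelled on the thread: inline values replace the
# "/etc/squid/ACL/..." files, and 172.16.0.38 is the client from the access.log.
ACLS = """
acl BLACKLIST_Users proxy_auth_regex -i ^contractor
acl BLACKLIST_IPAddresses src 172.16.0.99/32
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl DoNotAuthenticateIP src 172.16.0.38/32
acl AuthenticatedUsers proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl POST method POST
acl all src 0.0.0.0/0
"""

# Rule order as posted: the very first rule consults a proxy_auth_regex ACL.
ORIGINAL_RULES = ACLS + """
http_access deny BLACKLIST_Users
http_access deny BLACKLIST_IPAddresses
http_access allow POST
http_access allow CONNECT
http_access allow DoNotAuthenticateIP
http_access allow AuthenticatedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Reordered along the lines of the reply: security foundations first, IP-based
# exceptions before anything needing credentials, POST limited to the LAN.
REORDERED_RULES = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny BLACKLIST_IPAddresses
http_access allow DoNotAuthenticateIP
http_access deny BLACKLIST_Users
http_access allow POST 172SUBNETS
http_access allow AuthenticatedUsers
http_access deny all
"""

def parse_config(text):
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, acltype, values = parts[1], parts[2], parts[3:]
            if values and values[0] == "-i":  # case-insensitive regex flag
                values = values[1:]
            acls.setdefault(name, (acltype, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules

def acl_matches(acls, name, req):
    acltype, values = acls[name]
    if acltype == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acltype == "port":
        return str(req.port) in values
    # proxy_auth / proxy_auth_regex: without credentials Squid answers 407 here
    if req.user is None:
        raise PermissionError(name)
    if acltype == "proxy_auth":
        return "REQUIRED" in values or req.user in values
    return any(re.search(v, req.user, re.IGNORECASE) for v in values)

def evaluate(config_text, req):
    """First http_access line whose terms all match wins: 'allow', 'deny' or '407'."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        try:
            hit = all(acl_matches(acls, n, req) != neg for neg, n in terms)
        except PermissionError:
            return "407"
        if hit:
            return action
    return "deny"

if __name__ == "__main__":
    evernote = Request("172.16.0.38", "CONNECT", 443)  # the request from the log
    print("original :", evaluate(ORIGINAL_RULES, evernote))   # 407
    print("reordered:", evaluate(REORDERED_RULES, evernote))  # allow
```

Running it shows the Evernote CONNECT from 172.16.0.38 getting a 407 under the posted order, because `deny BLACKLIST_Users` is the first line evaluated and it needs credentials, and `allow` under the reordered config, because the no-auth IP exception is reached before any credential-based ACL. The same model also shows why the early `deny CONNECT !SSL_ports` matters: an authenticated CONNECT to port 22 is waved through by the unrestricted `allow CONNECT` line in the posted order but stopped by `deny !Safe_ports` in the reordered one.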