Dear bests, I have this network configuration:

OpenVPN client -> Squid Proxy in transparent mode -> Internet -> APACHE Proxy 80 -> OpenVPN 127.0.0.1:1194

When the OpenVPN client tries to send a CONNECT 127.0.0.1:1194 to the Apache proxy, the Squid proxy in the LAN (in transparent mode) intercepts the request and refuses the connection. Which kind of ACL can I set so that Squid allows this connection?

OpenVPN events when connecting to the remote Apache proxy:
-----------------------------------------------------------
Tue Sep 13 10:08:21 2011 TCP connection established with [AF_INET]1xx.1xx.2xx.2xx:80
Tue Sep 13 10:08:21 2011 Send to HTTP proxy: 'CONNECT 127.0.0.1:1194 HTTP/1.0'
Tue Sep 13 10:08:22 2011 HTTP proxy returned: 'HTTP/1.0 403 Forbidden'
Tue Sep 13 10:08:22 2011 HTTP proxy returned bad status
Tue Sep 13 10:08:22 2011 TCP/UDP: Closing socket

Squid proxy events:
-----------------------------------------------------------
192.168.1.157 - - [13/Sep/2011:10:08:27 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:34 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:41 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:48 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:55 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:02 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:09 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:16 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:23 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:30 +0200] "CONNECT 127.0.0.1:1194 HTTP/1.0" 403 12459
TCP_DENIED:NONE
Squid.conf
# ---- squid.conf as posted, reflowed one directive per line; review notes added as comments ----
# Squid reads this file top to bottom; for http_access, url_rewrite_access,
# adaptation_access and refresh_pattern the FIRST matching line wins.

# Requests originating on the proxy host itself.
acl localhost src 127.0.0.1/32
# Requests whose destination is the proxy host's own loopback. Only useful
# where it is checked before the allow lines; see the RULES section below.
acl to_localhost dst 127.0.0.1/32
# Cache-manager interface (cache_object:// URLs).
acl manager proto cache_object
# NOTE(review): no `auth_param ... program` line and no proxy_auth acl appear
# anywhere in this dump, so these three authentication TTLs are presumably inert.
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
memory_pools off
# Abort upstream fetches as soon as the client disconnects (0 KB / 0 KB).
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
#--------- UfdbGuard
# External URL filter; url_rewrite_access below decides which clients bypass it.
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0
#--------- SQUID PARENTS (feature not enabled)
#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
# Reply-header (rep_mime_type) acls: these match on the RESPONSE, not the
# request. Defined here but not referenced by any rule in this dump.
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^.*player
# NOTE(review): there is a stray space after "tar|" in this regex (likely a
# wrap/paste artifact). As written Squid would read it as two separate
# patterns, the first with an unbalanced "("; confirm against the on-disk file.
acl bigfiles_types urlpath_regex -i \.(deb|rpm|iso|tar\.gz|gz|bz|tar| cue|nrg|crf|bwi|bwt|lcd|ccd|mdf|mds|vcd|cif|vdi|img)((\?|&).*)?$
# The LAN the intercepted clients (e.g. 192.168.1.157 in the access log) sit in.
acl office_network src 192.168.1.0/24
#--------- MAIN RULES...
# FTP is always fetched directly, never via a parent (no parents are defined anyway).
always_direct allow FTP
# --------- SAFE ports
# Ports a plain request may target. 1025-65535 makes this very broad; CONNECT
# tunnels are gated separately by SSL_ports below.
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp#
# Ports a CONNECT tunnel may target (to any destination). 1194 is NOT listed,
# which is why the logged "CONNECT 127.0.0.1:1194" is refused; see RULES below.
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
# NOTE(review): the closing double-quote is missing on this line (possibly a
# paste artifact); confirm the on-disk file parses. arp-based matching also
# only sees hosts on the proxy's own Ethernet segment.
acl whitelisted_mac_computers arp "/etc/squid3/whitelisted-computers-by-mac.acl
# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
# AIM_domains is defined but no http_access line below references it.
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods method CONNECT
# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
# Permit Google Talk
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT
# Reply-header acl used to skip AV scanning of streaming media.
# NOTE(review): stray spaces before "\/flv" and before "application\/ogg"
# (wrap/paste artifact?) would split this into several patterns; confirm.
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video \/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg| application\/ogg)$
# --------- RULES DEFINITIONS
# Requests from the proxy itself and from MAC-whitelisted hosts skip UfdbGuard.
url_rewrite_access deny localhost
url_rewrite_access deny whitelisted_mac_computers
url_rewrite_access allow all
# http_access: first match wins. Consequences of this ordering, as written:
#  * whitelisted_mac_computers is allowed before every deny below, so those
#    hosts are exempt from !Safe_ports, CONNECT !SSL_ports, blockedsites and
#    to_localhost (and from UfdbGuard via url_rewrite_access above).
#  * The logged "CONNECT 127.0.0.1:1194" from 192.168.1.157 is refused by
#    `deny CONNECT !SSL_ports`: 1194 is not in SSL_ports, none of the IM allow
#    lines cover that port or destination, and `allow office_network` is
#    never reached. That matches the 403 / TCP_DENIED:NONE in access.log.
#  * `deny to_localhost` sits after `allow office_network`, so it never
#    applies to LAN clients; only sources matched by no earlier line reach it.
#  * There is no `deny manager` after `allow manager localhost`, so
#    `allow office_network` also lets LAN clients reach cache_object URLs.
# NOTE(review): adding 1194 to SSL_ports would permit CONNECT to port 1194 on
# ANY destination. A narrower rule pairs `method CONNECT`, a `port 1194` acl
# and a `dst <apache-proxy-address>` acl on one allow line placed ahead of
# `deny CONNECT !SSL_ports`. Also confirm what Squid does with a CONNECT whose
# authority is 127.0.0.1 arriving on the intercept port: that host:port is
# presumably what Squid itself would tunnel to, i.e. this proxy's own
# loopback rather than the remote Apache's — which is exactly what the
# to_localhost acl is meant to refuse.
http_access allow whitelisted_mac_computers
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods
http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(1 service(s))
# --------- icap_service KASPERSKY mode 3.1.1
# bypass=on: when the AV service is unreachable or errors, the request/response
# is passed through UNSCANNED (fail-open). Together with
# icap_service_failure_limit -1 below the service is presumably never marked
# down, so every request retries it — confirm this is the intended behaviour.
icap_service is_kav_resp respmod_precache routing=on bypass=on icap://192.168.1.136:1344/av/respmod
icap_service is_kav_req reqmod_precache routing=on bypass=on icap://192.168.1.136:1344/av/reqmod
# --------- adaptation For Kaspersky Antivirus
adaptation_service_set class_antivirus_kav_resp is_kav_resp
adaptation_service_set class_antivirus_kav_req is_kav_req
# NOTE(review): MULTIMEDIA is a rep_mime_type (reply-header) acl, but this line
# applies it to the REQUEST-mod service, where no reply headers exist yet;
# it presumably never matches here. It is the respmod set that would need it.
adaptation_access class_antivirus_kav_req deny MULTIMEDIA
adaptation_access class_antivirus_kav_req allow all
adaptation_access class_antivirus_kav_resp allow all
icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
# NOTE(review): no authentication is configured in this dump, so the username
# forwarded in X-Authenticated-User is presumably always empty.
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?
# --------- General settings
visible_hostname proxy-maison.touzeau.com
ignore_expect_100 off
# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
# NOTE(review): 1600 s connect and persistent-connection timeouts are far above
# Squid's defaults (on the order of a minute); confirm this is intentional.
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 2 MB
#http/https ports
# Intercept ("transparent") mode: clients do not know about the proxy; their
# port-80 traffic is redirected here, which is how the OpenVPN client's
# CONNECT to the remote Apache ended up in this Squid (inferred from the question).
http_port 3128 transparent
# --------- SSL Rules
# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 512 MB
# NOTE(review): the low-water mark (95) is above the high-water mark (90);
# Squid expects cache_swap_low < cache_swap_high. The two values look swapped.
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200
# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.1.1
#--------- FTP specific parameters
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_epsv on
ftp_epsv_all off
ftp_telnet_protocol off
debug_options ALL,1
# refresh_pattern: first matching pattern wins.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# ignore-private / ignore-no-store / ignore-no-cache force caching of responses
# the origin explicitly marked as not shareable. On a shared LAN cache this can
# serve one user's personalised content to another if such URLs end in these
# extensions; review whether that risk is acceptable for each pattern below.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 0 90% 260009 override-expire ignore-no-cache ignore-no-store ignore-private
# NOTE(review): stray space after "tiff|" (wrap/paste artifact?) would break
# this pattern into two tokens; confirm against the on-disk file.
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff| bz2|gz)$ 0 90% 260009 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js|xml)$ 1440 40% 40320
refresh_pattern -i \.kaspersky-labs\.com/.*\.(diff|exe|klz|zip)$ 1440 100% 28800 reload-into-ims ignore-no-cache
refresh_pattern -i \.avast\.com/.*\.(exe|vpu)$ 1440 100% 28800 reload-into-ims ignore-no-cache
refresh_pattern -i \.avira-update\.com/.*\.gz$ 1440 100% 28800 reload-into-ims ignore-no-cache
refresh_pattern -i global-download\.acer\.com/.*/Driver/.*zip 1440 100% 260009 reload-into-ims ignore-no-cache
refresh_pattern -i \.windowsupdate\.com/.*\.(cab|exe|dll|msi|psf) 0 80% 43200 reload-into-ims ignore-no-cache
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://.*\.update\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern http://.*\.archive\.ubuntu\.com/ 1440 80% 20160 reload-into-ims
refresh_pattern -i \.microsoft\.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims ignore-no-cache
refresh_pattern -i ^http://.*\.gmail.*/.* 720 100% 4320
refresh_pattern -i ^http://.*\.googlesyndication.*/.* 1440 100% 4320
refresh_pattern -i ^http://notify.*dropbox\.com 1440 100% 2880 reload-into-ims ignore-no-cache
refresh_pattern -i ^http://safebrowsing-cache\.google\.com/.* 1440 100% 2880 reload-into-ims ignore-no-cache
refresh_pattern -i ^http://.*gmodules\.com/.* 1440 100% 2880 reload-into-ims ignore-no-cache
refresh_pattern -i ^http://.*google\..*/.* 2880 100% 4320
refresh_pattern -i ^http://.*\.ubuntu\..*/.* 2880 100% 4320
# Catch-all: matches every remaining URL, so the two patterns after it are
# never reached. "/cg-bin/" also looks like a typo for "/cgi-bin/" (compare
# hierarchy_stoplist above); the dynamic-content rule is therefore inert twice over.
refresh_pattern . 0 100% 43200 reload-into-ims override-lastmod
refresh_pattern . 0 20% 4320
refresh_pattern -i (/cg-bin/|\?) 0 0% 0
icp_port 3130
#Logs-------------------------------------------------
#fqdn is disabled For sarg.
log_fqdn off
# NOTE(review): coredump_dir is not one of the cache_dir paths below; confirm
# it exists and is writable by the squid user.
coredump_dir /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
# Cache-manager requests are not logged; all other traffic goes to two logs
# (common format, and native squid format for sarg).
access_log none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid
cache_dir ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
cache_dir ufs /home/squid-cache/cache3 20000 16 256
cache_dir ufs /home/squid-cache/cache2 8000 16 256