On 17.10.2012 09:49, Mike Muir wrote:
My acl section and http_access:
acl manager proto cache_object COAP
acl localhost src 127.0.0.1/32 ::1
acl Whitelist dstdomain "/etc/squid/whitelist_sites"
acl ncsa_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl all src all
# cachemgr access
http_access allow manager localhost
http_access deny manager
# http_access Section
http_access allow ncsa_users Whitelist
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny all
NP: a sequence of "deny" lines followed by "deny all" is equivalent to
"deny all"...
Meaning your config is effectively:
http_access allow manager localhost
http_access deny manager
http_access allow ncsa_users Whitelist
http_access deny all
... notice how there are no controls/limits on CONNECT or even port
number any more.
Squid version: 2.7
Please upgrade. 2.7 is deprecated now and has not been supported for
several years.
Squid-2.7 does not support coap:// protocol. You can remove that from
the manager ACL. If you actually want coap:// support upgrade to
squid-3.2 minimum.
Not that Squid coap://.../squid-internal-mgr/* URLs would get anywhere
near CoAP protocol anyway.
Port: 443
Browser: Chrome
Site: gmail.com (although it's denying all https requests)
"net::ERR_TUNNEL_CONNECTION_FAILED" is a 'friendly' Chrome error
message, hiding all the relevant HTTP details about the *actual* HTTP
level problem. Check the HTTP traffic (will probably require a TCP dump,
or digging into the developer tools on Chrome).
This will give you both the HTTP headers for the transaction, and the
real Squid response error page - if any HTTP took place.
Your proxy requires authentication for whitelisted sites (even if they
are used in CONNECT), so unless Chrome is sending user credentials when
trying to open a new tunnel through Squid, it will be rejected with an
auth challenge response status. Squid-2 does not support keep-alive and
authentication exchange on CONNECT - resulting in the connection closing
after the challenge. Only CONNECT with pre-sent credentials is accepted
by your Squid - Chrome is responsible for re-opening the CONNECT tunnel
with credentials if it closes after a challenge.
Amos
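As an added illustration of Amos's point (this is not code from the thread or from Squid): a minimal model of Squid's first-match http_access evaluation, run over the posted rules and over the "effective" two-line version, showing that they give identical verdicts and that the allow line lets an authenticated, whitelisted CONNECT through to any port. The whitelist contents and the sample requests are constructed; proxy_auth is simplified to "the request carries valid credentials".

```python
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    host: str
    port: int
    authenticated: bool = False  # simplification of proxy_auth (real Squid sends a 407 challenge)

WHITELIST = {"gmail.com"}  # constructed stand-in for /etc/squid/whitelist_sites

# ACL name -> predicate, mirroring the acl lines in the posted squid.conf
ACLS = {
    "Whitelist": lambda r: r.host in WHITELIST,
    "ncsa_users": lambda r: r.authenticated,
    "SSL_ports": lambda r: r.port == 443,
    "Safe_ports": lambda r: r.port == 80,
    "CONNECT": lambda r: r.method == "CONNECT",
    "all": lambda r: True,
}

def evaluate(rules, req):
    """Squid semantics: the first http_access line whose ACLs all match decides;
    a leading '!' negates an ACL. Returns (verdict, 1-based deciding line)."""
    for i, (verdict, acls) in enumerate(rules, 1):
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return verdict, i
    # no line matched: Squid applies the opposite of the last line's verdict
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# The posted ordering (manager lines omitted: they only affect localhost)
POSTED = [
    ("allow", ["ncsa_users", "Whitelist"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["all"]),
]
# What the posted ordering is "effectively", per Amos
COLLAPSED = [POSTED[0], POSTED[3]]

SAMPLE = [  # constructed requests
    Request("CONNECT", "gmail.com", 443),                       # Chrome tunnel, no credentials
    Request("CONNECT", "gmail.com", 443, authenticated=True),   # tunnel with credentials
    Request("CONNECT", "gmail.com", 8080, authenticated=True),  # CONNECT to a non-SSL port
    Request("GET", "gmail.com", 8443, authenticated=True),      # plain HTTP to an unsafe port
    Request("GET", "example.org", 80, authenticated=True),      # not whitelisted
]

def verdicts(rules):
    """Verdict for each sample request under the given rule list."""
    return [evaluate(rules, r)[0] for r in SAMPLE]
```

Requests 3 and 4 are allowed by the first line of both rule lists before any port or CONNECT check is reached, which is the "no controls on CONNECT or even port number" outcome.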
On Tue, Oct 16, 2012 at 5:41 PM, Eliezer Croitoru wrote:
On 10/16/2012 9:41 PM, Mike Muir wrote:
Hello,
I'm getting a TCP_DENIED/403 in the access log when trying to access
all HTTPS sites via web browser. The browser displays: Error 111
(net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.
I've included the following in my squid.conf (I'm using Squid 2.7)
which to my understanding should allow traffic on 443:
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
I'll provide more info if necessary, but has anyone experienced this
problem before? Any help would be appreciated.
Regards
what version of squid?
what are the allow (not deny) acls?
what ports?
what browser?
what site?
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il