Amos Jeffries wrote 2012-11-22 13:24:
On 23/11/2012 12:28 a.m., Leslie Jensen wrote:
Pavel Bychykhin wrote 2012-11-22 12:15:
22.11.2012 12:14, Leslie Jensen wrote:
Hi list.
I just upgraded Squid from 3.1 to 3.2 on my FreeBSD version 8.3.
In my squid.conf I had the following lines that I got complaints from
when starting squid after the upgrade.
-------------------------------------------------------------------
# Define access control lists
# acl all is defined by default in version 3.0 STABLE
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
--------------------------------------------------------------------
You should remove all 3 entries from squid.conf, as they are all
predefined in Squid 3.2.
As I wrote, I did so but the users now get the error I described.
ACCESS_DENIED is an explicit ACL rejection. Your configuration details,
as well as that domain name and client IP you elided are important to
track this down.
Also, are you using a forward proxy?
interception proxy? (how?)
reverse proxy?
or a mixture of the above?
Amos
Sorry about that. With squid working with my conf file at version 3.1
but not 3.2 I didn't realise that the domain name would be important.
Here's my config file attached and the complete error message.
CacheHost: dentista01.no-ip.org
ErrPage: ERR_ACCESS_DENIED
Err: [none]
TimeStamp: Wed, 21 Nov 2012 07:47:59 GMT
ClientIP: 172.18.0.1
HTTP Request:
GET / HTTP/1.1
Host: www.praktikertjanst.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: CP=null*; Vizzit=pn1180RxoESjRcHErLVI3Q==:1328713777
Via: 1.1 dentista01.no-ip.org (squid/3.2.3)
X-Forwarded-For: 172.18.0.101
Cache-Control: max-age=259200
Connection: keep-alive
Thanks
/Leslie
# Squid listens on the loopback and on
# the internal interface (8080 port)
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port.
# This way Squid will only be visible on the internal address.
# transparent to work with PF
# In Squid 3.1+ the transparent option has been split.
# Use 'intercept' to catch PF packets.
#
# http_port 127.0.0.1:8080 transparent
http_port 127.0.0.1:8080 intercept
# http_port 172.18.0.1:8080 transparent
http_port 172.18.0.1:8080 intercept
# Words defined in this tag when matched in the URLs,
# directs squid not to query caches.
# For example dynamic content - php or asp pages.
hierarchy_stoplist cgi-bin ? php asp
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Specify the amount of RAM, to be used for caching the
# so called: In-Transit objects, Hot Objects,
# Negative-Cached objects.
cache_mem 32 MB
# If a file size is less than - 100 MB,
# squid will place it in cache
maximum_object_size 100 MB
# Define the path to cache directory where all objects
# which are to be cached are stored:
# 1024 - is the amount of disk space (MB)
# to use under /usr/local/squid/cache directory
# 16 - is the number of first-level subdirectories
# which will be created under the
# /usr/local/squid/cache directory
# 256 - is the number of second-level
# subdirectories which will be created under
# each first-level directory
cache_dir ufs /usr/local/squid/cache 1024 16 256
# To disable, enter "none". There are not really
# utilities to analyze this data, so you can safely
# disable it.
cache_store_log none
# Log client request activities to the
# /usr/local/squid/logs/access.log file
# using the squid log format
access_log /usr/local/squid/logs/access.log squid
logfile_rotate 2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Define access control lists
# acl all is defined by default in version 3.0 STABLE
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# Don't write netmask 172.18.0.0/12 in 3.0STABLE
# RFC1918 internal network
acl localnet src 172.18.0.1-172.18.0.254
acl SSL_ports port 443
# does not work with pf rdr
# browser must be aware of proxy if 443 shall be
# proxied
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
# acl Safe_ports port 70 # gopher
# acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
# acl Safe_ports port 280 # http-mgmt
# acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
# acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
# Allowing or Denying access based on defined access lists
# Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow PURGE localhost
http_access deny PURGE
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# If we want to block certain sites.
# acl block dstdomain "/usr/local/etc/squid/dstdomain"
# Show message when blocked
# deny_info ERR_DSTDOMAIN block
# http_access deny blockedsites
# Allow the localhost to have access by default
http_access allow localhost
# Allow access from your local network.
http_access allow localnet
# And deny all other access to this proxy
http_access deny all
# Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all
# Define the hostname that will be shown in
# error messages etc.
visible_hostname dentista01.no-ip.org
# Email-address of local cache manager who will receive
# mail if the cache dies.
cache_mgr dentista@xxxxxxx
# Speed up the writing of some log files
buffered_logs on
coredump_dir /usr/local/squid/cache
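
An added example, not part of the original thread or of Squid itself: a small lint for the name collision discussed above. It flags `acl` lines that redefine the names the thread says Squid 3.2 predefines, and checks that every access rule still refers to a known ACL once those lines are removed. The function names and the sample excerpt are constructed for illustration; the check does not diagnose the ACCESS_DENIED error.

```python
# Added example: lint a squid.conf for ACL names that collide with Squid 3.2 built-ins.
# Names per the thread (manager, localhost, to_localhost) plus "all", which the
# posted config notes is predefined.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}
# Directives used in the posted config that take: allow|deny followed by ACL names.
ACCESS_DIRECTIVES = {"http_access", "icp_access", "no_cache"}

def lint(conf_text):
    """Return (redefined, undefined) as lists of (line_number, acl_name)."""
    defined, redefined, refs = set(), [], []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, as used in the posted file
        if len(tokens) < 2:
            continue
        if tokens[0] == "acl":
            if tokens[1] in BUILTIN_ACLS:
                redefined.append((number, tokens[1]))
            defined.add(tokens[1])
        elif tokens[0] in ACCESS_DIRECTIVES:
            # tokens[1] is allow/deny; the rest are ACL names, "!" negates one
            refs += [(number, t.lstrip("!")) for t in tokens[2:]]
    known = defined | BUILTIN_ACLS
    return redefined, [(n, a) for n, a in refs if a not in known]

def drop_builtin_definitions(conf_text):
    """Remove acl lines that redefine a built-in; access rules stay untouched."""
    bad = {number for number, _ in lint(conf_text)[0]}
    lines = conf_text.splitlines(keepends=True)
    return "".join(line for i, line in enumerate(lines, 1) if i not in bad)

# Constructed sample: an excerpt of the configuration posted above.
SAMPLE_3_1 = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.18.0.1-172.18.0.254
acl Safe_ports port 80 # http
acl PURGE method PURGE
# acl block dstdomain "/usr/local/etc/squid/dstdomain"
# http_access deny blockedsites
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    print(lint(SAMPLE_3_1))
    print(lint(drop_builtin_definitions(SAMPLE_3_1)))
```

The second list also catches rules that name an ACL nobody defined, which is what would happen if the commented-out `http_access deny blockedsites` line were enabled while the ACL is called `block`.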