FreeBSD 9.1 installation with Squid installed from ports and using transparent mode results in "Access Denied" messages when trying to browse regular HTTP. Log files fill up with: *** LOGFILE *** 1359013451.945 0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET http://www.facebook.com/ - HIER_NONE/- text/html 1359013451.946 139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html 1359013451.966 0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html 1359013451.967 1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25 text/html 1359013451.992 0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET http://www.facebook.com/favicon.ico - HIER_NONE/- text/html 1359013451.992 1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html *** END *** Squid.conf file is: *** SQUID.CONF *** visible_hostname XXXXXXXXXXXXXXXXXXXXX acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl localnet src XXXX:XXXX:ffff::/48 # More IPv6 ... acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl cacti src XXX.XXX.0.154/32 acl snmpstats snmp_community tainROcacti acl sliema_net_fine src XXX.XXX.0.0/25 acl sliema_net_core src XXX.XXX.0.128/25 acl sliema_net_gnet src XXX.XXX.1.0/25 acl sliema_net_norm src XXX.XXX.1.128/25 acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text" acl youtube dstdomain .youtube.com acl youtube dstdomain .youtu.be acl youtube dstdomain .googlevideo.com acl cdners dstdomain .akamai.com acl cdners dstdomain .llnwd.net acl facebook dstdomain .facebook.com tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core snmp_port 3401 snmp_access allow snmpstats cacti snmp_access deny all http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access allow localhost http_access deny all http_port 3128 intercept http_port 80 cache_dir ufs /var/squid/cache/squid 100 16 256 cache_mem 256 MB coredump_dir /var/squid/cache/squid refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 43200 90% 432000 refresh_pattern -i \.index.(html|htm)$ 0 40% 10080 refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320 refresh_pattern -i youtube.com/.* 43200 90% 432000 refresh_pattern -i youtu.be/.* 43200 90% 432000 refresh_pattern -i ytimg.com/.* 43200 90% 432000 refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 *** END *** And squid compile options are: *** SQUID VERSION *** Squid Cache: Version 3.2.6 configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var/squid' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip unix_group' '--enable-auth-negotiate=none' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--disable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--disable-eui' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-ipf-transparent' '--disable-follow-x-forwarded-for' '--enable-ecap' '--disable-icap-client' '--disable-esi' '--enable-kqueue' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd9.1' 'build_alias=amd64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'LDFLAGS= -pthread -L/usr/local/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience *** END *** This is basically a working 2.7 installation config that has been moved onto a 3.2 box with some minor tweaks in the new config. Any help appreciated. Iain.
