Re: Access Denied with transparent mode on FreeBSD

Notice that you have a TCP_MISS flag and a 403 response, which means that it's not being denied directly by squid ACLs but at another level.

You can see you have double entries, which can indicate a forward loop.
Please provide us with your ipfw/pf rules and also a tcpdump of a single request/stream, and if the IP is sensitive just send it to my private EMAIL.

A great suggestion is to remove the http_port 80 completely, since it's not a common proxy port and can confuse debugging.
Change it to port 81 for the time being.

Regards,
Eliezer

On 1/24/2013 10:41 AM, iain wrote:
FreeBSD 9.1 installation with Squid installed from ports and using
transparent mode results in "Access Denied" messages when trying to
browse regular HTTP.

Log files fill up with:

*** LOGFILE ***
1359013451.945      0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946    139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.966      0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967      1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.992      0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
1359013451.992      1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
*** END ***

Squid.conf file is:

*** SQUID.CONF ***
visible_hostname XXXXXXXXXXXXXXXXXXXXX
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src XXXX:XXXX:ffff::/48 # More IPv6 ...
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl cacti src XXX.XXX.0.154/32
acl snmpstats snmp_community tainROcacti
acl sliema_net_fine src XXX.XXX.0.0/25
acl sliema_net_core src XXX.XXX.0.128/25
acl sliema_net_gnet src XXX.XXX.1.0/25
acl sliema_net_norm src XXX.XXX.1.128/25
acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
acl youtube dstdomain .youtube.com
acl youtube dstdomain .youtu.be
acl youtube dstdomain .googlevideo.com
acl cdners dstdomain .akamai.com
acl cdners dstdomain .llnwd.net
acl facebook dstdomain .facebook.com
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
snmp_port 3401
snmp_access allow snmpstats cacti
snmp_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
http_port 80
cache_dir ufs /var/squid/cache/squid 100 16 256
cache_mem 256 MB
coredump_dir /var/squid/cache/squid
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 43200 90% 432000
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 43200 90% 432000
refresh_pattern -i youtu.be/.* 43200 90% 432000
refresh_pattern -i ytimg.com/.* 43200 90% 432000
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
*** END ***

And squid compile options are:

*** SQUID VERSION ***
Squid Cache: Version 3.2.6
configure options:
	'--with-default-user=squid'
	'--bindir=/usr/local/sbin'
	'--sbindir=/usr/local/sbin'
	'--datadir=/usr/local/etc/squid'
	'--libexecdir=/usr/local/libexec/squid'
	'--localstatedir=/var/squid'
	'--sysconfdir=/usr/local/etc/squid'
	'--with-logdir=/var/log/squid'
	'--with-pidfile=/var/run/squid/squid.pid'
	'--enable-auth'
	'--enable-build-info'
	'--enable-loadable-modules'
	'--enable-removal-policies=lru heap'
	'--disable-epoll'
	'--disable-linux-netfilter'
	'--disable-linux-tproxy'
	'--disable-translation'
	'--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam'
	'--enable-auth-digest=file'
	'--enable-external-acl-helpers=file_userip unix_group'
	'--enable-auth-negotiate=none'
	'--enable-auth-ntlm=fake smb_lm'
	'--enable-storeio=diskd rock ufs aufs'
	'--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads'
	'--enable-log-daemon-helpers=file'
	'--enable-url-rewrite-helpers=fake'
	'--enable-icmp'
	'--enable-htcp'
	'--disable-forw-via-db'
	'--disable-cache-digests'
	'--enable-wccp'
	'--enable-wccpv2'
	'--disable-eui'
	'--enable-ipfw-transparent'
	'--enable-pf-transparent'
	'--enable-ipf-transparent'
	'--disable-follow-x-forwarded-for'
	'--enable-ecap'
	'--disable-icap-client'
	'--disable-esi'
	'--enable-kqueue'
	'--prefix=/usr/local'
	'--mandir=/usr/local/man'
	'--infodir=/usr/local/info/'
	'--build=amd64-portbld-freebsd9.1'
'build_alias=amd64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'LDFLAGS= -pthread -L/usr/local/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
*** END ***

This is basically a working 2.7 installation config that has been moved
onto a 3.2 box with some minor tweaks in the new config.

Any help appreciated.

Iain.


--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech@xxxxxxxxxxxx
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
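Eliezer's reading of the log (a request logged from the proxy's own tcp_outgoing_address with HIER_NONE, paired with the client's request for the same URL whose HIER_DIRECT peer is that same address) can be turned into a check over access.log. This is an added example, not code from the thread or from Squid itself; the log lines are constructed after the ones in the post, with RFC 5737 documentation addresses in place of the masked ones (192.0.2.25 stands in for the proxy's outgoing address).

```python
"""Flag forwarding-loop pairs in Squid native-format access.log lines."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log: 192.0.2.25 stands in for the
# proxy's tcp_outgoing_address, 192.0.2.137/140 for LAN clients (RFC 5737 ranges).
SAMPLE_LOG = """\
1359013451.945      0 192.0.2.25 TCP_MISS/403 4272 GET http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946    139 192.0.2.137 TCP_MISS/403 4369 GET http://www.facebook.com/ - HIER_DIRECT/192.0.2.25 text/html
1359013451.966      0 192.0.2.25 TCP_MISS/403 4071 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967      1 192.0.2.137 TCP_MISS/403 4168 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/192.0.2.25 text/html
1359013460.100     42 192.0.2.140 TCP_MISS/200 1532 GET http://www.example.com/ - HIER_DIRECT/198.51.100.10 text/html
"""
# Native format: time elapsed client action/code size method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$")

def parse_line(line):
    """Return a dict for one native-format line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"], entry["status"] = float(entry["ts"]), int(entry["status"])
    return entry

def find_loops(log_text, proxy_addrs, window=1.0):
    """Pair a request logged from the proxy's own address with HIER_NONE against a
    client request for the same URL whose HIER_DIRECT peer is that address, finished
    within `window` seconds: the double-entry signature of a forward loop."""
    by_url = defaultdict(list)
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        by_url[entry["url"]].append(entry)
    loops = []
    for url, group in by_url.items():
        for own in group:
            if own["client"] not in proxy_addrs or own["hier"] != "HIER_NONE":
                continue  # ordinary client request, not the proxy talking to itself
            for cli in group:
                if cli["client"] in proxy_addrs or cli["peer"] not in proxy_addrs:
                    continue  # client reached a real origin, or this is the own-entry
                if abs(cli["ts"] - own["ts"]) <= window:
                    loops.append({"url": url, "client": cli["client"],
                                  "via": cli["peer"], "status": own["status"]})
    return loops

if __name__ == "__main__":
    for hit in find_loops(SAMPLE_LOG, {"192.0.2.25"}):
        print("possible forwarding loop:", hit)
```

Run it against a real access.log with the proxy's tcp_outgoing_address(es) in `proxy_addrs`; the healthy example.com line is not flagged because its HIER_DIRECT peer is the origin, not the proxy.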

