Notice that you have TCP_MISS flag and 403 response which means that
it's not being denied directly by squid acls but at another level.
You can see you have double entries which can indicate a forward loop.
Please provide us with yout ipfw\pf rules and also tcpdump of a single
request\stream and if IP is sensitive just send it to my private EMAIL.
A great suggestion is to remove completely the http_port 80 since it's
not a common proxy port and can confuse debugging.
Change it to port 81 for the time being.
Regards,
Eliezer
On 1/24/2013 10:41 AM, iain wrote:
FreeBSD 9.1 installation with Squid installed from ports and using
transparent mode results in "Access Denied" messages when trying to
browse regular HTTP.
Log files fill up with:
*** LOGFILE ***
1359013451.945 0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET
http://www.facebook.com/ - HIER_NONE/- text/html
1359013451.946 139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET
http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
1359013451.966 0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1359013451.967 1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25
text/html
1359013451.992 0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET
http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
1359013451.992 1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET
http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
*** END ***
Squid.conf file is:
*** SQUID.CONF ***
visible_hostname XXXXXXXXXXXXXXXXXXXXX
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl localnet src XXXX:XXXX:ffff::/48 # More IPv6 ...
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl cacti src XXX.XXX.0.154/32
acl snmpstats snmp_community tainROcacti
acl sliema_net_fine src XXX.XXX.0.0/25
acl sliema_net_core src XXX.XXX.0.128/25
acl sliema_net_gnet src XXX.XXX.1.0/25
acl sliema_net_norm src XXX.XXX.1.128/25
acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
acl youtube dstdomain .youtube.com
acl youtube dstdomain .youtu.be
acl youtube dstdomain .googlevideo.com
acl cdners dstdomain .akamai.com
acl cdners dstdomain .llnwd.net
acl facebook dstdomain .facebook.com
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
snmp_port 3401
snmp_access allow snmpstats cacti
snmp_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
http_port 80
cache_dir ufs /var/squid/cache/squid 100 16 256
cache_mem 256 MB
coredump_dir /var/squid/cache/squid
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
432000
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
43200 90% 432000
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 43200 90% 432000
refresh_pattern -i youtu.be/.* 43200 90% 432000
refresh_pattern -i ytimg.com/.* 43200 90% 432000
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
*** END ***
And squid compile options are:
*** SQUID VERSION ***
Squid Cache: Version 3.2.6
configure options:
'--with-default-user=squid'
'--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin'
'--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var/squid'
'--sysconfdir=/usr/local/etc/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--enable-auth'
'--enable-build-info'
'--enable-loadable-modules'
'--enable-removal-policies=lru heap'
'--disable-epoll'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-translation'
'--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS
fake getpwnam'
'--enable-auth-digest=file'
'--enable-external-acl-helpers=file_userip unix_group'
'--enable-auth-negotiate=none'
'--enable-auth-ntlm=fake smb_lm'
'--enable-storeio=diskd rock ufs aufs'
'--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads'
'--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake'
'--enable-icmp'
'--enable-htcp'
'--disable-forw-via-db'
'--disable-cache-digests'
'--enable-wccp'
'--enable-wccpv2'
'--disable-eui'
'--enable-ipfw-transparent'
'--enable-pf-transparent'
'--enable-ipf-transparent'
'--disable-follow-x-forwarded-for'
'--enable-ecap'
'--disable-icap-client'
'--disable-esi'
'--enable-kqueue'
'--prefix=/usr/local'
'--mandir=/usr/local/man'
'--infodir=/usr/local/info/'
'--build=amd64-portbld-freebsd9.1'
'build_alias=amd64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe
-I/usr/local/include -fno-strict-aliasing' 'LDFLAGS= -pthread
-L/usr/local/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe
-I/usr/local/include -fno-strict-aliasing' 'CPP=cpp'
'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
*** END ***
This is basically a working 2.7 installation config that has been moved
onto a 3.2 box with some minor tweaks in the new config.
Any help appreciated.
Iain.
--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech@xxxxxxxxxxxx
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il