On 2 January 2016 at 09:22, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > On 2016-01-01 23:28, Alex Samad wrote: >> >> Hi >> >> I installed 3.5.12 and when I try and get to a page that is blocked. I >> used to get an message page that said contact the admin person. >> >> trying to get to >> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png >> >> >> This is part of the error generated >> The following error was encountered while trying to retrieve the URL: >> http://alcdmz1:3128/squid-internal-static/icons/SN.png >> >> alcdmz1 is the proxy server >> >> I seemed to have blocked access to all error messages. not sure how as >> I haven't made any changes except upgrading to .12 from .11 > > > We fixed the Host header output on CONNECT requests to cache_peer between > those versions. That is likely the reason it has started being visible. Sorry not sure how that is related to this. > > The above URL is just an icon being served up by your Squid as part of the > page display. The main error page text should have been sent as the body of > the original 403 message itself. > agree > Your http_access rules are the things rejecting it. Note that it contains > the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) which > your proxy machine is configured to announce publicly as its contain domain > / FQDN. > The original url was bcp.crwdcntrl.net:80, the page I got back included the text http://alcdmz1:3128/squid-internal-static/icons/SN.png > The squid service needs to be publicly accessible at that domain:port that > it is advertising as its public FQDN for this icon request to succeed. That > means making the server hostname, or visible_hostname something that clients > can access directly - and unique_hostname the private internal name the > Squid instance uses to distinguish itself from other peers on the proxy > farm. so they can connect to alcdmz1:3128 conf auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid auth_param negotiate children 20 startup=0 idle=3 auth_param negotiate keep_alive on auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid auth_param ntlm children 20 startup=0 idle=3 auth_param ntlm keep_alive on auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl" acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl" acl localnet src 10.3.8.0/24 acl localnet_auth src 10.1.0.0/14 acl localnet_auth src 10.2.0.0/16 acl localnet_auth src 10.2.2.1/32 acl localnet_guest src 10.1.22.0/24 acl localnet_appproxy src 10.172.23.3/32 acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl" acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst" acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst" acl FTP proto FTP acl DMZSRV src 10.3.2.110 acl DMZSRV src 10.3.2.111 always_direct allow FTP always_direct allow DMZSRV ftp_passive off ftp_epsv_all off acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl CONNECT method CONNECT acl AuthorizedUsers proxy_auth REQUIRED acl icp_allowed src 10.3.2.110/32 acl icp_allowed src 10.3.2.111/32 acl icp_allowed src 10.172.23.0/32 acl icp_allowed src 10.172.23.4/32 http_access allow manager localhost http_access allow manager icp_allowed http_access deny manager http_access allow icp_allowed http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access allow localhost http_access allow localnet_appproxy http_access deny !localnet_auth http_access allow localnet_guest sblYBOveride http_access deny localnet_guest sblMal http_access deny localnet_guest sblPorn http_access allow localnet_guest http_access allow nonAuthSrc http_access allow nonAuthDom http_access allow sblYBOveride FTP http_access allow sblYBOveride AuthorizedUsers http_access deny sblMal http_access deny sblPorn http_access allow FTP http_access allow AuthorizedUsers http_access deny all http_port 3128 http_port 8080 cache_mem 40960 MB cache_mgr operations.manager@xxxxxxx cache_dir aufs /var/spool/squid 550000 16 256 coredump_dir /var/spool/squid range_offset_limit 200 MB maximum_object_size 200 MB quick_abort_min -1 refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query standby=10 icp_port 0 icp_access allow icp_allowed icp_access deny all htcp_port 4827 htcp_access allow icp_allowed htcp_access deny all acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst" cache deny nonCacheDom acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$ cache deny nonCacheURL icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Authenticated-User icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav adaptation_access service_req allow all icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav adaptation_access service_resp allow all ipcache_size 10240 forwarded_for delete cache_swap_low 90 cache_swap_high 95 log_icp_queries off icap_preview_enable on icap_preview_size 1024 httpd_suppress_version_string on max_filedesc 8192 I'm not sure what I have to allow So if I understand rightly client makes request for http://bcp.crwdcntrl.net/ squid sends back a 403 client gets response text that includes a link to http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png from this code background: url('/squid-internal-static/icons/SN.png') no-repeat left; browser / client make request for http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png squid returns 403 .. which ACL or access_allow do I need to allow this. Thanks Alex > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
