On 2016-01-02 13:19, Alex Samad wrote:
On 2 January 2016 at 09:22, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 2016-01-01 23:28, Alex Samad wrote:
Hi
I installed 3.5.12 and when I try and get to a page that is blocked, I used to get a message page that said contact the admin person.
trying to get to
http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
This is part of the error generated
The following error was encountered while trying to retrieve the URL:
http://alcdmz1:3128/squid-internal-static/icons/SN.png
alcdmz1 is the proxy server
I seem to have blocked access to all error messages. Not sure how, as I haven't made any changes except upgrading to .12 from .11.
We fixed the Host header output on CONNECT requests to cache_peer between those versions. That is likely the reason it has started being visible.
Sorry not sure how that is related to this.
It is the only Squid change between those versions that seems related to
the issue.
The above URL is just an icon being served up by your Squid as part of the page display. The main error page text should have been sent as the body of the original 403 message itself.
agree
Your http_access rules are the things rejecting it. Note that it contains the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) which your proxy machine is configured to announce publicly as its canonical domain / FQDN.
The original url was bcp.crwdcntrl.net:80, the page I got back
included the text
http://alcdmz1:3128/squid-internal-static/icons/SN.png
The squid service needs to be publicly accessible at that domain:port that it is advertising as its public FQDN for this icon request to succeed. That means making the server hostname, or visible_hostname, something that clients can access directly - and unique_hostname the private internal name the Squid instance uses to distinguish itself from other peers on the proxy farm.
so they can connect to alcdmz1:3128
conf
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 20 startup=0 idle=3
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 20 startup=0 idle=3
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
acl localnet src 10.3.8.0/24
acl localnet_auth src 10.1.0.0/14
acl localnet_auth src 10.2.0.0/16
acl localnet_auth src 10.2.2.1/32
NP: 10.1.0.0/14 contains and matches all of 10.2.*.*, therefore the
other localnet_auth entries are all redundant and can be removed.
(squid -k parse should be warning you about that)
acl localnet_guest src 10.1.22.0/24
acl localnet_appproxy src 10.172.23.3/32
NP: localnet and localnet_appproxy are both of the same type and both
only used to allow http_access within the same block of allows.
You should simplify by adding 10.172.23.3 to the localnet definition and
drop localnet_appproxy entirely.
acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
acl FTP proto FTP
acl DMZSRV src 10.3.2.110
acl DMZSRV src 10.3.2.111
always_direct allow FTP
always_direct allow DMZSRV
ftp_passive off
ftp_epsv_all off
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
Aha. You have restricted the Safe_ports to exclude 3128. Thus
"http://alcdmz1:3128/..." are rejected even if the remote client could
resolve domains within the TLD "alcdmz1".
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl icp_allowed src 10.3.2.110/32
acl icp_allowed src 10.3.2.111/32
acl icp_allowed src 10.172.23.0/32
acl icp_allowed src 10.172.23.4/32
NP: you do not need to put /32 on IPv4 addresses.
http_access allow manager localhost
http_access allow manager icp_allowed
http_access deny manager
http_access allow icp_allowed
All the manager and icp_allowed stuff above should be down ...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
... here.
I would also restructure the manager tests as:
http_access allow icp_allowed
http_access allow localhost
http_access deny manager
... which avoids repeated checking of the (relatively) slow regex
manager ACL, and allows removal of the lines checking "allow localhost"
and "allow icp_allowed".
http_access allow localnet
http_access allow localhost
http_access allow localnet_appproxy
http_access deny !localnet_auth
http_access allow localnet_guest sblYBOveride
http_access deny localnet_guest sblMal
http_access deny localnet_guest sblPorn
http_access allow localnet_guest
http_access allow nonAuthSrc
http_access allow nonAuthDom
Instead of repeating allows for FTP and Authorized users twice you could
replace all these:
http_access allow sblYBOveride FTP
http_access allow sblYBOveride AuthorizedUsers
http_access deny sblMal
http_access deny sblPorn
... with these:
http_access deny !sblYBOveride sblMal
http_access deny !sblYBOveride sblPorn
http_access allow FTP
http_access allow AuthorizedUsers
http_access deny all
http_port 3128
http_port 8080
cache_mem 40960 MB
cache_mgr operations.manager@xxxxxxx
cache_dir aufs /var/spool/squid 550000 16 256
coredump_dir /var/spool/squid
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query standby=10
icp_port 0
icp_access allow icp_allowed
icp_access deny all
htcp_port 4827
htcp_access allow icp_allowed
htcp_access deny all
acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
cache deny nonCacheDom
acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
cache deny nonCacheURL
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp allow all
ipcache_size 10240
forwarded_for delete
cache_swap_low 90
cache_swap_high 95
log_icp_queries off
icap_preview_enable on
icap_preview_size 1024
httpd_suppress_version_string on
max_filedesc 8192
I'm not sure what I have to allow
So if I understand rightly
client makes request for http://bcp.crwdcntrl.net/
squid sends back a 403
client gets response text that includes a link to
http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png from this
code
background: url('/squid-internal-static/icons/SN.png') no-repeat left;
browser / client make request for
http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
squid returns 403 ..
which ACL or access_allow do I need to allow this.
Either add 3128 back into your Safe_ports ACL, or add an ACL "urlpath_regex ^/squid-internal-static/" and permit requests that match it.
The second way is better because it should allow the "http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png" request to succeed, which is both faster and avoids the proxy hostname:port exposure.
Amos
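The following is an added example, not code from the thread and not Squid's own implementation. It models Squid's documented http_access semantics (each line ANDs its ACL terms, lines are tested top to bottom, the first fully matching line decides, and with no match the result is the opposite of the last line's action) and applies them to a trimmed copy of the posted rule order. It shows which line rejects the icon request under the posted config and compares the two fixes Amos offers: widening Safe_ports to 3128 versus an early allow on urlpath_regex ^/squid-internal-static/. The ACL subset, the client address 10.3.8.5, the host example.com and the function names (Request, evaluate, build, outcome) are constructed for the demonstration; the authentication and blacklist ACLs are left out.

```python
"""Model of Squid's http_access evaluation, applied to the rule order in the thread.

Added example (not Squid's code and not from the original message).  It implements
the documented semantics: every ACL term on an http_access line must match (AND),
lines are tested top to bottom and the first fully matching line decides, and if no
line matches the result is the opposite of the last line's action.  The ACL set is
a constructed subset of the posted squid.conf; client IP 10.3.8.5 and example.com
are made up for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client address
    method: str
    host: str
    port: int
    path: str


# ACL constructors return predicates over a Request (one per acl type used).
def acl_port(*ports):
    return lambda r: r.port in ports


def acl_method(name):
    return lambda r: r.method == name


def acl_src(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)


def acl_urlpath_regex(pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.path) is not None


def acl_all():
    return lambda r: True


def evaluate(rules, acls, req):
    """Return (action, index of the http_access line that matched, or None)."""
    for i, (action, terms) in enumerate(rules):
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            hit = acls[term.lstrip("!")](req)
            if hit == negated:       # plain term that missed, or "!term" that hit
                line_matches = False
                break
        if line_matches:
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def build(safe_ports, allow_internal_first):
    """Posted rule order (trimmed), optionally with the urlpath_regex allow in front."""
    acls = {
        "Safe_ports": acl_port(*safe_ports),
        "SSL_ports": acl_port(443),
        "CONNECT": acl_method("CONNECT"),
        "localnet": acl_src("10.3.8.0/24"),
        "squid_internal": acl_urlpath_regex(r"^/squid-internal-static/"),
        "all": acl_all(),
    }
    rules = [("allow", ["squid_internal"])] if allow_internal_first else []
    rules += [
        ("deny", ["!Safe_ports"]),
        ("deny", ["CONNECT", "!SSL_ports"]),
        ("allow", ["localnet"]),
        ("deny", ["all"]),
    ]
    return rules, acls


# The icon request from the error page, and a stray request to port 3128 elsewhere.
ICON = Request("10.3.8.5", "GET", "alcdmz1", 3128, "/squid-internal-static/icons/SN.png")
STRAY = Request("10.3.8.5", "GET", "example.com", 3128, "/")

SCENARIOS = {
    "posted": ((80, 21, 443), False),                 # Safe_ports without 3128
    "safe_ports_3128": ((80, 21, 443, 3128), False),  # fix 1: add 3128 to Safe_ports
    "urlpath_allow": ((80, 21, 443), True),           # fix 2: allow ^/squid-internal-static/
}


def outcome(scenario):
    """Decision and matching line index for the icon and the stray request."""
    rules, acls = build(*SCENARIOS[scenario])
    return {"icon": evaluate(rules, acls, ICON), "stray": evaluate(rules, acls, STRAY)}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, outcome(name))
```

Under the posted order both requests die on the first line, deny !Safe_ports, which is exactly the 403 Alex sees for the icon. Adding 3128 to Safe_ports lets the icon through, but it also lets any request to port 3128 on any host past that gate and on to allow localnet; the early urlpath_regex allow only passes paths under /squid-internal-static/ and leaves the stray request denied. After editing the real squid.conf, `squid -k parse` checks the syntax and `squid -k reconfigure` reloads it.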
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users