On 2 January 2016 at 12:23, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 2016-01-02 13:19, Alex Samad wrote:
>>
>> On 2 January 2016 at 09:22, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> On 2016-01-01 23:28, Alex Samad wrote:
>>>>
>>>> Hi
>>>>
>>>> I installed 3.5.12 and when I try to get to a page that is blocked, I
>>>> used to get a message page that said contact the admin person.
>>>>
>>>> trying to get to
>>>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>>>
>>>> This is part of the error generated
>>>> The following error was encountered while trying to retrieve the URL:
>>>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>>>
>>>> alcdmz1 is the proxy server
>>>>
>>>> I seem to have blocked access to all error messages. not sure how as
>>>> I haven't made any changes except upgrading to .12 from .11
>>>
>>> We fixed the Host header output on CONNECT requests to cache_peer between
>>> those versions. That is likely the reason it has started being visible.
>>
>> Sorry not sure how that is related to this.
>
> It is the only Squid change between those versions that seems related to the
> issue.

okay

>>> The above URL is just an icon being served up by your Squid as part of the
>>> page display. The main error page text should have been sent as the body of
>>> the original 403 message itself.
>>
>> agree
>>
>>> Your http_access rules are the things rejecting it. Note that it contains
>>> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) which
>>> your proxy machine is configured to announce publicly as its contain domain
>>> / FQDN.
>>
>> The original url was bcp.crwdcntrl.net:80, the page I got back
>> included the text
>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>
>>> The squid service needs to be publicly accessible at that domain:port that
>>> it is advertising as its public FQDN for this icon request to succeed. That
>>> means making the server hostname, or visible_hostname something that clients
>>> can access directly - and unique_hostname the private internal name the
>>> Squid instance uses to distinguish itself from other peers on the proxy
>>> farm.
>>
>> so they can connect to alcdmz1:3128
>>
>> conf
>> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>> auth_param negotiate children 20 startup=0 idle=3
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
>> auth_param ntlm children 20 startup=0 idle=3
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
>> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
>> acl localnet src 10.3.8.0/24
>> acl localnet_auth src 10.1.0.0/14
>> acl localnet_auth src 10.2.0.0/16
>> acl localnet_auth src 10.2.2.1/32
>
> NP: 10.1.0.0/14 contains and matches all of 10.2.*.*, therefore the other
> localnet_auth entries are all redundant and can be removed.
>
> (squid -k parse should be warning you about that)
>
>> acl localnet_guest src 10.1.22.0/24
>> acl localnet_appproxy src 10.172.23.3/32
>
> NP: localnet and localnet_appproxy are both of the same type and both only
> used to allow http_access within the same block of allows.
>
> You should simplify by adding 10.172.23.3 to the localnet definition and
> drop localnet_appproxy entirely.

I have changed some of the IP addressing for the email

>> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
>> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
>> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
>> acl FTP proto FTP
>> acl DMZSRV src 10.3.2.110
>> acl DMZSRV src 10.3.2.111
>> always_direct allow FTP
>> always_direct allow DMZSRV
>> ftp_passive off
>> ftp_epsv_all off
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>
> Aha. You have restricted the Safe_ports to exclude 3128. Thus
> "http://alcdmz1:3128/..." are rejected even if the remote client could
> resolve domains within the TLD "alcdmz1".

so obvious once pointed out! Wonder why it worked before though!

>> acl CONNECT method CONNECT
>> acl AuthorizedUsers proxy_auth REQUIRED
>> acl icp_allowed src 10.3.2.110/32
>> acl icp_allowed src 10.3.2.111/32
>> acl icp_allowed src 10.172.23.0/32
>> acl icp_allowed src 10.172.23.4/32
>
> NP: you do not need to put /32 on IPv4 addresses.
>
>> http_access allow manager localhost
>> http_access allow manager icp_allowed
>> http_access deny manager
>> http_access allow icp_allowed
>
> All the manager and icp_allowed stuff above should be down ...
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> ... here.
>
> I would also restructure the manager tests as:
> http_access allow icp_allowed
> http_access allow localhost
> http_access deny manager
>
> ... which avoids repeated checking of the (relatively) slow regex manager
> ACL, and allows removal of the lines checking "allow localhost" and "allow
> icp_allowed".
>
>> http_access allow localnet
>> http_access allow localhost
>> http_access allow localnet_appproxy
>> http_access deny !localnet_auth
>> http_access allow localnet_guest sblYBOveride
>> http_access deny localnet_guest sblMal
>> http_access deny localnet_guest sblPorn
>> http_access allow localnet_guest
>> http_access allow nonAuthSrc
>> http_access allow nonAuthDom
>
> Instead of repeating allows for FTP and Authorized users twice you could
> replace all these:
>
>> http_access allow sblYBOveride FTP
>> http_access allow sblYBOveride AuthorizedUsers
>> http_access deny sblMal
>> http_access deny sblPorn
>
> ... with these:
>>
>> http_access deny !sblYBOveride sblMal
>> http_access deny !sblYBOveride sblPorn

I will look into this!

>> http_access allow FTP
>> http_access allow AuthorizedUsers
>> http_access deny all
>> http_port 3128
>> http_port 8080
>> cache_mem 40960 MB
>> cache_mgr operations.manager@xxxxxxx
>> cache_dir aufs /var/spool/squid 550000 16 256
>> coredump_dir /var/spool/squid
>> range_offset_limit 200 MB
>> maximum_object_size 200 MB
>> quick_abort_min -1
>> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query standby=10
>> icp_port 0
>> icp_access allow icp_allowed
>> icp_access deny all
>> htcp_port 4827
>> htcp_access allow icp_allowed
>> htcp_access deny all
>> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
>> cache deny nonCacheDom
>> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
>> cache deny nonCacheURL
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
>> adaptation_access service_req allow all
>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
>> adaptation_access service_resp allow all
>> ipcache_size 10240
>> forwarded_for delete
>> cache_swap_low 90
>> cache_swap_high 95
>> log_icp_queries off
>> icap_preview_enable on
>> icap_preview_size 1024
>> httpd_suppress_version_string on
>> max_filedesc 8192
>>
>> I'm not sure what I have to allow
>>
>> So if I understand rightly
>> client makes request for http://bcp.crwdcntrl.net/
>> squid sends back a 403
>>
>> client gets response text that includes a link to
>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png from this
>> code
>> background: url('/squid-internal-static/icons/SN.png') no-repeat left;
>>
>> browser / client makes request for
>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>
>> squid returns 403 ..
>>
>> which ACL or access_allow do I need to allow this.
>
> Either add 3128 back into your Safe_ports ACL, or add an ACL " urlpath_regex
> ^/squid-internal-static/ " and permit requests that match it.
>
> The second way is better because it should allow the
> "http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png" request to
> succeed, which is both faster and avoiding the proxy hostname:port exposure.

yes like the second method.

> Amos

Thanks
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
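Added example, not part of the thread and not Squid's own code: a small model of how Squid walks its http_access list (every ACL on a line must match, "!" negates, the first fully matching line decides, and with no match the opposite of the last line's action applies). It replays the two points Amos makes above on a cut-down copy of the posted rules: the icon request, evaluated with the URL as the error page showed it (alcdmz1:3128), dies on "deny !Safe_ports" because 3128 is not a safe port, and a urlpath_regex ACL for /squid-internal-static/ placed before that line lets it through; and his combined "deny !sblYBOveride sblMal" form exempts the override list while still blocking the rest. The ACL name squid_internal, the client address 10.3.8.5, the example.net/example.org domains and the list contents are all constructed for the example; restricting the icon rule to localnet is my own tightening (so the rule does not become a public resource on the proxy), not something the thread states. Only the ACL types the thread uses (src, dstdomain, port, method, urlpath_regex) are modelled, and Squid's built-in "manager" ACL is approximated.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ACLs Squid predefines, approximated here (Squid's real "manager" ACL is a url_regex).
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "localhost": ("src", ["127.0.0.0/8", "::1/128"]),
    "manager": ("urlpath_regex", [r"^/squid-internal-mgr/"]),
}


@dataclass
class Request:
    client_ip: str
    method: str
    url: str  # for CONNECT this is "host:port", as Squid logs it

    def parts(self):
        """(host, port, path) as the dstdomain/port/urlpath_regex ACLs see them."""
        if self.method.upper() == "CONNECT":
            host, _, port = self.url.rpartition(":")
            return host.lower(), int(port), ""
        u = urlsplit(self.url)
        port = u.port or (443 if u.scheme == "https" else 80)
        return (u.hostname or "").lower(), port, u.path or "/"


def parse_config(text):
    """Read 'acl' and 'http_access' lines; repeated acl lines accumulate values, as in Squid."""
    acls, rules = dict(BUILTIN_ACLS), []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            name, kind = words[1], words[2]
            values = [w for w in words[3:] if w != "-i"]  # matching below is case-insensitive anyway
            acls[name] = (kind, acls.get(name, (kind, []))[1] + values)
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl, req):
    kind, values = acl
    host, port, path = req.parts()
    if kind == "src":
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # "a.b" matches that host only; ".a.b" matches a.b and every subdomain
        return any(host == v.lower().lstrip(".") or (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    if kind == "port":
        return port in {int(v) for v in values}
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "urlpath_regex":
        return any(re.search(v, path, re.IGNORECASE) for v in values)
    raise ValueError(f"ACL type {kind!r} is not modelled")


def evaluate(config_text, req):
    """Return (action, line): all ACLs on a line must match, '!' negates, first match wins,
    and if nothing matches Squid applies the opposite of the last line's action."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    return ("deny" if rules[-1][0] == "allow" else "allow"), "no line matched"


# Constructed cut-down copy of the posted ACLs; 3128 and 8080 are absent from Safe_ports.
ACLS = """
acl localnet src 10.3.8.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
acl squid_internal urlpath_regex ^/squid-internal-static/
acl sblYBOveride dstdomain -i .example.net
acl sblMal dstdomain -i .bad.example.net .evil.example.org
"""
# Rule order from the post, with Amos's combined-line form of the blacklist check.
BASE_RULES = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !sblYBOveride sblMal
http_access allow localnet
http_access deny all
"""
# Amos's second option, limited here to local clients (my tightening, not from the thread).
FIXED_RULES = "http_access allow squid_internal localnet\n" + BASE_RULES

# The icon request as Squid reported it in the error page: port 3128 is not in Safe_ports.
ICON = Request("10.3.8.5", "GET", "http://alcdmz1:3128/squid-internal-static/icons/SN.png")

if __name__ == "__main__":
    print(evaluate(ACLS + BASE_RULES, ICON))   # ('deny', 'http_access deny !Safe_ports')
    print(evaluate(ACLS + FIXED_RULES, ICON))  # ('allow', 'http_access allow squid_internal localnet')
    print(evaluate(ACLS + BASE_RULES, Request("10.3.8.5", "GET", "http://www.bad.example.net/")))   # allow
    print(evaluate(ACLS + BASE_RULES, Request("10.3.8.5", "GET", "http://www.evil.example.org/")))  # deny
```

The model also shows why the icon rule belongs before "deny !Safe_ports" and not after it: http_access stops at the first line that matches, so an allow placed later never runs for a request on port 3128. A client outside localnet still hits the Safe_ports denial with the fixed rules, which is the point of tying the exemption to a src ACL.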