On 12/01/2017 5:32 a.m., roadrage27 wrote:
> Built out Squid 3.5 on ubuntu 14.04 logs showing 403 denied when accessing
> any resources, any help is appreciated
>
> here is my conf file for reference.
>
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>

Remove the above two lines, they are built-in ACLs.

Please run 'squid -k parse' it will tell you about these things and maybe more.

> acl localnet src 0.0.0.0/8 10.145.68.0/24
> acl myip src 10.145.68.148/32
> acl to_localnet dst 10.145.68.0/24
> acl search_engines dstdomain .yahoo.com .google.com
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
> never_direct allow all
>

As others mentioned, remove the above line - it is preventing Squid contacting any web server.

> http_access allow search_engines
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow localnet
> http_access allow to_localnet
> http_access allow myip
> http_access allow all
> http_access deny to_localhost
> icp_access deny all

You can remove the above line, you don't have ICP ports open in this proxy.

>
> http_access deny all
>

Your http_access lines should look like this:

  # default security checks
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow manager localhost
  http_access deny manager

  # local network policy
  http_access allow localnet

  # default action for unidentified traffic
  http_access deny all

NOTE 1: the 'myip' ACL is not used. That is because the 'allow localnet' already accepts the 'allow myip' traffic.

NOTE 2: the search_engines ACL is dropped. It was being used to allow anyone anywhere on the Internet to use your proxy to access those domains. Which is very bad for a forward proxy to do.
 - Also, the 'allow localnet' line already allows any LAN machines to access those domains without having to name them.

NOTE 3: the to_localnet ACL is removed because it makes your proxy an open-proxy. Anyone on the Internet who can reach your proxy can attack your network.
 - If you are trying to set up a CDN proxy / reverse-proxy then this is absolutely the worst way to do it.

>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
>

Also remove the above line. It is no longer good.

> access_log /var/log/squid3/access.log squid
>
> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
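
The review points in the reply above can be checked mechanically before a proxy goes live. The following is an added example, not code from the thread or from the Squid project: a small Python audit that walks a squid.conf top to bottom and flags redefined built-in ACLs, `never_direct allow all`, `http_access allow` rules with no client-identifying ACL, and rules placed after a catch-all. The function name `audit`, the finding labels, and the `CLIENT_TYPES` set (which ACL types count as identifying the client) are assumptions made for this example.

```python
# Built-in ACL names and their types; CLIENT_TYPES is this example's assumption
BUILTIN = {"all": "src", "localhost": "src", "to_localhost": "dst", "manager": "url_regex"}
CLIENT_TYPES = {"src", "srcdomain", "arp", "proxy_auth"}

# Excerpt of the squid.conf posted in the thread (ACL and access lines only)
POSTED = """\
acl localhost src 127.0.0.1/32
acl localnet src 0.0.0.0/8 10.145.68.0/24
acl to_localnet dst 10.145.68.0/24
acl search_engines dstdomain .yahoo.com .google.com
acl Safe_ports port 80 # http
never_direct allow all
http_access allow search_engines
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow localnet
http_access allow to_localnet
http_access allow all
http_access deny to_localhost
http_access deny all
"""

def audit(conf):
    """Return (line_number, finding) pairs for a squid.conf given as text."""
    types = dict(BUILTIN)
    findings, terminal = [], None   # terminal: line of first rule matching everything
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            if tok[1] in BUILTIN:
                findings.append((n, "redefines-builtin"))
            types.setdefault(tok[1], tok[2])
        elif tok[0] == "never_direct" and tok[1:] == ["allow", "all"]:
            findings.append((n, "never-direct-all"))
        elif tok[0] == "http_access" and len(tok) >= 3:
            action, acls = tok[1], tok[2:]
            if terminal is not None:            # first match wins: never evaluated
                findings.append((n, "unreachable"))
                continue
            if acls == ["all"]:
                terminal = n
            # negated names ("!x") and 'all' do not restrict who the client is
            bound = any(a != "all" and types.get(a) in CLIENT_TYPES for a in acls)
            if action == "allow" and not bound:
                findings.append((n, "allow-without-client-acl"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(POSTED):
        print(f"line {line_no}: {finding}")
```

Run against the http_access list recommended in the reply, with only the `localnet`, `SSL_ports`, `Safe_ports` and `CONNECT` ACLs defined, the audit returns no findings.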