
Re: TCP_DENIED/407 accessing webserver on same machine as squid

On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine.
> The webserver is actually part of shellinabox, so it's only for me to
> access. Shellinabox simply presents a terminal and login in a web
> browser. I want it to be accessible only through squid for more
> security.
>
> shellinabox works fine if I access it directly, but through squid I
> see this in access.log:
>
> 1495813953.860 79 204.155.22.30 TCP_TUNNEL/200 1440 CONNECT IP:PORT USER HIER_DIRECT/IP
>
> 1495813962.001 0 204.155.22.30 TCP_DENIED/407 4397 CONNECT IP:PORT USER HIER_NONE/- text/html
>
> I've replaced the real IP, PORT, and USER with those words, however
> the real PORT is a nonstandard port number. There are some other
> posts I found mentioning a 407 error and it was said it occurs when
> the webpage is asking for authentication. However I don't understand
> this, since shellinabox only displays a login prompt which I wouldn't
> think would be a problem. Another post said a 407 is when squid auth
> is failing, but I can get to external websites through squid.
>
> Does it matter that what I'm trying to access is HTTPS instead of
> HTTP?

Yes it does. Beyond the obvious encryption there are messaging differences that directly affect what the proxy can do.


The first log entry indicates that something has already been done to let the port "work", so your config is already non-standard and probably doing something weird. The presence of a USER value other than "-" indicates that the proxy-auth is working at least for that transaction.

Yes, the 407 is login to *Squid*. Nothing to do with the shellinabox software; the HIER_NONE/- on the second line says shellinabox is not even being contacted yet for that transaction.


It is not possible to say why anything is happening here without knowing your config structure and intended policy. You will need to provide your squid.conf details to get much help.

If you need to obfuscate IPs, please map them as if you were using the 10/8 or 192.168/16 ranges so we can still identify any subtle things like TCP connections going wrong without revealing your public addresses.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
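
The reading of the two access.log lines given in the reply above, as an added example that is not part of the original thread: a small Python parser for Squid's native log format that reports whether the destination was contacted and whether the 407 came from Squid. The sample lines are constructed (modelled on the two in the question, with addresses mapped into private ranges), and the names `parse`, `triage` and the user `alice` are assumptions.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "client result status method url user hier peer")

# Constructed sample lines modelled on the two quoted in the thread; the
# addresses, port and user name "alice" are made up for this example.
SAMPLE = [
    "1495813953.860 79 192.168.1.20 TCP_TUNNEL/200 1440 CONNECT 10.0.0.5:8443 alice HIER_DIRECT/10.0.0.5",
    "1495813962.001 0 192.168.1.20 TCP_DENIED/407 4397 CONNECT 10.0.0.5:8443 alice HIER_NONE/- text/html",
    "1495813970.120 0 192.168.1.20 TCP_DENIED/407 4397 CONNECT 10.0.0.5:8443 - HIER_NONE/- text/html",
]

def parse(line):
    """Split one native-format line: time elapsed client result/status
    bytes method URL user hierarchy/peer [content-type]."""
    f = line.split()
    if len(f) < 9:
        raise ValueError("not a native-format access.log line: %r" % line)
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return Entry(f[2], result, int(status), f[5], f[6],
                 None if f[7] == "-" else f[7], hier, peer)

def triage(line):
    """Return (who_answered, note) for one log line."""
    e = parse(line)
    # HIER_NONE/- means no upstream server was contacted for this
    # transaction, so the response came from Squid itself.
    who = "squid" if e.hier == "HIER_NONE" else "origin"
    if e.status == 407 and who == "squid":
        note = ("proxy authentication challenge from Squid; user field: %s"
                % (e.user or "none"))
    elif e.result == "TCP_TUNNEL":
        note = "CONNECT tunnel opened to %s as user %s" % (e.peer, e.user or "none")
    else:
        note = "%s/%d" % (e.result, e.status)
    return who, note

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```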



