Here's my squid.conf. For what it's worth, shellinabox can be made to use only HTTP if that's the issue.
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwdauth_param digest realm myrealmauth_param digest children 2acl auth_users proxy_auth REQUIREDacl SSL_ports port 443acl SSL_ports port SHELLINABOX_PORTacl Safe_ports port SHELLINABOX_PORTacl Safe_ports port 80 # httpacl Safe_ports port 21 # ftpacl Safe_ports port 443 # httpsacl Safe_ports port 70 # gopheracl Safe_ports port 210 # wais#acl Safe_ports port 1025-65535 # unregistered portsacl Safe_ports port 280 # http-mgmtacl Safe_ports port 488 # gss-httpacl Safe_ports port 591 # filemakeracl Safe_ports port 777 # multiling httpacl CONNECT method CONNECThttp_access deny !Safe_portshttp_access deny CONNECT !SSL_portshttp_access allow auth_usershttp_access allow allhttps_port SQUID_PORT cert=/etc/squid/squid.pemcache deny allnetdb_filename none
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Friday, May 26, 2017 12:29 PM
Subject: Re: TCP_DENIED/407 accessing webserver on same machine as squid
On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine. > The webserver is actually part of shellinabox, so it's only for me
to > access. Shellinabox simply presents a terminal and login in a web
> browser. I want it to be accessible only through squid for more >
security. > > shellinabox works fine if I access it directly, but
through squid I > see this in access.log: > > 1495813953.860 79
204.155.22.30 TCP_TUNNEL/200 1440 CONNECT > IP:PORT USER HIER_DIRECT/IP
> > > 1495813962.001 0 204.155.22.30 TCP_DENIED/407 4397 CONNECT >
IP:PORT USER HIER_NONE/- text/html > > > I've replaced the real IP,
PORT, and USER with those words, however > the real PORT is a
nonstandard port number.There are some other > posts I found mentioning
a 407 error and it was said it occurs when > the webpage is asking for
authentication. However I don't understand > this, since shellinabox
only display a login prompt which I wouldn't > think would be a
problem. Another post said a 407 is when squid auth > is failing, but I
can get to external websites through squid. > > Does it matter that what
I'm trying to access is HTTPS instead of > HTTP?
Yes it does. Beyond the obvious encryption there are messaging
differences that directly effect what the proxy can do.
The first log entry indicates that something has already been done to
let the port "work", so your config is already non-standard and probably
doing something weird. The presence of a USER value other than "-"
indicates that the proxy-auth is working at least for that transaction.
Yes the 407 is login to *Squid*. Nothing to do with the shellinabox
software, the HEIR_NONE/- on the second line says shellinabox is not
even being contacted yet for that transaction.
It is not possible to say why anything is happening here without knowing
your config structure and intended policy. You will need to provide your
squid.conf details to get much help.
If you need to obfuscate IP's please map them as if you were using the
10/8 or 192.168/16 ranges so we can still identify any subtle things
like TCP connections going wrong without revealing your public addresses.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
