I’m testing Squid 4.1 and my proxy is showing TCP_DENIED when fetching certificates like this:

1531425362.414 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425364.299 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"

If I’m not wrong, Amos wrote that there is a special directive or ACL to allow these, since they are not originating from a client IP src address.

And also, when I’m trying to access https://bugs.squid-cache.org/ with SSL-BUMP on, I am receiving the next page:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://bugs.squid-cache.org/*

Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.

Generated Thu, 12 Jul 2018 20:01:40 GMT by squid4-testing (squid/4.1)
##END OF PAGE

With these access log lines:

1531425990.290 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.291 000355 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.294 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.295 000359 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.299 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/index.cgi - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"
1531425990.304 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.305 000365 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000372 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000368 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.339 000000 10.0.0.28 NONE/503 4117 GET http://squid4-testing:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"
1531425990.374 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/favicon.ico - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"

So the issue is a bit strange: is the remote IP the issue, or another thing?
I looked at the archives and also the docs, and from what I managed to make sure, the next resolves both issues, which are tangled to each other:

## START squid.conf addition
acl internal transaction_initiator internal
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access allow internal
## END squid.conf addition

http://www.squid-cache.org/Versions/v4/cfgman/acl.html

It clarifies that there is a new type of ACL named “transaction_initiator” which does a couple of good things. I am not sure, but it seems to me that some wiki page is missing regarding this issue.

All The Bests,
Eliezer

----
Eliezer Croitoru |
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
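As an added example that is not part of the original post or of Squid itself: a small Python parser for the native-format access.log lines quoted above, which picks out the fetches Squid started on its own behalf (client field "-") that http_access denied, so they can be told apart from the client's own CONNECT and 503 lines when checking whether the transaction_initiator rule took effect. The sample lines are copied from the post with their trailing custom fields trimmed.

```python
# Added example, not from the post: parse the native-format access.log lines
# quoted above and pull out the fetches Squid started on its own behalf
# (client field "-") that http_access refused with TCP_DENIED. Those are the
# certificate downloads the transaction_initiator ACL is meant to permit.
import re
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "ts duration_ms client result status size method url hierarchy")

# Native squid format: time elapsed client result/status bytes method URL user
# hierarchy/peer type. The custom Q-CC/REP-* fields that follow are ignored.
NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dur>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)"
)

def parse(line):
    """Return an Entry for a native-format line, or None if it does not match."""
    m = NATIVE.match(line)
    if not m:
        return None
    return Entry(float(m["ts"]), int(m["dur"]), m["client"], m["result"],
                 int(m["status"]), int(m["size"]), m["method"], m["url"], m["hier"])

def is_internal_denied(e):
    """Proxy-initiated request (no client src address) that the ACLs denied.
    Nothing was fetched, so the hierarchy is HIER_NONE and the status is a 403."""
    return e.client == "-" and e.result == "TCP_DENIED" and e.hierarchy.startswith("HIER_NONE")

def internal_denied_urls(lines):
    """Distinct URLs of denied proxy-initiated fetches, in first-seen order."""
    seen = []
    for e in filter(None, map(parse, lines)):
        if is_internal_denied(e) and e.url not in seen:
            seen.append(e.url)
    return seen

def outcomes_by_client(lines):
    """Count lines per (client, result/status); the "-" rows are Squid's own fetches."""
    return Counter((e.client, f"{e.result}/{e.status}") for e in filter(None, map(parse, lines)))

# Sample lines copied from the post, custom trailing fields trimmed.
SAMPLE = [
    "1531425362.414 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8",
    "1531425990.290 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8",
    "1531425990.291 000355 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -",
    "1531425990.294 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8",
    "1531425990.299 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/index.cgi - HIER_NONE/- text/html",
]
```

Feed a real access.log through internal_denied_urls() before and after adding the "http_access allow internal" line; the certificate URLs should disappear from the denied list once the rule is in place.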