On 25/05/19 1:45 am, Enrique Calatayud wrote:
> Hello everyone!
>
> I'm getting a TAG_NONE/403 error with the basic configuration on my
> squid proxy server. I've been working on this since the last week but
> still no positive results.
>
> I tried several things, even a whitelist. Here is my squid.conf.

...

> ssl_bump allow all

"allow" is not a valid action for this directive.
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

...

> http_access deny blocksitelist
> http_access allow whitelist
> http_access allow CONNECT whitelist

Complex access controls being done before even the most simple/fast/basic security check to prevent DOS attacks.

Move the above http_access lines ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

... down to here where custom access controls should be.

Except for the "allow CONNECT whitelist" line which you can delete completely. It is pointless behind "allow whitelist".

> http_access allow localnet
> http_access allow localhost
> http_access allow all

This is now an "open proxy" - not a good idea.

> http_port 0.0.0.0:3128
> https_port 0.0.0.0:3128 ssl-bump
> cert=/etc/squid/squid-cert/cert.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB

So port 3128 is simultaneously receiving TLS and non-TLS (plain-text) traffic syntax? That is not possible.

With the above settings, Squid should log a complaint in cache.log and only open the first (http_port) to use the specific IP:port value.

To work at all port directives need unique IP:port settings.

...

>
> I tried not using certs, using "http_access allow all" on top of the
> rules and disabling others, decrypting ssl...
> Is not happening with other websites. I'm starting to think that this is
> not my problem...

"403 Forbidden" can be sent by any HTTP agent.

>
> So, any of you have troubles with www.mediavida.com
> <http://www.mediavida.com> under your squid proxy server? Or any of you
> have any clue about what I am missing here?

You are missing the rest of the access.log line. The parts which tell you (and us) what was being done that got forbidden, which agent was doing it, what other agents were involved with the decision, and when all this happened.

Amos
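
The configuration problems raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of Squid's own tooling: a small Python linter (the name `lint_squid_conf` is hypothetical) that flags an invalid `ssl_bump` action, custom `http_access` rules placed before the basic port checks, `http_access allow all`, and two port directives sharing one IP:port. The set of valid `ssl_bump` actions is an assumption based on Squid's documentation, and the sample contains only the directives quoted in the thread.

```python
import re

# Assumption: the ssl_bump actions listed in Squid's peek-and-splice documentation.
SSL_BUMP_ACTIONS = {"splice", "bump", "peek", "stare", "terminate"}
# The basic checks the reply wants evaluated before any custom access rule.
BASELINE = {"deny !Safe_ports", "deny CONNECT !SSL_ports"}

def lint_squid_conf(text):
    """Return (line_number, message) findings for a squid.conf string."""
    findings, listeners, seen = [], {}, set()
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        name, rule = tokens[0], " ".join(tokens[1:])
        if name == "ssl_bump" and tokens[1] not in SSL_BUMP_ACTIONS:
            findings.append((n, f"ssl_bump: invalid action '{tokens[1]}'"))
        elif name in ("http_port", "https_port"):
            # Simplification: a bare port and 0.0.0.0:port are the same listener.
            addr = re.sub(r"^0\.0\.0\.0:", "", tokens[1])
            if addr in listeners:
                findings.append((n, f"{name}: {tokens[1]} already used on line {listeners[addr]}"))
            listeners.setdefault(addr, n)
        elif name == "http_access":
            if rule in BASELINE:
                seen.add(rule)
            elif not seen >= BASELINE:
                findings.append((n, f"http_access: '{rule}' runs before the basic port checks"))
            if rule == "allow all":
                findings.append((n, "http_access: 'allow all' makes this an open proxy"))
    return findings

# Constructed sample: only the directives quoted in the thread, in quoted order.
SAMPLE = """\
ssl_bump allow all
http_access deny blocksitelist
http_access allow whitelist
http_access allow CONNECT whitelist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 0.0.0.0:3128
https_port 0.0.0.0:3128 ssl-bump cert=/etc/squid/squid-cert/cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""
```

Calling `lint_squid_conf(SAMPLE)` returns one finding for each of lines 1, 2, 3, 4, 11 and 13 of the sample.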