Search squid archive

Re: TAG_NONE/403 on www.mediavida.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 25/05/19 1:45 am, Enrique Calatayud wrote:
> Hello everyone!
> 
> I'm getting a TAG_NONE/403 error with the basic configuration on my
> squid proxy server. I've been working on this since the last week but
> still no positive results.
> 
> I tried several things, even a whitelist. Here is my squid.conf.

...

> ssl_bump allow all

"allow" is not a valid action for this directive.

<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

...
> http_access deny blocksitelist
> http_access allow whitelist
> http_access allow CONNECT whitelist

Complex access controls being done before even the most
simple/fast/basic security check to prevent DOS attacks.

Move the above http_access lines ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

... down to here where custom access controls should be.

Except for the "allow CONNECT whitelist" line which you can delete
completely. It is pointless behind "allow whitelist".


> http_access allow localnet
> http_access allow localhost
> http_access allow all

This is now an "open proxy" - not a good idea.


> http_port 0.0.0.0:3128 
> https_port 0.0.0.0:3128 ssl-bump
> cert=/etc/squid/squid-cert/cert.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB

So port 3128 is simultaneously receiving TLS and non-TLS (plain-text)
traffic syntax?

That is not possible. With the above settings, Squid should log a
complaint in cache.log and only open the first (http_port) to use the
specific IP:port value.

To work at all port directives need unique IP:port settings.


...
> 
> I tried not using certs, using "http_access allow all" on top of the
> rules and disabling others, decrypting ssl...
> Is not happening with other websites. I'm starting to think that this is
> not my problem...

"403 Forbidden" can be sent by any HTTP agent.


> 
> So, any of you have troubles with www.mediavida.com
> <http://www.mediavida.com> under your squid proxy server? Or any of  you
> have any clue about what I am missing here?

You are missing the rest of the access.log line. The parts which tell
you (and us) what was being done that got forbidden, which agent was
doing it, what other agents were involved with the decision, and when
all this happened.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux