Search squid archive

Re: TAG_NONE/403 on www.mediavida.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Amos Jeffries wrote
> "allow" is not a valid action for this directive.
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

I don't know what I was thinking, thank you
I deleted the ssl_bump line, I try splicing too with ssl_bump peek all and
ssl_bump splice all, but it also didn't work too.


Amos Jeffries wrote
>> http_access deny blocksitelist
>> http_access allow whitelist
>> http_access allow CONNECT whitelist
> 
> Complex access controls being done before even the most
> simple/fast/basic security check to prevent DOS attacks.
> 
> Move the above http_access lines ...
> 
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
> 
> ... down to here where custom access controls should be.
> 
> Except for the "allow CONNECT whitelist" line which you can delete
> completely. It is pointless behind "allow whitelist".

Fixed it. Thanks!


Amos Jeffries wrote
> This is now an "open proxy" - not a good idea.

Of course is not a good idea. In my desperation I tried to keep the proxy
open as much as possible after the rules but it didn't work either.
This is not a long term configuration. I just need to bypass this issue just
because it could happen with other websites (funny think i couldn't find
another one). When this is solved I'll cap the proxy as much as possible.


Amos Jeffries wrote
> So port 3128 is simultaneously receiving TLS and non-TLS (plain-text)
> traffic syntax?
> 
> That is not possible. With the above settings, Squid should log a
> complaint in cache.log and only open the first (http_port) to use the
> specific IP:port value.
> 
> To work at all port directives need unique IP:port settings.

It turns out the cert line and the rest of it wasn't working at all. I just
left "http_port 0.0.0.0:3128". My concern was how about squid proxy manages
443 conections with the same port but all websites works just fine and in
the access.log I can see a lot TCP_TUNNEL/200 like:
TCP_TUNNEL/200 1093 CONNECT www.cisco.com:443 - HIER_DIRECT/104.126.39.51
TCP_TUNNEL/200 11488 CONNECT www.ultratools.com:443 -
HIER_DIRECT/156.154.208.10 



Amos Jeffries wrote
> "403 Forbidden" can be sent by any HTTP agent.

It was 503, sorry.


Amos Jeffries wrote
> You are missing the rest of the access.log line. The parts which tell
> you (and us) what was being done that got forbidden, which agent was
> doing it, what other agents were involved with the decision, and when
> all this happened.

The rest of the access.log file? Sure

1559122901.583  16384 192.168.0.51 TCP_TUNNEL/200 4048 CONNECT
gum.criteo.com:443 - HIER_DIRECT/178.250.2.146 -
1559122902.462  40211 192.168.0.51 TCP_TUNNEL/200 68725 CONNECT
secure-ds.serving-sys.com:443 - HIER_DIRECT/184.25.40.188 -
1559122902.726  15313 192.168.0.51 TCP_TUNNEL/200 3277 CONNECT
gem.gbc.criteo.com:443 - HIER_DIRECT/185.235.84.183 -
1559122902.804  15595 192.168.0.51 TCP_TUNNEL/200 918 CONNECT
smetrics.el-mundo.net:443 - HIER_DIRECT/185.34.188.24 -
1559122904.127  17686 192.168.0.51 TCP_TUNNEL/200 135863 CONNECT
pixel.adsafeprotected.com:443 - HIER_DIRECT/199.166.0.26 -
1559122904.498  12987 192.168.0.51 TCP_TUNNEL/200 1177 CONNECT
dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122904.507  12996 192.168.0.51 TCP_TUNNEL/200 1177 CONNECT
dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122904.629  10142 192.168.0.51 TCP_TUNNEL/200 6787 CONNECT
secure.adnxs.com:443 - HIER_DIRECT/185.33.223.83 -
1559122904.746 1865256 192.168.0.60 TCP_TUNNEL/200 12205 CONNECT
manage.mediashuttle.com:443 - HIER_DIRECT/52.21.207.90 -
1559122904.872  10736 192.168.0.51 TCP_TUNNEL/200 847 CONNECT
dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122905.083  10999 192.168.0.51 TCP_TUNNEL/200 7364 CONNECT
x.bidswitch.net:443 - HIER_DIRECT/18.153.11.1 -
1559122905.676  13345 192.168.0.51 TCP_TUNNEL/200 7176 CONNECT
bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.414  19991 192.168.0.51 TCP_TUNNEL/200 9138 CONNECT
bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.716  11341 192.168.0.51 TCP_TUNNEL/200 3252 CONNECT
csm.fr.eu.criteo.net:443 - HIER_DIRECT/178.250.0.162 -
1559122906.917  18429 192.168.0.51 TCP_MISS/200 360 GET
http://192.168.0.15/v3/api/backchannel? - HIER_DIRECT/192.168.0.15
application/json
1559122907.774 130868 192.168.0.60 TCP_TUNNEL/200 1534 CONNECT
ps6.pubnub.com:443 - HIER_DIRECT/54.93.254.233 -
1559122914.376  19351 192.168.0.51 TCP_TUNNEL/200 6695 CONNECT
farm.plista.com:443 - HIER_DIRECT/176.9.103.51 -
1559122914.665  30180 192.168.0.51 TCP_TUNNEL/200 833 CONNECT
prisacom.sc.omtrdc.net:443 - HIER_DIRECT/172.82.228.19 -
1559122914.780  18976 192.168.0.51 TCP_MISS/200 360 GET
http://192.168.0.16/v3/api/backchannel? - HIER_DIRECT/192.168.0.16
application/json
1559122915.099  66824 192.168.0.51 TCP_TUNNEL/200 286551 CONNECT
newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122915.172  65116 192.168.0.51 TCP_TUNNEL/200 4392 CONNECT
newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122917.919      0 192.168.0.51 TAG_NONE/503 0 CONNECT
www.mediavida.com:443 - HIER_NONE/- -
1559122918.298  60477 192.168.0.51 TCP_TUNNEL/200 5691 CONNECT
mpc.nicequest.com:443 - HIER_DIRECT/34.224.49.39 -

All TCP_TUNNEL, TCP_MISS allows me to reach the web. The TCP_NONE doesn't.
This all is happening right now. 29/05/2019 at 11:40 pm.

Thank you for your dedicated efforts Amos!



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux