Amos Jeffries wrote
> "allow" is not a valid action for this directive.
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

I don't know what I was thinking, thank you. I deleted the ssl_bump line. I tried splicing too, with ssl_bump peek all and ssl_bump splice all, but it didn't work either.

Amos Jeffries wrote
>> http_access deny blocksitelist
>> http_access allow whitelist
>> http_access allow CONNECT whitelist
>
> Complex access controls being done before even the most
> simple/fast/basic security check to prevent DOS attacks.
>
> Move the above http_access lines ...
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>
> ... down to here where custom access controls should be.
>
> Except for the "allow CONNECT whitelist" line which you can delete
> completely. It is pointless behind "allow whitelist".

Fixed it. Thanks!

Amos Jeffries wrote
> This is now an "open proxy" - not a good idea.

Of course it is not a good idea. In my desperation I tried to keep the proxy as open as possible after the rules, but it didn't work either. This is not a long-term configuration. I just need to bypass this issue because it could happen with other websites (funny thing, I couldn't find another one). When this is solved I'll cap the proxy as much as possible.

Amos Jeffries wrote
> So port 3128 is simultaneously receiving TLS and non-TLS (plain-text)
> traffic syntax?
>
> That is not possible. With the above settings, Squid should log a
> complaint in cache.log and only open the first (http_port) to use the
> specific IP:port value.
>
> To work at all port directives need unique IP:port settings.

It turns out the cert line and the rest of it wasn't working at all. I just left "http_port 0.0.0.0:3128".

My concern was how squid proxy manages 443 connections on the same port, but all websites work just fine and in the access.log I can see a lot of TCP_TUNNEL/200 like:

TCP_TUNNEL/200 1093 CONNECT www.cisco.com:443 - HIER_DIRECT/104.126.39.51
TCP_TUNNEL/200 11488 CONNECT www.ultratools.com:443 - HIER_DIRECT/156.154.208.10

Amos Jeffries wrote
> "403 Forbidden" can be sent by any HTTP agent.

It was 503, sorry.

Amos Jeffries wrote
> You are missing the rest of the access.log line. The parts which tell
> you (and us) what was being done that got forbidden, which agent was
> doing it, what other agents were involved with the decision, and when
> all this happened.

The rest of the access.log file? Sure:

1559122901.583 16384 192.168.0.51 TCP_TUNNEL/200 4048 CONNECT gum.criteo.com:443 - HIER_DIRECT/178.250.2.146 -
1559122902.462 40211 192.168.0.51 TCP_TUNNEL/200 68725 CONNECT secure-ds.serving-sys.com:443 - HIER_DIRECT/184.25.40.188 -
1559122902.726 15313 192.168.0.51 TCP_TUNNEL/200 3277 CONNECT gem.gbc.criteo.com:443 - HIER_DIRECT/185.235.84.183 -
1559122902.804 15595 192.168.0.51 TCP_TUNNEL/200 918 CONNECT smetrics.el-mundo.net:443 - HIER_DIRECT/185.34.188.24 -
1559122904.127 17686 192.168.0.51 TCP_TUNNEL/200 135863 CONNECT pixel.adsafeprotected.com:443 - HIER_DIRECT/199.166.0.26 -
1559122904.498 12987 192.168.0.51 TCP_TUNNEL/200 1177 CONNECT dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122904.507 12996 192.168.0.51 TCP_TUNNEL/200 1177 CONNECT dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122904.629 10142 192.168.0.51 TCP_TUNNEL/200 6787 CONNECT secure.adnxs.com:443 - HIER_DIRECT/185.33.223.83 -
1559122904.746 1865256 192.168.0.60 TCP_TUNNEL/200 12205 CONNECT manage.mediashuttle.com:443 - HIER_DIRECT/52.21.207.90 -
1559122904.872 10736 192.168.0.51 TCP_TUNNEL/200 847 CONNECT dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122905.083 10999 192.168.0.51 TCP_TUNNEL/200 7364 CONNECT x.bidswitch.net:443 - HIER_DIRECT/18.153.11.1 -
1559122905.676 13345 192.168.0.51 TCP_TUNNEL/200 7176 CONNECT bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.414 19991 192.168.0.51 TCP_TUNNEL/200 9138 CONNECT bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.716 11341 192.168.0.51 TCP_TUNNEL/200 3252 CONNECT csm.fr.eu.criteo.net:443 - HIER_DIRECT/178.250.0.162 -
1559122906.917 18429 192.168.0.51 TCP_MISS/200 360 GET http://192.168.0.15/v3/api/backchannel? - HIER_DIRECT/192.168.0.15 application/json
1559122907.774 130868 192.168.0.60 TCP_TUNNEL/200 1534 CONNECT ps6.pubnub.com:443 - HIER_DIRECT/54.93.254.233 -
1559122914.376 19351 192.168.0.51 TCP_TUNNEL/200 6695 CONNECT farm.plista.com:443 - HIER_DIRECT/176.9.103.51 -
1559122914.665 30180 192.168.0.51 TCP_TUNNEL/200 833 CONNECT prisacom.sc.omtrdc.net:443 - HIER_DIRECT/172.82.228.19 -
1559122914.780 18976 192.168.0.51 TCP_MISS/200 360 GET http://192.168.0.16/v3/api/backchannel? - HIER_DIRECT/192.168.0.16 application/json
1559122915.099 66824 192.168.0.51 TCP_TUNNEL/200 286551 CONNECT newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122915.172 65116 192.168.0.51 TCP_TUNNEL/200 4392 CONNECT newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122917.919 0 192.168.0.51 TAG_NONE/503 0 CONNECT www.mediavida.com:443 - HIER_NONE/- -
1559122918.298 60477 192.168.0.51 TCP_TUNNEL/200 5691 CONNECT mpc.nicequest.com:443 - HIER_DIRECT/34.224.49.39 -

All TCP_TUNNEL and TCP_MISS entries allow me to reach the web. The TCP_NONE doesn't. This is all happening right now, 29/05/2019 at 11:40 pm.

Thank you for your dedicated efforts Amos!

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
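As an added example (not from this thread or the Squid project), a small Python parser for the native access.log format quoted in the message, which separates, per client, the CONNECT requests Squid tunneled from the one it did not. The sample lines are copied from the log above; the classification rule (HIER_NONE/- or a 4xx/5xx status means no tunnel was opened) is an assumption drawn from those lines.

```python
import re
from collections import defaultdict

# Squid native access.log format, one request per line:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Sample input: four lines copied from the access.log quoted in the message above.
SAMPLE_LOG = """\
1559122906.414 19991 192.168.0.51 TCP_TUNNEL/200 9138 CONNECT bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.917 18429 192.168.0.51 TCP_MISS/200 360 GET http://192.168.0.15/v3/api/backchannel? - HIER_DIRECT/192.168.0.15 application/json
1559122917.919 0 192.168.0.51 TAG_NONE/503 0 CONNECT www.mediavida.com:443 - HIER_NONE/- -
1559122918.298 60477 192.168.0.51 TCP_TUNNEL/200 5691 CONNECT mpc.nicequest.com:443 - HIER_DIRECT/34.224.49.39 -
"""


def parse_line(line):
    """Split one native-format line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def classify_connects(log_text):
    """Per client, split CONNECT requests into tunnels Squid opened and ones it did not.
    A forwarded CONNECT shows a peer (HIER_DIRECT/ip) and a 2xx status; a CONNECT that
    never reached a peer shows HIER_NONE/- and an error status (TAG_NONE/503 above)."""
    result = defaultdict(lambda: {"tunneled": [], "failed": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue  # skip unparsable lines and plain GET/POST traffic
        bucket = result[rec["client"]]
        if rec["hier"] == "HIER_NONE" or rec["status"] >= 400:
            bucket["failed"].append((rec["url"], f"{rec['code']}/{rec['status']}"))
        else:
            bucket["tunneled"].append(rec["url"])
    return dict(result)
```

Run it against a full access.log to get, for each client address, the list of hosts whose CONNECT never produced a tunnel, which is the set worth checking against the http_access ordering discussed above.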