Hi Squid community,

Sorry for my bad English, I am French; I will do my best to explain my issue clearly.

I have a pfSense with the Squid plugin. The plugin contains:

squidclamav-6.16
squid_radius_auth-1.10
squid-3.5.27_3
c-icap-modules-0.5.3_1

My Squid is configured as a transparent proxy for HTTP only.

In the game Star Citizen I have an issue with the VoIP feature: when I try to launch a VoIP connection, it fails.

In my Squid log I see these entries:

1578684384.329 237 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html
1578684385.507 165 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html

When I disable Squid, everything works fine.

My Squid conf file is:

------ My conf file -------
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.2.1:3128
http_port 192.168.4.1:3128
http_port 192.168.8.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language fr
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr xxxxxxxxxxxxxxxx
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.2.0/24 192.168.4.0/24 192.168.8.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 10 MB
cache_dir ufs /var/squid/cache 1024 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
cache deny donotcache
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#Remote proxies

# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 9443 3128 3129 1025-65535
acl sslports port 443 563 9443

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Do not throttle unrestricted hosts
delay_access 1 deny unrestricted_hosts
delay_access 1 allow allsrc

# Reverse Proxy settings
acl rvm_uri_proxmox url_regex -i proxmox.killpilot.fr
never_direct allow rvm_uri_proxmox
http_access allow rvm_uri_proxmox

# Custom options before auth
acl voip_rsi dstdomain .robertsspaceindustries.com
always_direct allow voip_rsi
cache deny voip_rsi
http_access allow voip_rsi

# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip off
icap_send_client_username off
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all
------ END My conf file -------

I tried to add this block:

acl voip_rsi dstdomain .robertsspaceindustries.com
always_direct allow voip_rsi
cache deny voip_rsi
http_access allow voip_rsi

but it did not resolve my issue. I also tried adding this configuration to these files:

My file /var/squid/acl/donotcache.acl contains:
robertsspaceindustries.com

My file /var/squid/acl/unrestricted_hosts.acl contains my PC's IP:
192.168.2.2/32

My file /var/squid/acl/whitelist.acl contains:
^.*\.robertsspaceindustries.com

Same result, failed.... I don't understand why the requests are denied .....

From my PC I tried with the curl command; the result is:

curl -vvv -x http://192.168.2.1:3128 -I http://foip-v02.robertsspaceindustries.com
Trying 192.168.2.1...
TCP_NODELAY set
Connected to 192.168.2.1 (192.168.2.1) port 3128 (#0)
HEAD http://foip-v02.robertsspaceindustries.com/ HTTP/1.1
Host: foip-v02.robertsspaceindustries.com
User-Agent: curl/7.64.1
Accept: */*
Proxy-Connection: Keep-Alive

HTTP/1.1 403 Forbidden
Date: Fri, 10 Jan 2020 19:46:03 GMT
Content-Type: text/html
Content-Length: 38
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.1 localhost (squid)
Connection: keep-alive

Can someone help me fix this issue? I can't find the right configuration.

I tried to get some help on the pfSense forum, but for the moment the issue is not solved, so I am trying here; maybe I will be luckier ;)

Thanks for your help.

Have a good day,

Regards,

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
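
Added example, not part of the original post: a Python parser for the native-format access.log entries quoted above, which reads Squid's result code (field 4) and hierarchy code (field 9) to separate 403s that Squid's own access controls produced (TCP_DENIED) from requests that Squid forwarded to a destination (TCP_MISS with ORIGINAL_DST/<ip>). The third sample line, its host and client IP, and all function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the two entries quoted in the post, plus one hypothetical
# TCP_DENIED entry (blocked.example, 192.168.2.9) added for contrast.
SAMPLE_LOG = """\
1578684384.329 237 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html
1578684385.507 165 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html
1578684390.000 0 192.168.2.9 TCP_DENIED/403 3900 GET http://blocked.example/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format access.log line into named fields, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")   # e.g. TCP_MISS / 403
    hier, _, peer = f[8].partition("/")       # e.g. ORIGINAL_DST / 35.153.171.151
    if not status.isdigit():
        return None
    return {"client": f[2], "result": result, "status": int(status),
            "host": urlsplit(f[6]).hostname or f[6], "hier": hier, "peer": peer}


def classify_403(entry):
    """Say where a 403 entered the transaction, based on Squid's own codes."""
    if entry["status"] != 403:
        return "not_403"
    if entry["result"].startswith("TCP_DENIED"):
        return "refused_by_squid"      # Squid's access controls rejected the request
    if entry["hier"] != "HIER_NONE" and entry["peer"] != "-":
        return "forwarded_upstream"    # the request left Squid for entry["peer"]
    return "undetermined"


def summarize(log_text):
    """Count 403 entries per (client, host, verdict, peer)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] == 403:
            key = (entry["client"], entry["host"], classify_403(entry), entry["peer"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

An entry classified as forwarded_upstream was not refused by an http_access rule, so the 403 was produced after the request left Squid for the listed address.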