Search squid archive

Re: squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tested same thing..

I noticed it does have the default when I ran squid -k parse see below


I restored lines:
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost manager
http_access deny manager
cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd redacted password all
eui_lookup on
acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6

acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad

acl splice_only_mac arp redactedmac
acl splice_only_mac arp redactedmac
acl splice_only_mac arp redactedmac
acl splice_only_mac arp redactedmac
acl splice_only_mac arp redactedmac

acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"

acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell

acl bump_only_mac arp redactedmac
acl bump_only_mac arp redactedmac
acl bump_only_mac arp redactedmac
acl bump_only_mac arp redactedmac
acl bump_only_mac arp redactedmac
sslproxy_cert_sign signTrusted bump_only_mac

ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated

shutdown_lifetime 1 seconds
negative_dns_ttl 5 minutes

Output same

Shell Output - squidclient -v -U admin -W redactedpassword mgr:info

Request:
GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
Host: localhost:3128
User-Agent: squidclient/6.6
Accept: */*
Authorization: Basic redactedQ==
Connection: close


.
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Thu, 11 Jul 2024 21:06:49 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3788
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Cache-Status: Lee_Family.home.arpa
Cache-Status: Lee_Family.home.arpa;detail=no-cache
Connection: close
same thing tested with -h 127.0.0.1
Request:
GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0
Host: 127.0.0.1:3128
User-Agent: squidclient/6.6
Accept: */*
Authorization: Basic redacted==
Connection: close


.
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Thu, 11 Jul 2024 21:18:48 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3788
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Cache-Status: Lee_Family.home.arpa
Cache-Status: Lee_Family.home.arpa;detail=no-cache
Connection: close

squid -k parse shows 
2024/07/11 14:09:27| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/07/11 14:09:27| Processing: http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2024/07/11 14:09:27| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
2024/07/11 14:09:27| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_DH_USE
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_ECDH_USE
2024/07/11 14:09:27| Processing: http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2024/07/11 14:09:27| Starting Authentication on port 127.0.0.1:3128
2024/07/11 14:09:27| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2024/07/11 14:09:27| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
2024/07/11 14:09:27| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_DH_USE
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_ECDH_USE
2024/07/11 14:09:27| Processing: https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2024/07/11 14:09:27| Starting Authentication on port 127.0.0.1:3129
2024/07/11 14:09:27| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2024/07/11 14:09:27| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. Use 'tls-cafile=' instead.
2024/07/11 14:09:27| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_DH_USE
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_ECDH_USE
2024/07/11 14:09:27| Processing: tcp_outgoing_address 207.231.82.182
2024/07/11 14:09:27| Processing: icp_port 0
2024/07/11 14:09:27| Processing: digest_generation off
2024/07/11 14:09:27| Processing: dns_v4_first on
2024/07/11 14:09:27| ERROR: Directive 'dns_v4_first' is obsolete.
2024/07/11 14:09:27| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
2024/07/11 14:09:27| Processing: pid_filename /var/run/squid/squid.pid
2024/07/11 14:09:27| Processing: cache_effective_user squid
2024/07/11 14:09:27| Processing: cache_effective_group proxy
2024/07/11 14:09:27| Processing: error_default_language en
2024/07/11 14:09:27| Processing: icon_directory /usr/local/etc/squid/icons
2024/07/11 14:09:27| Processing: visible_hostname Lee_Family.home.arpa
2024/07/11 14:09:27| Processing: cache_mgr jonathanlee571@xxxxxxxxx
2024/07/11 14:09:27| Processing: access_log /var/squid/logs/access.log
2024/07/11 14:09:27| Processing: cache_log /var/squid/logs/cache.log
2024/07/11 14:09:27| Processing: cache_store_log none
2024/07/11 14:09:27| Processing: netdb_filename /var/squid/logs/netdb.state
2024/07/11 14:09:27| Processing: pinger_enable on
2024/07/11 14:09:27| Processing: pinger_program /usr/local/libexec/squid/pinger
2024/07/11 14:09:27| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
2024/07/11 14:09:27| Processing: tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
2024/07/11 14:09:27| Processing: tls_outgoing_options capath=/usr/local/share/certs/
2024/07/11 14:09:27| Processing: tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_DH_USE
2024/07/11 14:09:27| ERROR: Unsupported TLS option SINGLE_ECDH_USE
2024/07/11 14:09:27| Processing: tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
2024/07/11 14:09:27| Processing: sslcrtd_children 10
2024/07/11 14:09:27| Processing: logfile_rotate 7
2024/07/11 14:09:27| Processing: debug_options rotate=7
2024/07/11 14:09:27| Processing: shutdown_lifetime 3 seconds
2024/07/11 14:09:27| Processing: acl localnet src  192.168.1.0/27
2024/07/11 14:09:27| Processing: forwarded_for delete
2024/07/11 14:09:27| Processing: via off
2024/07/11 14:09:27| Processing: httpd_suppress_version_string on
2024/07/11 14:09:27| Processing: uri_whitespace strip
2024/07/11 14:09:27| Processing: acl block_hours time 00:30-05:00
2024/07/11 14:09:27| Processing: ssl_bump terminate all block_hours
2024/07/11 14:09:27| Processing: http_access deny all block_hours
2024/07/11 14:09:27| Processing: acl getmethod method GET
2024/07/11 14:09:27| Processing: acl to_ipv6 dst ipv6
2024/07/11 14:09:27| Processing: acl from_ipv6 src ipv6
2024/07/11 14:09:27| Processing: acl HttpAccess dstdomain "/usr/local/pkg/http.access"
2024/07/11 14:09:27| Processing: acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
2024/07/11 14:09:27| Processing: acl rewritedoms dstdomain "/usr/local/pkg/desdom"
2024/07/11 14:09:27| Processing: always_direct allow all
2024/07/11 14:09:27| Processing: refresh_all_ims on
2024/07/11 14:09:27| Processing: reload_into_ims on
2024/07/11 14:09:27| Processing: max_stale 20 years
2024/07/11 14:09:27| Processing: minimum_expiry_time 0
2024/07/11 14:09:27| Processing: refresh_pattern -i ^http.*squid\.internal.* 43200 100% 79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth
2024/07/11 14:09:27| UPGRADE: refresh_pattern option 'ignore-must-revalidate' is obsolete. Remove it.
2024/07/11 14:09:27| UPGRADE: refresh_pattern option 'ignore-auth' is obsolete. Remove it.
2024/07/11 14:09:27| Processing: refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2024/07/11 14:09:27| Processing: refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2024/07/11 14:09:27| Processing: refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2024/07/11 14:09:27| Processing: refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2024/07/11 14:09:27| Processing: refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2024/07/11 14:09:27| Processing: refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200  refresh-ims
2024/07/11 14:09:27| Processing: acl https_login url_regex -i ^https.*(login|Login).*
2024/07/11 14:09:27| Processing: cache deny https_login
2024/07/11 14:09:27| Processing: range_offset_limit 512 MB windowsupdate
2024/07/11 14:09:27| Processing: range_offset_limit 4 MB
2024/07/11 14:09:27| Processing: quick_abort_min -1 KB
2024/07/11 14:09:27| Processing: cache_mem 64 MB
2024/07/11 14:09:27| Processing: maximum_object_size_in_memory 256 KB
2024/07/11 14:09:27| Processing: memory_replacement_policy heap GDSF
2024/07/11 14:09:27| Processing: cache_replacement_policy heap LFUDA
2024/07/11 14:09:27| Processing: minimum_object_size 0 KB
2024/07/11 14:09:27| Processing: maximum_object_size 512 MB
2024/07/11 14:09:27| Processing: cache_dir diskd /var/squid/cache 64000 256 256
2024/07/11 14:09:27| Processing: offline_mode off
2024/07/11 14:09:27| Processing: cache_swap_low 90
2024/07/11 14:09:27| Processing: cache_swap_high 95
2024/07/11 14:09:27| Processing: acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
2024/07/11 14:09:27| Processing: cache deny donotcache
2024/07/11 14:09:27| Processing: cache allow all
2024/07/11 14:09:27| Processing: refresh_pattern ^ftp:    1440  20%  10080
2024/07/11 14:09:27| Processing: refresh_pattern ^gopher:  1440  0%  1440
2024/07/11 14:09:27| Processing: refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
2024/07/11 14:09:27| Processing: refresh_pattern .    0  20%  4320
2024/07/11 14:09:27| Processing: acl allsrc src all
2024/07/11 14:09:27| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535
2024/07/11 14:09:27| Processing: acl sslports port 443 563 8080 5223 2197
2024/07/11 14:09:27| Processing: acl purge method PURGE
2024/07/11 14:09:27| Processing: acl connect method CONNECT
2024/07/11 14:09:27| Processing: acl HTTP proto HTTP
2024/07/11 14:09:27| Processing: acl HTTPS proto HTTPS
2024/07/11 14:09:27| Processing: acl step1 at_step SslBump1
2024/07/11 14:09:27| Processing: acl step2 at_step SslBump2
2024/07/11 14:09:27| Processing: acl step3 at_step SslBump3
2024/07/11 14:09:27| Processing: acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
2024/07/11 14:09:27| Processing: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
2024/07/11 14:09:27| Processing: acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
2024/07/11 14:09:27| Processing: http_access allow manager localhost
2024/07/11 14:09:27| Processing: http_access deny manager
2024/07/11 14:09:27| Processing: http_access allow purge localhost
2024/07/11 14:09:27| Processing: http_access deny purge
2024/07/11 14:09:27| Processing: http_access deny !safeports
2024/07/11 14:09:27| Processing: http_access deny CONNECT !sslports
2024/07/11 14:09:27| Processing: http_access allow localhost
2024/07/11 14:09:27| Processing: quick_abort_min 0 KB
2024/07/11 14:09:27| Processing: quick_abort_max 0 KB
2024/07/11 14:09:27| Processing: quick_abort_pct 95
2024/07/11 14:09:27| Processing: request_body_max_size 0 KB
2024/07/11 14:09:27| Processing: delay_pools 1
2024/07/11 14:09:27| Processing: delay_class 1 2
2024/07/11 14:09:27| Processing: delay_parameters 1 -1/-1 -1/-1
2024/07/11 14:09:27| Processing: delay_initial_bucket_level 100
2024/07/11 14:09:27| Processing: delay_access 1 allow allsrc
2024/07/11 14:09:27| Processing: deny_info TCP_RESET allsrc
2024/07/11 14:09:27| Processing: url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
2024/07/11 14:09:27| Processing: url_rewrite_bypass off
2024/07/11 14:09:27| Processing: url_rewrite_children 32 startup=8 idle=4 concurrency=0
2024/07/11 14:09:27| Processing: http_access deny banned_hosts
2024/07/11 14:09:27| Processing: http_access allow whitelist
2024/07/11 14:09:27| Processing: http_access deny blacklist
2024/07/11 14:09:27| Processing: request_header_access X-GoogApps-Allowed-Domains deny all
2024/07/11 14:09:27| Processing: request_header_add X-GoogApps-Allowed-Domains consumer_accounts
2024/07/11 14:09:27| Processing: acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
2024/07/11 14:09:27| Processing: request_header_access YouTube-Restrict deny all
2024/07/11 14:09:27| Processing: request_header_add YouTube-Restrict none youtubedst
2024/07/11 14:09:27| Processing: acl sglog url_regex -i sgr=ACCESSDENIED
2024/07/11 14:09:27| Processing: http_access deny sglog
2024/07/11 14:09:27| Processing: http_access deny !safeports
2024/07/11 14:09:27| Processing: http_access deny CONNECT !sslports
2024/07/11 14:09:27| Processing: http_access allow localhost manager
2024/07/11 14:09:27| Processing: http_access deny manager
2024/07/11 14:09:27| Processing: cachemgr_passwd disable offline_toggle reconfigure shutdown
2024/07/11 14:09:27| Processing: cachemgr_passwd redacted all
2024/07/11 14:09:27| Processing: eui_lookup on
2024/07/11 14:09:27| Processing: acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
2024/07/11 14:09:27| Processing: acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
2024/07/11 14:09:27| Processing: acl CONNECT method CONNECT
2024/07/11 14:09:27| Processing: acl wuCONNECT dstdomain www.update.microsoft.com
2024/07/11 14:09:27| Processing: acl wuCONNECT dstdomain sls.microsoft.com
2024/07/11 14:09:27| Processing: http_access allow CONNECT wuCONNECT localnet
2024/07/11 14:09:27| Processing: http_access allow CONNECT wuCONNECT localhost
2024/07/11 14:09:27| Processing: http_access allow windowsupdate localnet
2024/07/11 14:09:27| Processing: http_access allow windowsupdate localhost
2024/07/11 14:09:27| Processing: http_access allow HttpAccess localnet
2024/07/11 14:09:27| Processing: http_access allow HttpAccess localhost
2024/07/11 14:09:27| Processing: http_access deny manager
2024/07/11 14:09:27| Processing: http_access deny to_ipv6
2024/07/11 14:09:27| Processing: http_access deny from_ipv6
2024/07/11 14:09:27| Processing: acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
2024/07/11 14:09:27| Processing: acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
2024/07/11 14:09:27| Processing: sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
2024/07/11 14:09:27| Processing: sslproxy_cert_error deny all
2024/07/11 14:09:27| Processing: acl splice_only src 192.168.1.8 #Tasha iPhone
2024/07/11 14:09:27| Processing: acl splice_only src 192.168.1.10 #Jon iPhone
2024/07/11 14:09:27| Processing: acl splice_only src 192.168.1.11 #Amazon Fire
2024/07/11 14:09:27| Processing: acl splice_only src 192.168.1.15 #Tasha HP
2024/07/11 14:09:27| Processing: acl splice_only src 192.168.1.16 #iPad
2024/07/11 14:09:27| Processing: acl splice_only_mac arp 
2024/07/11 14:09:27| Processing: acl splice_only_mac arp 
2024/07/11 14:09:27| Processing: acl splice_only_mac arp 
2024/07/11 14:09:27| Processing: acl splice_only_mac arp 
2024/07/11 14:09:27| Processing: acl splice_only_mac arp 
2024/07/11 14:09:27| Processing: acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
2024/07/11 14:09:27| Processing: acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
2024/07/11 14:09:27| Processing: acl markBumped annotate_client bumped=true
2024/07/11 14:09:27| Processing: acl active_use annotate_client active=true
2024/07/11 14:09:27| Processing: acl bump_only src 192.168.1.3 #webtv
2024/07/11 14:09:27| Processing: acl bump_only src 192.168.1.4 #toshiba
2024/07/11 14:09:27| Processing: acl bump_only src 192.168.1.5 #imac
2024/07/11 14:09:27| Processing: acl bump_only src 192.168.1.9 #macbook
2024/07/11 14:09:27| Processing: acl bump_only src 192.168.1.13 #dell
2024/07/11 14:09:27| Processing: acl bump_only_mac arp 
2024/07/11 14:09:27| Processing: acl bump_only_mac arp 
2024/07/11 14:09:27| Processing: acl bump_only_mac arp 
2024/07/11 14:09:27| Processing: acl bump_only_mac arp 
2024/07/11 14:09:27| Processing: acl bump_only_mac arp 
2024/07/11 14:09:27| Processing: sslproxy_cert_sign signTrusted bump_only_mac
2024/07/11 14:09:27| Processing: ssl_bump peek step1
2024/07/11 14:09:27| Processing: miss_access deny no_miss active_use
2024/07/11 14:09:27| Processing: ssl_bump splice https_login active_use
2024/07/11 14:09:27| Processing: ssl_bump splice splice_only_mac splice_only active_use
2024/07/11 14:09:27| Processing: ssl_bump splice NoBumpDNS active_use
2024/07/11 14:09:27| Processing: ssl_bump splice NoSSLIntercept active_use
2024/07/11 14:09:27| Processing: ssl_bump bump bump_only_mac bump_only active_use
2024/07/11 14:09:27| Processing: acl activated note active_use true
2024/07/11 14:09:27| Processing: ssl_bump terminate !activated
2024/07/11 14:09:27| Processing: shutdown_lifetime 1 seconds
2024/07/11 14:09:27| Processing: negative_dns_ttl 5 minutes
2024/07/11 14:09:27| Processing: http_access allow localnet
2024/07/11 14:09:27| Processing: http_access deny allsrc
2024/07/11 14:09:27| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2024/07/11 14:09:27| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
2024/07/11 14:09:27| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2024/07/11 14:09:27| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP
2024/07/11 14:09:27| WARNING: use of 'ignore-no-store' in 'refresh_pattern' violates HTTP
2024/07/11 14:09:27| WARNING: use of 'ignore-private' in 'refresh_pattern' violates HTTP
2024/07/11 14:09:27| WARNING: HTTP requires the use of Via
2024/07/11 14:09:27| Requiring client certificates.
2024/07/11 14:09:28| Loaded signing certificate: /CN=internal-ca/C=US/ST=California/L=Roseville/O=Homeuse
2024/07/11 14:09:29| Not requiring any client certificates
2024/07/11 14:09:29| Loaded signing certificate: /CN=internal-ca/C=US/ST=California/L=Roseville/O=Homeuse
2024/07/11 14:09:30| Not requiring any client certificates
2024/07/11 14:09:30| Loaded signing certificate: /CN=internal-ca/C=US/ST=California/L=Roseville/O=Homeuse
2024/07/11 14:09:30| Not requiring any client certificates

On Jul 11, 2024, at 13:16, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:


Lets see ...

>>> On Jul 11, 2024, at 11:02, Jonathan Lee wrote:
>>>     Shell Output - squidclient -h 127.0.0.1 -v -U admin -W redacted
>>>     mgr:info
>>>
>>> Request:
>>> GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0
>>> Host: 127.0.0.1:3128
>>> User-Agent: squidclient/6.6
>>> Accept: */*
>>> Authorization: Basic YWRtaW4..REDACTED..Q==
>>> Connection: close


On 12/07/24 06:12, Jonathan Lee wrote:
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost


... GET is not CONNECT. Skip the above.


http_access allow windowsupdate localnet
http_access allow windowsupdate localhost


... 127.0.0.1 is not in *.microsoft.com. Skip the above.


http_access allow HttpAccess localnet
http_access allow HttpAccess localhost


... 127.0.0.1 is not listed in /usr/local/pkg/http.access. Skip the above.


http_access deny manager


... /squid-internal-mgr/ matches.  DENY the request.


Problem solved.

What you should do is restore the default security settings which we ship with Squid.

Place these above your custom http_access lines:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager


see <https://wiki.squid-cache.org/Releases/Squid-5> for the ACL details if you need them too.



Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux