
Re: Unable to access local addresses

On 2024-08-23 12:07, Piana, Josh wrote:

The problem we’re having now is that we’re unable to access local resources on different subnets. For instance, our “main” networks are 10.46.x.x and 10.47.x.x, but the proxy is blocking us when we try to get to 172.26.x.x as well as 10.96.x.x.

Blocking how? What kind of error page does the client get? What does Squid log to access.log (consider adding %err_code/%err_detail to your custom logformat definition if you have not already).

If access is blocked by an "http_access deny" rule you do not expect to match, then which "http_access allow" rule (located above the matched deny rule[1]) do you expect to match those blocked transactions? If access is prevented due to connection establishment errors, then you may need to adjust your IP routing rules/etc. outside of Squid. And there are many other possibilities here...

[1]: If access is blocked by an "http_access deny" rule, you may be able to figure out which deny rule has matched by enabling ALL,2 debugging (see debug_options in squid.conf.documented), reproducing the problem using a single transaction, and searching cache.log for "last ACL checked". Older Squids have more bugs in determining that ACL name, but, if you are lucky, you will get the right answer.


When comparing our current config to the old, they are very nearly identical, and the old config works with no issue. Is there some change from 2.5 -> 5.5 that would stop some of our allow/deny rules from working as expected?

There are too many corner cases for me to give a reliable answer to that question, especially without knowing which http_access rule is denying access (assuming it is one of those rules). I recommend focusing on a specific matching/mismatching ACL/rule instead of trying to make a general statement regarding numerous v2-vs-v5 differences.


Or maybe I need to open up the ACLs a bit more or define those subnets explicitly now?

If your existing rules already reflect your business logic and do not trigger any Squid configuration errors/warnings in cache.log, then it is unlikely that you will need to add explicit rules for previously working subnets. On the other hand, you are upgrading from an ancient Squid version that most do not remember much about to an already unsupported Squid version, so all bets are off.

> acl from_arc src 10.46.0.0/16
> acl from_arc src 10.46.0.0/15

Remove the line you do not need (I do not know which one, but the combination does not make sense because one subnet includes the other).


> dsacl methods_std method GET HEAD POST PUT DELETE

If this is not a copy-paste typo, then edit this line to use a supported directive name like "acl". "dsacl" is not a supported directive name.


HTH,

Alex.


I can post our config below; I’ll skip the sections that most likely don’t pertain to the issue.

##############################################################################
# Authentication
##############################################################################
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED

##############################################################################
# Access control - shared/common ACL definitions
##############################################################################
# acl all src all
acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69
acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69
acl from_arc src 10.46.0.0/16
acl from_arc src 10.46.0.0/15
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com
# not sure what this does
acl local_dst_dom dstdomain <proxy hostname>
# protocols
acl proto_FTP proto FTP
acl proto_HTTP proto HTTP
# TCP ports for HTTP
acl http_ports port 80
acl http_ports port 81
# TCP ports for HTTPS
acl ssl_ports port 443
acl ssh_ports port 22
acl ftp_ports port 21
# HTTP methods
acl method_CONNECT method CONNECT
# what are these used for?
dsacl methods_std method GET HEAD POST PUT DELETE
acl methods_std method TRACE OPTIONS

#############################################################################
# Access control - general proxy
##############################################################################
http_access deny dst_self
http_access deny src_self
http_access deny !from_arc
http_access       allow local_dst_dom
http_reply_access           allow local_dst_dom
http_access       allow local_dst_addr
http_reply_access           allow local_dst_addr
acl authless_src src "/etc/squid/authless_src"
http_access       allow authless_src
http_reply_access           allow authless_src
acl authless_dst dstdomain "/etc/squid/authless_dst"
http_access       allow authless_dst
http_reply_access           allow authless_dst
acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth
acl block_user proxy_auth_regex -i "/etc/squid/block_user"
http_access deny block_user
acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
acl exec_files url_regex -i "/etc/squid/exec_files"
acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls !exec_users exec_files
deny_info ERR_BLOCK_TYPE exec_files
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access       allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users
http_reply_access allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users
http_access       allow method_CONNECT            ssl_ports mmedia_sites mmedia_users
http_reply_access allow method_CONNECT            ssl_ports mmedia_sites mmedia_users
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST         bad_domains
acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST         bad_domains_regex
acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST         bad_urls
acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files
acl bad_types rep_mime_type -i "/etc/squid/bad_types"
http_reply_access deny bad_types !bad_exception_urls
deny_info ERR_BLOCK_TYPE bad_types
acl fsoguest_user proxy_auth_regex -i fsoguest
acl fsoguest_dst dstdomain .opm.gov
acl fsoguest_dst dstdomain .google-analytics.com
acl fsoguest_dst dstdomain pki.google.com
acl fsoguest_dst dstdomain ajax.googleapis.com
acl fsoguest_dst dstdomain fonts.googleapis.com
acl fsoguest_dst dstdomain html5shiv.googlecode.com
acl fsoguest_dst dstdomain fonts.gstatic.com
acl fsoguest_dst dstdomain clients1.google.com
acl fsoguest_dst dstdomain ajax.microsoft.com
acl fsoguest_dst dstdomain ajax.aspnetcdn.com
acl fsoguest_dst dstdomain .geotrust.com
acl fsoguest_dst dstdomain .akamaihd.net
acl fsoguest_dst dstdomain symcd.com
http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
http_access allow method_CONNECT         ssl_ports  fsoguest_dst fsoguest_user
http_access deny fsoguest_user
http_access allow http_ports proto_HTTP methods_std
http_access allow method_CONNECT ssl_ports
http_access deny method_CONNECT
# catch-all
http_access allow ftp_ports proto_FTP
http_access allow kerb-auth
http_access deny all
http_reply_access allow all

##############################################################################
# END OF FILE
##############################################################################


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
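An added example, not part of the thread and not Squid code: a small Python first-match simulator over the http_access lines posted above, so the question Alex raises ("which allow rule above the matched deny rule do you expect to match?") can be answered on paper before editing squid.conf. It assumes that Squid skips the unsupported "dsacl" line, so methods_std holds only TRACE and OPTIONS; it uses a placeholder for the elided <proxy hostname>; it leaves out the file-backed authless_*/bad_*/exec_*/mmedia_*/fsoguest_* rules because their list files are not on the page; it treats proxy authentication as a plain boolean and does not model Squid's 407 challenge; and every request in it is a constructed sample, not real log data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str            # client IP
    dst_ip: str         # resolved destination IP, for "dst" ACLs
    dst_host: str       # destination host name, for "dstdomain" ACLs
    port: int
    proto: str          # "HTTP", "FTP", ...
    method: str         # "GET", "CONNECT", ...
    authenticated: bool = False   # stand-in for a successful proxy_auth

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# ACLs transcribed from the posted config.  ASSUMPTION: the unsupported
# "dsacl methods_std ..." line contributes nothing.  "<proxy hostname>" is
# elided on the page, so PROXY_HOST is a placeholder; host entries of local_dst_addr are left out.
PROXY_HOST = "proxy.example.invalid"
ACLS_AS_POSTED = {
    "dst_self":       ("dst",        nets("127.0.0.0/8", "10.46.11.69")),
    "src_self":       ("src",        nets("127.0.0.0/8", "10.46.11.69")),
    "from_arc":       ("src",        nets("10.46.0.0/16", "10.46.0.0/15")),
    "local_dst_addr": ("dst",        nets("10.0.0.0/8")),
    "local_dst_dom":  ("dstdomain",  {PROXY_HOST}),
    "proto_HTTP":     ("proto",      {"HTTP"}),
    "proto_FTP":      ("proto",      {"FTP"}),
    "http_ports":     ("port",       {80, 81}),
    "ssl_ports":      ("port",       {443}),
    "ftp_ports":      ("port",       {21}),
    "method_CONNECT": ("method",     {"CONNECT"}),
    "methods_std":    ("method",     {"TRACE", "OPTIONS"}),
    "kerb-auth":      ("proxy_auth", None),
    "all":            ("all",        None),
}

# http_access lines kept from the posted config, in their original order.  The
# file-backed rules between "allow local_dst_addr" and "allow http_ports ..." are omitted.
RULES_AS_POSTED = [
    "deny dst_self",
    "deny src_self",
    "deny !from_arc",
    "allow local_dst_dom",
    "allow local_dst_addr",
    "allow http_ports proto_HTTP methods_std",
    "allow method_CONNECT ssl_ports",
    "deny method_CONNECT",
    "allow ftp_ports proto_FTP",
    "allow kerb-auth",
    "deny all",
]

# Variant: the methods line spelled "acl", as Alex suggests.
ACLS_FIXED_METHODS = dict(ACLS_AS_POSTED)
ACLS_FIXED_METHODS["methods_std"] = (
    "method", {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS"})

# Variant: only the /16 from_arc line kept (one of the two choices Alex offers).
ACLS_SLASH16 = dict(ACLS_AS_POSTED)
ACLS_SLASH16["from_arc"] = ("src", nets("10.46.0.0/16"))

def acl_matches(acl, req):
    kind, values = acl
    if kind == "all":
        return True
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if kind == "src" else req.dst_ip)
        return any(addr in n for n in values)
    if kind == "dstdomain":     # exact names only; ".domain" wildcards are not needed here
        return req.dst_host.lower() in values
    if kind in ("port", "proto", "method"):
        value = getattr(req, kind)
        return (value.upper() if isinstance(value, str) else value) in values
    if kind == "proxy_auth":
        return req.authenticated
    raise ValueError(f"unsupported ACL type {kind}")

def evaluate(req, rules=RULES_AS_POSTED, acls=ACLS_AS_POSTED):
    """Return (action, rule) for the first http_access line whose ACLs all
    match: ACLs on one line are ANDed, lines are tried top to bottom.  If no
    line matches, Squid applies the opposite of the last line's action."""
    for rule in rules:
        action, *terms = rule.split()
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(acls[term.lstrip("!")], req) == negated:
                break               # this term failed; try the next line
        else:
            return action, rule
    last = rules[-1].split()[0]
    return ("deny" if last == "allow" else "allow"), "(no line matched)"

if __name__ == "__main__":     # constructed sample transaction, not real log data
    r = Request("10.46.20.5", "172.26.5.10", "app.corp.example", 80, "HTTP", "GET")
    for label, acls in (("as posted", ACLS_AS_POSTED), ("acl methods_std", ACLS_FIXED_METHODS)):
        print(f"{label:16}: {evaluate(r, acls=acls)}")
```

Under these assumptions the simulator reports, for an unauthenticated GET from 10.46.20.5 to 172.26.5.10:80, that the request skips "allow local_dst_addr" (172.26/16 is outside 10.0.0.0/8), fails "allow http_ports proto_HTTP methods_std" because GET is not in the surviving methods_std, fails "allow kerb-auth", and lands on "deny all"; with the methods line spelled "acl" the same request is allowed by "allow http_ports proto_HTTP methods_std" without authentication. A GET to 10.96.3.4 is allowed by "allow local_dst_addr" either way, and with only the /16 from_arc line a client on 10.47.x.x is stopped at "deny !from_arc". The rule name the function returns is the same thing the "last ACL checked" cache.log search described above is meant to tell you, so a disagreement between the two points at a rule the simulator leaves out or an ACL semantic it does not model.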
