Hello Amos, While the comments did say that it was just the 10.46.11.0 range, I don't think there's any other ACL forcing that. I tried adding the the two internal sites that are being blocked by their IP, restarted Squid, and tested. Still being blocked. You are right though, both of those web addresses are on a different IP scheme. Ideally we want anything on 172.0.0.0 to be allowed, and 10.96.0.0. The other question I have is, even if we specify those sites IP as "allowed", shouldn't we be able to brwose to them by their hostname as well? Currently, those internal sites ARE reachable. But only if we use IP. While this doesn't bother me, personally, the rest of our users would like to keep browsing via hostname as that's what they're used to and what many have shortcuts for. In regards to the results of /etc/resolv.conf, see below: search ad.arc-tech.com nameserver 10.46.11.67 There must be a better way to just allow internal to internal traffic without needing to authenticate through the web proxy. The old config had it, but that was part of the issue. We have no idea how that was working, it didn't make sense at all and it was a bit outdated, Version 2.5 as opposed to our current 5.5. I'm happy to post out config again here, as it's changed a bit and I have cleaned it up. # squid.conf - Squid web cache configuration ############################################################################## # General ############################################################################## # 2020MAR23 running out with just 1024 as we switch to Hexcel.com OMA max_filedesc 4096 # email address of cache administrator cache_mgr ARCITAdmin@xxxxxxxxxx # Run as... cache_effective_user squid cache_effective_group squid # squid shutdown time shutdown_lifetime 5 seconds ############################################################################## # Logging ############################################################################## # this makes the logs readable to humans logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt access_log daemon:/var/log/squid/access.log custom # this gives better error reporting logformat custom %err_code/%err_detail access_log daemon:/var/log/squid/access.log custom # original arcgate had external logging, this setting was off # this is now enabled logfile_rotate 10 # debug_options ALL, 1-9, 1 being fatal errors only, 9 being EVERYTHING debug_options ALL,1 # Buffer logs? Yes means better performance, but crash debugging can be harder. buffered_logs off # Red Hat-ish log names cache_log /var/log/squid/cache.log cache_access_log /var/log/squid/access.log # store_log is only useful for debugging cache_store_log none # mime headers can record both the request and the response MIME headers for each HTTP transaction # currently undeeded so we have this disabled log_mime_hdrs off # turning this off allows logs to show full URL's strip_query_terms off ############################################################################## # Network - General/misc ############################################################################## # our HTTP proxy port http_port 10.46.11.69:8080 # loopback management http_port 127.0.0.1:3128 # disable ICP, port is typically 3130 icp_port 0 # if set to "on", Squid will append your client's IP address in the HTTP requests it forwards forwarded_for off ############################################################################## # Network timeout settings ############################################################################## # if connect(2) does not succeed in 30 seconds, it is not going to connect_timeout 30 seconds # if we do not get any data at all for 2 minutes, we are not going to read_timeout 2 minutes # if we do not get an HTTP response in 2 minutes, we are not going to request_timeout 2 minutes ############################################################################## # Configuration of the local cache itself ############################################################################## # default calue are 100 16 256 # first variable is disk space in MB # 10000 MB = 10 GB cache_dir ufs /var/spool/squid/ 16000 64 64 # coredump location coredump_dir /var/spool/squid/ # Replacement policies determine which objects are removed to free space: # - LRU = least recently used objects are removed first # - heap GDSF = optimizes object hit at expense of byte hit rate # - heap LFUDA = optimizes byte hit rate at expense of object hit rate cache_replacement_policy heap LFUDA memory_replacement_policy lru # cache_mem is max for total size of all objects in memory cache # this is *NOT* the max RAM Squid will use. cache_mem 256 MB # Allow larger objects to conserve bandwidth. maximum_object_size 32 MB # Allow larger objects since we have more RAM. maximum_object_size_in_memory 512 KB # allows for more leinency in requests about to be aborted quick_abort_min 16 KB quick_abort_max 1 MB quick_abort_pct 90 # if client requests to skip less than this amount of data, # we just retrieve the whole thing range_offset_limit 64 KB ############################################################################## # Authentication ############################################################################## auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/ARCGATE2.ad.arc-tech.com@xxxxxxxxxxxxxxx auth_param negotiate children 10 auth_param negotiate keep_alive on acl kerb-auth proxy_auth REQUIRED ############################################################################## # Access control - shared/common ACL definitions ############################################################################## # ---------------------------------------------------------------------------- # networks and hosts (by name or IP address) # acl all src all acl src_self src 127.0.0.0/8 acl src_self src 10.46.11.69 acl dst_self dst 127.0.0.0/8 acl dst_self dst 10.46.11.69 acl from_arc src 10.46.0.0/15 acl local_dst_addr dst 10.0.0.0/8 acl local_dst_addr dst 172.0.0.0/8 # ---------------------------------------------------------------------------- # protocols (URL schemes) acl proto_FTP proto FTP acl proto_HTTP proto HTTP # ---------------------------------------------------------------------------- # TCP port numbers # TCP ports for ordinary HTTP acl http_ports port 80 # standard HTTP acl http_ports port 81 # common alternative acl http_ports port 8001 # epson.com support sub-site acl http_ports port 8080 # common alternative # TCP ports for HTTP-over-SSL acl Ssl_ports port 443 acl Ssl_ports port 9571 # lexmark.com # TCP ports for plain FTP command channel acl ftp_ports port 21 # TCP ports for SSH/SFTP (secure shell) acl ssh_ports port 22 # ---------------------------------------------------------------------------- # HTTP methods (and pseudo-methods) acl method_CONNECT method CONNECT # list of standard HTTP methods acl methods_std method GET HEAD POST PUT DELETE acl methods_std method TRACE OPTIONS ############################################################################# # Access control - general proxy ############################################################################## # This major section is about which HTTP proxy clients can use Squid # as an HTTP proxy server. As opposed to the maintenance/admin-type # stuff in the previous section. # ---------------------------------------------------------------------------- # basic deny rules # these block stuff that's never good # we put most denies after user-auth so we know *who* is trying # block attempts to connect to proxy server via proxy http_access deny dst_self # block clients which are the proxy server machine itself http_access deny src_self # deny anything not from the LAN http_access deny !from_arc # ---------------------------------------------------------------------------- # allow without authentication # these rules allow certain connects without user authentication # these allow any protocol/method/etc # ***** IMPORTANT ***** # Adding to these lists also exempts from all content filtering. # In particular, executables will be allowed to download! # ***** IMPORTANT ***** # allow connects to local destinations without authentication # by domain name from URL # acl local_dst_dom dstdomain ad.arc-tech.com # http_access allow local_dst_dom # http_reply_access allow local_dst_dom # by IP address name resolves to http_access allow local_dst_addr # http_reply_access allow local_dst_addr # allow trusted hosts without authentication # these are just ip's on the 10.46.11.x network acl authless_src src "/etc/squid/authless_src" http_access allow authless_src # http_reply_access allow authless_src # allow the following destinations without authentication # list of random approved websites # whats the advantage of not authenticating? acl authless_dst dstdomain "/etc/squid/authless_dst" http_access allow authless_dst # http_reply_access allow authless_dst # ---------------------------------------------------------------------------- # block before authentication # these rules block certain connects without user authentication # done for software which handles proxy auth requests badly # for example, popping up many auth prompts # this does mean we cannot whitelist for users # blocked destinations, by host or domain, before authentication # websites that are auto-deny acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth" http_access deny bad_domains_preauth # ---------------------------------------------------------------------------- # require proxy authentication # ******************************************************************** # * anything past this point requires users to authenticate to proxy * # ******************************************************************** # Uncomment these lines to disable authentication requirement for all # but a few test boxes. Useful if NTLM gets broken. # acl from_test_boxes src 10.2.1.5 # http_access allow !from_test_boxes from_arc # block clients which are not authenticated # http_access deny !authenticated # block certain user IDs from using proxy server # list of ad users and service accounts to automatically deny proxy acl block_user proxy_auth_regex -i "/etc/squid/block_user" http_access deny block_user # ---------------------------------------------------------------------------- # general whitelist # whitelist for locations/sites (override blocking) # allows complex URLs # some bad_urls patterns are generic # they block suspicous URLs or generally unwanted sites # this whitelist can make specific exceptions within those acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls" # ---------------------------------------------------------------------------- # executable blocking # we do this separately from other content blocking # in order to allow ITLIB to still download # doing it with other blocking causes a flood of browser auth req's # for users visting sites with video # file extensions to block # don't try to block .COM files here # it will get confused with .com domain and block too many things acl exec_files url_regex -i "/etc/squid/exec_files" # usernames not to block acl exec_users proxy_auth_regex -i "/etc/squid/exec_users" # activate http_access deny !bad_exception_urls !exec_users exec_files deny_info ERR_BLOCK_TYPE exec_files # ---------------------------------------------------------------------------- # selective whitelists # these override the general blacklists by explictly allowing things # some multimedia services (I.E. YouTube) are permitted for certain users # exempts them from content blocking in this section # list of users for this acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users" # list of sites for this acl mmedia_sites dstdomain "/etc/squid/mmedia_sites" # if a mmedia user attempts to access a mmedia site via appropriate protocols, allow it # done for both HTTP/TCP/80 and HTTP/SSL/443 # done for both HTTP request as well as HTTP reply/response # otherwise the later bad_types Content-Type multimedia blocking rule kicks in http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users # tp_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users # http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users # ---------------------------------------------------------------------------- # general blacklists # porn, wastes of bandwidth, etc. # blocked destinations, by host or domain # sites we don't want people using acl bad_domains dstdomain "/etc/squid/bad_domains" http_access deny !bad_exception_urls bad_domains deny_info ERR_BLOCK_DST bad_domains # blocked destinations, by host or domain, regex pattern acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex" http_access deny !bad_exception_urls bad_domains_regex deny_info ERR_BLOCK_DST bad_domains_regex # blocked destinations, by complex URL # typical use: block just part of a site, by URL path # example use: block just the advertsing section of a site acl bad_urls url_regex -i "/etc/squid/bad_urls" http_access deny !bad_exception_urls bad_urls deny_info ERR_BLOCK_DST bad_urls # blocked content types, by apparent file name acl bad_files urlpath_regex -i "/etc/squid/bad_files" http_access deny !bad_exception_urls bad_files deny_info ERR_BLOCK_TYPE bad_files # blocked content types, by MIME content type, in response acl bad_types rep_mime_type -i "/etc/squid/bad_types" # http_reply_access deny bad_types !bad_exception_urls deny_info ERR_BLOCK_TYPE bad_types # ---------------------------------------------------------------------------- # standard web (HTTP PUT/GET/etc) access # We basically allow any auth'ed user to connect via HTTP to anywhere, # so long as it uses a standard port, and is not a direct CONNECT # attempt, or blocked, or any of the other stuff above. http_access allow http_ports proto_HTTP methods_std # ---------------------------------------------------------------------------- # direct CONNECT for HTTP-over-SSL (HTTPS) http_access allow method_CONNECT ssl_ports # ---------------------------------------------------------------------------- # deny any other CONNECT attempts http_access deny method_CONNECT # ---------------------------------------------------------------------------- # FTP via HTTP proxy http_access allow ftp_ports proto_FTP # ---------------------------------------------------------------------------- # catch-all defaults http_access allow kerb-auth # deny any request we missed in the above http_access deny all # If we allowed the request, allow the reply (HTTP response) as well. # Rules above many allow or deny specific reply before now. # If nothing more specific matched, we allow. # This should be OK since we filter mainly on requests. # http_reply_access allow all ############################################################################## # END OF FILE ############################################################################## -----Original Message----- From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries Sent: Wednesday, September 4, 2024 9:23 PM To: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: Unable to access internal resources via hostname Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hi Josh, There are two things I can see in the original message: 1) trusted *clients* (acl authless_src src ...) are documented as being limited to the 10.46.11.0/24 range. The client testing is outside, in the 10.46.49.190 IP address. ==> Please check your authless_src list is correct. 2) The CONNECT request has zero dots in the "domain" name. Which means the /etc/resolv.conf settings other than nameserver apply to the hostname during lookup. ==> Please supply your /etc/resolv.conf contents. HTH Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
