
Unable to access a device over port 4434


 



Hello Squid users,

 

I’m running into an issue wherein, when using Squid proxy, I’m unable to get to one of our management devices from port 4434.

 

I’ve already verified that this device is not blocking access from the proxy directly, and should be allowed to get to the access page.

- When reviewing the access logs, I can see that we’re running into a generic 503 error
- When browsing to this page, it will attempt to load for about 30 seconds, and then fail
- The webpage response is a generic “The system returned: (110) Connection timed out”
- When we forgo the proxy, we can access it without an issue

 

This device is located on a 172.0.0.0/8 internal network.

- Other devices which do NOT use this port are accessible
- Changing the access port is not an option (not up to me)

 

Access Log entry:

09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana \ HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER

 

Please see below for relevant squid.conf rules:

 

auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 1 week
acl kerb-auth proxy_auth REQUIRED

acl src_self src 10.46.11.69      # proxy IP Address
acl localnet src 10.0.0.0/8       # hexcel networks
acl localnet src 172.0.0.0/8      # internal management network

acl SSL_ports port 443
acl Safe_ports port 21            # ftp
acl Safe_ports port 22            # ssh
acl Safe_ports port 80            # http
acl Safe_ports port 443           # https
acl Safe_ports port 4434          # firewall management port
acl Safe_ports port 8080          # http alternative
acl Safe_ports port 8443          # https alternative
acl Safe_ports port 1025-65535    # unregistered ports

# deny requests to certain unsafe ports
http_access deny !Safe_ports

# deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# this only allows changes to be made on the host itself
http_access allow localhost

# keep this deny here because other ACL's may unintentionally allow access
http_access deny to_localhost

# allow safe ports to CONNECT
http_access allow Safe_ports

# allow localnet parameter to CONNECT
http_access allow localnet

# allow authenticated users
http_access allow kerb-auth

# deny any request we missed in the above
http_access deny all

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
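
Added example, not part of the original message and not Squid's own code: a small Python model of first-match http_access evaluation, run over the rules and the access-log entry quoted above. It shows which posted rule admits the logged GET, which fits the TCP_MISS/503 result (an http_access denial is logged as TCP_DENIED instead). The built-in ACLs and the proxy_auth check are simplified assumptions, and the destination is assumed to be an IP literal as in the logged URL.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Access-log entry and http_access lines copied from the post, in order.
LOG = ("09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET "
       "http://172.27.46.253:4434/ jpiana \\ HIER_DIRECT/172.27.46.253 "
       "text/html ERR_CONNECT_FAIL/WITH_SERVER")
RULES = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "allow localhost manager",
         "deny manager", "allow localhost", "deny to_localhost",
         "allow Safe_ports", "allow localnet", "allow kerb-auth", "deny all"]
SAFE = [(21, 21), (22, 22), (80, 80), (443, 443), (4434, 4434),
        (8080, 8080), (8443, 8443), (1025, 65535)]

def in_nets(ip, *cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

# ACL name -> predicate over a parsed request. localhost, to_localhost, manager,
# CONNECT and all are Squid built-ins, modelled in simplified form (assumption).
ACLS = {
    "Safe_ports": lambda r: any(lo <= r["port"] <= hi for lo, hi in SAFE),
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "localhost": lambda r: in_nets(r["src"], "127.0.0.1/32"),
    "to_localhost": lambda r: in_nets(r["dst"], "127.0.0.0/8", "0.0.0.0/32"),
    "manager": lambda r: "/squid-internal-mgr/" in r["url"],
    "localnet": lambda r: in_nets(r["src"], "10.0.0.0/8", "172.0.0.0/8"),
    "kerb-auth": lambda r: r["user"] != "-",  # simplified: a user name was logged
    "all": lambda r: True,
}

def parse_log(line):
    """Pull client, result code, method, URL and user out of the posted entry."""
    m = re.search(r"(\S+) (TCP_\w+)/(\d{3}) \d+ (\w+) (\S+) (\S+)", line)
    src, result, status, method, url, user = m.groups()
    u = urlsplit(url)
    return {"src": src, "result": result, "status": int(status), "method": method,
            "url": url, "dst": u.hostname, "port": u.port or 80, "user": user}

def first_match(req):
    """Return (action, rule) for the first line whose ACLs all hold; '!' negates."""
    for rule in RULES:
        action, *names = rule.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, rule

if __name__ == "__main__":
    req = parse_log(LOG)
    print(req["result"], req["status"], first_match(req))
```

In this model a constructed variant of the same request that uses CONNECT instead of GET stops at `deny CONNECT !SSL_ports`, because SSL_ports lists only 443.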
