
[squid-users] TCP_DENIED/407 CONNECT www,evernote.com:443

Nick Cairncross
Wed, 10 Mar 2010 07:53:35 -0800

Hi All,

I have some Mac clients/services that require internet via my Squid. Two such 
programs are Evernote and VMWare. Both are requesting access and both are being 
denied. The errors I see in the access.log are as follows and nothing else:

268234226.935      0 172.16.0.38 TCP_DENIED/407 2117 CONNECT 
www.evernote.com:443 - NONE/- text/html
1268234226.938      0 172.16.0.38 TCP_DENIED/407 2117 CONNECT 
www.evernote.com:443 - NONE/- text/html
1268234228.667      0 172.16.0.38 TCP_DENIED/407 2134 CONNECT 
softwareupdate.vmware.com:443 - NONE/- text/html

I've tried all sorts of ACLs (browser, dstdomain, IP) but I still get 
denied. Even http_access allow all doesn't work.

Thanks in advance,

Nick
==

My configuration is as follows:

# NOTE(review): squid.conf as pasted into the mail; long lines were wrapped by
# the mail client, so a quoted "/etc/squid/ACL/..." path on a line of its own
# is the continuation of the acl line above it.
http_port 172.16.10.195:8080
# -d turns on helper debug output (goes to cache.log); presumably not wanted
# once the setup works -- confirm.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 40
# NOTE(review): login=* looks like it forwards the client's user name to the
# ISP parent -- verify against the cache_peer documentation which login= form
# (login=PASS / login=*:password) is actually intended here.
cache_peer [upstream ISP proxy] parent 8080 7 no-query no-digest 
no-netdb-exchange login=*

visible_hostname VHSQUID1.[my domain]
dns_nameservers 172.16.10.52 172.16.10.53 172.16.40.20

# Total number of delay pools
delay_pools 1

## LOGGING SWITCHES
log_fqdn on

## LOG LOCATIONS
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log squid
useragent_log /var/log/squid/useragent.log squid

#### ACCESS CONTROL LISTS #####
## USER-AGENT (Browser-type) ACLs
# The User-Agent header is chosen by the client; these ACLs identify software,
# they do not authenticate anyone.
acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_ITUNES.txt"

## URL DESTINATION ACLs

## USER AUTHENTICATION ACLs
# Any proxy_auth / proxy_auth_regex ACL needs a user name to be evaluated;
# when one is tested in http_access and the request carries no credentials,
# Squid answers with a 407 challenge (the TCP_DENIED/407 seen in access.log).
acl AuthenticatedUsers proxy_auth REQUIRED
acl BandwidthUserExceptions proxy_auth_regex -i 
"/etc/squid/ACL/BANDWIDTH/BANDWIDTH_NOLIMIT_USER.txt"

## LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
# Sources that are exempt from authentication (file contents not shown here).
acl DoNotAuthenticateIP src "/etc/squid/ACL/IPADDRESSES/IP_NOAUTH.txt"

## LOCALHOST ACLs
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

## QUERY ACLs
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache

## SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdomain 
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
acl SENDDIRECT_Users proxy_auth_regex -i 
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_USERS.txt"
acl SENDDIRECT_IPAddresses src 
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"

## BLACKLISTED (Deny) ACLs
acl BLACKLIST_DstDomains dstdomain 
"/etc/squid/ACL/BLACKLIST/BLACKLIST_DSTDOMAINS.txt"
# proxy_auth_regex: evaluating this ACL requires credentials (see note at the
# first http_access rule below).
acl BLACKLIST_Users proxy_auth_regex -i 
"/etc/squid/ACL/BLACKLIST/BLACKLIST_USERS.txt"
acl BLACKLIST_IPAddresses src 
"/etc/squid/ACL/BLACKLIST/BLACKLIST_IPADDRESSES.txt"

## FILE TYPE ACLs
# Unanchored regex: ".exe$" matches any URL path ending in "exe" preceded by
# any character (the dot is a wildcard); "\.exe$" would be the literal form.
acl FILEEXT_EXE urlpath_regex .exe$
acl FILEEXT_EXE_Users proxy_auth_regex -i 
"/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWUSERS.txt"
acl FILEEXT_EXE_DstDomains dstdomain 
"/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWDSTDOMAINS.txt"
acl FILEEXT_EXE_IPAddresses src 
"/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWIPADDRESSES.txt"

## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 8080        # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 70          # gopher (duplicate of the line above; harmless)
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl RTMP_ports port 1935        # RTMP (defined but not referenced below)

# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST

######  ACCESS RULES  #####
# http_access rules are evaluated top to bottom; the first rule whose ACLs all
# match decides. Order therefore matters for everything that follows.

### GLOBAL BLACKLIST RULES ###
# NOTE(review): this is the cause of the 407s in the log. BLACKLIST_Users is a
# proxy_auth_regex ACL, and it is the first http_access rule, so every request
# that arrives without Proxy-Authorization -- including the Evernote/VMware
# CONNECTs -- is challenged here, before "allow CONNECT", "allow
# DoNotAuthenticateIP" or an uncommented "allow all" further down is ever
# reached. Clients that cannot answer a Negotiate/NTLM challenge stop at this
# line. Move this deny below the rules that are meant to work without
# authentication (or guard it with a src ACL that excludes those clients).
http_access deny BLACKLIST_Users
http_access deny BLACKLIST_IPAddresses
http_access deny BLACKLIST_DstDomains
############################

## FILE EXTENSIONS
# Reply-side rule: .exe downloads are refused unless the user, client IP or
# destination is on one of the three allow lists.
http_reply_access deny FILEEXT_EXE !FILEEXT_EXE_Users !FILEEXT_EXE_IPAddresses 
!FILEEXT_EXE_DstDomains

# USER AGENTS #
# NOTE(review): these two rules exempt any request whose client-supplied
# User-Agent matches the lists from authentication and from every http_access
# check below them, so they are an easy way around the rest of the policy.
http_access allow iTunes
http_access allow Java_jvm

# URL DESTINATIONS

## SEND DIRECT ALLOW
# always_direct only chooses direct vs. parent routing; it does not grant access.
always_direct allow SENDDIRECT_Users
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses

## POST and CONNECT ALLOW ##
# NOTE(review): these fire before "deny !Safe_ports", "deny CONNECT !SSL_ports"
# and "deny to_localhost" at the end of the list, so once the challenge above
# is satisfied any POST and any CONNECT, to any port and any destination, is
# allowed here and the port/localhost restrictions are never reached for them.
# Put the deny rules first; if unauthenticated 443 tunnels are really the
# intent, "http_access allow CONNECT SSL_ports" is the narrower form.
http_access allow POST
http_access allow CONNECT

## USERS ACL ALLOW ##
# Emergency Allow All: unhash this for instant access to all without
# authentication
# (Even when uncommented it sits below the BLACKLIST_Users deny, so clients
# without credentials are still challenged before they reach it.)
#http_access allow all
http_access allow DoNotAuthenticateIP
http_access allow AuthenticatedUsers
http_reply_access allow AuthenticatedUsers

## LOCAL HOST ALLOW ##
# Also shadowed by the BLACKLIST_Users challenge on the first rule.
http_access allow localhost

###### DELAY ACCESS RULES ######
# First delay class pool is User allocated
delay_class 1 4

# Class 4 pool: aggregate, per-network and per-host buckets unlimited (-1);
# per-user bucket 4000000 bytes/s ("4mb") for all users not in the exceptions
delay_parameters 1 -1/-1 -1/-1 -1/-1 4000000/4000000

# First delay pool applied to authenticated users except those in
# BandwidthUserExceptions and SERVERSUBNETS
delay_access 1 allow AuthenticatedUsers !BandwidthUserExceptions !SERVERSUBNETS
delay_access 1 deny all

###### CATCH ALL DENY ######
# NOTE(review): see the POST/CONNECT note above -- the three denies here are
# only reached by requests that none of the earlier allow rules matched.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# NOTE(review): no explicit "http_access deny all". Squid's default for a
# request that matches none of the rules is the opposite of the last rule, so
# a request from outside 172.16.0.0/16 that reaches this point is allowed;
# end the list with "http_access deny all" as a safety net.
http_access deny 172SUBNETS
cache deny 172SUBNETS
cache deny QUERY
snmp_access deny 172SUBNETS


** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and is 
intended only for the addressee.  If you are not the intended addressee, any 
disclosure, copying or distribution by you is prohibited and may be unlawful.  
Disclosure to any party other than the addressee, whether inadvertent or 
otherwise, is not intended to waive privilege or confidentiality.  Internet 
communications are not secure and therefore Conde Nast does not accept legal 
responsibility for the contents of this message.  Any views or opinions 
expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900