Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403

2021-04-14 Thread Eliezer Croitoru
Did you get it working eventually?

 

Eliezer

 



Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email:   ngtech1...@gmail.com

Zoom: Coming soon

 

 

From: squid-users  On Behalf Of
Elliott Blake, Lisa Marie
Sent: Thursday, April 8, 2021 10:11 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Can't get squid with whitelist text file to work
TCP_DENIED/403

 

I am trying to get squid to work with a text file for a whitelist.  I get
TCP_DENIED/403 on every url I try.  I am using curl to test.

acl whitelist dstdomain "/etc/squid/whitelist.txt"

curl -x https://libaux-prod.lib.uic.edu:3128 -I https://arl.org 

HTTP/1.1 403 Forbidden

Server: squid/3.5.20

Mime-Version: 1.0

Date: Wed, 07 Apr 2021 17:38:58 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 3521

X-Squid-Error: ERR_ACCESS_DENIED 0

Vary: Accept-Language

Content-Language: en

X-Cache: MISS from libaux-prod.lib.uic.edu

X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128

Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)

Connection: keep-alive

curl: (56) Received HTTP code 403 from proxy after CONNECT

 

However, if I change my squid.conf to just the url it works.

acl whitelist dstdomain .arl.org

curl -x https://libaux-prod.lib.uic.edu:3128 -I https://arl.org 

HTTP/1.1 200 Connection established

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Wed, 07 Apr 2021 17:40:31 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Keep-Alive: timeout=20

Location: https://www.arl.org/

Expires: Wed, 07 Apr 2021 18:40:31 GMT

Cache-Control: max-age=3600

 

I am running a centos 7 os with squid version 3.5.20, which is the most
recent yum version.

This is driving me crazy.  I have tried debugging in squid and cannot find
the answer.  I have tried changing the squid.conf file.  I always restart
squid after I change the squid.conf file.  

Any help would be appreciated.

 

My Squid.conf file:

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7   # RFC 4193 local private network range

acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

 

acl SSL_ports port 443

acl Safe_ports port 80  # http

acl Safe_ports port 443 # https

acl Safe_ports port 591 # filemaker

acl CONNECT method CONNECT

 

http_access deny !Safe_ports

 

http_access deny CONNECT !SSL_ports

 

http_access allow localhost manager

http_access deny manager

 

acl whitelist dstdomain "/etc/squid/whitelist.txt"

#acl whitelist dstdomain .arl.org

http_access allow whitelist

#http_access allow CONNECT whitelist

 

http_access deny !whitelist

 

http_access allow localnet

http_access allow localhost

 

http_access deny all

 

# Squid normally listens to port 3128

http_port 3128

 

# port 1338 is for Front Desk Machines

http_port 1338

 

coredump_dir /var/spool/squid

 

refresh_pattern ^ftp:   1440    20% 10080

refresh_pattern ^gopher:    1440    0%  1440

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0

refresh_pattern .   0   20% 4320

 

Beginning of whitelist.txt

#A Page

.aacrjournals.org

.aai.org

.aaiddjournals.org

.aap.org

.aappublications.orga

.accessanesthesiology.com

.anthropology.org.uk

.archivegrid.org

.arl.org

.arlstatistics.org

.artstor.org

 

Thank you,

Lisa Blake

 

 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
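A pre-flight check for the file-backed ACL, added here as an example (it is not code from this thread or from the Squid project). As the later replies show, Squid 3.5 starts even when the file behind a `dstdomain` ACL cannot be opened; it logs an ERROR and an "empty ACL" warning and then runs with an ACL that matches nothing. The script below inspects a list file the way an operator would before reloading: it reports a symlink whose target is gone, checks that the path is a readable regular file, and counts entries after dropping blank and `#` comment lines. The temporary directory and its file names are constructed for the demo; the `whitelist.txt` name, the `testLink` ACL name and the sample entries come from the thread.

```python
"""Pre-flight check for a file-backed Squid ACL such as
    acl whitelist dstdomain "/etc/squid/whitelist.txt"

Squid 3.5 only logs "ERROR: Can not open file ... for reading" and
"Warning: empty ACL" when the file is unreadable, then starts anyway with
an ACL that never matches.  Run this before reloading so a dangling
symlink, a permission problem or an empty list is caught first.
"""
import os
import tempfile


def count_entries(path):
    """Count usable entries: blank lines and '#' comments are skipped, as in Squid list files."""
    n = 0
    with open(path) as fh:
        for raw in fh:
            s = raw.strip()
            if s and not s.startswith("#"):
                n += 1
    return n


def check_acl_file(path):
    """Return a list of problems for one ACL file; [] means it is usable.

    Readability is tested for the *invoking* user, so run this as the user
    Squid drops privileges to (for example via sudo -u squid) to get the
    answer Squid would get.  SELinux denials are not visible this way.
    """
    if os.path.islink(path):
        target = os.readlink(path)
        if not os.path.exists(path):        # exists() follows links: a dangling link
            return [f"dangling symlink -> {target}"]
    if not os.path.isfile(path):
        return ["missing or not a regular file"]
    if not os.access(path, os.R_OK):
        return ["not readable by the current user"]
    if count_entries(path) == 0:
        return ["empty ACL: no entries, so it will never match"]
    return []


def demo():
    """Constructed reproduction of the thread: a good list, a comment-only
    list, and a symlink (as in Alex's /tmp/link test) whose target is gone."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "whitelist.txt")
    with open(good, "w") as fh:
        fh.write("#A Page\n.arl.org\n.artstor.org\n")
    empty = os.path.join(root, "empty.txt")
    with open(empty, "w") as fh:
        fh.write("# nothing but comments\n")
    link = os.path.join(root, "link")
    os.symlink(os.path.join(root, "moved-away.txt"), link)
    return {name: check_acl_file(p) for name, p in
            [("whitelist", good), ("empty", empty), ("testLink", link)]}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as the account Squid runs as, since `os.access` answers for the invoking user; an SELinux denial has to be read from the audit log instead. `squid -k parse` runs the same configuration parser as a normal start, so the same ERROR and Warning lines should also appear in its output, which is a second place worth grepping before a reload.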


Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403

2021-04-12 Thread Alex Rousskov
On 4/11/21 12:10 AM, Elliott Blake, Lisa Marie wrote:

> I never got that error.  Wish I had.  It would have made figuring it
> out much easier.

That can be another Squid UX problem (e.g., Squid reported the error but
not where you normally look for Squid errors) OR a sign that there is
something else going on (i.e. something other than a bad link, bad link
permissions, SE Linux policy violation, etc.). Feel free to investigate
further and report, of course, but without more information, we would
not be able to understand what actually went wrong.

Needless to say, any such investigation is unlikely to benefit you at
this point -- you will only be helping future others in your situation.
I am glad you have a working setup now!


Cheers,

Alex.

> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Friday, April 9, 2021 7:43 PM
> To: squid-users@lists.squid-cache.org
> Cc: Elliott Blake, Lisa Marie 
> Subject: Re: [squid-users] Can't get squid with whitelist text file to work 
> TCP_DENIED/403
> 
> On 4/9/21 4:41 PM, Elliott Blake, Lisa Marie wrote:
>> I realized that the whitelist is a symbolic link
> 
> Hi Lisa,
> 
> Glad you figured it out! IMO, it is a Squid bug that Squid starts with 
> broken symbolic links:
> 
>> 2021/04/09 20:34:52| ERROR: Can not open file /tmp/link for reading
>> 2021/04/09 20:34:52| Warning: empty ACL: acl testLink dstdomain "/tmp/link"
>> 2021/04/09 20:34:52| Accepting HTTP Socket connections
> 
> The above ERROR should be fatal (by default).
> 
> In fact, I would make the above Warning a fatal configuration error as well, 
> with a squid.conf option to explicitly allow for empty (hopefully never 
> matching) ACLs.
> 
> Alex.
> 
> 
>> -Original Message-
>> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
>> Sent: Friday, April 9, 2021 9:52 AM
>> To: squid-users@lists.squid-cache.org
>> Cc: Elliott Blake, Lisa Marie 
>> Subject: Re: [squid-users] Can't get squid with whitelist text file to 
>> work TCP_DENIED/403
>>
>> On 4/8/21 3:11 PM, Elliott Blake, Lisa Marie wrote:
>>> I am trying to get squid to work with a text file for a whitelist.  I 
>>> get TCP_DENIED/403 on every url I try.  I am using curl to test.
>>
>>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org
>>
>> Is that the exact curl command you are using or a typo? The above command 
>> tells curl to use an HTTPS proxy (https://libaux...) and your squid.conf 
>> does not have an https_port so something does not add up.
>> Perhaps your curl version is as old and buggy as your Squid version and it 
>> just ignores the "s" in "-x https", but I would remove it anyway.
>>
>>
>>> Server: squid/3.5.20
>>
>> Could be a bug in that unsupported version, of course. If you share a link 
>> to a debug_options ALL,9 cache.log with a problematic transaction, somebody 
>> may be able to triage this further.
>>
>> https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>
>> Alex.
>>
>>
>>> Mime-Version: 1.0
>>>
>>> Date: Wed, 07 Apr 2021 17:38:58 GMT
>>>
>>> Content-Type: text/html;charset=utf-8
>>>
>>> Content-Length: 3521
>>>
>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>>
>>> Vary: Accept-Language
>>>
>>> Content-Language: en
>>>
>>> X-Cache: MISS from libaux-prod.lib.uic.edu
>>>
>>> X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128
>>>
>>> Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)
>>>
>>> Connection: keep-alive
>>>
>>> curl: (56) Received HTTP code 403 from proxy after CO

Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403

2021-04-09 Thread Alex Rousskov
On 4/9/21 4:41 PM, Elliott Blake, Lisa Marie wrote:
> I realized that the whitelist is a symbolic link

Hi Lisa,

Glad you figured it out! IMO, it is a Squid bug that Squid starts
with broken symbolic links:

> 2021/04/09 20:34:52| ERROR: Can not open file /tmp/link for reading
> 2021/04/09 20:34:52| Warning: empty ACL: acl testLink dstdomain "/tmp/link"
> 2021/04/09 20:34:52| Accepting HTTP Socket connections

The above ERROR should be fatal (by default).

In fact, I would make the above Warning a fatal configuration error as
well, with a squid.conf option to explicitly allow for empty (hopefully
never matching) ACLs.

Alex.


> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Friday, April 9, 2021 9:52 AM
> To: squid-users@lists.squid-cache.org
> Cc: Elliott Blake, Lisa Marie 
> Subject: Re: [squid-users] Can't get squid with whitelist text file to work 
> TCP_DENIED/403
> 
> On 4/8/21 3:11 PM, Elliott Blake, Lisa Marie wrote:
>> I am trying to get squid to work with a text file for a whitelist.  I 
>> get TCP_DENIED/403 on every url I try.  I am using curl to test.
> 
>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org
> 
> Is that the exact curl command you are using or a typo? The above command 
> tells curl to use an HTTPS proxy (https://libaux...) and your squid.conf does 
> not have an https_port so something does not add up.
> Perhaps your curl version is as old and buggy as your Squid version and it 
> just ignores the "s" in "-x https", but I would remove it anyway.
> 
> 
>> Server: squid/3.5.20
> 
> Could be a bug in that unsupported version, of course. If you share a link to 
> a debug_options ALL,9 cache.log with a problematic transaction, somebody may 
> be able to triage this further.
> 
> https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
> 
> Alex.
> 
> 
>> Mime-Version: 1.0
>>
>> Date: Wed, 07 Apr 2021 17:38:58 GMT
>>
>> Content-Type: text/html;charset=utf-8
>>
>> Content-Length: 3521
>>
>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>
>> Vary: Accept-Language
>>
>> Content-Language: en
>>
>> X-Cache: MISS from libaux-prod.lib.uic.edu
>>
>> X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128
>>
>> Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)
>>
>> Connection: keep-alive
>>
>> curl: (56) Received HTTP code 403 from proxy after CONNECT
>>
>>  
>>
>> However, if I change my squid.conf to just the url it works.
>>
>> acl whitelist dstdomain .arl.org
>>
>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org
>>
>> HTTP/1.1 200 Connection established
>>
>> HTTP/1.1 301 Moved Permanently
>>
>> Server: nginx
>>
>> Date: Wed, 07 Apr 2021 17:40:31 GMT
>>
>> Content-Type: text/html
>>
>> Content-Length: 178
>>
>> Connection: keep-alive
>>
>> Keep-Alive: timeout=20
>>
>>
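The empty-ACL outcome Alex describes can be replayed without a running proxy. The model below is an added example, not code from this thread or from Squid: it implements the documented `http_access` evaluation order (lines are tried in order, every ACL on a line must match, a leading `!` negates, the first matching line decides, and if no line matches the opposite of the last line's action applies) for the `src`, `port`, `method` and `dstdomain` ACL types, then runs the posted configuration against the thread's `CONNECT arl.org:443`. With an unreadable list the `whitelist` ACL has no entries, so `http_access allow whitelist` never matches and `http_access deny !whitelist` catches every request, which is the 403 on every URL. The same replay shows a consequence of the posted rule order worth knowing: `allow whitelist` sits before `allow localnet`, so a client from any source address is allowed through to listed domains; the `TIGHTER_RULES` variant puts both conditions on one line. The `manager` lines are left out, the built-in `localhost` ACL is spelled out, and the request dictionaries and the 203.0.113.7 client address are constructed for the demo.

```python
"""Model of Squid's http_access evaluation: lines are tried in order, every ACL
on a line must match (a leading '!' negates one), the first matching line
decides, and when no line matches the opposite of the last line's action
applies.  ACL types modelled: src, port, method, dstdomain and 'all'."""
import ipaddress
import shlex

WHITELIST_PATH = "/etc/squid/whitelist.txt"

# ACLs from the posted squid.conf ('localhost' is built into Squid; spelled out here).
ACL_DEFS = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10
acl localhost src 127.0.0.1/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 443 591
acl CONNECT method CONNECT
acl whitelist dstdomain "/etc/squid/whitelist.txt"
"""
# The posted http_access lines, without the manager ones.
POSTED_RULES = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny !whitelist
http_access allow localnet
http_access allow localhost
http_access deny all
"""
# Alternative: a client must be local AND the destination must be listed.
TIGHTER_RULES = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet whitelist
http_access allow localhost whitelist
http_access deny all
"""

def parse_config(conf_text, acl_files):
    """Return (acls, rules).  acl_files maps a quoted list-file path to the
    entries Squid would read from it; an unreadable file gives [] in Squid 3.5."""
    acls, rules = {"all": ("all", [])}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "acl":
            name, acl_type = words[1], words[2]
            entries = [e for v in words[3:] for e in acl_files.get(v, [v])]
            acls[name] = (acl_type, acls.get(name, (acl_type, []))[1] + entries)
        elif words[0] == "http_access":
            rules.append((words[1], [(t.startswith("!"), t.lstrip("!")) for t in words[2:]]))
    return acls, rules

def domain_matches(entries, host):
    """dstdomain: '.arl.org' matches arl.org and all subdomains, 'arl.org' only itself."""
    host = host.lower().rstrip(".")
    for e in (x.lower() for x in entries):
        if host == e.lstrip(".") or (e.startswith(".") and host.endswith(e)):
            return True
    return False

def acl_matches(acl_type, values, req):
    if acl_type == "all":
        return True
    if acl_type == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return str(req["port"]) in values
    if acl_type == "method":
        return req["method"].upper() in [v.upper() for v in values]
    if acl_type == "dstdomain":
        return domain_matches(values, req["host"])
    raise ValueError(f"ACL type {acl_type!r} is not modelled")

def evaluate(acls, rules, req):
    """Return (decision, index of the deciding http_access line or None)."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(*acls[name], req) != negated for negated, name in terms):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def decide(rules_text, whitelist_entries, req):
    """Replay one request against the ACL definitions plus one rule set."""
    acls, rules = parse_config(ACL_DEFS + rules_text, {WHITELIST_PATH: whitelist_entries})
    return evaluate(acls, rules, req)

# Constructed requests: the thread's CONNECT arl.org:443 from a local client,
# and the same request from an address outside every localnet range.
LOCAL_CONNECT = {"src": "10.1.2.3", "method": "CONNECT", "host": "arl.org", "port": 443}
REMOTE_CONNECT = dict(LOCAL_CONNECT, src="203.0.113.7")

if __name__ == "__main__":
    print("empty list, local client :", decide(POSTED_RULES, [], LOCAL_CONNECT))
    print("listed, local client     :", decide(POSTED_RULES, [".arl.org"], LOCAL_CONNECT))
    print("listed, remote client    :", decide(POSTED_RULES, [".arl.org"], REMOTE_CONNECT))
    print("tighter, remote client   :", decide(TIGHTER_RULES, [".arl.org"], REMOTE_CONNECT))
```

The returned index says which `http_access` line made the decision, which is the same question `debug_options ALL,9` answers far more verbosely on a live proxy: with an empty list the deciding line is the fourth one (`deny !whitelist`), and with the list populated it is the third (`allow whitelist`) regardless of the client's source address.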

Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403

2021-04-09 Thread Alex Rousskov
On 4/8/21 3:11 PM, Elliott Blake, Lisa Marie wrote:
> I am trying to get squid to work with a text file for a whitelist.  I
> get TCP_DENIED/403 on every url I try.  I am using curl to test.

> curl -x https://libaux-prod.lib.uic.edu:3128 -I https://arl.org

Is that the exact curl command you are using or a typo? The above
command tells curl to use an HTTPS proxy (https://libaux...) and your
squid.conf does not have an https_port so something does not add up.
Perhaps your curl version is as old and buggy as your Squid version and
it just ignores the "s" in "-x https", but I would remove it anyway.


> Server: squid/3.5.20

Could be a bug in that unsupported version, of course. If you share a
link to a debug_options ALL,9 cache.log with a problematic transaction,
somebody may be able to triage this further.

https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction

Alex.


> Mime-Version: 1.0
> 
> Date: Wed, 07 Apr 2021 17:38:58 GMT
> 
> Content-Type: text/html;charset=utf-8
> 
> Content-Length: 3521
> 
> X-Squid-Error: ERR_ACCESS_DENIED 0
> 
> Vary: Accept-Language
> 
> Content-Language: en
> 
> X-Cache: MISS from libaux-prod.lib.uic.edu
> 
> X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128
> 
> Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)
> 
> Connection: keep-alive
> 
> curl: (56) Received HTTP code 403 from proxy after CONNECT
> 
>  
> 
> However, if I change my squid.conf to just the url it works.
> 
> acl whitelist dstdomain .arl.org
> 
> curl -x https://libaux-prod.lib.uic.edu:3128 -I https://arl.org
> 
> HTTP/1.1 200 Connection established
> 
> HTTP/1.1 301 Moved Permanently
> 
> Server: nginx
> 
> Date: Wed, 07 Apr 2021 17:40:31 GMT
> 
> Content-Type: text/html
> 
> Content-Length: 178
> 
> Connection: keep-alive
> 
> Keep-Alive: timeout=20
> 
> Location: https://www.arl.org/ 
> 
> Expires: Wed, 07 Apr 2021 18:40:31 GMT
> 
> Cache-Control: max-age=3600
> 
>  
> 
> I am running a centos 7 os with squid version 3.5.20, which is the most
> recent yum version.
> 
> This is driving me crazy.  I have tried debugging in squid and cannot
> find the answer.  I have tried changing the squid.conf file.  I always
> restart squid after I change the squid.conf file.  
> 
> Any help would be appreciated.
> 
>  
> 
> My Squid.conf file:
> 
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> 
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> 
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 
> acl localnet src fc00::/7   # RFC 4193 local private network range
> 
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
> 
>  
> 
> acl SSL_ports port 443
> 
> acl Safe_ports port 80  # http
> 
> acl Safe_ports port 443 # https
> 
> acl Safe_ports port 591 # filemaker
> 
> acl CONNECT method CONNECT
> 
>  
> 
> http_access deny !Safe_ports
> 
>  
> 
> http_access deny CONNECT !SSL_ports
> 
>  
> 
> http_access allow localhost manager
> 
> http_access deny manager
> 
>  
> 
> acl whitelist dstdomain "/etc/squid/whitelist.txt"
> 
> #acl whitelist dstdomain .arl.org
> 
> http_access allow whitelist
> 
> #http_access allow CONNECT whitelist
> 
>  
> 
> http_access deny !whitelist
> 
>  
> 
> http_access allow localnet
> 
> http_access allow localhost
> 
>  
> 
> http_access deny all
> 
>  
> 
> # Squid normally listens to port 3128
> 
> http_port 3128
> 
>  
> 
> # port 1338 is for Front Desk Machines
> 
> http_port 1338
> 
>  
> 
> coredump_dir /var/spool/squid
> 
>  
> 
> refresh_pattern ^ftp:   1440    20% 10080
> 
> refresh_pattern ^gopher:    1440    0%  1440
> 
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> 
> refresh_pattern .   0   20% 4320
> 
>  
> 
> Beginning of whitelist.txt
> 
> #A Page
> 
> .aacrjournals.org
> 
> .aai.org
> 
> .aaiddjournals.org
> 
> .aap.org
> 
> .aappublications.orga
> 
> .accessanesthesiology.com
> 
> .anthropology.org.uk
> 
> .archivegrid.org
> 
> .arl.org
> 
> .arlstatistics.org
> 
> .artstor.org
> 
>  
> 
> Thank you,
> 
> Lisa Blake
> 
>  
> 
>  
> 
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users