LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-19-2010, 11:30 AM   #1
Alexoes
LQ Newbie
 
Registered: Nov 2010
Posts: 2
Blog Entries: 1

Squid not retrieving URL


Hello,

I'm new to Squid (Squid 2.7 Stable7). Everything is working OK until I want to access the URL http://webpage:93/folder/page.maf; then I get the message "The requested URL could not be retrieved". All my clients on my local network have access to all the web pages or sites that I put in the ACL rules, except this site.

I read an article saying that I have to configure iptables so my server can get the traffic of the server that I want to access, but nothing happens!

iptables -A INPUT -p TCP -s XXX.XXX.XXX.XXX --source-port 93 -d 0/0 -j ACCEPT

Does someone know what can cause this error? Right now I'm clueless about this issue.

thanks!
 
Old 11-19-2010, 12:02 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,606

Quote:
Originally Posted by Alexoes
Hello,

I'm new to Squid (Squid 2.7 Stable7). Everything is working OK until I want to access the URL http://webpage:93/folder/page.maf; then I get the message "The requested URL could not be retrieved". All my clients on my local network have access to all the web pages or sites that I put in the ACL rules, except this site.

I read an article saying that I have to configure iptables so my server can get the traffic of the server that I want to access, but nothing happens!

iptables -A INPUT -p TCP -s XXX.XXX.XXX.XXX --source-port 93 -d 0/0 -j ACCEPT

Does someone know what can cause this error? Right now I'm clueless about this issue.
Well, have you tried to hit the site from outside your firewall/proxy? It appears the site is down and/or that link is invalid. Did you verify that the page and site are UP?
 
Old 11-19-2010, 04:32 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Alexoes
I'm new to Squid (Squid 2.7 Stable7). Everything is working OK until I want to access the URL http://webpage:93/folder/page.maf; then I get the message "The requested URL could not be retrieved". All my clients on my local network have access to all the web pages or sites that I put in the ACL rules, except this site.
Does your squid.conf have an ACL for that site? Port 93 seems unusual so you'd probably need to add it yourself. You could make the ACL for port 93 in general, the domain/port combination webpage:93, or the URL http://webpage:93/folder/page.maf. As for iptables, you just need to check whether it's allowing Squid to connect to TCP port 93 on the WAN. Something like (example):
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p TCP -o eth0 --dport 93 -m state --state NEW -j ACCEPT
...and, of course, if there's a router in front of this proxy it might need to have its FORWARD chain tweaked accordingly.

Last edited by win32sux; 11-19-2010 at 06:00 PM.
 
Old 11-19-2010, 06:59 PM   #4
Alexoes
LQ Newbie
 
Registered: Nov 2010
Posts: 2

Original Poster
Blog Entries: 1

Yes, I tried to add the port via an ACL rule, but maybe this can help you get a better overview of my squid.conf file:


Code:
#  TAG: authenticate_cache_garbage_interval
#	The time period between garbage collection across the username cache.
#	This is a tradeoff between memory utilization (long intervals - say
#	2 days) and CPU (short intervals - say 1 minute). Only change if you
#	have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl
#	The time a user & their credentials stay in the logged in user cache
#	since their last request. When the garbage interval passes, all user
#	credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
#	directive controls how long Squid remembers the IP addresses
#	associated with each user.  Use a small value (e.g., 60 seconds) if
#	your users might change addresses quickly, as is the case with
#	dialups. You might be safe using a larger value (e.g., 2 hours) in a
#	corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds

#  TAG: authenticate_ip_shortcircuit_ttl
#	Cache authentication credentials per client IP address for this
#	long. Default is 0 seconds (disabled).
#
#	See also authenticate_ip_shortcircuit_access directive.
#
#Default:
# authenticate_ip_shortcircuit_ttl 0 seconds


# ACCESS CONTROLS
# -----------------------------------------------------------------------------



#  TAG: acl
#	Defining an Access List
#

#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed


acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl mired src 10.166.0.0/24



############### My Local Network ######################
acl fullaccess src "/etc/squid/permitidos"
acl medios src "/etc/squid/medios"
acl denaid url_regex "/etc/squid/negados"
acl negado src 10.166.145.40


#
acl SSL_ports port 443		# https
acl SSL_ports port 563		# snews
acl SSL_ports port 873		# rsync
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 631		# cups
acl Safe_ports port 873		# rsync
acl Safe_ports port 901		# SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#  TAG: http_access
#	Allowing or Denying access based on defined access lists
#


#################################
# http_access deny all




#
#Recommended minimum configuration:
#

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports


# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost


# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed


#http_access allow localnet
http_access allow localhost


################ ACCESO A MIS PERMITIDOS #####################
http_access allow permitidos 
http_access allow medios !negados
http_access allow mired
http_access deny negado


# And finally deny all other access to this proxy
http_access deny all




#  TAG: http_access2
#	Allowing or Denying access based on defined access lists
#
#	Identical to http_access, but runs after redirectors. If not set
#	then only http_access is used.
#
#Default:
# none

#  TAG: http_reply_access
#	Allow replies to client requests. This is complementary to http_access.

#
#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all

#  TAG: htcp_access
#	Allowing or Denying access to the HTCP port based on defined
#	access lists
#
#	htcp_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
#	NOTE: The default if no htcp_access lines are present is to
#	deny all traffic. This default may cause problems with peers
#	using the htcp or htcp-oldsquid options.
#
#Default:
# htcp_access deny all
#
#Allow HTCP queries from local networks only
htcp_access allow localnet
# htcp_access deny all

#  TAG: htcp_clr_access
#	Allowing or Denying access to purge content using HTCP based

# htcp_clr_access deny all

#  TAG: miss_access
#	Use to force your neighbors to use you as a sibling instead of

#
#Default setting:
# miss_access allow all

#  TAG: ident_lookup_access
#	A list of ACL elements which, if matched, cause an ident

#
#Default:
# ident_lookup_access deny all

#  TAG: reply_body_max_size	bytes allow|deny acl acl...

#Default:
# reply_body_max_size 0 allow all

#  TAG: authenticate_ip_shortcircuit_access
#	Access list determining when shortcicuiting the authentication process
#	based on source IP cached credentials is acceptable. Use this to deny
#	using the ip auth cache on requests from child proxies or other source
#	ip's having multiple users.
#
#	See also authenticate_ip_shortcircuit_ttl directive
#
#Default:
# none


# OPTIONS FOR X-Forwarded-For
# -----------------------------------------------------------------------------

#  TAG: follow_x_forwarded_for

#Default:
# follow_x_forwarded_for deny all

#  TAG: acl_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on

#  TAG: delay_pool_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on

#  TAG: log_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in the access log.
#
#Default:
# log_uses_indirect_client on


# SSL OPTIONS
# -----------------------------------------------------------------------------



# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#



############## Squid normally listens to port 3128 ########
http_port 3128
#http_port 8080
http_port 93
Thanks for your help!

Last edited by win32sux; 11-19-2010 at 10:25 PM. Reason: Added CODE tags for readability (please use them in the future).
 
Old 11-19-2010, 10:22 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Alexoes
http_port 93
You need to get rid of this, as your objective has nothing to do with the port Squid listens on.

You need to insert an ACL for port 93 right there with the others, like (example):
Code:
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 93 # for that site that listens on port 93.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
BTW, there are some other weird things going on here. For example, you've got this line:
Quote:
http_access allow permitidos
...but you don't have any ACL called permitidos.
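As an added example (not code from this thread or from the Squid project), here is a small Python simulation of how Squid matches `acl ... port` lists and evaluates `http_access` lines first-match, showing why http://webpage:93/folder/page.maf is refused by `http_access deny !Safe_ports` until port 93 is added to Safe_ports. The config fragment is constructed in the layout of the posted squid.conf (only `port` and `src` ACLs are modelled), and a rule naming an undefined ACL such as `permitidos` is rejected, as pointed out above.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_config(text):
    # acls: name -> (type, values); rules: ordered (action, [(negated, acl)])
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(words) >= 4 and words[0] == "acl":
            kind, values = acls.setdefault(words[1], (words[2], set()))
            for v in words[3:]:
                if kind == "port" and "-" in v:  # range such as 1025-65535
                    lo, hi = v.split("-", 1)
                    values.update(range(int(lo), int(hi) + 1))
                else:
                    values.add(int(v) if kind == "port" else v)
        elif len(words) >= 3 and words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            for _, name in terms:
                if name not in acls:  # Squid rejects the config in this case
                    raise ValueError(f"ACL name '{name}' not defined")
            rules.append((words[1], terms))
    return acls, rules

def acl_matches(acls, name, src_ip, url):
    kind, values = acls[name]
    if kind == "port":  # destination port of the URL, defaulting per scheme
        u = urlsplit(url)
        return (u.port or (443 if u.scheme == "https" else 80)) in values
    if kind == "src":  # "all" or CIDR networks
        return "all" in values or any(
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(v, strict=False)
            for v in values)
    return False  # other ACL types are not modelled here

def decide(config_text, src_ip, url):
    # First matching line wins; no match -> opposite of the last line's action.
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls, n, src_ip, url) != neg for neg, n in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

# Constructed fragment in the thread's layout, before and after the Safe_ports fix.
BEFORE = """
acl all src all
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 21 443 1025-65535
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""
AFTER = BEFORE.replace("port 80 21", "port 93 80 21")
```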
 
  

