Squid Access Denied

laroseengineer · 02-27-2008, 08:25 PM

I have a server running a squid proxy serverand iptables setup through webmin. My client computers get an access denied error with a refernence to acl problems. I have setup the debug level and checked the cahce.log files but I can't see which acl is causing the problem. Here is my squid.conf file.

http_port 192.168.1.111:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,1, 32,2
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny !Safe_ports
http_access allow CONNECT SSL_PORTS
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow all manager localhost
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user administrator
cache_effective_group administrator
visible_hostname geekserver1.engineeringgeek.com
coredump_dir /var/spool/squid

Any help is appreciated. I am sure it is something simple that I am overlooking.

gilead · 02-27-2008, 08:33 PM

Have you looked in Squid's access log (it's separate to the cache.log)? It should show you which URLs are being blocked and which clients are requesting them. Based on your conf file, it looks like anyone with a 192.168.1. address should be able to access http:// URLs...

laroseengineer · 02-28-2008, 05:51 AM

Yes, I have looked in the access.log. I can ping a website just fine but I get the squid access denied page. I can see which client is getting the error which is a 403. Maybe the firewall is the culprit?

gilead · 02-28-2008, 06:17 PM

I don't think it's a firewall issue. The 403 response means that the web server received the request but refused to fulfill it. I'd start squid in debug mode, try it again and then check the logs to see which ACL is blocking access.

laroseengineer · 02-28-2008, 06:53 PM

I did run it in debug mode but the errors in the logs don't point to any specific acl. Maybe I am not doing it correctly. I have used:

squid -NCd10 (cli)
squid -z (cli)
debug_options ALL,1, 32,2 (in the config file)

Do you have any other suggestions or alternative debug modes? For some reason the cache.log and access.log files don't help or I just don't know how to read them correctly.

gilead · 02-28-2008, 08:34 PM

You should be able to change debug_options to ALL,9 or to start squid with:

Code:

squid -k debug

The debug_options setting isn't very well documented - or if it is, I couldn't find the info on it.

laroseengineer · 02-28-2008, 09:00 PM

Now that is better for debugging. Here is a tail | grep acl

The box I am trying to get on to the internet is 192.168.1.105. Any ideas? It looks like the aclMatchIp is found then it is NOT found. Also, check out the bottom post with regex.

2008/02/28 20:57:28| aclCheckFast: list: 0x82aa720
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:28| aclCheck: checking 'http_access deny all'
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheck: checking 'http_access allow geek_net'
2008/02/28 20:57:28| aclMatchAclList: checking geek_net
2008/02/28 20:57:28| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' found
2008/02/28 20:57:28| aclMatchAclList: returning 1
2008/02/28 20:57:28| aclCheck: match found, returning 1
2008/02/28 20:57:28| aclCheckCallback: answer=1
2008/02/28 20:57:28| aclCheck: checking 'cache deny QUERY'
2008/02/28 20:57:28| aclMatchAclList: checking QUERY
2008/02/28 20:57:28| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 20:57:28| aclMatchRegex: checking '/search?'
2008/02/28 20:57:28| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 20:57:28| aclMatchRegex: looking for '\?'
2008/02/28 20:57:28| aclMatchRegex: match '\?' found in '/search?'
2008/02/28 20:57:28| aclMatchAclList: returning 1
2008/02/28 20:57:28| aclCheck: match found, returning 0
2008/02/28 20:57:28| aclCheckCallback: answer=0
2008/02/28 20:57:28| aclCheckFast: list: (nil)
2008/02/28 20:57:28| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:28| aclCheckFast: list: 0x82aa838
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheckFast: no matches, returning: 0
2008/02/28 20:57:28| aclCheck: checking 'http_reply_access allow all'
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheck: NO match found, returning 0
2008/02/28 20:57:28| aclCheckCallback: answer=0
2008/02/28 20:57:33| aclCheckFast: list: 0x82aa720
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:33| aclCheck: checking 'http_access deny all'
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheck: checking 'http_access allow geek_net'
2008/02/28 20:57:33| aclMatchAclList: checking geek_net
2008/02/28 20:57:33| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' found
2008/02/28 20:57:33| aclMatchAclList: returning 1
2008/02/28 20:57:33| aclCheck: match found, returning 1
2008/02/28 20:57:33| aclCheckCallback: answer=1
2008/02/28 20:57:33| aclCheck: checking 'cache deny QUERY'
2008/02/28 20:57:33| aclMatchAclList: checking QUERY
2008/02/28 20:57:33| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 20:57:33| aclMatchRegex: checking '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 20:57:33| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 20:57:33| aclMatchRegex: looking for '\?'
2008/02/28 20:57:33| aclMatchRegex: match '\?' found in '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 20:57:33| aclMatchAclList: returning 1
2008/02/28 20:57:33| aclCheck: match found, returning 0
2008/02/28 20:57:33| aclCheckCallback: answer=0
2008/02/28 20:57:33| aclCheckFast: list: (nil)
2008/02/28 20:57:33| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:33| aclCheckFast: list: 0x82aa838
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheckFast: no matches, returning: 0
2008/02/28 20:57:33| aclCheck: checking 'http_reply_access allow all'
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheck: NO match found, returning 0
2008/02/28 20:57:33| aclCheckCallback: answer=0
2008/02/28 20:57:39| aclCheckFast: list: 0x82aa720
2008/02/28 20:57:39| aclMatchAclList: checking all
2008/02/28 20:57:39| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:39| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:39| aclMatchAclList: no match, returning 0
2008/02/28 20:57:39| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:40| aclCheck: checking 'http_access deny all'
2008/02/28 20:57:40| aclMatchAclList: checking all
2008/02/28 20:57:40| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheck: checking 'http_access allow geek_net'
2008/02/28 20:57:40| aclMatchAclList: checking geek_net
2008/02/28 20:57:40| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' found
2008/02/28 20:57:40| aclMatchAclList: returning 1
2008/02/28 20:57:40| aclCheck: match found, returning 1
2008/02/28 20:57:40| aclCheckCallback: answer=1
2008/02/28 20:57:40| aclCheck: checking 'cache deny QUERY'
2008/02/28 20:57:40| aclMatchAclList: checking QUERY
2008/02/28 20:57:40| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 20:57:40| aclMatchRegex: checking '/'
2008/02/28 20:57:40| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 20:57:40| aclMatchRegex: looking for '\?'
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheck: NO match found, returning 1
2008/02/28 20:57:40| aclCheckCallback: answer=1
2008/02/28 20:57:40| aclCheckFast: list: (nil)
2008/02/28 20:57:40| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:40| aclCheckFast: list: 0x82aa838
2008/02/28 20:57:40| aclMatchAclList: checking all
2008/02/28 20:57:40| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheckFast: no matches, returning: 0
2008/02/28 20:57:40| aclCheck: checking 'http_reply_access allow all'
2008/02/28 20:57:40| aclMatchAclList: checking all
2008/02/28 20:57:40| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheck: NO match found, returning 0
2008/02/28 20:57:40| aclCheckCallback: answer=0

##

2008/02/28 21:22:58| aclMatchIp: '192.168.1.105' found
2008/02/28 21:22:58| aclMatchAclList: returning 1
2008/02/28 21:22:58| aclCheck: match found, returning 1
2008/02/28 21:22:58| aclCheckCallback: answer=1
2008/02/28 21:22:58| aclCheck: checking 'cache deny QUERY'
2008/02/28 21:22:58| aclMatchAclList: checking QUERY
2008/02/28 21:22:58| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 21:22:58| aclMatchRegex: checking '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:22:58| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 21:22:58| aclMatchRegex: looking for '\?'
2008/02/28 21:22:58| aclMatchRegex: match '\?' found in '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:22:58| aclMatchAclList: returning 1
2008/02/28 21:22:58| aclCheck: match found, returning 0
2008/02/28 21:22:58| aclCheckCallback: answer=0
2008/02/28 21:22:58| aclCheckFast: list: (nil)
2008/02/28 21:22:58| aclCheckFast: no matches, returning: 1
2008/02/28 21:22:58| aclCheckFast: list: 0x82aa838
2008/02/28 21:22:58| aclMatchAclList: checking all
2008/02/28 21:22:58| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:22:58| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:22:58| aclMatchAclList: no match, returning 0
2008/02/28 21:22:58| aclCheckFast: no matches, returning: 0
2008/02/28 21:22:58| aclCheck: checking 'http_reply_access allow all'
2008/02/28 21:22:58| aclMatchAclList: checking all
2008/02/28 21:22:58| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:22:58| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:22:58| aclMatchAclList: no match, returning 0
2008/02/28 21:22:58| aclCheck: NO match found, returning 0
2008/02/28 21:22:58| aclCheckCallback: answer=0
2008/02/28 21:23:03| aclCheckFast: list: 0x82aa720
2008/02/28 21:23:03| aclMatchAclList: checking all
2008/02/28 21:23:03| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:03| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:03| aclMatchAclList: no match, returning 0
2008/02/28 21:23:03| aclCheckFast: no matches, returning: 1
2008/02/28 21:23:04| aclCheck: checking 'http_access deny all'
2008/02/28 21:23:04| aclMatchAclList: checking all
2008/02/28 21:23:04| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:04| aclMatchAclList: no match, returning 0
2008/02/28 21:23:04| aclCheck: checking 'http_access allow geek_net'
2008/02/28 21:23:04| aclMatchAclList: checking geek_net
2008/02/28 21:23:04| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' found
2008/02/28 21:23:04| aclMatchAclList: returning 1
2008/02/28 21:23:04| aclCheck: match found, returning 1
2008/02/28 21:23:04| aclCheckCallback: answer=1
2008/02/28 21:23:04| aclCheck: checking 'cache deny QUERY'
2008/02/28 21:23:04| aclMatchAclList: checking QUERY
2008/02/28 21:23:04| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 21:23:04| aclMatchRegex: checking '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:23:04| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 21:23:04| aclMatchRegex: looking for '\?'
2008/02/28 21:23:04| aclMatchRegex: match '\?' found in '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:23:04| aclMatchAclList: returning 1
2008/02/28 21:23:04| aclCheck: match found, returning 0
2008/02/28 21:23:04| aclCheckCallback: answer=0
2008/02/28 21:23:04| aclCheckFast: list: (nil)
2008/02/28 21:23:04| aclCheckFast: no matches, returning: 1
2008/02/28 21:23:04| aclCheckFast: list: 0x82aa838
2008/02/28 21:23:04| aclMatchAclList: checking all
2008/02/28 21:23:04| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:04| aclMatchAclList: no match, returning 0
2008/02/28 21:23:04| aclCheckFast: no matches, returning: 0
2008/02/28 21:23:04| aclCheck: checking 'http_reply_access allow all'
2008/02/28 21:23:04| aclMatchAclList: checking all
2008/02/28 21:23:04| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:04| aclMatchAclList: no match, returning 0
2008/02/28 21:23:04| aclCheck: NO match found, returning 0
2008/02/28 21:23:04| aclCheckCallback: answer=0

gani · 02-28-2008, 11:04 PM

Is there series of defined acl Safe_ports in your squid.conf? You never posted it in your configuration file. By default squid has this defined and it came as ordered below.

Code:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

shahz · 02-29-2008, 04:29 AM

I din't see ACL for the lan which you have allowed

http_access allow lan

because when I was configuring I mention my network like

acl lan src 192.168.0.0/24

then allowed

http_access allow lan

laroseengineer · 02-29-2008, 06:13 AM

==Update==
Note, this is no longer an issue. I uninstalled 2.5 and installed the latest 3.0 stable. Works like a charm. I think there was a bug or something in 2.5. It only took me 20 minutes or so to setup 3.0. Although I don't like to give up and working through these 'bug'issues only make me smarter, I couldn't see spending more time on it.

Thanks for everyone's assistance. You can check out my setup here.

http://engineeringgeek.com/wiki/index.php/Squid

##
Yes, I do have the acl's for the safe ports. I don't know why they weren't posted.

Here is my squid.conf with the safe ports and http_access allow geek_net and the specific ip 192.168.1.105..

##
http_port 192.168.1.111:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,1, 32,2
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny all
acl geek_net src 192.168.1.0/24
acl geekjr src 192.168.1.105
http_access allow geek_net
http_access allow geekjr
http_access deny !Safe_ports
http_access allow CONNECT SSL_PORTS
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow all manager localhost
http_access allow localhost
http_reply_access allow all
icp_access allow all
cache_effective_user administrator
cache_effective_group administrator
visible_hostname geekserver1.engineeringgeek.com
coredump_dir /var/spool/squid
##