squid denies access to clients
Hello good people of Linux Questions.
I recently upgraded my squid to version 2.6. Right at the beginning I encountered problems... It seems this new version changed the way to configure it for a transparent proxy. After searching on Google I managed to configure it as a transparent proxy server. But when a user machine tries to navigate through the proxy server it gives the error Access Denied. In the access control I have given permission for it to use the proxy, but it does not seem to work. This server has to give service just to the internal LAN. The services are:
- Access to the internet through the squid transparent proxy.
- Internal server for: web page (httpd), webmail (webmail on the apache server), ftp (vsftpd) and internal DNS (BIND 9.3.4).
So far all work great, but squid does not work. This is the part of the log from squid's access.log while machine2.internaldomain.home opens mozilla and tries to open pages: Code:
.. Device configs. Connection to the internet: Code:
DEVICE=eth0 Code:
TYPE=Ethernet Code:
search tekorei.home Code:
options { Code:
; Code:
; Code:
http_port 3128 transparent
iptables config. The default policies are set to ACCEPT. No other rules are set besides these ones because I'm still working on the iptables rules to have the default policy DROP. Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Can someone help? :confused: |
Your ACLs in squid are clearly useless...
http_access allow manager localhost <-- not matched as not manager on localhost
http_access deny manager <-- not matched as not manager
http_access deny CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <-- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY |
Sorry acid_kewpie, I don't get it... could you explain it to me please?
What do you mean by "not matched"? And I see that I put "red1" and not "network1"; that one is now OK :)
http_access allow manager localhost <-- not matched as not manager on localhost
http_access deny manager <-- not matched as not manager
http_access deny CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <-- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY
Do I have to put it like this?
http_access allow !manager localhost <-- not matched as not manager on localhost
http_access deny !manager <-- not matched as not manager
http_access deny !CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <-- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY
Can you tell me a little more? :) |
edit:
Nuts, just ignore me |
I take it you really, really don't understand squid ACLs at all, right?
Based on the ACLs you have, you are telling it to block ALL normal requests. It's doing exactly what is being asked of it. The only point in the ACLs where there's a chance of being connected outside the local machine is where network1 is being permitted. But network1 is not defined anywhere... |
Well, I do understand something..
What I did was:
- defined manager --> acl manager...
- defined all possible requests --> acl all...
- defined localhost --> acl localhost...
- defined the secure ports --> acl SSL_ports...
- defined the connection itself --> acl CONNECT...
- defined the only network that I want to have access to squid --> acl network1
And after that, I started to close and open things up; squid accepts the first rule, like iptables, so they are posted in order to be secure. Like this..
http_access allow manager localhost --> so here I let manager in if it's coming from localhost.
http_access deny manager --> now deny manager from any other source.
http_access deny CONNECT !SSL_ports --> deny connections that don't come from the secure ports.
http_access allow network1 --> open all for network1 to connect to squid.
http_access deny all --> deny all other connections.
First it will open connections to manager from localhost. If the manager request comes from another source that is not localhost, it is denied. The other rule, for CONNECT, I really have to admit that I don't get it. I copied that from a paper that says it is just for denying connections that are not coming from good ports. Then I open the connection for network1 and after that close all other requests so no one can connect without my permission. If there is something wrong, please point it out to me :) Please homey, help me here too :) What was that you said? |
So where's the definition for network1?
CONNECT !SSL_ports means that the HTTP CONNECT method is only allowed to connect on ports which are known to require this, e.g. HTTPS. If someone is trying to use that method on an unknown / non-standard port, e.g. 1234, it is most likely a dubious thing going on, and so is denied. Not relevant here at all though, to be honest. |
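The first-match evaluation acid_kewpie describes, as an added example that is not part of the original thread: a small Python simulator of Squid 2.x http_access semantics (each line matches only when all of its ACLs match, `!` negates one ACL, the first matching line decides, and if no line matches Squid applies the opposite of the last line's action). It is run over a constructed squid.conf fragment shaped like the poster's, in which the subnet ACL is named red1 while the http_access line references the undefined network1. Assumptions: the ACL values (192.168.1.0/24, ports 443 and 563, the 127.0.0.1 localhost) are constructed; the simulator models Squid 2.x dropping an http_access line that names an undefined ACL after logging an error (Squid 3 refuses to start instead); only the src, port, method and proto ACL types are implemented.

```python
"""Simulate Squid 2.x http_access evaluation over a constructed config.
Example code for the thread, not Squid's own code."""
import ipaddress
from dataclasses import dataclass

# Constructed config fragment (assumption: values chosen for illustration).
# 'red1' is defined, but the allow line references the undefined 'network1'.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl red1 src 192.168.1.0/255.255.255.0

http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow network1
http_access deny all
"""


@dataclass(frozen=True)
class Request:
    src: str             # client address as Squid sees it
    dst_port: int        # origin-server port
    method: str = "GET"
    proto: str = "http"  # the cache manager uses the cache_object scheme


def parse_conf(text):
    """Return (acls, rules, warnings).
    acls:  name -> (type, values); rules: [(action, [(negated, name), ...])]."""
    acls, rules, warnings = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, atype, values = words[1], words[2], words[3:]
            if atype == "src":   # accepts both CIDR and addr/netmask notation
                values = [ipaddress.ip_network(v, strict=False) for v in values]
            elif atype == "port":
                values = [int(v) for v in values]
            acls.setdefault(name, (atype, []))[1].extend(values)
        elif words[0] == "http_access":
            action, terms = words[1], []
            for term in words[2:]:
                negated, name = term.startswith("!"), term.lstrip("!")
                if name not in acls:
                    # Modelled after Squid 2.x: "ACL name '...' not found" is
                    # logged and the whole line is dropped (assumption about
                    # 2.x; Squid 3 treats this as a fatal config error).
                    warnings.append(f"ignored (undefined ACL {name!r}): {line}")
                    terms = None
                    break
                terms.append((negated, name))
            if terms is not None:
                rules.append((action, terms))
    return acls, rules, warnings


def acl_matches(acl, req):
    atype, values = acl
    if atype == "src":
        return any(ipaddress.ip_address(req.src) in net for net in values)
    if atype == "port":
        return req.dst_port in values
    if atype == "method":
        return req.method.upper() in [v.upper() for v in values]
    if atype == "proto":
        return req.proto.lower() in [v.lower() for v in values]
    raise ValueError(f"ACL type {atype!r} not implemented in this example")


def http_access(acls, rules, req):
    """First line whose ACLs all match (after negation) decides."""
    for action, terms in rules:
        if all(acl_matches(acls[name], req) != neg for neg, name in terms):
            shown = " ".join(("!" if neg else "") + name for neg, name in terms)
            return action, f"matched: http_access {action} {shown}"
    if not rules:
        return "allow", "no http_access lines at all"
    last = rules[-1][0]  # no line matched: opposite of the last line's action
    return ("deny" if last == "allow" else "allow"), "no line matched"


def decide(conf_text, req):
    acls, rules, _ = parse_conf(conf_text)
    return http_access(acls, rules, req)[0]


if __name__ == "__main__":
    acls, rules, warnings = parse_conf(SQUID_CONF)
    for w in warnings:
        print("WARNING:", w)
    lan = Request("192.168.1.10", 80)
    print("as posted:", http_access(acls, rules, lan))
    fixed = SQUID_CONF.replace("allow network1", "allow red1")
    acls, rules, _ = parse_conf(fixed)
    print("with red1:", http_access(acls, rules, lan))
    print("CONNECT 1234:", http_access(acls, rules, Request("192.168.1.10", 1234, "CONNECT")))
    print("outsider:", http_access(acls, rules, Request("10.0.0.5", 80)))
```

Run as-is it prints the dropped-line warning and a deny for the LAN client; with the allow line pointing at the defined ACL the same client is allowed, CONNECT to a non-SSL port is still denied by the third line, and an address outside 192.168.1.0/24 falls through to `deny all`.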
I have edited the code for squid with the correct one.. now if you look at it, it will show that the ACL for network1 is there.
I have tried deleting all the acl and http_access lines and leaving just the acl for "network1" and the http_access for it. It is the same as before; the denied log message continues. I just don't understand why this is happening. Is it really a problem with squid? Or is it another problem? If the client machine gets the error "denied", does it mean that squid is listening but not accepting it as a machine inside "network1"? Any idea? :) I really know just the basics of configuring squid 2.5 as a transparent proxy. Before it was OK, I mean when it was squid 2.5; after I updated squid the problems started :) |
OK, well I'd still wonder about the config; editing the original doesn't prove that your actual config is now correct... Please post the FULL config again, along with the squid access log showing the issues you're having.
|
Resolved
Hello!!! I have good news! Now it is working!
The problem was that I did not know about the function of "follow_x_forwarded_for". Squid makes the default value for it "follow_x_forwarded_for deny all". So, the "acl all src 0.0.0.0" is all traffic that is coming in; if the default value is "..deny all" it was doing what the default says to do. The solution was to put in the last line of squid.conf: Code:
http_port 192.168.1.254:3128 transparent
|