squid denies access to clients

Ronin_tekorei · 05-09-2007, 06:01 AM

Hello good people of Linux Questions.
I recently have upgraded my squid to the version 2.6.
Right in the begining encounter problems... It seems this new version changed the way to configure it for a transparency proxy.
After searching in google i have manage to confiruge it to transparent proxy server. But when a user machine tray to navigate throughout the proxy server it give the error of Access Denied. In the access control i have give permisions for him to use the proxy but it not seem to work.
This server have to be giving service just for the internal lan. Service are:
- Access to the internet throughout squid transparent proxy.
- Internal server for: Web page (httpd), Web Mail (webmail of apache server), ftp (vsftd) and Internal DNS (BIND 9.3.4).
So far all work great but the squid does not work. This is the part of log from the file access.log ot the squid while the machine2.internaldomain.home open the mozilla and try to open pages:

Code:

..
1178674986.492    447 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.104 text/html
1178674988.571    668 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.147 text/html
..

Now here goes my config for the server =D
Devices configs.
Conection to the internet:

Code:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
NETMASK=255.255.255.252
IPADDR=172.18.3.30
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=172.18.3.29

Conection to the Internal LAN

Code:

TYPE=Ethernet
DEVICE=eth1
HWADDR=xx:xx:xx:xx:xx:xx
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.254
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

resolv.conf file:

Code:

search tekorei.home
nameserver 127.0.0.1

named.conf

Code:

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
query-source address * port 53;
listen-on { 127.0.0.1; 192.168.1.254; };
allow-query { 127.0.0.1; 192.168.1.0/24; };
..Deleted Content..
zone "internaldomain.home" IN {
type master;
file "data/internaldomain.home.zone";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "data/reverse.internaldomain.home.zone";
allow-update { none; };
};
..Deleted Content..

internaldomain.home.zone file

Code:

;
$TTL 1D
@ IN SOA server.internaldomain.home. sysadmin.internaldomain.home. (
2007050301 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
IN NS server;
IN MX 10 server;
internaldomain.home. IN A 192.168.1.254;
server IN A 192.168.1.254;
www IN CNAME server;
ftp IN CNAME server;
mail IN CNAME server;
machine1 IN A 192.168.1.1;
machine2 IN A 192.168.1.2;

reverse.internaldomain.home.zone file

Code:

;
$TTL 1D
@ IN SOA server.internaldomain.home. sysadmin.internaldomain.home. (
2007050301;
8H;
2H;
4W;
1D );
IN NS server.internaldomain.home.
254 IN PTR server.internaldomain.home.;
1 IN PTR machine1.internaldomain.home.;
2 IN PTR machine2.internaldomain.home.;

squid.conf file

Code:

http_port 3128 transparent
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 3000 16 256
access_log /var/log/squid/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl manager proto cache_object
acl all src 0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl network1 src 192.168.1.0/255.255.255.0<--This one was set to "red1" now it is correct thanks to acid_kewpie.
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow network1
http_access deny all 
http_reply_access allow all
icp_access allow all
error_directory /usr/share/squid/errors/Spanish
coredump_dir /var/spool/squid

In the original file acl network1 is called acl red1 in spanish, i translated to english for you all

it was an error of translation. In the original file they are called acl red1 and http_access allow red1 sorry for this

iptables config. Default policy are set to accept. No other rules are set besides this ones becose i'm still working on the iptables rules to have default policy to drop.

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $172.18.3.30

I also have configured the internal server for web pages (httpd), dovecot and senmail for internal mail and the vsftpd. If needed i will post the config for each one of this services.
Does someone can help?

acid_kewpie · 05-09-2007, 06:08 AM

your acl's in squid are clearly useless...

http_access allow manager localhost <-- not matched as not manager on localhost
http_access deny manager <-- not matched as not manager
http_access deny CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY

Ronin_tekorei · 05-09-2007, 06:37 PM

Sorry acid_kewpie, i don't get it... coul you explain to me please?
What do you meant by "not matched" & i see that i put "red1" and no "network1" that one is now ok

http_access allow manager localhost <-- not matched as not manager on localhost
http_access deny manager <-- not matched as not manager
http_access deny CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY

Do i have to put like this?
http_access allow !manager localhost <-- not matched as not manager on localhost
http_access deny !manager <-- not matched as not manager
http_access deny !CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY

Can you tell me a little more?

homey · 05-09-2007, 07:26 PM

edit:
Nuts, just ignore me

acid_kewpie · 05-10-2007, 01:27 AM

i take it you really really don't understand squid acl's at all right?

based on the acl's you have, you are telling it to block ALL normal requests. it's doing exactly what is being asked of it. the only point in the acl's where there's a chance for being connected outside the local machine is where network1 is being permitted. but networks1 is not defined anywhere...

Ronin_tekorei · 05-10-2007, 03:24 AM

Well, i do understand something..

what i did was:
Defined manager --> acl manager...
defined all posible request --> acl all...
defined localhost --> acl localhost...
defined the secure ports --> acl SSL_ports...
difined the conection it selft --> acl CONNECT...
defined the only network that i want to have access to squid --> acl network1

And after that, i start to close and open things up, the squid accept the first rule like iptables... so they ares post in order to be secure. like this..

http_access allow manager localhost--> so here i let manager if its comming from localhost.
http_access deny manager--> now deny manager form any other source.
http_access deny CONNECT !SSL_ports--> deny connections that don't came from the secure ports
http_access allow network1--> open all for network1 to conect to squid.
http_access deny all--> deny all other conections.

First will open conection to manager from localhost. If the petition manager come from other source that is not localhost it is denied. The other rule to CONNECT i really have to admit that don't get it. I have copy that from a papper that says it is for just deny conection that are not coming from good ports. Then i open the conecction for network1 and after that close all other petitions so no one can cannect whitoutgh my permition.

If ther is something wron please point it to me

Please homey help me here too

what was that you say?

acid_kewpie · 05-10-2007, 03:28 AM

so where's the definition for network1?

CONNECT !SSL_ports means that the HTTP CONNECT method is only allowed to connect on ports which are known to require this, e.g. HTTPS. if someone is trying to use that method on an unknown / non-standrd port, e.g. 1234, it is most likely a dubios thing going on, and so is denied. not relevant here at all thoguh to be honest.

Ronin_tekorei · 05-10-2007, 06:59 AM

I have edited the code for the squid whit the correct one.. now if you look at it it will show that the acl for network1 is there.
I have tray and deleted all the acl and http_access and leave just the acl for "network1" one and the http_access for it.
It is the same as before, the denied log messege continue. I just don't undertand whay is this hapening. It is really a problem of the squid? or is another problem? If the client machine gets the error "denied" it meas that the squid is listening but no accepting it as one machine inside of the "network1"?. Any idea?

i really know just the basics to configure squid 2.5 as a transparent proxy. Before it was ok, i meant when it was squid 2.5, after i have update squid the problems startet

acid_kewpie · 05-10-2007, 07:49 AM

ok, weell i'd still wonder about the config, editing the original doesn't prove that your actual config is now correct... please post the FULL config agani, along with the squid access log showing the issues you're having.

Ronin_tekorei · 05-11-2007, 09:35 PM

Hello!!! I have good news! now it is working!

The problem was that i did not know about the funtion of "follow_x_forwarded_for" The squid makes the defaul value for it to: "follow_x_forwarded_for deny all". So, the "acl all src 0.0.0.0" is every trafic that its comming. if the defaul value is "..deny all" it was doing what the default say to do.

The solution was to put in the last line ot the squid.conf:

Code:

http_port 192.168.1.254:3128 transparent
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 3000 16 256
access_log /var/log/squid/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl manager proto cache_object
acl all src 0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl network1 src 192.168.1.0/255.255.255.0

always_direct allow network1
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow network1
http_access deny all

http_reply_access allow network1
icp_access allow network1

error_directory /usr/share/squid/errors/Spanish
coredump_dir /var/spool/squid
follow_x_forwarded_for allow network1 --> This one here =D

So it is done.. thanks a lot acid_kewpie!!!

Quote:

...editing the original doesn't prove that your actual config is now correct...

thanks to that i have go deep in the config and found the solution!!