LinuxQuestions.org
Old 12-28-2014, 08:11 PM   #1
dscondon
Squid Error 403 on Splash_Page Config


I am trying to set up a splash page for squid 3.1.2 running squidGuard for Black List Control.

I have tried many versions of the config for external_ACL; however, I always get Access Denied (squid Error 403) when trying to surf.

Code:
#       WELCOME TO SQUID 3.1.20
#       ----------------------------

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.16.1.0/25
acl staff src 172.16.1.128/26
acl admin src 172.16.1.192/26

# Ports
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

acl CONNECT method CONNECT

http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny to_localhost
icp_access deny all
htcp_access deny all

http_port 8888 transparent
visible_hostname fae.sonorajoes.com

#Suggested default:
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .		0	20%	4320

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

# Splash page
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/lib/squid3/squid_session -t 7200 -b /var/lib/squid/session.db
acl existing_users external splash_page
deny_info http://fae.sonorajoes.com/splash.php?url=%s guest_users

# Allow localnet machines to whitelisted sites
http_access allow whitelist
http_access deny localnet !existing_users
# http_access allow localnet
http_access allow staff
http_access allow admin

# block all other access
http_access deny all

# Cache
cache_mem 512 MB
cache_effective_user proxy
cache_effective_group proxy

# SquidGuard
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
Any help would be appreciated.
 
Old 12-29-2014, 11:12 AM   #2
bathory
Quote:
# Splash page
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/lib/squid3/squid_session -t 7200 -b /var/lib/squid/session.db
acl existing_users external splash_page
deny_info http://fae.sonorajoes.com/splash.php?url=%s guest_users
There is no "guest_users" ACL. I guess you should use "existing_users" instead

Regards
 
Old 12-29-2014, 07:37 PM   #3
dscondon
I tried "existing_users"; I still get the same "403 Access Denied" when attempting to surf.

Here is updated Config:
Code:
#       WELCOME TO SQUID 3.1.20
#       ----------------------------

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.16.1.0/25
acl staff src 172.16.1.128/26
acl admin src 172.16.1.192/26

# Ports
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

acl CONNECT method CONNECT

http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny to_localhost
icp_access deny all
htcp_access deny all

http_port 8888 transparent
visible_hostname fae.sonorajoes.com

#Suggested default:
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .		0	20%	4320

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

# Splash page
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/lib/squid3/squid_session -t 7200 -b /var/lib/squid/session.db
acl existing_users external splash_page
deny_info http://fae.sonorajoes.com/splash.php?url=%s existing_users

# Allow localnet machines to whitelisted sites
http_access allow whitelist
http_access deny localnet !existing_users
http_access allow staff
http_access allow admin

# block all other access
http_access deny all

# Cache
cache_mem 512 MB
cache_effective_user proxy
cache_effective_group proxy

# SquidGuard
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
Here are /var/log/squid3/access.log
Code:
1419902793.976      2 172.16.1.54 TCP_DENIED/403 3855 GET http://purple.com/ - NONE/- text/html
1419902794.885      0 172.16.1.54 TCP_DENIED/403 3801 GET http://purple.com/favicon.ico - NONE/- text/html
1419902810.518      0 172.16.1.54 TCP_DENIED/403 3855 GET http://purple.com/ - NONE/- text/html
1419902810.688      0 172.16.1.54 TCP_DENIED/403 3801 GET http://purple.com/favicon.ico - NONE/- text/html
Not sure what to try from here.
 
Old 12-30-2014, 03:52 PM   #4
bathory
Quote:
Not sure what to try from here.
You can add .sonorajoes.com in the whitelisted domain in file /etc/squid3/whitelist.txt.
Of course you need to restart squid any time you make changes in squid.conf


Quote:
Here are /var/log/squid3/access.log

1419902793.976 2 172.16.1.54 TCP_DENIED/403 3855 GET http://purple.com/ - NONE/- text/html
1419902794.885 0 172.16.1.54 TCP_DENIED/403 3801 GET http://purple.com/favicon.ico - NONE/- text/html
1419902810.518 0 172.16.1.54 TCP_DENIED/403 3855 GET http://purple.com/ - NONE/- text/html
1419902810.688 0 172.16.1.54 TCP_DENIED/403 3801 GET http://purple.com/favicon.ico - NONE/- text/html
Huh, is purple.com the host that serves the splash page, or is it fae.sonorajoes.com?
 
Old 12-30-2014, 04:03 PM   #5
dscondon
I already have fae.sonorajoes.com in the whitelist. (fae.sonorajoes.com is FQDN of the squid / Apache2 server)
I added .sonorajoes.com to the whitelist and it allows "localnet" out of intranet to our WWW located on an off site hosted server. Without getting splash_page.
purple.com is just a generic FQDN of a 3rd party website. I use it since I know it is always just a purple screen for testing internet access past our firewall.

If you look at the conf file I posted, the Deny_info shows fae.sonorajoes.com/splash.php?url=%s. Should that be the static IP of the Apache2 installation?
 
Old 12-30-2014, 07:59 PM   #6
dscondon
It appears I have fixed the issue.
I did not have an ACL for http_access allow existing_users after the deny statement.
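
Added example (not part of the original thread): a simplified Python model of Squid's first-match http_access evaluation, run over the rule list posted above, showing why a localnet client that already has a session still reaches `http_access deny all` and gets a 403 until an allow line for `existing_users` is added. The session state is passed in as a flag rather than asked of the real squid_session helper, and the verdict names are assumptions of this sketch.

```python
import ipaddress

# http_access lines from the thread's squid.conf, in order (constructed subset:
# the manager/localhost/Safe_ports rules are left out because they do not
# match a localnet client fetching http://purple.com/).
POSTED = """\
http_access allow whitelist
http_access deny localnet !existing_users
http_access allow staff
http_access allow admin
http_access deny all
"""
# Same list with the line the original poster reports adding in post #6.
FIXED = POSTED.replace(
    "http_access deny localnet !existing_users\n",
    "http_access deny localnet !existing_users\n"
    "http_access allow existing_users\n")

SUBNETS = {"localnet": "172.16.1.0/25", "staff": "172.16.1.128/26",
           "admin": "172.16.1.192/26"}
DENY_INFO_ACL = "existing_users"   # ACL named on the deny_info line


def acl_matches(name, client_ip, whitelisted, has_session):
    """Evaluate one named ACL for a request (simplified model)."""
    if name == "all":
        return True
    if name == "whitelist":
        return whitelisted
    if name == "existing_users":
        return has_session          # stands in for the squid_session answer
    net = ipaddress.ip_network(SUBNETS[name])
    return ipaddress.ip_address(client_ip) in net


def evaluate(rules, client_ip, whitelisted=False, has_session=False):
    """Return (verdict, rule): first http_access line whose ACLs all match."""
    for line in rules.strip().splitlines():
        _, action, *terms = line.split()
        ok = all(acl_matches(t.lstrip("!"), client_ip, whitelisted, has_session)
                 != t.startswith("!") for t in terms)
        if not ok:
            continue
        if action == "allow":
            return "ALLOW", line
        # deny_info applies when it names the last ACL on the denying line.
        splash = terms[-1].lstrip("!") == DENY_INFO_ACL
        return ("SPLASH_REDIRECT" if splash else "DENY_403"), line
    return "DENY_403", "(no rule matched)"  # not reached: lists end in deny all
```
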
 
  


All times are GMT -5.