LinuxQuestions.org
Old 02-18-2010, 09:50 AM   #1
pliqui
Member
 
Registered: Feb 2007
Location: Caracas, Venezuela
Distribution: Debian x64
Posts: 156

Rep: Reputation: 17
Squid3 Deny all traffic (Ignoring ACL)


Hello all,

I have a squid3 on a debian lenny box but cannot get access to any site.

If I remove the http_access deny all, it works, but I just want those IPs to get access to squid.

My squid.conf

Code:
intranet:/etc/squid3# cat squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl all src 0.0.0.0/0
acl pliqui src 180.183.64.33
acl mochis src 180.183.64.34
acl profe src 120.48.26.17
acl nacho src 180.183.68.88
acl eduardo src 180.183.68.85
acl quelita src 120.48.28.36
acl pipino  src 120.48.27.29
acl batibati src 180.183.66.35
acl elmio src 120.48.35.44
acl bad_url url_regex "/etc/squid3/bad-sites.acl"


acl SSL_ports  port 443 494 2598
acl Safe_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
never_direct allow all

http_access allow pliqui
http_access allow mochis
http_access allow profe
http_access allow nacho
http_access allow eduardo
http_access allow quelita
http_access allow pipino
http_access allow batibati
http_access allow elmio
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url
http_access deny all
htcp_access deny all

http_port 3128
icp_port 3130


cache_peer xxx.xxx.xxx.xxx parent 80 3130 no-query name=isa


cache_replacement_policy lru
cache_mem 256 MB
maximum_object_size_in_memory 2560 KB
cache_dir ufs /var/spool/squid3 5120 16 256
maximum_object_size 1048576 KB

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

#TIMEOUTS
connect_timeout 8 seconds
peer_connect_timeout 3 seconds

#LOGS
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid

Sample of access.log

Code:
1266500703.544      1 127.0.0.1 TCP_MISS/200 926 GET cache_object://localhost/storedir - NONE/- text/plain
1266500706.821      0 127.0.0.1 TCP_MISS/200 1577 GET cache_object://localhost/counters - NONE/- text/plain
1266500706.903      0 127.0.0.1 TCP_MISS/200 1577 GET cache_object://localhost/counters - NONE/- text/plain
1266500716.843      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500716.915      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.288      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.351      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.483      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.536      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.644      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.708      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.814      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.863      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.967      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500718.024      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500718.128      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500718.181      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500744.607      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm3.static.flickr.com/2769/4362782644_25dd632e07_m.jpg - NONE/- text/html
1266500754.223      0 180.183.66.33 TCP_DENIED/403 2935 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - NONE/- text/html
1266500760.947      0 180.183.66.33 TCP_DENIED/403 2508 GET http://www.squid-cache.org/Doc/config/never_direct/ - NONE/- text/html
1266500765.405      0 180.183.66.33 TCP_DENIED/403 2544 GET http://www.squid-cache.org/Doc/config/never_direct/ - NONE/- text/html
1266500805.610      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm3.static.flickr.com/2744/4367941896_c52f556dfd_m.jpg - NONE/- text/html
1266500896.689      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500896.758      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.134      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.198      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.345      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.410      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.504      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.553      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.697      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.747      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.859      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.923      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.036      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.099      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.222      0 180.183.66.33 TCP_DENIED/403 2692 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.280      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.482      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.534      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.676      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.748      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.870      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.922      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500927.631      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm5.static.flickr.com/4050/4367197921_6c3ff39dee_m.jpg - NONE/- text/html
1266500988.634      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm3.static.flickr.com/2685/4367935646_eb0809b421_m.jpg - NONE/- text/html
1266501003.647      0 127.0.0.1 TCP_DENIED/403 1866 GET cache_object://localhost/storedir - NONE/- text/html
1266501007.045      0 127.0.0.1 TCP_DENIED/403 1866 GET cache_object://localhost/counters - NONE/- text/html
1266501007.089      0 127.0.0.1 TCP_DENIED/403 1866 GET cache_object://localhost/counters - NONE/- text/html
1266501088.145      3 120.48.32.176 TCP_DENIED/403 2207 POST http://setiboinc.ssl.berkeley.edu/sah_cgi/cgi - NONE/- text/html
1266501093.757      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501093.827      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.248      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.307      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.442      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.512      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.616      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.666      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.765      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.815      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.927      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.992      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501095.104      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501095.160      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501095.265      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501095.317      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501095.427      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501095.479      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501110.705      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm5.static.flickr.com/4025/4367178211_5bce0d5b16_m.jpg - NONE/- text/html
1266501178.172  59690 180.183.66.33 TCP_REFRESH_FAIL/200 168180 GET http://www.eluniversal.com/index.html - DIRECT/204.228.236.21 text/html

Thanks for any help.

Last edited by pliqui; 02-18-2010 at 02:20 PM.
 
Old 02-18-2010, 10:15 AM   #2
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
The conf file looks fine. Could you try restructuring the squid.conf rules, like moving the below-mentioned lines above the http_access lines, and check?

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Move the http_port and icp_port also above.

--
Prasanta
 
Old 02-18-2010, 10:26 AM   #3
pliqui
Member
 
Registered: Feb 2007
Location: Caracas, Venezuela
Distribution: Debian x64
Posts: 156

Original Poster
Rep: Reputation: 17
Hello Prasanta,

Just moved the lines you said and nothing

Code:
intranet:/etc/squid3# cat squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl all src 0.0.0.0/0
acl pliqui src 180.183.64.33
acl mochis src 180.183.64.34
acl profe src 120.48.26.17
acl nacho src 180.183.68.88
acl eduardo src 180.183.68.85
acl quelita src 120.48.28.36
acl pipino  src 120.48.27.29
acl batibati src 180.183.66.35
acl elmio src 120.48.35.44
acl bad_url url_regex "/etc/squid3/bad-sites.acl"


acl SSL_ports  port 443 494 2598
acl Safe_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
never_direct allow all

http_port 3128
icp_port 3130

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url
http_access allow pliqui
http_access allow mochis
http_access allow profe
http_access allow nacho
http_access allow eduardo
http_access allow quelita
http_access allow pipino
http_access allow batibati
http_access allow elmio
http_access allow manager localhost
http_access deny all
htcp_access deny all

cache_peer xxxx.xxxx.xxxx.xxx parent 80 3130 no-query name=isa

cache_replacement_policy lru
cache_mem 256 MB
maximum_object_size_in_memory 2560 KB
cache_dir ufs /var/spool/squid3 5120 16 256
maximum_object_size 1048576 KB

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

#TIMEOUTS
connect_timeout 8 seconds
peer_connect_timeout 3 seconds

#LOGS
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid

Still getting:
Quote:
ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.eluniversal.com/

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.


Generated Thu, 18 Feb 2010 16:20:59 GMT by localhost (squid/3.0.STABLE19)

And the funny thing is that even if I log into the Debian box and try to surf the web as localhost, I still get the Access Denied.

Note: After moving the lines as you asked and commenting out the http_access deny all, I got the Access Denied error too.

Last edited by pliqui; 02-18-2010 at 02:21 PM. Reason: finding
 
Old 02-18-2010, 02:24 PM   #4
pliqui
Member
 
Registered: Feb 2007
Location: Caracas, Venezuela
Distribution: Debian x64
Posts: 156

Original Poster
Rep: Reputation: 17
I made it work; it was the order of the squid.conf.

This is the order I got, for future reference, and to avoid errors trying to get https pages you must have the never_direct allow all sentence.

Code:
intranet:/etc/squid3# cat squid.conf
# CACHE PEER
cache_peer xxx.xxx.xxx.xxx parent 80 3130 no-query name=isa

# ACLS
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl pliqui src 180.183.66.33
acl junior src 180.183.66.47
acl mochis src 180.183.66.34
acl profe src 120.48.32.176
#acl all src 0.0.0.0/0
acl bad_url url_regex "/etc/squid3/bad-sites.acl"

# SAFE PORTS
acl SSL_ports  port 443 494 2598
acl Safe_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
never_direct allow all

# HTTP ACCESS
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url
http_access allow localhost
http_access allow pliqui
http_access allow junior
http_access allow mochis
http_access allow profe
http_access deny all
icp_access deny all
htcp_access deny all

# PUERTOS
http_port 3128
icp_port 3130

# CACHE CFG
cache_replacement_policy lru
cache_mem 256 MB
maximum_object_size_in_memory 2560 KB
cache_dir ufs /var/spool/squid3 5120 16 256
maximum_object_size 1048576 KB

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

#TIMEOUTS
connect_timeout 8 seconds
peer_connect_timeout 3 seconds

#LOGS
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid
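As an added example (not code from the thread), a small Python model of how Squid walks its http_access lines: top to bottom, the first line whose ACLs all match decides, a leading '!' negates one ACL, and if nothing matches the default is the opposite of the last line's action. Run over constructed excerpts of the post #1 and post #4 configs, it shows both things that changed between them: the client 180.183.66.33 seen in the access.log matched no src ACL in the first config, and with the allow lines placed before the deny lines an allowed client could CONNECT to any port. Only src, port and method ACLs are modelled, and the url_regex (bad_url) ACL is assumed never to match.

```python
# Model of Squid http_access evaluation (added example, not from the thread):
# first matching line wins, '!' negates, only src/port/method ACLs modelled.
# ACLS, ORIG_CONF and FINAL_CONF are constructed excerpts of the posted configs.
import ipaddress
ACLS = """acl localhost src 127.0.0.1/32
acl SSL_ports port 443 494 2598
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""
# Post #1: pliqui's address is not the one seen in access.log, allow first.
ORIG_CONF = ACLS + """acl pliqui src 180.183.64.33
http_access allow pliqui
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""
# Post #4: corrected address, deny lines before the allow lines.
FINAL_CONF = ACLS + """acl pliqui src 180.183.66.33
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow pliqui
http_access deny all
"""
def parse_conf(text):
    """Collect acl definitions and http_access lines in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(name, acls, req):
    # req is a dict with the src, method and port of one request
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # each value is a single port or a lo-hi range
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    if kind == "method":
        return req["method"] in values
    return False  # url_regex (bad_url) and other types are not modelled

def http_access(conf, req):
    """First matching line decides -> (action, 1-based line number);
    with no match Squid uses the opposite of the last line's action."""
    acls, rules = parse_conf(conf)
    for i, (action, terms) in enumerate(rules, 1):
        if all(acl_matches(t.lstrip("!"), acls, req) != t.startswith("!") for t in terms):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0
```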