Old 06-07-2004, 11:13 PM   #1
Lucinda
Member
 
Registered: May 2004
Location: Atlanta, GA
Distribution: Slackware Current
Posts: 54

Rep: Reputation: 15
Access Denied Using Squid


I have been configuring Squid to use on my home computer so it has a
very uncomplicated set up. I've configured the squid.conf file
according to the many instructions I've seen on the internet but I
have the following message when I try to access a website:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.google.com/

The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being
allowed at this time. Please contact your service provider if you feel
this is incorrect.


I've checked the log file and everything looks fine there. Squid is running with no problem. I think it must be how I have http_access configured, but I followed the default instructions. This is what my squid.conf file looks like:

Code:
#  TAG: http_access
#	Allowing or Denying access based on defined access lists
#
#	Access to the HTTP port:
#	http_access allow|deny [!]aclname ...
#
#	NOTE on default values:
#
#	If there are no "access" lines present, the default is to deny
#	the request.
#
#	If none of the "access" lines cause a match, the default is the
#	opposite of the last line in the list.  If the last line was
#	deny, then the default is allow.  Conversely, if the last line
#	is allow, the default will be deny.  For these reasons, it is a
#	good idea to have an "deny all" or "allow all" entry at the end
#	of your access lists to avoid potential confusion.
#
#Default:

#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all
Any thoughts on this? Am I missing something really obvious?

Thanks in advance,
Lucinda
 
Old 06-08-2004, 05:26 AM   #2
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
Don't forget to add the acl for "our_network". It should be before the "deny all" line.
 
Old 06-08-2004, 09:42 PM   #3
Lucinda
Member
 
Registered: May 2004
Location: Atlanta, GA
Distribution: Slackware Current
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks! Point well taken....

I changed the conf file to this, which I think should work (I got the
IP address from LISaDaemon):

INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.0.0/24
http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all

I set the http_port to 8080 and then configured firefox as follows:

HTTP Proxy : 127.0.0.1 Port: 8080
SSL Proxy : 127.0.0.1 Port :8080

and there is no proxy for localhost, 127.0.0.1

Squid is running fine. When I try to open a web page, I now get a
message that says "The connection was refused when attempting to
contact the proxy server you have configured. Please check your proxy
settings and try again."


I am also running a firewall script as follows, could this be part of
the problem?

#!/bin/bash
#
# Basic script to keep the nasties out of slack-lap
# First we make the default policy to drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow established connections and programs that use loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# Lets allow ssh to connect
iptables -A INPUT -p tcp --dport 22 -i ppp0 -j ACCEPT
#end script

I am really new to linux and I find this networking stuff a bit
confusing..but I'm learning..., so please bear with me!

Thanks,
Lucinda
 
Old 06-08-2004, 11:42 PM   #4
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
Your IP address

How are you connecting to the Internet? PPP, a router?

Can you ping outside websites? i.e.

ping google.com

If you can't ping, squid can't get out, you have a network or firewall problem.

Here are some snapshots from a working squid.conf:

This network is on 192.168.0.0
# I left the port on 3128, 8080 is OK
http_port 3128

#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl ournetwork src 192.168.0.1-192.168.0.255/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl here dstdomain localhost
acl lifetimewebsites dst 208.186.130.30/255.255.255.255

...
http_access allow localhost
http_access allow here
http_access allow manager localhost
http_access deny !ournetwork
http_access deny manager
http_access deny !Safe_ports
# http_access deny badsites
# http_access deny badurls
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny CONNECT !SSL_ports
http_access allow ournetwork
http_access deny all


Also, I always recommend WEBMIN, from www.webmin.com. It will help you set up a working squid.conf file and many other sysadmin tasks more easily.
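Added example, not part of any post in the thread: a small Python model of how Squid walks `http_access` lines (first match wins, ACLs on one line are ANDed, and the fallback is the opposite of the last line, as the quoted squid.conf comments describe), run against the source-address rules from posts #1, #3 and #4. It assumes only `src` ACLs matter for a plain request to port 80, writes the 192.168.0.x range from post #4 as 192.168.0.0/24 under the name `our_networks`, and uses constructed client addresses.

```python
import ipaddress

# src ACLs as quoted in the thread; other ACL types (port, method, proto) are left out.
ACLS = {
    "all": ["0.0.0.0/0"],
    "localhost": ["127.0.0.1/32"],
    "our_networks": ["192.168.0.0/24"],  # post #4 calls this ACL "ournetwork"
}

def acl_matches(name, src, acls=ACLS):
    """True if the source IP matches the ACL; a leading '!' negates the result."""
    negate = name.startswith("!")
    addr = ipaddress.ip_address(src)
    hit = any(addr in ipaddress.ip_network(net) for net in acls[name.lstrip("!")])
    return hit != negate

def http_access(rules, src, acls=ACLS):
    """Evaluate http_access lines top to bottom; the first matching line decides."""
    if not rules:
        return "deny"  # no access lines at all: the request is denied
    for line in rules:
        action, *names = line.split()
        if all(acl_matches(n, src, acls) for n in names):  # ACLs on one line are ANDed
            return action
    # Nothing matched: the default is the opposite of the last line.
    return "deny" if rules[-1].split()[0] == "allow" else "allow"

# Source-relevant http_access lines from each configuration in the thread.
POST_1 = ["deny all"]
POST_3 = ["allow our_networks", "deny all"]
POST_4 = ["allow localhost", "deny !our_networks", "allow our_networks", "deny all"]

if __name__ == "__main__":
    # 192.168.0.10 and 10.0.0.5 are constructed sample client addresses.
    for label, rules in (("post 1", POST_1), ("post 3", POST_3), ("post 4", POST_4)):
        for src in ("127.0.0.1", "192.168.0.10", "10.0.0.5"):
            print(f"{label}: {src:<13} -> {http_access(rules, src)}")
```

In this model a browser pointed at 127.0.0.1 arrives with source 127.0.0.1, which the 192.168.0.0/24 ACL does not cover; only a rule set with an explicit `allow localhost` line admits it.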
 
Old 06-09-2004, 06:22 AM   #5
Lucinda
Member
 
Registered: May 2004
Location: Atlanta, GA
Distribution: Slackware Current
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks for your help. Yes, I can ping, so it looks like I don't have a firewall problem.

How did you configure your browser settings? I think that's where I may have a problem. I may not have configured firefox correctly.
 
Old 06-09-2004, 05:49 PM   #6
Lucinda
Member
 
Registered: May 2004
Location: Atlanta, GA
Distribution: Slackware Current
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks for the info from your configuration file. Based on your model, I changed mine as follows:

Code:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.0/8
acl our_networks src 192.168.0.0/24 
acl SSL_ports port 443 563
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl here dstdomain localhost
acl CONNECT method CONNECT

<snip>

# Only allow cachemgr access from localhost
#added 06/09/2004
http_access allow localhost
http_access allow here
http_access allow manager localhost
http_access deny !our_networks
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

<snip>

http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all
I am still getting the message that my proxy server isn't configured correctly. Should I be using acl our_networks src 192.168.0.0/24? When I looked at the LISaDaemon set up, it said the IP address was 192.168.0.0 but everyone else's examples seem to use 192.168.0.1, etc.

Do I have firefox configured correctly? It is set to:

HTTP Proxy : 127.0.0.1 Port: 8080
SSL Proxy : 127.0.0.1 Port :8080

and there is no proxy for localhost, 127.0.0.1

I am using an ethernet connection for my cable modem, that is how I am getting out to the internet.

Any other suggestions?

Thanks.

-Lucinda
 
Old 06-09-2004, 11:00 PM   #7
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
Good. If you are using a router to connect to the cable modem, your gateway is probably 192.168.0.1

As root, type:

ifconfig

The "inet addr:" field will show you your IP address. This is the address you should use in firefox.

The acl our_networks src 192.168.0.0/24 line in squid.conf allows everyone on your network (192.168.0.*) to access your proxy.

If you are using DHCP and your address changes depending on when you boot up, you can use the Hardware Address that you learned from ifconfig to program your router to set your IP address to a fixed number.
 
Old 06-10-2004, 06:06 AM   #8
Lucinda
Member
 
Registered: May 2004
Location: Atlanta, GA
Distribution: Slackware Current
Posts: 54

Original Poster
Rep: Reputation: 15
Jerre,

Thanks for all your help. I finally got it to work! I used WebMin to troubleshoot squid.conf. It's so much easier to use a GUI to see what's going on with that file.

Now my browser is surfing at incredible speeds.

Now I'm going to use WebMin to figure out how to configure my firewall...

Thanks again!
 
Old 06-10-2004, 06:30 AM   #9
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
No problem. Now that you're an expert, you need to install squidGuard to filter the websites--see squidGuard.org

Webmin will help you configure it as a helper application.
 
  

