Squid 403 after upgrade from Debian 8 to Debian 9

tiuz · 07-25-2020, 08:49 AM

Hello,

After upgrading from Debian 8 to Debian 9 i keep getting the following errors (taken from squid access.log)

1595683676.360 0 127.0.0.1 TCP_MISS/403 4311 GET http://linuxquestions.org/favicon.ico - HIER_NONE/- text/html
1595683676.360 1 127.0.0.1 TCP_MISS/403 4410 GET http://linuxquestions.org/favicon.ico - ORIGINAL_DST/127.0.0.1 text/htm

I checked with squid -k parse there are some warnings which i already tried while these commented out with the same result. Here is the output from squid -k parse:

2020/07/25 15:46:42| Startup: Initializing Authentication Schemes ...
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'basic'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'digest'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'negotiate'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'ntlm'
2020/07/25 15:46:42| Startup: Initialized Authentication.
2020/07/25 15:46:42| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2020/07/25 15:46:42| Processing: acl all src all
2020/07/25 15:46:42| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2020/07/25 15:46:42| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '::/0' from the ACL named 'all'
2020/07/25 15:46:42| Processing: acl manager proto cache_object
2020/07/25 15:46:42| UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.
2020/07/25 15:46:42| Processing: acl localhost src 127.0.0.1/32
2020/07/25 15:46:42| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2020/07/25 15:46:42| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2020/07/25 15:46:42| Processing: acl to_localhost dst 127.0.0.0/8
2020/07/25 15:46:42| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2020/07/25 15:46:42| Processing: acl borsti src 192.168.0.0/24
2020/07/25 15:46:42| Processing: acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
2020/07/25 15:46:42| Processing: acl SSL_ports port 443 # https
2020/07/25 15:46:42| Processing: acl SSL_ports port 563 # snews
2020/07/25 15:46:42| Processing: acl SSL_ports port 873 # rsync
2020/07/25 15:46:42| Processing: acl Safe_ports port 80 # http
2020/07/25 15:46:42| Processing: acl Safe_ports port 21 # ftp
2020/07/25 15:46:42| Processing: acl Safe_ports port 443 # https
2020/07/25 15:46:42| Processing: acl Safe_ports port 70 # gopher
2020/07/25 15:46:42| Processing: acl Safe_ports port 210 # wais
2020/07/25 15:46:42| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2020/07/25 15:46:42| Processing: acl Safe_ports port 280 # http-mgmt
2020/07/25 15:46:42| Processing: acl Safe_ports port 488 # gss-http
2020/07/25 15:46:42| Processing: acl Safe_ports port 591 # filemaker
2020/07/25 15:46:42| Processing: acl Safe_ports port 777 # multiling http
2020/07/25 15:46:42| Processing: acl Safe_ports port 631 # cups
2020/07/25 15:46:42| Processing: acl Safe_ports port 873 # rsync
2020/07/25 15:46:42| Processing: acl Safe_ports port 901 # SWAT
2020/07/25 15:46:42| Processing: acl purge method PURGE
2020/07/25 15:46:42| Processing: acl CONNECT method CONNECT
2020/07/25 15:46:42| Processing: http_access allow borsti
2020/07/25 15:46:42| Processing: http_access allow manager localhost
2020/07/25 15:46:42| Processing: http_access deny manager
2020/07/25 15:46:42| Processing: http_access allow purge localhost
2020/07/25 15:46:42| Processing: http_access deny purge
2020/07/25 15:46:42| Processing: http_access deny !Safe_ports
2020/07/25 15:46:42| Processing: http_access deny CONNECT !SSL_ports
2020/07/25 15:46:42| Processing: http_access allow localhost
2020/07/25 15:46:42| Processing: http_access deny all
2020/07/25 15:46:42| Processing: icp_access allow localnet
2020/07/25 15:46:42| Processing: icp_access deny all
2020/07/25 15:46:42| Processing: http_port 127.0.0.1:3128 transparent
2020/07/25 15:46:42| Starting Authentication on port 127.0.0.1:3128
2020/07/25 15:46:42| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2020/07/25 15:46:42| Processing: access_log /var/log/squid/access.log squid
2020/07/25 15:46:42| Processing: refresh_pattern ^ftp: 1440 20% 10080
2020/07/25 15:46:42| Processing: refresh_pattern ^gopher: 1440 0% 1440
2020/07/25 15:46:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2020/07/25 15:46:42| Processing: refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
2020/07/25 15:46:42| Processing: refresh_pattern . 0 20% 4320
2020/07/25 15:46:42| Processing: acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
2020/07/25 15:46:42| Processing: acl apache rep_header Server ^Apache
2020/07/25 15:46:42| Processing: hosts_file /etc/hosts
2020/07/25 15:46:42| Processing: coredump_dir /var/spool/squid

An iptables Rule for Dansguardian is present

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

Squid is up and running listening on default port 3128

Dansguardian is up and running

I can't figure out why after the upgrade vom Debian 8 to 9 i keep getting 403 on squid, thanks for any hint / help.