LinuxQuestions.org


laroseengineer 02-27-2008 08:25 PM

Squid Access Denied
 
I have a server running a squid proxy server and iptables set up through webmin. My client computers get an access denied error with a reference to acl problems. I have set up the debug level and checked the cache.log files but I can't see which acl is causing the problem. Here is my squid.conf file.

http_port 192.168.1.111:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,1, 32,2
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny !Safe_ports
http_access allow CONNECT SSL_PORTS
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow all manager localhost
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user administrator
cache_effective_group administrator
visible_hostname geekserver1.engineeringgeek.com
coredump_dir /var/spool/squid

Any help is appreciated. I am sure it is something simple that I am overlooking.

gilead 02-27-2008 08:33 PM

Have you looked in Squid's access log (it's separate to the cache.log)? It should show you which URLs are being blocked and which clients are requesting them. Based on your conf file, it looks like anyone with a 192.168.1. address should be able to access http:// URLs...

laroseengineer 02-28-2008 05:51 AM

Yes, I have looked in the access.log. I can ping a website just fine but I get the squid access denied page. I can see which client is getting the error which is a 403. Maybe the firewall is the culprit?

gilead 02-28-2008 06:17 PM

I don't think it's a firewall issue. The 403 response means that the web server received the request but refused to fulfill it. I'd start squid in debug mode, try it again and then check the logs to see which ACL is blocking access.

laroseengineer 02-28-2008 06:53 PM

I did run it in debug mode but the errors in the logs don't point to any specific acl. Maybe I am not doing it correctly. I have used:

squid -NCd10 (cli)
squid -z (cli)
debug_options ALL,1, 32,2 (in the config file)

Do you have any other suggestions or alternative debug modes? For some reason the cache.log and access.log files don't help or I just don't know how to read them correctly.

gilead 02-28-2008 08:34 PM

You should be able to change debug_options to ALL,9 or to start squid with:
Code:

squid -k debug
The debug_options setting isn't very well documented - or if it is, I couldn't find the info on it.

laroseengineer 02-28-2008 09:00 PM

Now that is better for debugging. Here is a tail | grep acl

The box I am trying to get on to the internet is 192.168.1.105. Any ideas? It looks like the aclMatchIp is found then it is NOT found. Also, check out the bottom post with regex.

2008/02/28 20:57:28| aclCheckFast: list: 0x82aa720
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:28| aclCheck: checking 'http_access deny all'
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheck: checking 'http_access allow geek_net'
2008/02/28 20:57:28| aclMatchAclList: checking geek_net
2008/02/28 20:57:28| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' found
2008/02/28 20:57:28| aclMatchAclList: returning 1
2008/02/28 20:57:28| aclCheck: match found, returning 1
2008/02/28 20:57:28| aclCheckCallback: answer=1
2008/02/28 20:57:28| aclCheck: checking 'cache deny QUERY'
2008/02/28 20:57:28| aclMatchAclList: checking QUERY
2008/02/28 20:57:28| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 20:57:28| aclMatchRegex: checking '/search?'
2008/02/28 20:57:28| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 20:57:28| aclMatchRegex: looking for '\?'
2008/02/28 20:57:28| aclMatchRegex: match '\?' found in '/search?'
2008/02/28 20:57:28| aclMatchAclList: returning 1
2008/02/28 20:57:28| aclCheck: match found, returning 0
2008/02/28 20:57:28| aclCheckCallback: answer=0
2008/02/28 20:57:28| aclCheckFast: list: (nil)
2008/02/28 20:57:28| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:28| aclCheckFast: list: 0x82aa838
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheckFast: no matches, returning: 0
2008/02/28 20:57:28| aclCheck: checking 'http_reply_access allow all'
2008/02/28 20:57:28| aclMatchAclList: checking all
2008/02/28 20:57:28| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:28| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:28| aclMatchAclList: no match, returning 0
2008/02/28 20:57:28| aclCheck: NO match found, returning 0
2008/02/28 20:57:28| aclCheckCallback: answer=0
2008/02/28 20:57:33| aclCheckFast: list: 0x82aa720
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:33| aclCheck: checking 'http_access deny all'
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheck: checking 'http_access allow geek_net'
2008/02/28 20:57:33| aclMatchAclList: checking geek_net
2008/02/28 20:57:33| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' found
2008/02/28 20:57:33| aclMatchAclList: returning 1
2008/02/28 20:57:33| aclCheck: match found, returning 1
2008/02/28 20:57:33| aclCheckCallback: answer=1
2008/02/28 20:57:33| aclCheck: checking 'cache deny QUERY'
2008/02/28 20:57:33| aclMatchAclList: checking QUERY
2008/02/28 20:57:33| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 20:57:33| aclMatchRegex: checking '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 20:57:33| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 20:57:33| aclMatchRegex: looking for '\?'
2008/02/28 20:57:33| aclMatchRegex: match '\?' found in '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 20:57:33| aclMatchAclList: returning 1
2008/02/28 20:57:33| aclCheck: match found, returning 0
2008/02/28 20:57:33| aclCheckCallback: answer=0
2008/02/28 20:57:33| aclCheckFast: list: (nil)
2008/02/28 20:57:33| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:33| aclCheckFast: list: 0x82aa838
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheckFast: no matches, returning: 0
2008/02/28 20:57:33| aclCheck: checking 'http_reply_access allow all'
2008/02/28 20:57:33| aclMatchAclList: checking all
2008/02/28 20:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:33| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:33| aclMatchAclList: no match, returning 0
2008/02/28 20:57:33| aclCheck: NO match found, returning 0
2008/02/28 20:57:33| aclCheckCallback: answer=0
2008/02/28 20:57:39| aclCheckFast: list: 0x82aa720
2008/02/28 20:57:39| aclMatchAclList: checking all
2008/02/28 20:57:39| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:39| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:39| aclMatchAclList: no match, returning 0
2008/02/28 20:57:39| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:40| aclCheck: checking 'http_access deny all'
2008/02/28 20:57:40| aclMatchAclList: checking all
2008/02/28 20:57:40| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheck: checking 'http_access allow geek_net'
2008/02/28 20:57:40| aclMatchAclList: checking geek_net
2008/02/28 20:57:40| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' found
2008/02/28 20:57:40| aclMatchAclList: returning 1
2008/02/28 20:57:40| aclCheck: match found, returning 1
2008/02/28 20:57:40| aclCheckCallback: answer=1
2008/02/28 20:57:40| aclCheck: checking 'cache deny QUERY'
2008/02/28 20:57:40| aclMatchAclList: checking QUERY
2008/02/28 20:57:40| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 20:57:40| aclMatchRegex: checking '/'
2008/02/28 20:57:40| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 20:57:40| aclMatchRegex: looking for '\?'
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheck: NO match found, returning 1
2008/02/28 20:57:40| aclCheckCallback: answer=1
2008/02/28 20:57:40| aclCheckFast: list: (nil)
2008/02/28 20:57:40| aclCheckFast: no matches, returning: 1
2008/02/28 20:57:40| aclCheckFast: list: 0x82aa838
2008/02/28 20:57:40| aclMatchAclList: checking all
2008/02/28 20:57:40| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheckFast: no matches, returning: 0
2008/02/28 20:57:40| aclCheck: checking 'http_reply_access allow all'
2008/02/28 20:57:40| aclMatchAclList: checking all
2008/02/28 20:57:40| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 20:57:40| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 20:57:40| aclMatchAclList: no match, returning 0
2008/02/28 20:57:40| aclCheck: NO match found, returning 0
2008/02/28 20:57:40| aclCheckCallback: answer=0

##

2008/02/28 21:22:58| aclMatchIp: '192.168.1.105' found
2008/02/28 21:22:58| aclMatchAclList: returning 1
2008/02/28 21:22:58| aclCheck: match found, returning 1
2008/02/28 21:22:58| aclCheckCallback: answer=1
2008/02/28 21:22:58| aclCheck: checking 'cache deny QUERY'
2008/02/28 21:22:58| aclMatchAclList: checking QUERY
2008/02/28 21:22:58| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 21:22:58| aclMatchRegex: checking '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:22:58| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 21:22:58| aclMatchRegex: looking for '\?'
2008/02/28 21:22:58| aclMatchRegex: match '\?' found in '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:22:58| aclMatchAclList: returning 1
2008/02/28 21:22:58| aclCheck: match found, returning 0
2008/02/28 21:22:58| aclCheckCallback: answer=0
2008/02/28 21:22:58| aclCheckFast: list: (nil)
2008/02/28 21:22:58| aclCheckFast: no matches, returning: 1
2008/02/28 21:22:58| aclCheckFast: list: 0x82aa838
2008/02/28 21:22:58| aclMatchAclList: checking all
2008/02/28 21:22:58| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:22:58| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:22:58| aclMatchAclList: no match, returning 0
2008/02/28 21:22:58| aclCheckFast: no matches, returning: 0
2008/02/28 21:22:58| aclCheck: checking 'http_reply_access allow all'
2008/02/28 21:22:58| aclMatchAclList: checking all
2008/02/28 21:22:58| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:22:58| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:22:58| aclMatchAclList: no match, returning 0
2008/02/28 21:22:58| aclCheck: NO match found, returning 0
2008/02/28 21:22:58| aclCheckCallback: answer=0
2008/02/28 21:23:03| aclCheckFast: list: 0x82aa720
2008/02/28 21:23:03| aclMatchAclList: checking all
2008/02/28 21:23:03| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:03| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:03| aclMatchAclList: no match, returning 0
2008/02/28 21:23:03| aclCheckFast: no matches, returning: 1
2008/02/28 21:23:04| aclCheck: checking 'http_access deny all'
2008/02/28 21:23:04| aclMatchAclList: checking all
2008/02/28 21:23:04| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:04| aclMatchAclList: no match, returning 0
2008/02/28 21:23:04| aclCheck: checking 'http_access allow geek_net'
2008/02/28 21:23:04| aclMatchAclList: checking geek_net
2008/02/28 21:23:04| aclMatchAcl: checking 'acl geek_net src 192.168.1.0/24'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' found
2008/02/28 21:23:04| aclMatchAclList: returning 1
2008/02/28 21:23:04| aclCheck: match found, returning 1
2008/02/28 21:23:04| aclCheckCallback: answer=1
2008/02/28 21:23:04| aclCheck: checking 'cache deny QUERY'
2008/02/28 21:23:04| aclMatchAclList: checking QUERY
2008/02/28 21:23:04| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/02/28 21:23:04| aclMatchRegex: checking '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:23:04| aclMatchRegex: looking for 'cgi-bin'
2008/02/28 21:23:04| aclMatchRegex: looking for '\?'
2008/02/28 21:23:04| aclMatchRegex: match '\?' found in '/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:24,goog-white-url:1:371,goog-black-url:1:18803,goog-black-enchash:1:45428'
2008/02/28 21:23:04| aclMatchAclList: returning 1
2008/02/28 21:23:04| aclCheck: match found, returning 0
2008/02/28 21:23:04| aclCheckCallback: answer=0
2008/02/28 21:23:04| aclCheckFast: list: (nil)
2008/02/28 21:23:04| aclCheckFast: no matches, returning: 1
2008/02/28 21:23:04| aclCheckFast: list: 0x82aa838
2008/02/28 21:23:04| aclMatchAclList: checking all
2008/02/28 21:23:04| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:04| aclMatchAclList: no match, returning 0
2008/02/28 21:23:04| aclCheckFast: no matches, returning: 0
2008/02/28 21:23:04| aclCheck: checking 'http_reply_access allow all'
2008/02/28 21:23:04| aclMatchAclList: checking all
2008/02/28 21:23:04| aclMatchAcl: checking 'acl all src 0.0.0.0'
2008/02/28 21:23:04| aclMatchIp: '192.168.1.105' NOT found
2008/02/28 21:23:04| aclMatchAclList: no match, returning 0
2008/02/28 21:23:04| aclCheck: NO match found, returning 0
2008/02/28 21:23:04| aclCheckCallback: answer=0

gani 02-28-2008 11:04 PM

Is there a series of defined acl Safe_ports in your squid.conf? You never posted it in your configuration file. By default squid has this defined and it comes ordered as below.

Code:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

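An added example (not Squid's source and not any poster's code) that simulates the evaluation order Squid documents for its access lists: lines are tried in order, the first line whose terms all match decides, and if nothing matches the default is the opposite of the last line's action. The configs are constructed, trimmed versions of the two posted ones; `check()` reproduces the trace above (http_access answer=1, then http_reply_access "NO match found, returning 0") and shows what the netmask on `all` and the position of `deny all` change.

```python
"""Model Squid's http_access / http_reply_access decisions for 'src', 'port'
and 'method' ACLs.  Added example; configs below are constructed."""
import ipaddress

def parse(text):
    acls, lists = {}, {"http_access": [], "http_reply_access": []}
    for raw in text.splitlines():
        parts = raw.split("#")[0].split()
        if not parts:
            continue
        if parts[0] == "acl":                    # acl NAME TYPE value...
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] in lists:                  # http_access allow|deny term...
            lists[parts[0]].append((parts[1], parts[2:]))
    return acls, lists

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        # A bare address is a single host (/32); only a/b or CIDR covers a range,
        # so 'acl all src 0.0.0.0' matches nobody but 0.0.0.0 itself.
        nets = [ipaddress.ip_network(v if "/" in v else v + "/32", strict=False)
                for v in values]
        return any(ipaddress.ip_address(req["src"]) in n for n in nets)
    if kind == "port":                           # single ports and lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported acl type {kind}")

def decide(rules, acls, req):
    for action, terms in rules:
        # KeyError on an undefined ACL name: Squid rejects such a line too.
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # documented default

def check(config, req):
    acls, lists = parse(config)
    return (decide(lists["http_access"], acls, req),
            decide(lists["http_reply_access"], acls, req))

COMMON = """acl localhost src 127.0.0.1/255.255.255.255
acl geek_net src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT method CONNECT
"""
# As posted: 'all' has no netmask, 'deny all' sits first.
POSTED = COMMON + """acl all src 0.0.0.0
http_access deny all
http_access allow geek_net
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow all
"""
# Corrected: 'all' means everyone, catch-all deny last.
FIXED = COMMON + """acl all src 0.0.0.0/0.0.0.0
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow geek_net
http_access deny all
http_reply_access allow all
"""
REQ = {"src": "192.168.1.105", "port": 80, "method": "GET"}

if __name__ == "__main__":
    print("posted:", check(POSTED, REQ))   # ('allow', 'deny')
    print("fixed: ", check(FIXED, REQ))    # ('allow', 'allow')
```

With the posted config the reply stage has a single `allow all` line that never matches, so the default becomes deny; with the netmask added but the posted ordering kept, `deny all` matches first and every request is refused.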

shahz 02-29-2008 04:29 AM

I didn't see the ACL for the lan which you have allowed

http_access allow lan

because when I was configuring I mentioned my network like

acl lan src 192.168.0.0/24

then allowed

http_access allow lan

laroseengineer 02-29-2008 06:13 AM

==Update==
Note, this is no longer an issue. I uninstalled 2.5 and installed the latest 3.0 stable. Works like a charm. I think there was a bug or something in 2.5. It only took me 20 minutes or so to set up 3.0. Although I don't like to give up and working through these 'bug' issues only makes me smarter, I couldn't see spending more time on it.

Thanks for everyone's assistance. You can check out my setup here.

http://engineeringgeek.com/wiki/index.php/Squid

##
Yes, I do have the ACLs for the safe ports. I don't know why they weren't posted.

Here is my squid.conf with the safe ports and http_access allow geek_net and the specific ip 192.168.1.105.

##
http_port 192.168.1.111:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,1, 32,2
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny all
acl geek_net src 192.168.1.0/24
acl geekjr src 192.168.1.105
http_access allow geek_net
http_access allow geekjr
http_access deny !Safe_ports
http_access allow CONNECT SSL_PORTS
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow all manager localhost
http_access allow localhost
http_reply_access allow all
icp_access allow all
cache_effective_user administrator
cache_effective_group administrator
visible_hostname geekserver1.engineeringgeek.com
coredump_dir /var/spool/squid
##

