
pliqui 02-18-2010 09:50 AM

Squid3 Deny all traffic (Ignoring ACL)
 
Hello all,

I have a squid3 on a debian lenny box but cannot get access to any site.

If I remove `http_access deny all` it works, but I only want those IPs to be able to use the proxy.

My squid.conf

Code:

intranet:/etc/squid3# cat squid.conf
# Config as first posted (the one that denies everything). Squid evaluates
# http_access lines top to bottom and acts on the first match, so the order
# of the allow/deny lines below decides which checks a client actually hits.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Defined but never referenced by an http_access line; the stock squid.conf
# pairs it with "http_access deny to_localhost".
acl to_localhost dst 127.0.0.0/8
#acl all src 0.0.0.0/0
# Per-client allow-list by source address.
# NOTE(review): none of these addresses appears in the access.log sample
# posted below -- the denied clients there are 180.183.66.33, 180.183.66.47
# and 120.48.32.176, which match no "src" ACL here, so they reach "deny all".
acl pliqui src 180.183.64.33
acl mochis src 180.183.64.34
acl profe src 120.48.26.17
acl nacho src 180.183.68.88
acl eduardo src 180.183.68.85
acl quelita src 120.48.28.36
acl pipino  src 120.48.27.29
acl batibati src 180.183.66.35
acl elmio src 120.48.35.44
# External regex list; a request matching any line is refused further down.
acl bad_url url_regex "/etc/squid3/bad-sites.acl"


acl SSL_ports  port 443 494 2598
# 443 is listed twice (here and on the "# https" line); harmless but redundant.
acl Safe_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
# Every request is forwarded to the cache_peer below; nothing is fetched
# directly, so the parent's reachability and policy govern all traffic.
never_direct allow all

# The per-client allows come first, so a client that matches one of them is
# admitted before the !Safe_ports, CONNECT and bad_url denies are evaluated:
# in this order those filters never apply to the listed clients.
http_access allow pliqui
http_access allow mochis
http_access allow profe
http_access allow nacho
http_access allow eduardo
http_access allow quelita
http_access allow pipino
http_access allow batibati
http_access allow elmio
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url
# There is no "http_access allow localhost", so browsing from the proxy host
# itself is denied as well. Removing this line makes the default for an
# unmatched request the opposite of the then-last rule ("deny bad_url"),
# i.e. everything is allowed -- which is why the proxy "works" without it.
http_access deny all
htcp_access deny all

# No address given: listens on every interface of the box.
http_port 3128
icp_port 3130


# Upstream parent ("isa"); address redacted by the poster.
cache_peer xxx.xxx.xxx.xxx parent 80 3130 no-query name=isa


cache_replacement_policy lru
cache_mem 256 MB
maximum_object_size_in_memory 2560 KB
cache_dir ufs /var/spool/squid3 5120 16 256
maximum_object_size 1048576 KB

refresh_pattern ^ftp:          1440    20%    10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0      0%      0
refresh_pattern .              0      20%    4320

#TIMEOUTS
connect_timeout 8 seconds
peer_connect_timeout 3 seconds

#LOGS
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid

Sample of access.log (note the client addresses being denied: 180.183.66.33, 180.183.66.47 and 120.48.32.176):

Code:

1266500703.544      1 127.0.0.1 TCP_MISS/200 926 GET cache_object://localhost/storedir - NONE/- text/plain
1266500706.821      0 127.0.0.1 TCP_MISS/200 1577 GET cache_object://localhost/counters - NONE/- text/plain
1266500706.903      0 127.0.0.1 TCP_MISS/200 1577 GET cache_object://localhost/counters - NONE/- text/plain
1266500716.843      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500716.915      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.288      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.351      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.483      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.536      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.644      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.708      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.814      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500717.863      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500717.967      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500718.024      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500718.128      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500718.181      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500744.607      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm3.static.flickr.com/2769/4362782644_25dd632e07_m.jpg - NONE/- text/html
1266500754.223      0 180.183.66.33 TCP_DENIED/403 2935 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - NONE/- text/html
1266500760.947      0 180.183.66.33 TCP_DENIED/403 2508 GET http://www.squid-cache.org/Doc/config/never_direct/ - NONE/- text/html
1266500765.405      0 180.183.66.33 TCP_DENIED/403 2544 GET http://www.squid-cache.org/Doc/config/never_direct/ - NONE/- text/html
1266500805.610      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm3.static.flickr.com/2744/4367941896_c52f556dfd_m.jpg - NONE/- text/html
1266500896.689      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500896.758      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.134      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.198      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.345      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.410      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.504      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.553      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.697      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.747      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500897.859      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500897.923      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.036      0 180.183.66.33 TCP_DENIED/403 2664 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.099      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.222      0 180.183.66.33 TCP_DENIED/403 2692 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.280      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.482      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.534      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.676      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.748      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500898.870      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266500898.922      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266500927.631      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm5.static.flickr.com/4050/4367197921_6c3ff39dee_m.jpg - NONE/- text/html
1266500988.634      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm3.static.flickr.com/2685/4367935646_eb0809b421_m.jpg - NONE/- text/html
1266501003.647      0 127.0.0.1 TCP_DENIED/403 1866 GET cache_object://localhost/storedir - NONE/- text/html
1266501007.045      0 127.0.0.1 TCP_DENIED/403 1866 GET cache_object://localhost/counters - NONE/- text/html
1266501007.089      0 127.0.0.1 TCP_DENIED/403 1866 GET cache_object://localhost/counters - NONE/- text/html
1266501088.145      3 120.48.32.176 TCP_DENIED/403 2207 POST http://setiboinc.ssl.berkeley.edu/sah_cgi/cgi - NONE/- text/html
1266501093.757      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501093.827      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.248      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.307      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.442      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.512      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.616      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.666      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.765      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.815      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501094.927      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501094.992      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501095.104      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501095.160      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501095.265      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501095.317      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501095.427      0 180.183.66.33 TCP_DENIED/403 2728 GET http://www.eluniversal.com/index.html - NONE/- text/html
1266501095.479      0 180.183.66.33 TCP_DENIED/403 2522 GET http://www.eluniversal.com/favicon.ico - NONE/- text/html
1266501110.705      0 180.183.66.47 TCP_DENIED/403 2474 GET http://farm5.static.flickr.com/4025/4367178211_5bce0d5b16_m.jpg - NONE/- text/html
1266501178.172  59690 180.183.66.33 TCP_REFRESH_FAIL/200 168180 GET http://www.eluniversal.com/index.html - DIRECT/204.228.236.21 text/html

Thanks for any help

prasanta 02-18-2010 10:15 AM

The conf file looks fine, but Squid evaluates http_access rules in order and stops at the first match, so try restructuring squid.conf: move the lines below above the per-IP `http_access allow` lines and check again.

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Move the http_port and icp_port also above.

--
Prasanta

pliqui 02-18-2010 10:26 AM

Hello Prasanta,

I moved the lines as you suggested, but it made no difference.

Code:

intranet:/etc/squid3# cat squid.conf
# Second attempt: the deny lines were moved ahead of the allows (first match
# wins in http_access), but the ACL addresses are unchanged.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Still defined and still unused by any http_access line.
acl to_localhost dst 127.0.0.0/8
#acl all src 0.0.0.0/0
# NOTE(review): the clients denied in the access.log posted above
# (180.183.66.33, 180.183.66.47, 120.48.32.176) are still not in this list,
# so reordering alone cannot admit them.
acl pliqui src 180.183.64.33
acl mochis src 180.183.64.34
acl profe src 120.48.26.17
acl nacho src 180.183.68.88
acl eduardo src 180.183.68.85
acl quelita src 120.48.28.36
acl pipino  src 120.48.27.29
acl batibati src 180.183.66.35
acl elmio src 120.48.35.44
acl bad_url url_regex "/etc/squid3/bad-sites.acl"


acl SSL_ports  port 443 494 2598
# 443 is duplicated on the "# https" line below.
acl Safe_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
# All traffic goes via the cache_peer below; no direct fetches.
never_direct allow all

http_port 3128
icp_port 3130

# "deny manager" now comes BEFORE "allow manager localhost", so the first
# match denies cache-manager requests even from the proxy host itself.
http_access deny manager
# Protocol hygiene and the URL blacklist now apply to every client -- good.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url
http_access allow pliqui
http_access allow mochis
http_access allow profe
http_access allow nacho
http_access allow eduardo
http_access allow quelita
http_access allow pipino
http_access allow batibati
http_access allow elmio
# Unreachable for localhost because of the "deny manager" above.
http_access allow manager localhost
# Still no "http_access allow localhost". With this line commented out the
# last rule becomes "allow manager localhost", so an unmatched request gets
# the opposite of it (deny) -- consistent with the poster still seeing
# Access Denied after removing "deny all" in this layout.
http_access deny all
htcp_access deny all

cache_peer xxxx.xxxx.xxxx.xxx parent 80 3130 no-query name=isa

cache_replacement_policy lru
cache_mem 256 MB
maximum_object_size_in_memory 2560 KB
cache_dir ufs /var/spool/squid3 5120 16 256
maximum_object_size 1048576 KB

refresh_pattern ^ftp:          1440    20%    10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0      0%      0
refresh_pattern .              0      20%    4320

#TIMEOUTS
connect_timeout 8 seconds
peer_connect_timeout 3 seconds

#LOGS
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid

Still getting
Quote:

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.eluniversal.com/

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.


Generated Thu, 18 Feb 2010 16:20:59 GMT by localhost (squid/3.0.STABLE19)

And the odd thing is that even if I log into the Debian box and try to browse the web from localhost, I still get Access Denied (there is no `http_access allow localhost` line in this config).

Note: after moving the lines as you asked and commenting out `http_access deny all`, I still got the Access Denied error. (That is consistent with Squid's rule that a request matching no http_access line gets the opposite of the last line: in this layout the last line is `allow manager localhost`, so the default is deny, whereas in the original layout the last line was `deny bad_url`, so the default was allow.)

pliqui 02-18-2010 02:24 PM

I made it work. It was partly the order of squid.conf, but note that in the working version the `acl ... src` addresses also changed to the clients actually seen in access.log (180.183.66.33, 180.183.66.47, 180.183.66.34, 120.48.32.176) and `http_access allow localhost` was added — the earlier ACLs named addresses that never appeared in the log, so those clients could only ever reach `deny all`.

This is the order I ended up with, for future reference. To avoid errors when fetching https pages through the parent, the `never_direct allow all` line must be present.

Code:

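intranet:/etc/squid3# cat squid.conf
# Squid 3.0 forwarding proxy: a short allow-list of client addresses, with
# every request forced through an upstream parent ("isa").
# http_access lines are evaluated top to bottom and the first match wins, so
# every deny that must apply to the allowed clients sits BEFORE their allows,
# and "deny all" stays last (an unmatched request gets the opposite of the
# last line, so removing it would silently open the proxy).

# CACHE PEER
# Upstream parent; never_direct below forces all traffic through it, so the
# parent's outbound policy applies to every request and the proxy is dead
# if the parent is unreachable.
cache_peer xxx.xxx.xxx.xxx parent 80 3130 no-query name=isa

# ACLS
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# Client allow-list. Authorization is by source address only: any host that
# can present one of these addresses gets proxy access, so this is only
# adequate on a network where the addresses cannot be spoofed or reassigned;
# otherwise add proxy_auth on top. Addresses match the clients seen in
# access.log.
acl pliqui src 180.183.66.33
acl junior src 180.183.66.47
acl mochis src 180.183.66.34
acl profe src 120.48.32.176
#acl all src 0.0.0.0/0
# One regex per line; a matching URL is refused before the client allows.
acl bad_url url_regex "/etc/squid3/bad-sites.acl"

# SAFE PORTS
acl SSL_ports  port 443 494 2598
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
# No direct fetches; everything goes via the parent. Per the poster, https
# (CONNECT) requests failed without this line.
never_direct allow all

# HTTP ACCESS
# Cache manager: only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
# Protocol hygiene, applied before any client is admitted.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Do not let proxy clients reach services bound to loopback on this host
# (to_localhost was defined but unused; this is the stock Squid guard).
http_access deny to_localhost
http_access deny bad_url
# Allowed clients; "deny all" must remain the final http_access line.
http_access allow localhost
http_access allow pliqui
http_access allow junior
http_access allow mochis
http_access allow profe
http_access deny all
icp_access deny all
htcp_access deny all

# PORTS
# http_port without an address listens on every interface; if this box has
# an interface that is not on the trusted network, bind to the internal
# address instead (http_port <internal-ip>:3128). ICP is denied above and
# the parent is no-query, so "icp_port 0" would close that UDP listener too.
http_port 3128
icp_port 3130

# CACHE CFG
cache_replacement_policy lru
cache_mem 256 MB
maximum_object_size_in_memory 2560 KB
cache_dir ufs /var/spool/squid3 5120 16 256
maximum_object_size 1048576 KB

refresh_pattern ^ftp:          1440    20%    10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0      0%      0
refresh_pattern .              0      20%    4320

#TIMEOUTS
connect_timeout 8 seconds
peer_connect_timeout 3 seconds

#LOGS
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid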


