HELP NEEDED "Forward denied"!!!

From: Balgansuren <balgaa@dont-contact.us>
Date: Wed, 17 Nov 1999 12:11:47 +0800 (CST)

Hello,

Currently, I am using a Pentium II 333MHz w/ 64MB RAM, 4GB HDD, 10/100Mb NIC
and Redhat Linux 6.1 as the OS. The Redhat Linux 6.1 kernel version is 2.2.12.
I compiled the kernel with the options described in the http://squid.nlanr.net/
FAQ section. I also configured ipchains and some kernel parameters
described in the FAQ section.

Could you explain this problem in more detail?

Following is my squid.conf file:

http_port 8080
acl public src 202.xxx.0.0/255.255.255.192
acl nmc src 202.xxx.0.96/255.255.255.224
acl public1 src 202.xxx.4.0/255.255.255.128
acl mtc src 202.xxx.0.128/255.255.255.192
acl gover src 202.xxx.7.32/27
acl undp src 202.xxx.7.0/28
acl serial_link src 202.xxx.3.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow public
http_access allow public1
http_access allow nmc
http_access allow mtc
http_access allow undp
http_access allow gover
http_access allow serial_link
http_access deny all

# TAG: icp_access
# Reply to all ICP queries we receive
#
icp_access allow all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means that only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#miss_access allow all
acl localclients src 202.xxx.0.101/255.255.255.255
miss_access allow localclients
miss_access allow manager
miss_access deny !localclients

# TAG: httpd_accel_host
# TAG: httpd_accel_port
# If you want to run Squid as an httpd accelerator, define the
# host name and port number where the real HTTP server is.
#
# If you want virtual host support then specify the hostname
# as "virtual".
#
# NOTE: enabling httpd_accel_host disables proxy-caching and
# ICP. If you want these features enabled also, then set
# the 'httpd_accel_with_proxy' option.
#
#httpd_accel_host hostname
#httpd_accel_port port
httpd_accel_host virtual
httpd_accel_port 80

# TAG: httpd_accel_with_proxy on|off
# If you want to use Squid as both a local httpd accelerator
# and as a proxy, change this to 'on'.
#
#httpd_accel_with_proxy off
httpd_accel_with_proxy on

# TAG: httpd_accel_uses_host_header on|off
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. Squid can be an accelerator for
# different HTTP servers by looking at this header. However,
# Squid does NOT check the value of the Host header, so it opens
# a big security hole. We recommend that this option remain
# disabled unless you are sure of what you are doing.
#
# However, you will need to enable this option if you run Squid
# as a transparent proxy. Otherwise, virtual servers which
# require the Host: header will not be properly cached.
#httpd_accel_uses_host_header off
httpd_accel_uses_host_header on

# TAG: forwarded_for on|off
# If set, Squid will include your system's IP address or name
# in the HTTP requests it forwards. By default it looks like
# this:
#
# X-Forwarded-For: 192.1.2.3
#
# If you disable this, it will appear as
#
# X-Forwarded-For: unknown
#
forwarded_for on

The other sections are at their defaults. I changed only the items above.

Please check and review it.
What is your suggestion?
 
Best Regards
Balgansuren

On Wed, 17 Nov 1999, Colin Campbell wrote:

> Hi,
>
> To get some help you'll need to post to the list some or all of your
> squid.conf and some sort of description of the network layout around the
> squid box.
>
> Colin
>
>
Received on Tue Nov 16 1999 - 21:08:38 MST
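
The access lists in the squid.conf above, evaluated the way Squid evaluates them: the first matching rule wins, http_access is checked first, and miss_access is checked only for requests that have to be forwarded as a MISS. This is an added example, not part of the original thread and not Squid's own code. The 10.0 prefix is a constructed stand-in for the masked "202.xxx", and only some of the src-based rules are modelled (the port, method and manager rules are left out).

```python
import ipaddress

# Constructed stand-in: "202.xxx" in the post is replaced by "10.0".
ACLS = {
    "public":       "10.0.0.0/255.255.255.192",
    "nmc":          "10.0.0.96/255.255.255.224",
    "public1":      "10.0.4.0/255.255.255.128",
    "localclients": "10.0.0.101/255.255.255.255",
    "all":          "0.0.0.0/0.0.0.0",
}

# Rule order copied from the posted config (src-based rules only).
HTTP_ACCESS = [("allow", "public"), ("allow", "public1"),
               ("allow", "nmc"), ("deny", "all")]
MISS_ACCESS = [("allow", "localclients"), ("deny", "!localclients")]


def acl_matches(name, client):
    """True if the client address matches the ACL; a leading '!' negates."""
    negate = name.startswith("!")
    net = ipaddress.ip_network(ACLS[name.lstrip("!")])
    return (ipaddress.ip_address(client) in net) != negate


def check(rules, client):
    """First matching rule decides; with no match, the opposite of the last rule applies."""
    for action, acl in rules:
        if acl_matches(acl, client):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def outcome(client, cached):
    """What a client sees for an object that is, or is not, already in the cache."""
    if check(HTTP_ACCESS, client) == "deny":
        return "access denied"
    if cached:
        return "HIT served"
    if check(MISS_ACCESS, client) == "deny":
        return "forward denied"
    return "MISS forwarded"


if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.0.101", "10.9.9.9"):
        print(ip, outcome(ip, cached=False), "/", outcome(ip, cached=True))
```

With these rules, only 10.0.0.101 (the single localclients host) can fetch objects that are not already cached; every other client allowed by http_access gets HITs only.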

This archive was generated by hypermail pre-2.1.9 : Wed Apr 09 2008 - 11:57:32 MDT