RE: [squid-users] Cannot authorize payment

From: Chris Robertson <crobertson@dont-contact.us>
Date: Tue, 21 Feb 2006 12:06:57 -0900

> -----Original Message-----
> From: Casey King [mailto:cking@lovebox.com]
> Sent: Tuesday, February 21, 2006 11:27 AM
> To: 'Squid Mailing List'
> Subject: [squid-users] Cannot authorize payment
>
>
> I have a piece of software called POS-systems for credit card authorization.
> It has been working fine until last week. It tends to coincide with when I
> added another rule to the squid.conf file. I have commented the rule out, but
> am still having the same problem.
>
> When I try to authorize a transaction I get a 40002 error message; looking
> it up on the POS-systems website, this is a tcp/ip connection issue. After
> working with them and finding the software set up properly, I looked at my
> access.log file to see what was going on. Here is what I see:
>
> -------------------------
> 1140552332.683 2 172.16.12.219 TCP_DENIED/407 1729 CONNECT ssl.pgs.wcom.net:443 - NONE/- text/html
> ----------------------------
>
> Normally I would expect to see at least 4 lines in a row with this
> information because I am using NTLM and basic authentication. When I open a
> browser, I can navigate to https://ssl.pgs.wcom.net.

From this information, I'd postulate the POS-systems software doesn't support proxy authentication.

> The ports that are required to be open and bi-directional are 443, 563, and
> 2112. Here is what I have in my squid.conf:
>
> ----snip-----
> acl SSL_ports port 443
> acl SSL_ports port 563
> acl SSL_ports port 1433
> acl SSL_ports port 2112
> acl SSL_ports port 3389
> -----snip------
> -----snip-------
> acl Safe_ports port 280
> acl Safe_ports port 443
> acl Safe_ports port 488
> acl Safe_ports port 563
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 1203
> acl Safe_ports port 1205
> acl Safe_ports port 1433
> acl Safe_ports port 2112
> acl Safe_ports port 3389
> --------snip-------
> I have added .wcom.net in the list below, and have added it to my
> openaccesswhitelist.txt, openaccesswhiltelistipaddr.txt, whiteipaddr.txt and
> whitelist.txt.

Adding .wcom.net to openaccesswhiltelistipaddr.txt and whiteipaddr.txt doesn't make much sense in the context given below, as it's not a valid FQDN.

>
> acl DoNotCacheWebSites dstdomain "/etc/squid/rules/donotcachewebsites.txt"
> acl Freemarkets dstdomain .freemarkets.com
> acl MyTextron dstdomain .mytextron.com
> acl WComNet dstdomain .wcom.net
> acl Corrlink dstdomain .weyerhaeuser.com
> acl SchwabPlan dstdomain .schwabplan.com
> acl LindWaldock dstdomain .lind-waldock.com

So, why are these separate from the OpenAccessWhiteListWebsites (given the context below)?

> acl BrownListWebsites dstdomain "/etc/squid/rules/brownlist.txt"
> acl BlackListWebsites dstdomain "/etc/squid/rules/blacklist.txt"
> acl BlackListIpAddresses dst "/etc/squid/rules/blacklistipaddr.txt"
> acl BlackListIpAddress1 dst 64.73.35.120

Again, this could be merged with blacklistipaddr.txt.

> acl OpenAccessWhiteListWebsites dstdomain "/etc/squid/rules/openaccesswhitelist.txt"
> acl OpenAccessWhiteListIpAddresses dst "/etc/squid/rules/openaccesswhitelistipaddr.txt"
> acl WhiteListWebsites dstdomain "/etc/squid/rules/whitelist.txt"
> acl WhiteListIPAddresses dst "/etc/squid/rules/whiteipaddr.txt"
> acl AuthLimitedUsers proxy_auth REQUIRED
> acl AuthPowerUsers proxy_auth "/etc/squid/rules/powerusers.txt"
> acl AuthIPAddresses src "/etc/squid/rules/poweripaddresses.txt"
> acl AuthSafeAccessUsers proxy_auth "/etc/squid/rules/users.txt"
> acl OverRideBrownListUsers proxy_auth "/etc/squid/rules/ovrdbrownlist.txt"
> acl AdultBlackListWebsites dstdomain "/etc/squid/rules/adultblacklist.txt"
>
> http_access allow manager our_networks
> http_access allow WhiteListWebsites AuthLimitedUsers

I'd guess this is where your problem lies. You have added the site to whitelist.txt (WhiteListWebsites), so this rule starts to match, but it requires authentication (which as I postulated above, the application can't handle), and therefore you get a 407.

> http_access allow WhiteListIPAddresses AuthLimitedUsers
> http_access allow all OpenAccessWhiteListWebsites

Whoa! Assuming you have not re-defined the "all" ACL, this will allow ANYONE to use your proxy to access the sites listed in openaccesswhitelist.txt. Change the "all" to "our_networks", move this rule to the top, and the application should work just fine. Otherwise, a re-worked http_access list follows, that should allow the same functionality (with listed exceptions).

> http_access allow all OpenAccessWhiteListIpAddresses
> http_access deny all AdultBlackListWebsites
> http_access allow all Freemarkets
> http_access allow all MyTextron
> http_access allow all Corrlink
> http_access allow all SchwabPlan
> http_access allow all WcomNet
> http_access allow all LindWaldock
> http_access allow all AuthPowerUsers
> http_access allow all AuthIPAddresses
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny !our_networks
> http_access allow BrownListWebsites OverRideBrownListUsers
> http_access deny all BrownListWebsites
> http_access deny all BlackListWebsites
> http_access deny all BlackListIpAddresses
> http_access deny all BlackListIpAddress1
> http_access allow all AuthSafeAccessUsers
> http_access deny all
>
>

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
http_access allow manager
http_access allow OpenAccessWhiteListWebsites
http_access allow OpenAccessWhiteListIpAddresses
http_access allow WhiteListWebsites AuthLimitedUsers
http_access allow WhiteListIPAddresses AuthLimitedUsers
http_access deny AdultBlackListWebsites
http_access allow AuthPowerUsers
http_access allow AuthIPAddresses
http_access allow BrownListWebsites OverRideBrownListUsers
http_access deny BrownListWebsites
http_access deny BlackListWebsites
http_access deny BlackListIpAddresses
http_access allow AuthSafeAccessUsers
http_access deny all

This setup assumes that you merge the one-off acl sites/IPs into the corresponding file. It also assumes that you don't have people outside of "our_networks" using the proxy. Perhaps checking out the FAQ section on ACLs (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html) would be beneficial.

Chris
Received on Tue Feb 21 2006 - 14:07:05 MST
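The two points in the reply (the 407 from a rule that matches the site but demands credentials, and the open-proxy effect of "allow all OpenAccessWhiteListWebsites" ahead of "deny !our_networks") come down to Squid's first-match evaluation of http_access. The Python below is an added simulator written for this archive page; it is not Squid's code and not something either poster supplied. It models only the ACL types in the quoted squid.conf and one Squid behaviour: when the earlier ACLs on a line match and a proxy_auth ACL is reached with no credentials on the request, Squid challenges with 407 instead of falling through. The our_networks subnet, the .open.example entry, the destination IPs and the user list are constructed assumptions, since the thread does not show them.

```python
"""Simplified first-match simulator for a Squid http_access list (added example)."""
import ipaddress

# Constructed ACL table: file-backed lists become inline values. our_networks,
# .open.example, the destination IPs and the user "alice" are assumptions.
ACLS = {
    "all": ("any", None),
    "our_networks": ("src", ["172.16.0.0/12"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "Safe_ports": ("port", {80, 280, 443, 488, 563, 591, 777, 1203, 1205, 1433, 2112, 3389}),
    "SSL_ports": ("port", {443, 563, 1433, 2112, 3389}),
    "CONNECT": ("method", "CONNECT"),
    "OpenAccessWhiteListWebsites": ("dstdomain", [".wcom.net", ".open.example"]),
    "WhiteListWebsites": ("dstdomain", [".wcom.net"]),
    "AuthLimitedUsers": ("proxy_auth", "REQUIRED"),
    "AuthSafeAccessUsers": ("proxy_auth", {"alice"}),
}


def acl_matches(name, req):
    """Return True when the named ACL matches the request dict."""
    kind, arg = ACLS[name]
    if kind == "any":
        return True
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(n) for n in arg)
    if kind == "dst":
        return any(ipaddress.ip_address(req["dst_ip"]) in ipaddress.ip_network(n) for n in arg)
    if kind == "port":
        return req["port"] in arg
    if kind == "method":
        return req["method"] == arg
    if kind == "dstdomain":
        # A leading dot matches the domain itself and every subdomain, as in Squid.
        host = req["host"].lower()
        return any(host == d.lstrip(".") or host.endswith(d) for d in arg)
    if kind == "proxy_auth":
        return req["user"] is not None and (arg == "REQUIRED" or req["user"] in arg)
    raise ValueError(f"unknown ACL kind {kind}")


def evaluate(rules, req):
    """First matching http_access line wins. Returns (verdict, line) with the
    verdict 'allow', 'deny' or '407' (authentication challenge)."""
    for line in rules:
        _, action, *terms = line.split()
        matched = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            if ACLS[name][0] == "proxy_auth" and req["user"] is None:
                return "407", line  # earlier terms matched; Squid now demands credentials
            if acl_matches(name, req) == negate:
                matched = False  # this term fails, so the whole line fails
                break
        if matched:
            return action, line
    return "deny", "implicit deny at end of list"


# Subset of the poster's ordering, keeping only the ACLs modelled above.
ORIGINAL = [
    "http_access allow WhiteListWebsites AuthLimitedUsers",
    "http_access allow all OpenAccessWhiteListWebsites",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny to_localhost",
    "http_access deny !our_networks",
    "http_access allow all AuthSafeAccessUsers",
    "http_access deny all",
]

# The same subset in the reworked order from the reply.
REORDERED = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny to_localhost",
    "http_access deny !our_networks",
    "http_access allow OpenAccessWhiteListWebsites",
    "http_access allow WhiteListWebsites AuthLimitedUsers",
    "http_access allow AuthSafeAccessUsers",
    "http_access deny all",
]

# Constructed requests: the POS software's CONNECT from the logged client
# (no credentials), and an outside client trying to use the proxy.
POS_REQUEST = dict(src="172.16.12.219", dst_ip="192.0.2.10", host="ssl.pgs.wcom.net",
                   port=443, method="CONNECT", user=None)
EXTERNAL_REQUEST = dict(src="203.0.113.5", dst_ip="192.0.2.20", host="www.open.example",
                        port=443, method="CONNECT", user=None)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for who, req in (("POS client", POS_REQUEST), ("external client", EXTERNAL_REQUEST)):
            verdict, line = evaluate(rules, req)
            print(f"{label:9} {who:15} -> {verdict:5} via: {line}")
```

Run as a script, the original order answers the POS client with 407 on the WhiteListWebsites line and lets the outside client through to an open-access site, while the reordered list allows the POS client via OpenAccessWhiteListWebsites and stops the outside client at "deny !our_networks" before any allow line is reached.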
