Re: [squid-users] Wrong ports denied as SSL_ports

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 11 Jun 2007 20:04:38 +0800

On Mon, Jun 11, 2007, Jan Groenewald wrote:
> <snip>
> 2007/06/10 22:07:37| aclCheck: checking 'http_access deny CONNECT
> !SSL_ports'
> 2007/06/10 22:07:37| aclMatchAclList: checking CONNECT
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl CONNECT method CONNECT'
> 2007/06/10 22:07:37| aclMatchAclList: checking !SSL_ports
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl SSL_ports port 443 563
> # https, snews'
> 2007/06/10 22:07:37| aclMatchAclList: returning 1
> 2007/06/10 22:07:37| aclCheck: match found, returning 0
> 2007/06/10 22:07:37| cbdataUnlock: 0x82adec0
> 2007/06/10 22:07:37| aclCheckCallback: answer=0
> 2007/06/10 22:07:37| cbdataValid: 0x85e0b50
> 2007/06/10 22:07:37| The request CONNECT 209.204.61.7:4000 is DENIED,
> because it matched 'SSL_ports'

That's right, because the http_access matches on method CONNECT and then
finds the port isn't in the SSL_ports ACL. The behaviour is correct.

There's no special meaning for the ACL name SSL_ports; it's just a name.
In the default squid configuration it's generally for "forwarding SSL requests
through a proxy" which is what's happening with the "CONNECT" method.

Adrian

> 2007/06/10 22:07:37| Access Denied: 209.204.61.7:4000
> 2007/06/10 22:07:37| AclMatchedName = SSL_ports
> 2007/06/10 22:07:37| Proxy Auth Message = <null>
> 2007/06/10 22:07:37| storeCreateEntry: '209.204.61.7:4000'
> 2007/06/10 22:07:37| new_MemObject: returning 0x8ce8a68
> </snip>
>
> Other ports are in the range 1025-6000 and are getting the same problem.
> My squid.conf below. Any tips appreciated.
>
> 0 root@kontiki:/etc/squid#grep -v ^\# squid.conf|grep .
> http_port 10.0.0.1:3128 transparent
> http_port 127.0.0.1:3128
> cache_peer proxy.aims.ac.za parent 3128 0 no-query
> cache_peer_domain proxy.aims.ac.za !.aims.ac.za
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> debug_options ALL,1
> hosts_file /etc/hosts
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> acl our_networks src 10.0.0.0/8
> http_access allow our_networks
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname kontiki.aims.ac.za
> forwarded_for off
> acl aims dstdomain .aims.ac.za
> no_cache deny aims
> always_direct allow aims
> acl kontiki dst 10.0.0.1/32
> no_cache deny kontiki
> always_direct allow kontiki
> never_direct allow all
> coredump_dir /var/spool/squid
>
> regards,
> Jan
>
> --
> .~.
> /V\ Jan Groenewald
> /( )\ www.aims.ac.za
> ^^-^^

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
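A small Python model of the http_access walk Adrian describes, added here as an illustration rather than code from the thread or from Squid itself: the ACL and rule tables are transcribed from the quoted squid.conf (lines that cannot match a plain CONNECT from the LAN are left out), and the client address 10.0.0.5 is a constructed value since the log does not show it.

```python
import ipaddress

# ACL table transcribed from the quoted squid.conf (manager, purge and to_localhost
# are omitted: they cannot match a plain CONNECT from the LAN).
ACLS = {
    "SSL_ports":    ("port", {443, 563, 873}),
    "Safe_ports":   ("port", {80, 21, 443, 563, 70, 210, 280, 488, 591, 777, 631,
                              873, 901} | set(range(1025, 65536))),
    "CONNECT":      ("method", {"CONNECT"}),
    "our_networks": ("src", ipaddress.ip_network("10.0.0.0/8")),
    "localhost":    ("src", ipaddress.ip_network("127.0.0.1/32")),
    "all":          ("src", ipaddress.ip_network("0.0.0.0/0")),
}

# http_access lines in the order they appear in the quoted config.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    return ipaddress.ip_address(req["src"]) in values   # kind == "src"

def http_access(req):
    """Walk the lines in order; a line matches only when every ACL on it matches
    (a leading '!' inverts that ACL). The first matching line gives the verdict."""
    for verdict, acls in HTTP_ACCESS:
        for token in acls:
            negated = token.startswith("!")
            if acl_matches(token.lstrip("!"), req) == negated:
                break            # this ACL failed, so the line does not match
        else:
            return verdict, acls
    # No line matched: Squid then applies the opposite of the last line's action.
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), []

if __name__ == "__main__":
    # Client address 10.0.0.5 is a constructed value; the log does not show it.
    req = {"method": "CONNECT", "src": "10.0.0.5", "port": 4000}
    print(http_access(req))   # ('deny', ['CONNECT', '!SSL_ports'])
```

Port 4000 passes the Safe_ports line (it is inside 1025-65535) and is then caught by the CONNECT line, exactly as the debug trace shows; a GET to the same port from the LAN reaches the our_networks allow.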
Received on Mon Jun 11 2007 - 06:04:11 MDT