Re: [squid-users] ACL rules allow localhost, but I still get an Access Denied in transparent setup...

From: GoogleGuy <googleguy@dont-contact.us>
Date: Mon, 30 Jul 2007 17:29:32 +0300

On Mon, 30 Jul 2007 15:56:11 +0200
Henrik Nordstrom <henrik@henriknordstrom.net> wrote:

> > The weird thing is, if I manually configure Firefox to access the
> > Web via localhost:3128, it works fine, no matter whether I use the
> > "transparent" keyword or not. The ACL rule that allows localhost is
> > in effect in this case, since if I change
>
> It's not so strange. When intercepted the source ip for the request is
> your real IP, not localhost...

That's what I thought...

> > However, adding a rule like this:
> >
> > acl ME src 1.2.3.4
> > http_access allow ME
> >
> > doesn't help at all.
>
> Make sure you add it before the "deny all".. http_access rules is
> order sensitive..

Thanks for your suggestion, but like I said, still no luck.

access.log sample when trying to access google.com:
1185804381.874 0 192.144.46.78 TCP_DENIED/403 1450 GET http://www.google.com/ - NONE/- text/html
1185804381.950 92 192.144.46.78 TCP_MISS/403 1598 GET http://www.google.com/ - DIRECT/64.233.183.147 text/html

(assuming 192.144.46.78 is my IP -- it's not, of course)

The ACL rule in the squid.conf is definitely before the "http_access
deny all" line:

-----------------------------------------------------------
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl ME src 192.144.46.78
http_access allow ME

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
-----------------------------------------------------------

Any other ideas?

Andrei

PS: By the way, I just put

debug_options ALL,1 33,2

into the config, and now the cache log says:

2007/07/30 17:22:20| The reply for GET http://www.google.com/ is ALLOWED, because it matched 'QUERY'
2007/07/30 17:22:25| The request GET http://www.google.com:80/ is ALLOWED, because it matched 'ME'

...while the access.log still says access denied, and so does the
browser! How come?

I also noticed that cache log has this warning:
2007/07/30 13:23:36| WARNING: Forwarding loop detected for: Client: 192.144.46.78 http_port: 69.65.107.188:80

Could this warning be related to the problem I'm having?
Received on Mon Jul 30 2007 - 08:27:47 MDT
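Added example (not from the post, Henrik's reply, or the Squid project): two offline checks for the two symptoms discussed in this thread. The first applies Henrik's point that http_access is order sensitive, flagging any http_access line that sits after an unconditional "deny all" (or "allow all") and ACL names that are never declared. The second parses native-format access.log lines and looks for a request from the same client to the same URL whose lifetime nests strictly inside another one. That nested shape is what I would expect when an interception rule feeds Squid's own outbound connection back into Squid; this is my reading of the "Forwarding loop detected" warning and the two 403 lines, not something the thread confirms, so treat it as an assumption to verify against cache.log. The config fragments and log lines below are constructed from what the post shows (the anonymised IP is kept as-is).

```python
# Added example for the thread above, not code from the post or from Squid.
import re
from collections import defaultdict

# Native access.log layout (Squid 2.x):
#   time elapsed client code/status bytes method url ident hierarchy/peer mimetype
LOG_RE = re.compile(
    r"^(?P<end>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)/(?P<peer>\S+)"
)


def http_access_rules(conf_text):
    """(line number, action, acl list) for every http_access line, in file order."""
    rules = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((n, parts[1], parts[2:]))
    return rules


def unreachable_rules(conf_text):
    """http_access is evaluated top to bottom, first match wins: anything after
    an unconditional 'allow all' / 'deny all' can never match."""
    terminal_seen, out = False, []
    for n, action, acls in http_access_rules(conf_text):
        if terminal_seen:
            out.append((n, action, acls))
        elif acls == ["all"]:
            terminal_seen = True
    return out


def undefined_acls(conf_text):
    """ACL names used by http_access but never declared with 'acl NAME ...'."""
    defined = {"all"}  # builtin in Squid 3; older configs declare it explicitly
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            defined.add(parts[1])
    return [(n, name) for n, _, acls in http_access_rules(conf_text)
            for name in acls if name.lstrip("!") not in defined]


def parse_access_log(lines):
    """Turn access.log lines into dicts; start time is derived from end - elapsed."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        end, ms = float(m["end"]), int(m["ms"])
        entries.append({"start": end - ms / 1000.0, "end": end, "ms": ms,
                        "client": m["client"], "code": m["code"],
                        "status": int(m["status"]), "method": m["method"],
                        "url": m["url"], "hier": m["hier"], "peer": m["peer"]})
    return entries


def nested_requests(entries):
    """(outer, inner) pairs: same client, method and URL, inner's lifetime inside
    outer's. Assumption: a proxy that talks to itself through an interception
    rule logs the inner pass (here TCP_DENIED/403 NONE/-) before the outer one."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["client"], e["method"], e["url"])].append(e)
    pairs = []
    for group in groups.values():
        for outer in group:
            for inner in group:
                if (inner is not outer and outer["ms"] > inner["ms"]
                        and outer["start"] <= inner["start"]
                        and inner["end"] <= outer["end"]):
                    pairs.append((outer, inner))
    return pairs


# Constructed from the post: the order shown there, and a broken variant with
# the allow moved below "deny all" plus an ACL that is never declared.
CONF_OK = """\
acl localhost src 127.0.0.1/255.255.255.255
acl ME src 192.144.46.78
http_access allow ME
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
"""
CONF_BROKEN = """\
acl localhost src 127.0.0.1/255.255.255.255
acl ME src 192.144.46.78
http_access allow localhost
http_access deny all
http_access allow ME
http_access allow lan
"""
# The two access.log lines quoted in the post.
ACCESS_LOG = [
    "1185804381.874 0 192.144.46.78 TCP_DENIED/403 1450 GET http://www.google.com/ - NONE/- text/html",
    "1185804381.950 92 192.144.46.78 TCP_MISS/403 1598 GET http://www.google.com/ - DIRECT/64.233.183.147 text/html",
]

if __name__ == "__main__":
    for n, action, acls in unreachable_rules(CONF_BROKEN):
        print(f"line {n}: 'http_access {action} {' '.join(acls)}' is after 'deny all' and never matches")
    for n, name in undefined_acls(CONF_BROKEN):
        print(f"line {n}: ACL '{name}' is never declared")
    for outer, inner in nested_requests(parse_access_log(ACCESS_LOG)):
        print(f"{outer['url']}: {inner['code']}/{inner['status']} via {inner['hier']} "
              f"completed inside {outer['code']}/{outer['status']} via {outer['hier']}/{outer['peer']}")
```

On the posted config the order check is clean, which matches Andrei's observation that the rule is already above "deny all"; the log check is the one that turns up something, because the denied request (0 ms, NONE/-) starts and finishes inside the 92 ms window of the DIRECT request for the same URL.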

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT