Re: [squid-users] Squid and Perl and DENIED

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 12 Oct 2007 16:22:28 -0800

Joe wrote:
> I'm going to have a hemorrhagic stroke over this and I
> hope I can get some insight from one of you kind
> souls.
>
> Here's my essential problem: I have two separate
> squid proxies setup on two different VPSs. I
> configured, compiled, installed, and setup both
> identically (or thought I did, anyway). Through both
> of these Squids I can proxy using Opera/Firefox just
> fine, for http and https using whatever protocol is
> needed (GET/POST/CONNECT). So far so good.
>

Indeed.

> I also need to run some PERL http requests through
> those proxies, and that's where it gets weird. Though
> squid A, everything works perfectly fine. Though
> squid B, only requests for http work, and everything
> else is DENIED with (71) Connection Refused returned.
> Given that I thought both squid proxies were setup the
> same, I'm hurting to explain why one works and the
> other doesn't. There's obviously some difference
> between them but I can't fathom what. I even copied
> the squid.conf file from one to the other without any
> love. I tried turning off ALL the acl denial rules
> just to see but still nothing.
>
> That aside, I can't work out why Opera is fine but the
> PERL isn't being accepted. There's obviously some
> difference in the way the requests are coming in, but
> the access.log files aren't helping me at all. Of
> course, looking at the logs, Opera is using CONNECT to
> get the https and Perl is trying to use GET/POST, but
> squid-A is perfectly fine with this so I'm not sure
> why squid-B isn't.
>

I'm not so sure why squid-A would be OK with it. More specifically, the
web site that squid-A passes the request to shouldn't be OK with it.
Though the method of the error is odd. I wouldn't expect a connection
refused, but a connection reset. The SSL set up really shouldn't work
as a GET request, to the best of my understanding...

> I've scoured the wikis, google, and documentation to
> no avail. Maybe I'm missing something obvious? Is
> this a problem with SSL keys or something? Any help is
> greatly appreciated.
>
>
> Here's the details:
>
> -------------------------------------------------------------------------
> squid - A (works fine for Opera/Firefox/IE and also
> for all my PERL requests)
> -------------------------------------------------------------------------
> squid.conf file:
>
> http_port 3141
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /usr/local/squid/var/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl Nibbler src 147.126.141.0/255.255.255.0
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow Nibbler
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname jvds.com
> deny_info TCP_RESET all
> via off
> forwarded_for off
> header_access all deny all
> header_access From deny all
> header_access Referer deny all
> header_access Server deny all
> header_access WWW-authenticate deny all
> header_access Link deny all
> header_access User-Agent deny all
> header_access Proxy-Authorization deny all
> header_access Proxy-Authentication deny all
> header_access Proxy-Connection deny all
> coredump_dir /usr/local/squid/var/cache
>
> -------------------------------------------------------------------------
> squid B (works for Opera, etc, but NOT for PERL)
> -------------------------------------------------------------------------
> squid.conf:
>
> http_port 3141
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /usr/local/squid/var/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl Nibbler src 147.126.141.0/255.255.255.0
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
>

Huh... There's a difference here. You've neglected the following lines:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

No, my attention to detail is not that good. Cut & paste + diff.

> http_access allow Nibbler
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname jvds.com
> deny_info TCP_RESET all
> via off
> forwarded_for off
> header_access all deny all
> header_access From deny all
> header_access Referer deny all
> header_access Server deny all
> header_access WWW-authenticate deny all
> header_access Link deny all
> header_access User-Agent deny all
> header_access Proxy-Authorization deny all
> header_access Proxy-Authentication deny all
> header_access Proxy-Connection deny all
> coredump_dir /usr/local/squid/var/cache
>
> -------------------------------------------------------------------------
> Squid - B: Access.log file
> -------------------------------------------------------------------------
> A selection of the log file:
>
> USING OPERA:
> 1192153002.874 14 67.163.91.153 TCP_MISS/200 39
> CONNECT www.yahoo.com:443 - DIRECT/69.147.114.210 -
> 1192153283.477 818 67.163.91.153 TCP_MISS/200 1939
> POST http://ocsp.verisign.com/ - DIRECT/199.7.48.72
> application/ocsp-response
>
> USING PERL:
> 1192153251.478 7 67.163.91.153 TCP_DENIED/501
> 1312 GET https://www.wellsfargo.com - NONE/- text/html
> 1192153378.916 5 67.163.91.153 TCP_DENIED/501
> 1522 POST
> https://www.ticketmaster.ca/checkout/reserve/D31k5IiYM2z0ebOSvKG0wdEGnRhd9NBlZia4npSJfqQ6wz2iBm_fjNLuQCBAXhbS6uaw-MQYR4G-yS10GLlwqQ
> - NONE/- text/html
>
>
>

What I'd like to see is the successful GET requests for SSL ports
through squid-A.

Chris
Received on Fri Oct 12 2007 - 18:22:37 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT