Re: [squid-users] Squid +XChat + Bitlbee

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 06 Feb 2008 00:28:39 +1300

stephane lepain wrote:
> Hi,
>
> I have added an acl in order for me to connect to XChat through my
> proxy. It works fine. Now, I want to use bitlbee using XChat to try to
> connect to msn and everything going through my proxy. Every time I launch
> Bitlbee I get the error HTTP/1.0 503 Service Unavailable. Proxy
> traversal failed. The way I connect to bitlbee through XChat is "/server
> 127.0.0.1" and then this is when I get the error mentioned above.
> I can't see the reason why I would be able to connect to XChat and not
> bitlbee. When I check the access.log I do see a tcp_miss 503. Thanks for
> your help

That would be because your squid is not listening on 127.0.0.1.

Let's go over your config and improve it a bit, shall we?

>
> ### ACCESS CONTROLS
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl iguane src 192.168.1.8 127.0.0.1
> acl heaven src 192.168.1.10
> acl zongo src 192.168.1.5
> acl margoullat src 192.168.1.6 192.168.1.7
> acl livebox src 192.168.1.1
> acl xchat port 6667 1863
> http_access allow CONNECT xchat
> http_access deny CONNECT xchat

The allow line above lets anyone use xchat through you.
Blocking it here or below has no effect.

> http_access allow iguane
> http_access allow heaven
> http_access allow zongo### OPTIONS FOR X-FORWARDED-FOR
> ### NETWORK OPTIONS

That missing newline will be causing some problems I think.

> http_access allow margoullat
> http_access allow livebox

You could be creating a single ACL which contains all those machines' IP
addresses (like Safe_ports is done) instead of a separate line each.
That would help keep this and the ICP lines below sync'd up.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow localhost

Like I said to someone else recently, these safety controls (from the
manager down) need to be at the top of the squid http_access lines to
have any effect.

NP: If "deny CONNECT !SSL_Ports" blocks your xchat just add " !xchat" at
the end of it.

> http_access deny all

> icp_access allow iguane
> icp_access allow heaven
> icp_access allow zongo
> icp_access allow margoullat
> icp_access allow livebox

Again, combining these machines into a single ACL will let you use it here
too in a nice and short way.

> icp_access deny ALL

Might be worth changing the case on that one ;-)

> http_port 192.168.1.7:3128

And here Squid is ONLY listening on the public IP address of its
machine. If you only have one network card you can safely remove the IP
address part of that line.

> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> quick_abort_pct 95
> negative_ttl 2 minutes
> request_header_max_size 12 KB
> request_header_max_size 12 KB
> request_body_max_size 0 KB # 0=nolimit
> via off
> cache_vary off
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> refresh_stale_hit 5 seconds
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
> header_access From deny all
> header_access Referer deny all
> header_access Server deny all
> header_access User-Agent deny all
> header_access WWW-Authenticate deny all

Huh? You never want to login anywhere external?

> header_access Link deny all
> forward_timeout 2 minutes
> cache_mgr penguindeb@gmail.com
> htcp_port 4827
> cache_peer cache.orange.fr parent 3128 3130 default no-query
> hosts_file /etc/hosts
> append_domain .macitos.fr
> memory_pools_limit 50 MB
> forwarded_for off
> client_db off
> reload_into_ims on
> coredump_dir /var/spool/squid
>

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Tue Feb 05 2008 - 04:28:34 MST
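The access-control section of the quoted squid.conf, reassembled according to the points Amos raises in the reply above (safety controls first, one ACL for the LAN hosts, the bare `allow CONNECT xchat` replaced by an `!xchat` exception, `deny all` in lower case, no IP on `http_port`). This is an added example, not text from Amos or the original poster; the ACL name `lan` and its membership, assembled from the host addresses the poster listed, are assumptions.

```conf
# Added example: reordered access section built from the quoted config
# and the reply's comments. The "lan" ACL and its member list are
# assumptions drawn from the per-host ACLs in the original post.

### ACCESS CONTROLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 280 488 591 777 631 873 901
acl Safe_ports port 1025-65535        # unregistered ports (covers 6667 and 1863)
acl purge method PURGE
acl CONNECT method CONNECT
acl xchat port 6667 1863

# One ACL for every machine allowed to use the proxy, replacing the
# separate iguane/heaven/zongo/margoullat/livebox ACLs and keeping the
# http_access and icp_access lists in step.
acl lan src 192.168.1.1 192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.8 192.168.1.10 127.0.0.1

# Safety controls first: http_access is first-match, so an allow placed
# above these would let requests past them.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
# CONNECT is limited to the SSL ports, with the IRC/MSN ports as the
# exception Amos suggests; the unconditional "allow CONNECT xchat" is gone,
# so CONNECT to 6667/1863 is only reached by the "allow lan" line below.
http_access deny CONNECT !SSL_ports !xchat
# Caveat: this line also refuses CONNECT requests whose destination is in
# 127.0.0.0/8, which a proxied "/server 127.0.0.1" from XChat would be.
http_access deny to_localhost

# Then the permitted clients, then everything else is denied.
http_access allow localhost
http_access allow lan
http_access deny all

icp_access allow lan
icp_access deny all

### NETWORK OPTIONS
# No address given: Squid listens on every interface, 127.0.0.1 included,
# which is what the reply recommends for a single-NIC machine.
http_port 3128
```

`squid -k parse` reads the file and reports syntax problems without starting the daemon, which is a cheap way to check a reordered section before reloading.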
