Re: [squid-users] Chat Apps getting blocked

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 22 Apr 2008 18:56:30 +1200

g f wrote:
>
>
>
>
>
>
>
>
>
>
>

They are all run

So the ...
http_access

... does not stop
later ACL check.

http_access

... which matches
in SSL_Ports)

Amos

>
> Thanks.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Amos
> --
>
>
>

 -- Please use Squid

Received

This message:

Next message:

Maybe in

Next in

This archive was : Thu May 01 2008 - 12:00:04 MDT I have a question about your reply: http_access deny CONNECT !SSL_ports Shouldnt this deny access to all but SSL_ports 443 and 563? but wouldnt this: acl Safe_ports port 1025-65535 # unregistered ports http_access deny !Safe_ports allow access on port 5222 (normally default xmpp port). I am curious if I understand the acls properly. top-to-bottom with first-match-wins. deny !Safe_ports port 5222 access, merely lets it continue down to a Which in this case is ... deny CONNECT !SSL_Ports and denies it (CONNECT is being done and 5222 is not On Mon, Apr 21, 2008 at 8:13 AM, Amos Jeffries <squid3@treenet.co.nz <mailto:squid3@treenet.co.nz>> wrote: Odhiambo Washington wrote: Hello List, I copycat(ed) a squid.conf from this list a few days ago and did minimal config mods just to allow my network to use it. It works great with youtube caching, but stranegly, it blocks MSN/Yahoo chats, but I sincerely cannot see where this is happening. The file can be access from the following URL: https://212.22.160.35/~wash/squid.conf.txt <https://212.22.160.35/%7Ewash/squid.conf.txt> (I use a self-signed certificate, so please just accept it) I get the following in the access log: 1208510066.248 7255 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.110.28:1863 <http://207.46.110.28:1863> - NONE/- text/html 1208510066.726 7850 192.168.0.150 <http://192.168.0.150> TCP_DENIED/403 1422 CONNECT 207.46.110.89:1863 <http://207.46.110.89:1863> - NONE/- text/html 1208510100.571 847 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.110.94:1863 <http://207.46.110.94:1863> - NONE/- text/html 1208510119.339 28 192.168.0.150 <http://192.168.0.150> TCP_DENIED/403 1422 CONNECT 207.46.110.94:1863 <http://207.46.110.94:1863> - NONE/- text/html 1208510173.114 853 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.108.13:1863 <http://207.46.108.13:1863> - NONE/- text/html 1208510216.270 668 192.168.0.150 <http://192.168.0.150> TCP_DENIED/403 1422 CONNECT 207.46.108.85:1863 <http://207.46.108.85:1863> - NONE/- text/html 1208510300.314 852 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.108.97:1863 <http://207.46.108.97:1863> - NONE/- text/html 1208510347.723 853 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.108.86:1863 <http://207.46.108.86:1863> - NONE/- text/html 1208510371.584 823 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.108.66:1863 <http://207.46.108.66:1863> - NONE/- text/html 1208510408.981 20 192.168.0.150 <http://192.168.0.150> TCP_DENIED/403 1422 CONNECT 207.46.108.97:1863 <http://207.46.108.97:1863> - NONE/- text/html 1208510413.535 1673 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1422 CONNECT 207.46.108.93:1863 <http://207.46.108.93:1863> - NONE/- text/html 1208510488.270 19 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1438 CONNECT messenger.hotmail.com:1863 <http://messenger.hotmail.com:1863> - NONE/- text/html 1208510609.843 0 192.168.0.117 <http://192.168.0.117> TCP_DENIED/403 1426 CONNECT talk.google.com:5222 <http://talk.google.com:5222> - NONE/- text/html 1208510609.844 0 192.168.0.117 <http://192.168.0.117> TCP_DENIED/403 1430 CONNECT scs.msg.yahoo.com:5050 <http://scs.msg.yahoo.com:5050> - NONE/- text/html 1208510616.495 0 192.168.0.117 <http://192.168.0.117> TCP_DENIED/403 1426 CONNECT talk.google.com:5222 <http://talk.google.com:5222> - NONE/- text/html 1208510617.057 1 192.168.0.117 <http://192.168.0.117> TCP_DENIED/403 1430 CONNECT scs.msg.yahoo.com:5050 <http://scs.msg.yahoo.com:5050> - NONE/- text/html 1208510637.734 20 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1438 CONNECT messenger.hotmail.com:1863 <http://messenger.hotmail.com:1863> - NONE/- text/html 1208510643.865 31 192.168.0.106 <http://192.168.0.106> TCP_DENIED/403 1438 CONNECT messenger.hotmail.com:1863 <http://messenger.hotmail.com:1863> - NONE/- text/html 1208510676.014 0 192.168.0.117 <http://192.168.0.117> TCP_DENIED/403 1430 CONNECT scs.msg.yahoo.com:5050 <http://scs.msg.yahoo.com:5050> - NONE/- text/html <snip> Where in the acls is this coming from? You have: http_access deny CONNECT !SSL_ports If you really want to allow the chat programs out, then you will need to add an acl for their domain/ports and allow CONNECT for them. Please use Squid 2.6.STABLE19 or 3.0.STABLE4 2.6.STABLE19 or 3.0.STABLE4 on Tue Apr 22 2008 - 13:11:00 MDT name="navbarfoot" title="Related messages"> [ Message body ] Julien MARY: "[squid-users] IP-to-Country csv file and conditionnal relay." message: Henrik Nordstrom: "Re: [squid-users] Problem with Restarted Squid Stable 2.6_19 Add" reply to: Amos Jeffries: "Re: [squid-users] Chat Apps getting blocked" thread: Chris Robertson: "Re: [squid-users] Chat Apps getting blocked" id="options2">Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ] generated by hypermail 2.2.0