[squid-users] TCP_DENIED/407 CONNECT www,evernote.com:443

Hi All,

I have some Mac clients/services that require internet via my Squid. Two such programs are Evernote and VMWare. Both are requesting access and both are being denied. The errors I see in the access.log are as follows and nothing else:

268234226.935 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT www.evernote.com:443 - NONE/- text/html
1268234226.938 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT www.evernote.com:443 - NONE/- text/html
1268234228.667 0 172.16.0.38 TCP_DENIED/407 2134 CONNECT softwareupdate.vmware.com:443 - NONE/- text/html

I've tried all sorts of the acls (browser, dstdomain, IP) but I still get denied. Even http_access allow all doesn't work.

Thanks in advance,

Nick
==

My configuration is as follows:

http_port 172.16.10.195:8080
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 40
cache_peer [upstream ISP proxy] parent 8080 7 no-query no-digest no-netdb-exchange login=*

visible_hostname VHSQUID1.[my domain]
dns_nameservers 172.16.10.52 172.16.10.53 172.16.40.20

# Total number of delay pools
delay_pools 1

## LOGGING SWITCHES
log_fqdn on

## LOG LOCATIONS
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log squid
useragent_log /var/log/squid/useragent.log squid

#### ACCESS CONTROL LISTS #####
## USER-AGENT (Browser-type) ACLs
acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_ITUNES.txt"

## URL DESTINATION ACLs

## USER AUTHENTICATION ACLs
acl AuthenticatedUsers proxy_auth REQUIRED
acl BandwidthUserExceptions proxy_auth_regex -i "/etc/squid/ACL/BANDWIDTH/BANDWIDTH_NOLIMIT_USER.txt"

## LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
acl DoNotAuthenticateIP src "/etc/squid/ACL/IPADDRESSES/IP_NOAUTH.txt"

## LOCALHOST ACLs
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

## QUERY ACLs
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache

## SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdomain "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
acl SENDDIRECT_Users proxy_auth_regex -i "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_USERS.txt"
acl SENDDIRECT_IPAddresses src "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"

## BLACKLISTED (Deny) ACLs
acl BLACKLIST_DstDomains dstdomain "/etc/squid/ACL/BLACKLIST/BLACKLIST_DSTDOMAINS.txt"
acl BLACKLIST_Users proxy_auth_regex -i "/etc/squid/ACL/BLACKLIST/BLACKLIST_USERS.txt"
acl BLACKLIST_IPAddresses src "/etc/squid/ACL/BLACKLIST/BLACKLIST_IPADDRESSES.txt"

## FILE TYPE ACLs
acl FILEEXT_EXE urlpath_regex .exe$
acl FILEEXT_EXE_Users proxy_auth_regex -i "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWUSERS.txt"
acl FILEEXT_EXE_DstDomains dstdomain "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWDSTDOMAINS.txt"
acl FILEEXT_EXE_IPAddresses src "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWIPADDRESSES.txt"

## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP

# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST

###### ACCESS RULES #####

### GLOBAL BLACKLIST RULES ###
http_access deny BLACKLIST_Users
http_access deny BLACKLIST_IPAddresses
http_access deny BLACKLIST_DstDomains
############################

## FILE EXTENSIONS
http_reply_access deny FILEEXT_EXE !FILEEXT_EXE_Users !FILEEXT_EXE_IPAddresses !FILEEXT_EXE_DstDomains

# USER AGENTS #
http_access allow iTunes
http_access allow Java_jvm

# URL DESTINATIONS

## SEND DIRECT ALLOW
always_direct allow SENDDIRECT_Users
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses

## POST and CONNECT ALLOW ##
http_access allow POST
http_access allow CONNECT

## USERS ACL ALLOW ##
# Emergency Allow All unhash this for instant access to all without authentication
#http_access allow all
http_access allow DoNotAuthenticateIP
http_access allow AuthenticatedUsers
http_reply_access allow AuthenticatedUsers

## LOCAL HOST ALLOW ##
http_access allow localhost

###### DELAY ACCESS RULES ######
# First delay class pool is User allocated
delay_class 1 4

# First delay class pool is limited to 4mb i.e. all users not in exceptions
delay_parameters 1 -1/-1 -1/-1 -1/-1 4000000/4000000

#First delay pool applied to Authenticated users except those in !BandwidthUserExceptions and !ServerSubnets
delay_access 1 allow AuthenticatedUsers !BandwidthUserExceptions !SERVERSUBNETS
delay_access 1 deny all

###### CATCH ALL DENY ######
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny 172SUBNETS
cache deny 172SUBNETS
cache deny QUERY
snmp_access deny 172SUBNETS

** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900
Received on Wed Mar 10 2010 - 15:53:17 MST