Re: [squid-users] Allow MSN messenger

On Tue, 08 Feb 2011 19:22:26 +0100, David Touzeau wrote:
> Dear i Use squid 3.1.10 and i would like to allow MSN messenger pass
> trough squid
>

NOTE: the default squid configuration allows it through without problems.

> According wikis i did this :

Which wiki? Not the Squid one which only lists how to block MSN due to the
default mentioned above.

>
> # Permit MSN
> acl MSN_ports port 1863 443 1503
> acl MSN_domains
> dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com
> .passport.com
> acl MSN_hosts dstdomain messenger.hotmail.com
> acl MSN_nets dst 207.46.111.0/255.255.255.0

acl MSN_nets dst 207.46.111.0/24

NP: I'm not sure that is really needed. My clients have not had any
problems using MSN and Live etc with the default setup allowing them out by
IP and login.

> acl MSN_methods method CONNECT
>
>
> http_access allow MSN_methods MSN_ports MSN_hosts
> http_access allow MSN_methods MSN_ports MSN_domains

"messenger.hotmail.com" is part of ".hotmail.com" so this second rule is
not needed, nor is the MSN_domains ACL.

> http_access allow MSN_methods MSN_ports MSN_net
>
> But MSN still did want to connect with these errors:
>
> 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST
> http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
> 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST
> http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
> 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST
> http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
> 1662 TCP_MISS:DIRECT
>
> Where i'm wrong ??

None of the rules you posted above have any relation to the port 80 POST
requests in your log. They are all paired with CONNECT so apply only on
HTTPS traffic and also only on ports 1863, 443, 1503.

Check the location you placed those rules and your http_access config
logic as a whole.

Amos
Received on Tue Feb 08 2011 - 23:55:25 MST