Re: [squid-users] can't access site fna.gov.co:8081

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 29 Apr 2011 03:05:06 +1200

On 29/04/11 00:49, Eliezer Croitoru wrote:
> On 27/04/2011 22:53, Oscar Andrés Eraso Moncayo wrote:
>
>> Hi,
>>
>> squid.conf:
>> ******************************************************************************************************************
>>
>> http_port 127.0.0.1:3030
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>>
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>>
>> cache_mem 1024 MB
>> cache_dir ufs /var/spool/squid 4096 16 256
>> access_log /var/log/squid/access.log squid
>> authenticate_ip_ttl 1 hours
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl localhost src 127.0.0.1/255.255.255.255
>> #acl msn_messenger req_mime_type -i ^application/x-msn-messenger$
>> #acl msn_url url_regex -i gateway.dll
> Add these lines here:
>
> acl fnagov dstdomain .fna.gov.co
> acl fnagovport port 8081
> # add the next line if it doesn't exist already
> acl CONNECT method CONNECT
> # remember that the next line must be above any deny rule that is
> # related to one of the ACLs that are in the rule.
> http_access allow all fnagov CONNECT fnagovport
>
> should give you what you need.
>
> Regards
> Eliezer
>

I would be a bit surprised if it did. It is technically right, but...

To fetch through a proxy on 127.0.0.1:3030 one must use the source IP
127.0.0.1 to do so.

He already has:
  acl localhost src 127.0.0.1/255.255.255.255
  ...
  http_access allow localhost

Which is an open proxy for any requests made by the same machine as the
proxy.

I would guess the 403 was coming from the remote server, but with
CONNECT and no cache_peer that seems not possible either.

It looks suspiciously like there is more config hidden away somewhere.
Or the log comes from some other proxy. Or the log detail (403) is
corrupt data in the tunnel state.

>> http_access allow localhost
>> #http_access deny msn_messenger
>> #http_access deny msn_method msn_url
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> error_directory /usr/share/squid/errors/Spanish
>> client_db off
>> log_fqdn off
>> *******************************************************************************************************************************
>>
>> Best regards,
>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Thu Apr 28 2011 - 15:05:12 MDT
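
The rule-order point in the reply above, as an added example that is not part of the original thread: a small Python model of how http_access picks the first rule whose ACLs all match, run over the posted rules and the suggested extra rule. The request dictionaries, the 192.0.2.10 address and the helper names are constructed for illustration; only the ACL types used in the thread are modelled.

```python
import ipaddress

# ACL definitions copied from the thread's squid.conf lines.
ACLS = {
    "all":        ("src", "0.0.0.0/0"),
    "localhost":  ("src", "127.0.0.1/32"),
    "fnagov":     ("dstdomain", ".fna.gov.co"),
    "fnagovport": ("port", 8081),
    "CONNECT":    ("method", "CONNECT"),
}

def acl_matches(name, req):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value)
    if kind == "dstdomain":
        # A leading dot matches the domain itself and any subdomain.
        host = req["host"].lower()
        return host == value[1:] or host.endswith(value)
    if kind == "port":
        return req["port"] == value
    if kind == "method":
        return req["method"] == value
    raise ValueError(f"unmodelled ACL type: {kind}")

def http_access(rules, req):
    """Return (action, rule) for the first rule whose ACLs ALL match."""
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action, f"http_access {action} {' '.join(names)}"
    if not rules:
        return "deny", "(no http_access rules)"
    # No rule matched: Squid applies the opposite of the last rule.
    flipped = "allow" if rules[-1][0] == "deny" else "deny"
    return flipped, "(default: opposite of last rule)"

# Rules as posted, then with the suggested rule placed above them.
POSTED = [("allow", ["localhost"]), ("deny", ["all"])]
SUGGESTED = [("allow", ["all", "fnagov", "CONNECT", "fnagovport"])] + POSTED

# Constructed requests. The listener is 127.0.0.1:3030, so only LOCAL can
# actually reach this proxy; OTHER shows what the new rule would change.
LOCAL = {"src": "127.0.0.1", "method": "CONNECT",
         "host": "fna.gov.co", "port": 8081}
OTHER = dict(LOCAL, src="192.0.2.10")

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("suggested", SUGGESTED)):
        for who, req in (("local", LOCAL), ("other", OTHER)):
            print(label, who, *http_access(rules, req))
```

For the local client the verdict is "allow" under both rule sets, so the posted rules alone do not account for a 403 on this request.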
