Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 22 Nov 2012 16:19:17 +0200

Next time, just clean the file first to make it more readable.
Use the command:
cat squid.conf | sed 's/^[[:space:]]*//' | sed 's/^#.*//' | sed '/^$/d'

##start
http_port 127.0.0.1:8080 intercept
http_port 172.18.0.1:8080 intercept
hierarchy_stoplist cgi-bin ? php asp
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 100 MB
cache_dir ufs /usr/local/squid/cache 1024 16 256
cache_store_log none
access_log /usr/local/squid/logs/access.log squid
logfile_rotate 2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl localnet src 172.18.0.1-172.18.0.254
#try to change this into
acl localnet src 172.18.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 591 # filemaker
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
#remove these if you want to remove something
visible_hostname ZZZZ
cache_mgr YYY
buffered_logs on
coredump_dir /usr/local/squid/cache
##end

It seems to me like a forward proxy, and the only reason I can think of
for it not to work is:
Missing credentials-related settings.
With the current config file, squid only allows users with specific SRC
IPs, which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24.
Also, you didn't post the access.log output for the request, but it seems
like you have one missing ACL.

What are the IPFW rules for interception?

Eliezer

On 11/22/2012 3:39 PM, Leslie Jensen wrote:
>
>
> Amos Jeffries wrote 2012-11-22 13:24:
>> On 23/11/2012 12:28 a.m., Leslie Jensen wrote:
>>>
>>>
>>> Pavel Bychykhin wrote 2012-11-22 12:15:
>>>>
>>>>
>>>> 22.11.2012 12:14, Leslie Jensen wrote:
>>>>> Hi list.
>>>>>
>>>>> I just upgraded Squid from 3.1 to 3.2 on my Freebsd version 8.3
>>>>>
>>>>> In my squid.conf I had the following lines that I got complaints from
>>>>> when starting squid after the upgrade.
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> Define access control lists
>>>>> # acl all is defined by default in version 3.0 STABLE
>>>>>
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32
>>>>> acl to_localhost dst 127.0.0.0/8
>>>>> --------------------------------------------------------------------
>>>>
>>>> You should remove all 3 entries from squid.conf, as they are all
>>>> predefined in squid 3.2
>>>>
>>>
>>> As I wrote, I did so but the users now get the error I described.
>>>
>>
>> ACCESS_DENIED is an explicit ACL rejection. Your configuration details,
>> as well as that domain name and client IP you elided are important to
>> track this down.
>>
>> Also, are you using a forward proxy?
>> interception proxy? (how?)
>> reverse proxy?
>> or a mixture of the above?
>>
>> Amos
>
>
> Sorry about that. With squid working with my conf file at version 3.1
> but not 3.2 I didn't realise that the domain name would be important.
>
> Here's my config file attached and the complete error message.
>
>
> CacheHost: dentista01.no-ip.org
> ErrPage: ERR_ACCESS_DENIED
> Err: [none]
> TimeStamp: Wed, 21 Nov 2012 07:47:59 GMT
>
> ClientIP: 172.18.0.1
>
> HTTP Request:
> GET / HTTP/1.1
> Host: www.praktikertjanst.se
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101
> Firefox/16.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Cookie: CP=null*; Vizzit=pn1180RxoESjRcHErLVI3Q==:1328713777
> Via: 1.1 dentista01.no-ip.org (squid/3.2.3)
> X-Forwarded-For: 172.18.0.101
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> Thanks
>
> /Leslie
>
>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Thu Nov 22 2012 - 14:19:35 MST
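
Added example, not part of the original thread: a small first-match evaluator for the acl/http_access lines of the config posted above, to see which line decides a given request. It models only the src, port, method and proto ACL types; the request fields (a dict with src, port, method, proto) and port 80 for the reported request are assumptions of this sketch.

```python
import ipaddress
# Constructed input: the acl/http_access lines of the config posted above.
CONF = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 172.18.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 591 # filemaker
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
"""
def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # "all" is built in
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:  # repeated names accumulate values (OR)
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_match(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":  # single port "80" or range "1025-65535"
        spans = [(v.split("-") * 2)[:2] for v in values]
        return any(int(lo) <= req["port"] <= int(hi) for lo, hi in spans)
    return req[kind] in values  # method, proto: exact match

def http_access(conf, req):
    acls, rules = parse(conf)
    for n, (action, names) in enumerate(rules, 1):  # first matching line wins
        if all(acl_match(*acls[x.lstrip("!")], req) != x.startswith("!") for x in names):
            return action, n  # ACLs on one line are ANDed, "!" negates
    return "deny", None  # simplification; unreachable with a final "deny all"
```

For the request in the error page (ClientIP 172.18.0.1, GET, port 80 assumed) this returns allow at the eighth http_access line, within what this sketch models.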
