Re: [squid-users] TCP_DENIED/407 CONNECT www.evernote.com:443

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Mar 2010 11:32:04 +1300

On Wed, 10 Mar 2010 15:51:18 +0000, Nick Cairncross
<Nick.Cairncross_at_condenast.co.uk> wrote:
> Hi All,
>
> I have some Mac clients/services that require internet via my Squid. Two
> such programs are Evernote and VMWare. Both are requesting access and
> both
> are being denied. The errors I see in the access.log are as follows and
> nothing else:
>
> 1268234226.935 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT
> www.evernote.com:443 - NONE/- text/html
> 1268234226.938 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT
> www.evernote.com:443 - NONE/- text/html
> 1268234228.667 0 172.16.0.38 TCP_DENIED/407 2134 CONNECT
> softwareupdate.vmware.com:443 - NONE/- text/html
>
> I've tried all sorts of the acls (browser, dstdomain, IP) but I still
> get
> denied. Even http_access allow all doesn't work.

Something in your config requires authentication.

>
> Thanks in advance,
>
> Nick
> ==
>
> My configuration is as follows:
>
...
> #### ACCESS CONTROL LISTS #####
> ## USER-AGENT (Browser-type) ACLs
> acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
> acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_ITUNES.txt"
>
> ## URL DESTINATION ACLs
>
> ## USER AUTHENTICATION ACLs
> acl AuthenticatedUsers proxy_auth REQUIRED
> acl BandwidthUserExceptions proxy_auth_regex -i
> "/etc/squid/ACL/BANDWIDTH/BANDWIDTH_NOLIMIT_USER.txt"
>
> ## LAN IP ACLs
> acl 172SUBNETS src 172.16.0.0/255.255.0.0
> acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
> acl DoNotAuthenticateIP src "/etc/squid/ACL/IPADDRESSES/IP_NOAUTH.txt"
>
> ## LOCALHOST ACLs
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> ## QUERY ACLs
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
>
> ## SEND DIRECT ACLs
> acl SENDDIRECT_DstDomains dstdomain
> "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
> acl SENDDIRECT_Users proxy_auth_regex -i
> "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_USERS.txt"
> acl SENDDIRECT_IPAddresses src
> "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"
>
> ## BLACKLISTED (Deny) ACLs
> acl BLACKLIST_DstDomains dstdomain
> "/etc/squid/ACL/BLACKLIST/BLACKLIST_DSTDOMAINS.txt"
> acl BLACKLIST_Users proxy_auth_regex -i
> "/etc/squid/ACL/BLACKLIST/BLACKLIST_USERS.txt"
> acl BLACKLIST_IPAddresses src
> "/etc/squid/ACL/BLACKLIST/BLACKLIST_IPADDRESSES.txt"
>
> ## FILE TYPE ACLs
> acl FILEEXT_EXE urlpath_regex .exe$
> acl FILEEXT_EXE_Users proxy_auth_regex -i
> "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWUSERS.txt"
> acl FILEEXT_EXE_DstDomains dstdomain
> "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWDSTDOMAINS.txt"
> acl FILEEXT_EXE_IPAddresses src
> "/etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWIPADDRESSES.txt"
>
...
> # CONNECTION METHOD ACL
> acl CONNECT method CONNECT
> acl POST method POST
>
> ###### ACCESS RULES #####
>
> ### GLOBAL BLACKLIST RULES ###
> http_access deny BLACKLIST_Users

The above rule requires login to work. It will challenge.

> http_access deny BLACKLIST_IPAddresses
> http_access deny BLACKLIST_DstDomains
> ############################
>
...
> # USER AGENTS #
> http_access allow iTunes
> http_access allow Java_jvm
>
> # URL DESTINATIONS
...
> ## POST and CONNECT ALLOW ##
> http_access allow POST

Why is POST being allowed unrestricted? I think there might be some
additional restrictions you want to add there. Perhaps the LAN IP range or
something.

> http_access allow CONNECT

I really do recommend "deny CONNECT !SSL_ports" to prevent malicious or
infected clients abusing things. Malware can do login too.

>
> ## USERS ACL ALLOW ##
> # Emergency Allow All unhash this for instant access to all without
> authentication
> #http_access allow all
> http_access allow DoNotAuthenticateIP
> http_access allow AuthenticatedUsers
> http_reply_access allow AuthenticatedUsers
>
> ## LOCAL HOST ALLOW ##
> http_access allow localhost
>
...
> ###### CATCH ALL DENY ######
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost

The above are not catch-all. They are basic security foundations/blanket
that need to be checked as early as possible to prevent major causes of
abuse.

> http_access deny 172SUBNETS

The real catch-all is this:
  http_access deny all

Amos
Received on Wed Mar 10 2010 - 22:32:08 MST
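The point Amos makes (a user-based deny placed first challenges every client, and a client that never answers a 407 is therefore stuck, while blanket denies like "deny CONNECT !SSL_ports" belong before any allow) can be checked with a small first-match evaluator. The following is an added example written for this archive page, not Squid's code and not anything from the thread. It models one Squid behaviour as an assumption: when an http_access rule consults an authentication ACL (proxy_auth, proxy_auth_regex) for a request with no Proxy-Authorization header, evaluation stops and the client gets a 407 challenge. The ACL contents (the "^guest" blacklist regex, ".example.invalid", and 172.16.0.38 being listed in IP_NOAUTH.txt) are constructed for illustration, since the poster's list files are not on the page; Safe_ports and SSL_ports use the squid.conf defaults.

```python
"""Toy first-match evaluator for Squid http_access rules (added example,
not Squid's own code). Models one behaviour this thread turns on: a rule
that consults an authentication ACL for a request without credentials
terminates evaluation with a 407 challenge (logged as TCP_DENIED/407).
A client that never retries with credentials never gets past such a rule,
whatever a later 'allow' says."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

AUTH_KINDS = {"proxy_auth", "proxy_auth_regex"}
ACLS = {}  # name -> (kind, values)


@dataclass
class Request:
    src: str
    method: str
    host: str
    port: int
    user: Optional[str] = None  # None: no Proxy-Authorization header was sent


def acl(name, kind, *values):
    ACLS[name] = (kind, values)


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req.src) in ip_network(v) for v in values)
    if kind == "dstdomain":  # leading dot: the domain and all its subdomains
        return any((req.host == v[1:] or req.host.endswith(v)) if v.startswith(".")
                   else req.host == v for v in values)
    if kind == "method":
        return req.method in values
    if kind == "port":  # plain ints or (low, high) ranges
        return any(req.port == v if isinstance(v, int) else v[0] <= req.port <= v[1]
                   for v in values)
    if kind == "proxy_auth":  # REQUIRED: any successfully authenticated user
        return req.user is not None
    if kind == "proxy_auth_regex":
        return any(re.search(v, req.user, re.IGNORECASE) for v in values)
    raise ValueError(f"unknown ACL type {kind}")


def evaluate(rules, req):
    """rules: list of (action, [acl names, '!' prefix negates]) in file order.
    Returns 'ALLOW', 'DENY', or 'TCP_DENIED/407' (credentials challenged)."""
    for action, tokens in rules:
        matched = True
        for tok in tokens:
            negate, name = tok.startswith("!"), tok.lstrip("!")
            if name == "all":
                hit = True
            else:
                if ACLS[name][0] in AUTH_KINDS and req.user is None:
                    return "TCP_DENIED/407"  # challenge; later rules are never consulted
                hit = acl_matches(name, req)
            if hit == negate:  # this term failed, move on to the next rule
                matched = False
                break
        if matched:
            return "ALLOW" if action == "allow" else "DENY"
    # Squid's default when nothing matched: the opposite of the last rule's action.
    return "DENY" if rules[-1][0] == "allow" else "ALLOW"


# ACL definitions (constructed; list-file contents are assumptions)
acl("Safe_ports", "port", 80, 21, 443, 70, 210, (1025, 65535), 280, 488, 591, 777)
acl("SSL_ports", "port", 443)
acl("CONNECT", "method", "CONNECT")
acl("DoNotAuthenticateIP", "src", "172.16.0.38/32")  # assumed: the Mac added to IP_NOAUTH.txt
acl("AuthenticatedUsers", "proxy_auth", "REQUIRED")
acl("BLACKLIST_Users", "proxy_auth_regex", "^guest")
acl("BLACKLIST_DstDomains", "dstdomain", ".example.invalid")

# Rule order as posted (only the rules that matter for the logged requests).
POSTED_ORDER = [
    ("deny", ["BLACKLIST_Users"]),
    ("deny", ["BLACKLIST_DstDomains"]),
    ("allow", ["CONNECT"]),
    ("allow", ["DoNotAuthenticateIP"]),
    ("allow", ["AuthenticatedUsers"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
]

# Order following the advice in the reply: blanket security denies first, then
# IP-based exemptions, and only then rules that consult authentication.
REORDERED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["BLACKLIST_DstDomains"]),
    ("allow", ["DoNotAuthenticateIP"]),
    ("deny", ["BLACKLIST_Users"]),
    ("allow", ["AuthenticatedUsers"]),
    ("deny", ["all"]),
]

# Constructed requests: the logged CONNECT with no credentials, the same from a
# host not exempted, and a logged-in user tunnelling to a non-SSL port.
EVERNOTE = Request("172.16.0.38", "CONNECT", "www.evernote.com", 443)
EVERNOTE_OTHER_HOST = Request("172.16.0.39", "CONNECT", "www.evernote.com", 443)
FTP_TUNNEL = Request("172.16.0.39", "CONNECT", "ftp.example.org", 21, user="alice")

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_ORDER), ("reordered", REORDERED)):
        for req in (EVERNOTE, EVERNOTE_OTHER_HOST, FTP_TUNNEL):
            print(f"{label:9} {req.method} {req.host}:{req.port} user={req.user}: "
                  f"{evaluate(rules, req)}")
```

Running it shows the posted order answering the Evernote CONNECT with TCP_DENIED/407 before any IP rule is reached, and allowing an authenticated user to CONNECT to port 21; the reordered list lets the exempted IP through without a challenge, still challenges a non-exempt host (which a browser would answer), and denies the port-21 tunnel even with a valid login.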

This archive was generated by hypermail 2.2.0 : Thu Mar 11 2010 - 12:00:06 MST