Re: [squid-users] Access Denied with transparent mode on FreeBSD

From: Guy Helmer <guy.helmer_at_palisadesystems.com>
Date: Thu, 24 Jan 2013 08:54:47 -0600

On Jan 24, 2013, at 2:41 AM, iain <expat.iain_at_gmail.com> wrote:

> FreeBSD 9.1 installation with Squid installed from ports and using
> transparent mode results in "Access Denied" messages when trying to
> browse regular HTTP.
>
> Log files fill up with:
>
> *** LOGFILE ***
> 1359013451.945 0 XXX.XXX.XXX.25 TCP_MISS/403 4272 GET
> http://www.facebook.com/ - HIER_NONE/- text/html
> 1359013451.946 139 XXX.XXX.XXX.137 TCP_MISS/403 4369 GET
> http://www.facebook.com/ - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> 1359013451.966 0 XXX.XXX.XXX.25 TCP_MISS/403 4071 GET
> http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> 1359013451.967 1 XXX.XXX.XXX.137 TCP_MISS/403 4168 GET
> http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/XXX.XXX.XXX.25
> text/html
> 1359013451.992 0 XXX.XXX.XXX.25 TCP_MISS/403 4179 GET
> http://www.facebook.com/favicon.ico - HIER_NONE/- text/html
> 1359013451.992 1 XXX.XXX.XXX.137 TCP_MISS/403 4276 GET
> http://www.facebook.com/favicon.ico - HIER_DIRECT/XXX.XXX.XXX.25 text/html
> *** END ***
>
> Squid.conf file is:
>
> *** SQUID.CONF ***
> visible_hostname XXXXXXXXXXXXXXXXXXXXX
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> machines
> acl localnet src XXXX:XXXX:ffff::/48 # More IPv6 ...
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl cacti src XXX.XXX.0.154/32
> acl snmpstats snmp_community tainROcacti
> acl sliema_net_fine src XXX.XXX.0.0/25
> acl sliema_net_core src XXX.XXX.0.128/25
> acl sliema_net_gnet src XXX.XXX.1.0/25
> acl sliema_net_norm src XXX.XXX.1.128/25
> acl topsites dstdomain "/usr/local/etc/squid/squid-topsites.text"
> acl youtube dstdomain .youtube.com
> acl youtube dstdomain .youtu.be
> acl youtube dstdomain .googlevideo.com
> acl cdners dstdomain .akamai.com
> acl cdners dstdomain .llnwd.net
> acl facebook dstdomain .facebook.com
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_norm
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_fine
> tcp_outgoing_address XXX.XXX.XXX.25 sliema_net_core
> snmp_port 3401
> snmp_access allow snmpstats cacti
> snmp_access deny all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128 intercept
> http_port 80
> cache_dir ufs /var/squid/cache/squid 100 16 256
> cache_mem 256 MB
> coredump_dir /var/squid/cache/squid
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
> 432000
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
> 43200 90% 432000
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern -i youtube.com/.* 43200 90% 432000
> refresh_pattern -i youtu.be/.* 43200 90% 432000
> refresh_pattern -i ytimg.com/.* 43200 90% 432000
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> *** END ***
>
> And squid compile options are:
>
> *** SQUID VERSION ***
> Squid Cache: Version 3.2.6
> configure options:
> '--with-default-user=squid'
> '--bindir=/usr/local/sbin'
> '--sbindir=/usr/local/sbin'
> '--datadir=/usr/local/etc/squid'
> '--libexecdir=/usr/local/libexec/squid'
> '--localstatedir=/var/squid'
> '--sysconfdir=/usr/local/etc/squid'
> '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--enable-auth'
> '--enable-build-info'
> '--enable-loadable-modules'
> '--enable-removal-policies=lru heap'
> '--disable-epoll'
> '--disable-linux-netfilter'
> '--disable-linux-tproxy'
> '--disable-translation'
> '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS
> fake getpwnam'
> '--enable-auth-digest=file'
> '--enable-external-acl-helpers=file_userip unix_group'
> '--enable-auth-negotiate=none'
> '--enable-auth-ntlm=fake smb_lm'
> '--enable-storeio=diskd rock ufs aufs'
> '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads'
> '--enable-log-daemon-helpers=file'
> '--enable-url-rewrite-helpers=fake'
> '--enable-icmp'
> '--enable-htcp'
> '--disable-forw-via-db'
> '--disable-cache-digests'
> '--enable-wccp'
> '--enable-wccpv2'
> '--disable-eui'
> '--enable-ipfw-transparent'
> '--enable-pf-transparent'
> '--enable-ipf-transparent'
> '--disable-follow-x-forwarded-for'
> '--enable-ecap'
> '--disable-icap-client'
> '--disable-esi'
> '--enable-kqueue'
> '--prefix=/usr/local'
> '--mandir=/usr/local/man'
> '--infodir=/usr/local/info/'
> '--build=amd64-portbld-freebsd9.1'
> 'build_alias=amd64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe
> -I/usr/local/include -fno-strict-aliasing' 'LDFLAGS= -pthread
> -L/usr/local/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe
> -I/usr/local/include -fno-strict-aliasing' 'CPP=cpp'
> 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
> *** END ***
>
> This is basically a working 2.7 installation config that has been moved
> onto a 3.2 box with some minor tweaks in the new config.
>
> Any help appreciated.
>
> Iain.

I'm using squid-3.2 and squid-3.3.0.3 (with a patch to fix communication with local helpers) on FreeBSD-8.3 with HTTP and HTTPS interception via ipfw, and they are working OK. I don't have PF or IPF transparent enabled, though.

If you enable debug_options 28,9 or ALL,9, can you see in cache.log what ACL is causing the requests to be denied?

Guy
Received on Thu Jan 24 2013 - 14:55:04 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 24 2013 - 12:00:04 MST