<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Rounded MT Bold";
panose-1:2 15 7 4 3 5 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:24.0pt;
font-family:"Times New Roman",serif;
font-weight:bold;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Times New Roman",serif;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Times New Roman",serif;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Times New Roman",serif;
font-weight:bold;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-GB>I’m testing Squid 4.1 and my proxy is showing TCP_DENIED when fetching certificates like this:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>1531425362.414 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>1531425364.299 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>If I’m not wrong, Amos wrote that there is a special directive or ACL to allow these, since they are not originating from a client IP src address.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Also, when I’m trying to access <a href="https://bugs.squid-cache.org/">https://bugs.squid-cache.org/</a> with SSL-BUMP on, I am receiving the following page:<o:p></o:p></span></p><h1><span style='font-family:"Verdana",sans-serif;color:black'>ERROR<o:p></o:p></span></h1><h2><span style='font-family:"Verdana",sans-serif;color:black'>The requested URL could not be retrieved<o:p></o:p></span></h2><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade style='color:#1E1E1E' align=center></div><p style='background:white'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'>The following error was 
encountered while trying to retrieve the URL: <a href="https://bugs.squid-cache.org/*">https://bugs.squid-cache.org/*</a><o:p></o:p></span></p><p style='background:white'><b><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'>Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.</span></b><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'><o:p></o:p></span></p><p style='background:white' id=sysmsg><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'>The system returned: <i>(101) Network is unreachable</i><o:p></o:p></span></p><p style='background:white'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'>The remote host or network may be down. Please try the request again.<o:p></o:p></span></p><p style='background:white'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CONNECT_FAIL&body=CacheHost%3A%20squid4-testing%0D%0AErrPage%3A%20ERR_CONNECT_FAIL%0D%0AErr%3A%20(101)%20Network%20is%20unreachable%0D%0ATimeStamp%3A%20Thu,%2012%20Jul%202018%2020%3A01%3A40%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.0.28%0D%0AServerIP%3A%20bugs.squid-cache.org%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%20HTTP%2F1.1%0AProxy-Connection%3A%20keep-alive%0D%0AUser-Agent%3A%20Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML,%20like%20Gecko)%20Chrome%2F67.0.3396.99%20Safari%2F537.36%0D%0AHost%3A%20bugs.squid-cache.org%3A443%0D%0A%0D%0A%0D%0A">webmaster</a>.<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'><o:p> </o:p></span></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade style='color:#1E1E1E' align=center></div><p><span style='font-size:7.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E'>Generated 
Thu, 12 Jul 2018 20:01:40 GMT by squid4-testing (squid/4.1)<o:p></o:p></span></p><p class=MsoNormal>##END OF PAGE<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>With these access log lines:<o:p></o:p></p><p class=MsoNormal>1531425990.290 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.291 000355 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.294 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.295 000359 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.299 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/index.cgi - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.304 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p 
class=MsoNormal>1531425990.305 000365 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.307 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.307 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.307 000372 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.307 000368 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.339 000000 10.0.0.28 NONE/503 4117 GET http://squid4-testing:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal>1531425990.374 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/favicon.ico - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" 
Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So the issue is a bit strange: is the remote IP the issue, or is it another thing?<o:p></o:p></p><p class=MsoNormal>I looked at the archives and also the docs, and from what I managed to verify, the following resolves both issues, which are tangled with each other:<o:p></o:p></p><p class=MsoNormal>## START squid.conf addition<o:p></o:p></p><p class=MsoNormal>acl internal transaction_initiator internal<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># Deny requests to certain unsafe ports<o:p></o:p></p><p class=MsoNormal>http_access deny !Safe_ports<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># Deny CONNECT to other than secure SSL ports<o:p></o:p></p><p class=MsoNormal>http_access deny CONNECT !SSL_ports<o:p></o:p></p><p class=MsoNormal>http_access allow internal<o:p></o:p></p><p class=MsoNormal><span lang=EN-GB>## END squid.conf addition<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB><a href="http://www.squid-cache.org/Versions/v4/cfgman/acl.html">http://www.squid-cache.org/Versions/v4/cfgman/acl.html</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>It clarifies that there is a new type of ACL named “</span>transaction_initiator” which does a couple of good things.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am not sure, but it seems to me that a wiki page is missing regarding this issue.<br>I can try to write one if no one else will sit on it in the next month.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All The Bests,<o:p></o:p></p><p class=MsoNormal>Eliezer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span 
style='font-family:"Arial Rounded MT Bold",sans-serif'>----<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial Rounded MT Bold",sans-serif'><a href="http://ngtech.co.il/lmgtfy/">Eliezer Croitoru</a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: eliezer@ngtech.co.il<o:p></o:p></span></p><p class=MsoNormal><img border=0 width=183 height=69 id="Picture_x0020_1" src="cid:image002.png@01D41A36.7D787730"><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
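Added example, not code from the post above or from the Squid project: a short Python script that reads the access.log lines Eliezer pasted and separates the two things tangled together in them, Squid's own certificate fetches (client address logged as "-") that http_access denied with TCP_DENIED/403, and the bumped https:// client requests that then failed with a 503. It also checks a squid.conf fragment for an unconditional `http_access allow` of a `transaction_initiator` ACL placed before any `http_access deny all`, since rule order is what decides whether the fix takes effect. Assumptions: the parser reads only the leading standard fields of the poster's custom logformat and ignores the trailing Q-CC/REP-* fields; the initiator names `internal`, `certificate-fetching` and `all` are taken from the Squid 4 acl documentation linked in the post; the sample log lines and the conf fragment are copied from the post itself.

```python
"""Find Squid-initiated fetches that http_access denied, and check that a
squid.conf fragment admits them through a transaction_initiator ACL.

Added example; not code from the original post or from the Squid project.
When Squid 4 validates a bumped server's certificate chain it may fetch a
missing intermediate certificate itself. That transaction has no client
address (logged as "-"), so an http_access ruleset built only around 'src'
ACLs denies it with TCP_DENIED/403 and the bumped client request fails.
Log lines and conf fragment below are copied from the post (constructed
sample input for this script); only the leading standard fields of the
custom logformat are parsed, the trailing Q-CC/REP-* fields are ignored.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = """\
1531425990.290 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.291 000355 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00 REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.299 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/index.cgi - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"
1531425362.414 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
"""

# The poster's squid.conf addition, verbatim.
POSTER_CONF = """\
acl internal transaction_initiator internal

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access allow internal
"""

# time elapsed client code/status bytes method URL user hierarchy/peer ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
)


@dataclass
class Entry:
    ts: float
    client: str
    code: str
    status: int
    method: str
    url: str


def parse_log(text: str) -> List[Entry]:
    """Parse access.log records; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append(Entry(float(m["ts"]), m["client"], m["code"],
                             int(m["status"]), m["method"], m["url"]))
    return out


def is_squid_initiated(e: Entry) -> bool:
    """No client address: Squid itself, not a client, started the transaction."""
    return e.client == "-"


def denied_internal_fetches(entries: List[Entry]) -> Counter:
    """URLs Squid tried to fetch for itself that http_access rejected."""
    return Counter(e.url for e in entries
                   if is_squid_initiated(e) and e.code.startswith("TCP_DENIED"))


def failed_bumped_requests(entries: List[Entry]) -> List[str]:
    """Client-side symptom: bumped https:// requests answered with a 503."""
    return [e.url for e in entries if e.url.startswith("https://") and e.status == 503]


# Initiator names covering Squid's own certificate fetches (Squid 4 acl docs).
INTERNAL_INITIATORS = {"internal", "certificate-fetching", "all"}
ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+transaction_initiator\s+(.+)$")
ALLOW_RE = re.compile(r"^\s*http_access\s+allow\s+(\S+)\s*$")  # single-ACL allow only
DENY_ALL_RE = re.compile(r"^\s*http_access\s+deny\s+all\s*$")


def conf_allows_internal(conf: str) -> bool:
    """True if an unconditional 'http_access allow <acl>' admitting Squid's own
    fetches appears before any 'http_access deny all' (rule order matters)."""
    internal_acls = set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = ACL_RE.match(line)
        a = ALLOW_RE.match(line)
        if m and INTERNAL_INITIATORS & set(m.group(2).split()):
            internal_acls.add(m.group(1))
        elif a and a.group(1) in internal_acls:
            return True
        elif DENY_ALL_RE.match(line):
            return False
    return False


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for url, n in denied_internal_fetches(entries).items():
        print(f"denied internal fetch x{n}: {url}")
    for url in failed_bumped_requests(entries):
        print(f"bumped request failed: {url}")
    print("conf admits internal fetches:", conf_allows_internal(POSTER_CONF))
```

Run it against a real access.log by replacing `SAMPLE_LOG` with the file contents; any URL reported by `denied_internal_fetches` is one Squid needed for chain validation and could not get, and `conf_allows_internal` returning False on your squid.conf means the `transaction_initiator` allow is either missing or placed after a `deny all`, where it never matches.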