[squid-users] TCP_DENIED/403 on raspberrypi
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 1 23:46:51 UTC 2016
On 2/12/2016 4:36 a.m., domshyra wrote:
> Hello. I have looked for countless hours to solve this problem.
> I have tried reordering the config file so that
> are all in different orders
>
> I've messed with http_access deny !Safe_ports
>
> None of the regular troubleshooting issues helped.
> I am on wifi on the pi with a static ip address, and I have tried explicitly
> adding that as well
>
Try:
<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>
You have mentioned quite a few things being tried, but where in the config you
put the changes matters a lot to determine whether an attempt works or not.
<snip>
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #acl localnet src 192.168.1.39/24 #home wifi
You removed the default "http_access allow localnet" line that uses this
ACL check to let traffic through.
<snip>
>
> # SAFE PORTS
> acl SSL_ports port 443 494 2598
<snip>
> acl Safe_ports port 1025-65535 # unregistered ports
> acl CONNECT method CONNECT
> never_direct allow all
>
So Squid is never allowed to connect to any server ... Um.
> acl authenticated_ips src "/etc/squid3/ip_auth"
>
> # HTTP ACCESS
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow authenticated_ips
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access deny all
> htcp_access deny all
<snip>
> pi at raspberrypi:~ $ sudo tail -F /var/log/squid3/access.log
> 1480315313.153 1 192.168.1.25 TCP_DENIED/403 3637 CONNECT 127.0.0.1:19536 - HIER_NONE/- text/html
Read through the http_access ACL checks top-down left-to-right ...
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow authenticated_ips
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
These 403 transactions are:
*not* cache manager requests, next
*not* cache manager requests, next
*are* to a port listed in Safe_ports, next
Is 192.168.1.25 or a subnet containing it listed in the file
/etc/squid3/ip_auth ?
Was it listed there when you started or last reconfigured Squid?
Starting from the default config file you should only have to add the
19536 port to SSL_ports and replace localnet ACL with your
authenticated_ips thing.
Just be extra paranoid about adding ports to SSL_Ports. Be sure you know
that the protocol(s!) being used over that port are safe. Squid does not
have any control or insight into what's happening over a CONNECT tunnel
once it's permitted.
Amos
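As an added illustration (not part of Amos's reply and not Squid's own code), a small Python model of the top-down, left-to-right http_access walk described above, run against the posted rules and the quoted access.log line. The contents of /etc/squid3/ip_auth and the Safe_ports entries lost to the <snip> are assumptions; only the 1025-65535 entry is kept.

```python
import ipaddress

def src(*nets):
    """acl NAME src ...: client address inside any listed network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)

def port(*specs):
    """acl NAME port ...: destination port equal to a value or inside a lo-hi range."""
    ranges = []
    for s in specs:
        lo, _, hi = str(s).partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda r: any(lo <= r["port"] <= hi for lo, hi in ranges)

def make_acls(ip_auth, ssl_ports=(443, 494, 2598)):
    """ACLs as posted. ip_auth stands in for /etc/squid3/ip_auth (assumed
    contents); Safe_ports keeps only the entry that survived the <snip>."""
    return {
        "manager": lambda r: r.get("manager", False),
        "localhost": src("127.0.0.0/8"),
        "SSL_ports": port(*ssl_ports),
        "Safe_ports": port("1025-65535"),
        "authenticated_ips": src(*ip_auth),
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "all": lambda r: True,
    }

HTTP_ACCESS = [  # the http_access lines from the posted squid.conf, in order
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("allow", ["authenticated_ips"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def http_access(request, acls, rules=HTTP_ACCESS):
    """Every ACL on a line must match ('!' negates); the first matching line
    decides. With no match, Squid applies the opposite of the last line."""
    for i, (action, tokens) in enumerate(rules):
        if all(acls[t.lstrip("!")](request) != t.startswith("!") for t in tokens):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# The denied transaction from the quoted access.log line (constructed dict).
REQUEST = {"src": "192.168.1.25", "port": 19536, "method": "CONNECT"}
```

With an empty ip_auth the request falls through to line 5 (`deny CONNECT !SSL_ports`) and is denied; listing 192.168.1.25 in ip_auth makes line 4 allow it, while adding 19536 to SSL_ports alone only moves the denial to the final `deny all`, which is why both changes Amos lists are needed.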