[squid-users] TCP_DENIED/403 on raspberrypi

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 3 23:47:49 UTC 2016

NOTE: please don't use fancy quoting when posting through the Nabble
interface. It erases the critical information about your problem from
any other copy of the list:

On 3/12/2016 9:30 a.m., domshyra wrote:
> So I have changed the file to a sample conf file. Here is what it looks like
> now
> authenticated_ips is a list of ip addresses that are going to be outgoing
> ips and isn't part of it. I have received a new 403 error which
> is this below
> is my macbook which is SSH'd into the raspberry pi 

There is the root cause of your problem. http_access matches the Squid
*incoming* traffic. The requests arriving into Squid from clients.

Outgoing traffic of a Squid (and thus its outgoing IP(s)) should never
be sent back into that Squid. That would be a loop in the traffic.

Your access.log says:

The client (src) of the requests is

The destination is the server port 19536.

(PS. why are you logging proxy traffic in web-server format anyway? web
servers do not have two TCP connections to deal with like proxies)

So like I said earlier:
> Starting from the default config file you should only have to add the
> 19536 port to SSL_ports and replace localnet ACL with your
> authenticated_ips thing.
> Just be extra paranoid about adding ports to SSL_Ports. Be sure you know
> that the protocol(s!) being used over that port are safe. Squid does not
> have any control or insight into what's happening over a CONNECT tunnel
> once it's permitted.

1) Set your http_access lines to be this (notice that it is the default

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager
 http_access allow localnet
 http_access allow localhost
 http_access deny all

2) Since your client is using 192.168.* the localnet ACL should be reset
to the below:

 #acl localnet src    # RFC1918 possible internal network
 #acl localnet src # RFC1918 possible internal network
 acl localnet src        # RFC1918 possible internal network
 acl localnet src fc00::/7       # RFC 4193 local private network range
 acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

3) Figure out what the strange port 19536 is about. If you actually want
that to happen then add the below to your squid.conf:

 # your reason for adding this port goes here.
 acl SSL_ports port 19536
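As an added illustration (not part of this thread), the following Python models Squid's first-match evaluation of the http_access lines from step 1, so you can see which line denies the MacBook's CONNECT before and after steps 2 and 3. The ACL contents are constructed: Safe_ports is Squid's default list, 192.168.0.0/16 stands in for the localnet line of step 2, 192.168.1.50 is an invented client address, and the manager ACL is simplified to a cache_object:// prefix check.

```python
import ipaddress

# Constructed ACL definitions (not the poster's real squid.conf).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

def build_acls(localnet_cidrs, ssl_ports):
    """Return named ACL predicates over a request dict (src, method, port, url)."""
    localnet = [ipaddress.ip_network(c) for c in localnet_cidrs]
    loopback = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

    def in_any(ip, nets):  # version mismatch (v4 vs v6) simply yields False
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return {
        "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
        "SSL_ports": lambda r: r["port"] in ssl_ports,
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "localhost": lambda r: in_any(r["src"], loopback),
        "localnet": lambda r: in_any(r["src"], localnet),
        "manager": lambda r: r["url"].startswith("cache_object://"),  # simplified
        "all": lambda r: True,
    }

# The http_access lines from step 1, in order. Squid walks them top to bottom;
# the first line whose ACLs all match decides, and '!' negates one ACL.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def http_access(acls, request):
    """Return (verdict, matching line number, rule text) for one request."""
    for lineno, (action, terms) in enumerate(HTTP_ACCESS, 1):
        matched = True
        for term in terms:
            negate = term.startswith("!")
            hit = acls[term.lstrip("!")](request)
            if hit == negate:  # ACL failed to match (or matched but was negated)
                matched = False
                break
        if matched:
            return action, lineno, f"http_access {action} {' '.join(terms)}"
    # No line matched: Squid applies the opposite of the last line's action.
    last = HTTP_ACCESS[-1][0]
    return ("allow" if last == "deny" else "deny"), None, "implicit default"

# Constructed request: the MacBook on the LAN tunnelling to the odd port.
MAC_CONNECT = {"src": "192.168.1.50", "method": "CONNECT", "port": 19536, "url": "example.org:19536"}

if __name__ == "__main__":
    print(http_access(build_acls([], {443}), MAC_CONNECT))                        # denied, line 2
    print(http_access(build_acls(["192.168.0.0/16"], {443, 19536}), MAC_CONNECT))  # allowed, line 5
```

With an empty localnet and 19536 missing from SSL_ports the tunnel is refused by line 2; adding the port alone moves the refusal to the final "deny all", and only restoring localnet lets line 5 allow it.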
