[squid-users] TCP_DENIED/403 on raspberrypi
squid3 at treenet.co.nz
Sat Dec 3 23:47:49 UTC 2016
NOTE: please dont use fancy quoting when posting through the Nabble
interface. It erases the critical information about your problem from
any other copy of the list:
On 3/12/2016 9:30 a.m., domshyra wrote:
> So I have changed the file to a sample conf file. Here is what it looks like
> authenticated_ips is a list of ip addresses that are going to be outgoing
> ips and 192.168.1.25 isn't part of it. I have received a new 403 error which
> is this below
> 192.168.1.25 is my macbook which is SSH'd into the raspberry pi
There is the root cause of your problem. http_access matches the Squid
*incoming* traffic. The requests arriving into Squid from clients.
Outgoing traffic of a Squid (and thus its outgoing IP(s)) should never
be sent back into that Squid. That would be a loop in the traffic.
Your access.log says:
The client (src) of the requests is 192.168.1.25.
The destination is the server 127.0.0.1 port 19536.
(PS. why are you logging proxy traffic in web-server format anyway? web
servers do not have two TCP connections to deal with like proxies)
So like I said earlier:
> Starting from the default config file you should only have to add the
> 19536 port to SSL_ports and replace localnet ACL with your
> authenticated_ips thing.
> Just be extra paranoid about adding ports to SSL_Ports. Be sure you know
> that the protocol(s!) being used over that port are safe. Squid does not
> have any control or insight into whats happening over a CONNECT tunnel
> once its permitted.
1) Set your http_access lines to be this (notice that it is the default
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE ...
http_access allow localnet
http_access allow localhost
http_access deny all
2) Since your client is using 192.168.* the localnet ACL should be reset
to the below:
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
3) Figure out what the strange port 19536 is about. If you actually want
that to happen then add the below to your squid.conf:
# your reason for adding this port goes here.
acl SSL_ports port 19536
More information about the squid-users