[squid-users] unknown source IP in access.log

Antony Stone Antony.Stone at squid.open.source.it
Wed Dec 14 19:11:46 UTC 2016

On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:

> Thanks for your reply.
> Here’s the config file: http://pastebin.com/DNDacy6M

Where is this file located on your system?  The answer to this question is 
needed further down my reply.

I've skipped some bits to make my reply clearer...

> acl localnet src # RFC1918 possible internal network
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access allow CONNECT localnet numeric_IPs Skype_UA

Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard 
to accept that this really is the squid.conf file you're using:

a) if it allows connections from IPs such as

b) if it allows *anything* to CONNECT.

Please do one of the following:

1. Run "squid -k parse" and make sure it returns no errors, then introduce a 
deliberate error to your squid.conf file (such as mis-spelling "deny" or 
similar) and run "squid -k parse" again to make sure it reads the file you 
think it is using, and reports the error (then undo the mistake again).

2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the 
location on your system where your config file lives (as asked above).  Assuming 
this returns no errors, again (as in suggestion 1) introduce a deliberate 
error, re-run "squid -f /path/to/your/squid.conf -k parse" and make sure it 
picks up on the error.

I find it hard to believe that the squid.conf you showed can produce the 
results you report.

Please also post the output of "find / -name squid.conf" on your machine.

> Dovecot used its default ports:
> 110: pop
> 143: imap
> 995: pop3s
> 993: imaps
> Postfix SMTP 587

Okay, so nothing to do with Squid, then.  I just wondered whether it might 
have a web interface.



> On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:
>> On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
>>> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
>>> source IPs. All those IPs seem to be originated from China. In my config
>>> file I deny all but local net IPs
>> I suggest you show us your squid.conf (without comments or blank lines)
>> because you do not seem to have achieved restricting source IPs as
>> intended.
>>> Here is a sample of the log:
>>> TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/ application/multipart-formdata 1481728036.461 595
>>> TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/ application/multipart-formdata 1481728036.993 749
>>> TCP_MISS/502 3806 GET - HIER_DIRECT/ text/html 1481728040.312 0
>>> I am worried about spam…
>> I would not call this spam - I would call it "people trying to abuse your
>> proxy".
>>> is this normal?
>> It is normal that they try.  It is not normal that your access control
>> rules allow them to get this far.
>>> if not, how can I know what is accessing squid and stop it.
>> You don't care what is accessing it - you only care that it's coming from
>> the outside, and that should not be allowed.  Either or both of your Squid
>> ACLs and your firewall rules need to be reviewed.
>>> NOTE: this server has a small iRedMail server installed on it.
>> What port/s does that listen on?  Is it intended to be externally
>> accessible?


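The rule ordering quoted above is the crux of the thread, so here is an added example (not from this list post nor from Squid itself) that models http_access evaluation in Python for exactly that rule list: it shows an outside client like the logged ones landing on "deny all", a LAN client being allowed, and the final CONNECT line being unreachable. The ACL definitions (localnet as RFC1918, the stock Safe_ports/SSL_ports, and approximated manager/numeric_IPs/Skype_UA) are assumptions because the post elides or omits them, and the sample clients are constructed.

```python
import ipaddress
# Added model of Squid's http_access evaluation: lines are tried in order, a
# line matches only if every ACL on it matches ("!" negates), first match wins.
# The rule list mirrors the quoted squid.conf; the ACL definitions are
# assumptions (RFC1918 localnet, stock ports, approximated numeric_IPs/Skype_UA).
LOCALNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777}  # plus 1025-65535
SSL_PORTS = {443}
HTTP_ACCESS = [  # (action, ACL names), in the order quoted in the thread
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
    ("allow", ["CONNECT", "localnet", "numeric_IPs", "Skype_UA"]),
]

def acl_matches(name, req):
    # req is a constructed dict: src, method, host, port, optional user_agent
    src = ipaddress.ip_address(req["src"])
    return {
        "all": True,
        "localnet": any(src in net for net in LOCALNET),
        "localhost": src.is_loopback,
        "Safe_ports": req["port"] in SAFE_PORTS or req["port"] >= 1025,
        "SSL_ports": req["port"] in SSL_PORTS,
        "CONNECT": req["method"] == "CONNECT",
        "manager": req["host"] == "cache_object",               # assumption
        "numeric_IPs": req["host"].replace(".", "").isdigit(),  # assumption
        "Skype_UA": req.get("user_agent", "").lower().startswith("skype"),  # assumption
    }[name]

def http_access(req):
    # Returns (action, rule text) for the first matching http_access line.
    for action, acls in HTTP_ACCESS:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action, action + " " + " ".join(acls)
    last = HTTP_ACCESS[-1][0]  # no match: Squid applies the opposite of the last line
    return ("deny" if last == "allow" else "allow"), "(implicit default)"

def unreachable_rules():
    # Lines after an unconditional "deny all"/"allow all" can never fire.
    idx = next((i for i, (_, acls) in enumerate(HTTP_ACCESS) if acls == ["all"]), len(HTTP_ACCESS))
    return [a + " " + " ".join(x) for a, x in HTTP_ACCESS[idx + 1:]]

OUTSIDE = {"src": "203.0.113.7", "method": "POST", "host": "online.huya.com", "port": 80}  # constructed outside client
LAN = {"src": "192.168.1.20", "method": "CONNECT", "host": "1.2.3.4", "port": 443, "user_agent": "Skype"}  # constructed LAN client
print(http_access(OUTSIDE), http_access(LAN), unreachable_rules())
```

If a request from an outside address shows up in access.log with a 200 as in the quoted sample, this model says the quoted rules cannot have been the ones in effect, which is exactly why the "squid -k parse" check against a deliberately broken file matters.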