[squid-users] Error accessing the 403 page

Alex Samad alex at samad.com.au
Sat Jan 2 00:19:14 UTC 2016


On 2 January 2016 at 09:22, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 2016-01-01 23:28, Alex Samad wrote:
>>
>> Hi
>>
>> I installed 3.5.12 and when I try to get to a page that is blocked, I
>> used to get a message page that said contact the admin person.
>>
>> trying to get to
>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>
>>
>> This is part of the error generated
>> The following error was encountered while trying to retrieve the URL:
>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>
>> alcdmz1 is the proxy server
>>
>> I seem to have blocked access to all error messages. Not sure how, as
>> I haven't made any changes except upgrading to .12 from .11.
>
>
> We fixed the Host header output on CONNECT requests to cache_peer between
> those versions. That is likely the reason it has started being visible.

Sorry, not sure how that is related to this.

>
> The above URL is just an icon being served up by your Squid as part of the
> page display. The main error page text should have been sent as the body of
> the original 403 message itself.
>

agree

> Your http_access rules are the things rejecting it. Note that it contains
> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) which
> your proxy machine is configured to announce publicly as its contain domain
> / FQDN.
>

The original URL was bcp.crwdcntrl.net:80; the page I got back
included the text
http://alcdmz1:3128/squid-internal-static/icons/SN.png


> The squid service needs to be publicly accessible at that domain:port that
> it is advertising as its public FQDN for this icon request to succeed. That
> means making the server hostname, or visible_hostname something that clients
> can access directly - and unique_hostname the private internal name the
> Squid instance uses to distinguish itself from other peers on the proxy
> farm.

So they can connect to alcdmz1:3128.



Config:
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 20 startup=0 idle=3
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 20 startup=0 idle=3
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
acl localnet src 10.3.8.0/24
acl localnet_auth src 10.1.0.0/14
acl localnet_auth src 10.2.0.0/16
acl localnet_auth src 10.2.2.1/32
acl localnet_guest src 10.1.22.0/24
acl localnet_appproxy src 10.172.23.3/32
acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
acl FTP proto FTP
acl DMZSRV src 10.3.2.110
acl DMZSRV src 10.3.2.111
always_direct allow FTP
always_direct allow DMZSRV
ftp_passive off
ftp_epsv_all off
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl icp_allowed src 10.3.2.110/32
acl icp_allowed src 10.3.2.111/32
acl icp_allowed src 10.172.23.0/32
acl icp_allowed src 10.172.23.4/32
http_access allow manager localhost
http_access allow manager icp_allowed
http_access deny manager
http_access allow icp_allowed
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localnet_appproxy
http_access deny !localnet_auth
http_access allow localnet_guest sblYBOveride
http_access deny localnet_guest sblMal
http_access deny localnet_guest sblPorn
http_access allow localnet_guest
http_access allow nonAuthSrc
http_access allow nonAuthDom
http_access allow sblYBOveride FTP
http_access allow sblYBOveride AuthorizedUsers
http_access deny sblMal
http_access deny sblPorn
http_access allow FTP
http_access allow AuthorizedUsers
http_access deny all
http_port 3128
http_port 8080
cache_mem 40960 MB
cache_mgr operations.manager at abc.com
cache_dir aufs /var/spool/squid 550000 16 256
coredump_dir /var/spool/squid
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query standby=10
icp_port 0
icp_access allow icp_allowed
icp_access deny all
htcp_port 4827
htcp_access allow icp_allowed
htcp_access deny all
acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
cache deny nonCacheDom
acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
cache deny nonCacheURL
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp allow all
ipcache_size 10240
forwarded_for delete
cache_swap_low 90
cache_swap_high 95
log_icp_queries off
icap_preview_enable on
icap_preview_size 1024
httpd_suppress_version_string on
max_filedesc 8192



I'm not sure what I have to allow.

So if I understand rightly:
client makes a request for http://bcp.crwdcntrl.net/
squid sends back a 403

client gets response text that includes a link to
http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png from this
code:
background: url('/squid-internal-static/icons/SN.png') no-repeat left;

browser / client makes a request for
http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png

squid returns 403 ...

Which ACL or access_allow do I need to allow this?

Thanks
Alex
>
> Amos
>

