[squid-users] Error accessing the 403 page

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 2 01:23:48 UTC 2016


On 2016-01-02 13:19, Alex Samad wrote:
> On 2 January 2016 at 09:22, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 2016-01-01 23:28, Alex Samad wrote:
>>> 
>>> Hi
>>> 
>>> I installed 3.5.12 and when I try and get to a page that is blocked. 
>>> I
>>> used to get an message page that said contact the admin person.
>>> 
>>> trying to get to
>>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>> 
>>> 
>>> This is part of the error generated
>>> The following error was encountered while trying to retrieve the URL:
>>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>> 
>>> alcdmz1 is the proxy server
>>> 
>>> I seemed to have blocked access to all error messages. not sure how 
>>> as
>>> I haven't made any changes except upgrading to .12 from .11
>> 
>> 
>> We fixed the Host header output on CONNECT requests to cache_peer 
>> between
>> those versions. That is likely the reason it has started being 
>> visible.
> 
> Sorry not sure how that is related to this.

It is the only Squid change between those versions that seems related to 
the issue.

> 
>> 
>> The above URL is just an icon being served up by your Squid as part of 
>> the
>> page display. The main error page text should have been sent as the 
>> body of
>> the original 403 message itself.
>> 
> 
> agree
> 
>> Your http_access rules are the things rejecting it. Note that it 
>> contains
>> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) 
>> which
>> your proxy machine is configured to announce publicly as its contain 
>> domain
>> / FQDN.
>> 
> 
> The original url was bcp.crwdcntrl.net:80, the page I got back
> included the text
> http://alcdmz1:3128/squid-internal-static/icons/SN.png
> 
> 
>> The squid service needs to be publicly accessible at that domain:port 
>> that
>> it is advertising as its public FQDN for this icon request to succeed. 
>> That
>> means making the server hostname, or visible_hostname something that 
>> clients
>> can access directly - and unique_hostname the private internal name 
>> the
>> Squid instance uses to distinguish itself from other peers on the 
>> proxy
>> farm.
> 
> so they can connect to alcdmz1:3128
> 
> 
> 
> conf
> auth_param negotiate program /usr/bin/ntlm_auth
> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 20 startup=0 idle=3
> auth_param negotiate keep_alive on
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --configfile
> /etc/samba/smb.conf-squid
> auth_param ntlm children 20 startup=0 idle=3
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --configfile
> /etc/samba/smb.conf-squid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
> acl localnet src 10.3.8.0/24
> acl localnet_auth src 10.1.0.0/14
> acl localnet_auth src 10.2.0.0/16
> acl localnet_auth src 10.2.2.1/32

NP: 10.1.0.0/14 contains and matches all of 10.2.*.*, therefore the 
other localnet_auth entries are all redundant and can be removed.

(squid -k parse should be warning you about that)


> acl localnet_guest src 10.1.22.0/24
> acl localnet_appproxy src 10.172.23.3/32

NP: localnet and localnet_appproxy are both of the same type and both 
only used to allow http_access within the same block of allows.

You should simplify by adding 10.172.23.3 to the localnet definition and 
drop localnet_appproxy entirely.

> acl sblYBOveride dstdomain -i 
> "/etc/squid/lists/yb-nonsquidblacklist.acl"
> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
> acl FTP proto FTP
> acl DMZSRV src 10.3.2.110
> acl DMZSRV src 10.3.2.111
> always_direct allow FTP
> always_direct allow DMZSRV
> ftp_passive off
> ftp_epsv_all off
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https

Aha. You have restricted the Safe_ports to exclude 3128. Thus 
"http://alcdmz1:3128/..." are rejected even if the remote client could 
resolve domains within the TLD "alcdmz1".


> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl icp_allowed src 10.3.2.110/32
> acl icp_allowed src 10.3.2.111/32
> acl icp_allowed src 10.172.23.0/32
> acl icp_allowed src 10.172.23.4/32

NP: you do not need to put /32 on IPv4 addresses.

> http_access allow manager localhost
> http_access allow manager icp_allowed
> http_access deny manager
> http_access allow icp_allowed

All the manager and icp_allowed stuff above should be down ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

  ... here.

I would also restructure the manager tests as:
   http_access allow icp_allowed
   http_access allow localhost
   http_access deny manager

... which avoids repeated checking of the (relatively) slow regex 
manager ACL, and allows removal of the lines checking "allow localhost" 
and "allow icp_allowed".


> http_access allow localnet
> http_access allow localhost
> http_access allow localnet_appproxy
> http_access deny !localnet_auth
> http_access allow localnet_guest sblYBOveride
> http_access deny localnet_guest sblMal
> http_access deny localnet_guest sblPorn
> http_access allow localnet_guest
> http_access allow nonAuthSrc
> http_access allow nonAuthDom

Instead of repeating allows for FTP and Authorized users twice you could 
replace all these:

> http_access allow sblYBOveride FTP
> http_access allow sblYBOveride AuthorizedUsers
> http_access deny sblMal
> http_access deny sblPorn

... with these:
> http_access deny !sblYBOveride sblMal
> http_access deny !sblYBOveride sblPorn


> http_access allow FTP
> http_access allow AuthorizedUsers
> http_access deny all
> http_port 3128
> http_port 8080
> cache_mem 40960 MB
> cache_mgr operations.manager at abc.com
> cache_dir aufs /var/spool/squid 550000 16 256
> coredump_dir /var/spool/squid
> range_offset_limit 200 MB
> maximum_object_size 200 MB
> quick_abort_min -1
> refresh_pattern -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
> 43200 reload-into-ims
> refresh_pattern -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320
> 80% 43200 reload-into-ims
> refresh_pattern -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
> 43200 reload-into-ims
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query 
> standby=10
> icp_port 0
> icp_access allow icp_allowed
> icp_access deny all
> htcp_port 4827
> htcp_access allow icp_allowed
> htcp_access deny all
> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
> cache deny nonCacheDom
> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
> cache deny nonCacheURL
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_service service_req reqmod_precache bypass=1
> icap://127.0.0.1:1344/srv_clamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1
> icap://127.0.0.1:1344/srv_clamav
> adaptation_access service_resp allow all
> ipcache_size 10240
> forwarded_for delete
> cache_swap_low 90
> cache_swap_high 95
> log_icp_queries off
> icap_preview_enable on
> icap_preview_size 1024
> httpd_suppress_version_string on
> max_filedesc 8192
> 
> 
> 
> I'm not sure what I have to allow
> 
> So if I understand rightly
> client makes request for http://bcp.crwdcntrl.net/
> squid sends back a 403
> 
> client gets response text that includes a link to
> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png from this
> code
> background: url('/squid-internal-static/icons/SN.png') no-repeat left;
> 
> browser / client make request for
> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
> 
> squid returns 403 ..
> 
> which ACL or access_allow do I need to allow this.

Either add 3128 back into your Safe_ports ACL, or add an ACL 
"urlpath_regex ^/squid-internal-static/" and permit requests that match 
it.

The second way is better because it should allow the 
"http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png" request to 
succeed, which is both faster and avoids the proxy hostname:port 
exposure.

Amos
