[squid-users] squid-users Digest, Vol 29, Issue 26

anand anand at visolve.com
Thu Jan 12 05:22:05 UTC 2017 

Hello Alex,

Please confirm the proxy is configured for parent/sibling proxy ?, if 
not please remove following lines from the squid conf.

"never_direct allow all"

"icp_access deny all"

If the issue raises again, kindly share your updated/current squid conf files in mailing list.

Thanks,
Anand P

On 1/12/2017 6:09 AM, squid-users-request at lists.squid-cache.org wrote:
> Send squid-users mailing list submissions to
> 	squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
> 	squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
> 	squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>     1. TCP 403 Denied on new squid build out (roadrage27)
>     2. Re: squid-users Digest, Vol 29, Issue 21 (Vidyadhish Joshi)
>     3. Re: TCP 403 Denied on new squid build out (Matus UHLAR - fantomas)
>     4. Re: TCP 403 Denied on new squid build out (roadrage27)
>     5. Re: TCP 403 Denied on new squid build out (Matus UHLAR - fantomas)
>     6. Re: TCP 403 Denied on new squid build out (roadrage27)
>     7. Re: Transparent Proxy in AWS (Jason Haar)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 11 Jan 2017 08:32:49 -0800 (PST)
> From: roadrage27 <alex.tate at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] TCP 403 Denied on new squid build out
> Message-ID: <1484152369267-4681127.post at n4.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
> Built out Squid 3.5 on ubuntu 14.04  logs showing 403 denied when accessing
> any resources, any help is appreciated
>
> here is my conf file for reference.
>
>
> acl localhost src 127.0.0.1/32
>
> acl to_localhost dst 127.0.0.0/8
>
> acl localnet src 0.0.0.0/8 10.145.68.0/24
>
> acl myip src 10.145.68.148/32
>
> acl to_localnet dst 10.145.68.0/24
>
> acl search_engines dstdomain .yahoo.com .google.com
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80          # http
>
> acl Safe_ports port 21          # ftp
>
> acl Safe_ports port 443         # https
>
> acl Safe_ports port 70          # gopher
>
> acl Safe_ports port 210         # wais
>
> acl Safe_ports port 1025-65535  # unregistered ports
>
> acl Safe_ports port 280         # http-mgmt
>
> acl Safe_ports port 488         # gss-http
>
> acl Safe_ports port 591         # filemaker
>
> acl Safe_ports port 777         # multiling http
>
>   
>
> acl CONNECT method CONNECT
>
> never_direct allow all
>
> http_access allow search_engines
>
> http_access allow manager localhost
>
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access allow localnet
>
> http_access allow to_localnet
>
> http_access allow myip
>
> http_access allow all
>
> http_access deny to_localhost
>
> icp_access deny all
>
> http_access deny all
>
>   
>
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
>
> access_log /var/log/squid3/access.log squid
>
>   
>
>   
>
> #Suggested default:
>
> refresh_pattern ^ftp:           1440    20%     10080
>
> refresh_pattern ^gopher:        1440    0%      1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> refresh_pattern .               0       20%     4320
>
> # Leave coredumps in the first cache dir
>
> coredump_dir /var/spool/squid3
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-403-Denied-on-new-squid-build-out-tp4681127.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 11 Jan 2017 22:26:19 +0530
> From: Vidyadhish Joshi <vvjoshi5 at gmail.com>
> To: Amos Jeffries <squid3 at treenet.co.nz>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid-users Digest, Vol 29, Issue 21
> Message-ID:
> 	<CAMRD5gR=NyYyNNg07pJp1zsc9UCnFSN6REMGO9CSrxkcdreaPg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thank s a lot , Amos
>
> I will try these things
>
> On 11-Jan-2017 9:22 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:
>
>> On 12/01/2017 3:55 a.m., Vidyadhish Joshi wrote:
>>> Amos, thank you for the details.
>>> Need pointers for caching the dynamic contents. My app has static n
>> dynamic
>>> cache n static am able to cache it . For dynamic the URL is getting
>>> appended with query string.  Is there a way to cache dynamic contests n
>>> what would be configuration changes to cache dynamic ones.
>> Sure;
>>
>> * Use the latest 3.5 version you can. There have been small but
>> important improvements across the whole series.
>>
>>
>> * Make sure you _do not_ have the old Squid-2 QUERY ACL denying storage
>> ('cache deny QUERY' line in squid.conf) for those objects.
>>
>>
>> * Make sure your refresh_pattern lines _do not_ contain ignore-auth,
>> ignore-no-cache, ignore-must-revalidate, ignore-no-store or
>> override-lastmod.
>>   - you can add store-stale if you want to increase the caching further.
>>
>>
>> * Make sure you _do_ have these Squid-3 default refresh_patterns. The 0
>> value's are important to be 0. The other numbers you can change as wanted:
>>
>>    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>    refresh_pattern .               0       20%     4320
>>
>>
>> * Make sure your server produces appropriate caching options indicating
>> how long the content is to be cached. Specifically either Expires or
>> Cache-Control:max-age=N indicating when it will next change, or
>> Cache-Control:must-revalidate to require constant REFRESH.
>>   see <https://tools.ietf.org/html/rfc7234> for more details
>>
>>
>> * Your server should also produce Last-Modified and/or ETag headers for
>> content it generates. And handle the If-* request headers on received
>> requests to produce 304 responses when the content is unchanged.
>>   see <https://tools.ietf.org/html/rfc7232> for more details
>>
>>   - when the server properly handles these If-* headers you can add the
>> refresh_pattern option refresh-ims and/or reload-into-ims to further
>> increase caching. (Until the server properly revalidates these options
>> are useless.)
>>
>>
>> Amos
>>
>>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170111/d6932171/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 11 Jan 2017 20:33:13 +0100
> From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] TCP 403 Denied on new squid build out
> Message-ID: <20170111193313.GA6491 at fantomas.sk>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> On 11.01.17 08:32, roadrage27 wrote:
>> Built out Squid 3.5 on ubuntu 14.04  logs showing 403 denied when accessing
>> any resources, any help is appreciated
> please show us at least one line from logs...
>
>> here is my conf file for reference.
> no need to put empty line between all lines ...

More information about the squid-users mailing list