[squid-users] TCP_DENIED/407 accessing webserver on same machine as squid
squid3 at treenet.co.nz
Fri May 26 17:28:51 UTC 2017
On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine. > The webserver is actually part of shellinabox, so it's only for me
to > access. Shellinabox simply presents a terminal and login in a web
> browser. I want it to be accessible only through squid for more >
security. > > shellinabox works fine if I access it directly, but
through squid I > see this in access.log: > > 1495813953.860 79
18.104.22.168 TCP_TUNNEL/200 1440 CONNECT > IP:PORT USER HIER_DIRECT/IP
> > > 1495813962.001 0 22.214.171.124 TCP_DENIED/407 4397 CONNECT >
IP:PORT USER HIER_NONE/- text/html > > > I've replaced the real IP,
PORT, and USER with those words, however > the real PORT is a
nonstandard port number.There are some other > posts I found mentioning
a 407 error and it was said it occurs when > the webpage is asking for
authentication. However I don't understand > this, since shellinabox
only display a login prompt which I wouldn't > think would be a
problem. Another post said a 407 is when squid auth > is failing, but I
can get to external websites through squid. > > Does it matter that what
I'm trying to access is HTTPS instead of > HTTP?
Yes it does. Beyond the obvious encryption there are messaging
differences that directly effect what the proxy can do.
The first log entry indicates that something has already been done to
let the port "work", so your config is already non-standard and probably
doing something weird. The presence of a USER value other than "-"
indicates that the proxy-auth is working at least for that transaction.
Yes the 407 is login to *Squid*. Nothing to do with the shellinabox
software, the HEIR_NONE/- on the second line says shellinabox is not
even being contacted yet for that transaction.
It is not possible to say why anything is happening here without knowing
your config structure and intended policy. You will need to provide your
squid.conf details to get much help.
If you need to obfuscate IP's please map them as if you were using the
10/8 or 192.168/16 ranges so we can still identify any subtle things
like TCP connections going wrong without revealing your public addresses.
More information about the squid-users