[squid-users] deny_info

Vieri rentorbuy at yahoo.com
Tue Nov 14 09:46:51 UTC 2017


Hi,

I'm trying to figure out how to correctly handle ERROR pages (or deny pages) in one particular case.

An HTTP client is trying to access a website as https://example.org/.

I'm getting the following info in cache.log:

2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request GET https://example.org/ is ALLOWED; last ACL checked: bl_lookup
2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(721) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request GET https://example.org/ is ALLOWED; last ACL checked: bl_lookup
2017/11/14 09:11:11.591 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://example.org/ is DENIED, because it matched denied_restricted1_mimetypes_rep
2017/11/14 09:11:11.591 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://example.org/ is ALLOWED, because it matched denied_restricted1_mimetypes_rep

This is what I have in squid.conf (part of it):

# External ACL helper: for each lookup Squid hands ext_sql_blwl_acl.pl the
# request protocol, destination host, port and URL path
# (%PROTO %DST %PORT %PATH).
# ttl=86400 and negative_ttl=86400 cache both matching and non-matching helper
# answers for 24 hours, so a change to the blacklist table may not take effect
# for an already-cached destination for up to a day.
# NOTE(review): several names in --categories look misspelled or fused
# (automobie_cars, fortunetlling, ovies, recreation_welless,
# updatesitesurlshortener). This may be an artifact of the posting; if the
# live config reads the same, verify the names against the table. How the
# helper treats an unknown category is not visible here.
external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobie_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetlling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,ovies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_welless,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesitesurlshortener,violence,warez,weapons,webphone,webradio,webtv
# Allow lists, loaded from files: client addresses (src), group membership via
# the external type nt_group (not defined in this excerpt) and destination
# domains (dstdomain).
acl allowed_ips src "/opt/custom/proxy-settings/allowed.ips"
acl allowed_extra1_ips src "/opt/custom/proxy-settings/allowed.extra1.ips"
acl allowed_groups external nt_group "/opt/custom/proxy-settings/allowed.groups"
acl allowed_domains dstdomain "/opt/custom/proxy-settings/allowed.domains"
acl allowed_domains_filetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.filetypes"
acl allowed_domains_mimetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.mimetypes"
# Deny lists by destination domain, URL regex and URL-path regex.
acl denied_domains dstdomain -i "/opt/custom/proxy-settings/denied.domains"
acl denied_extra1_domains dstdomain -i "/opt/custom/proxy-settings/denied.extra1.domains"
acl denied_ads url_regex "/opt/custom/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/opt/custom/proxy-settings/denied.filetypes"
# MIME-type lists come in pairs that read the same file: *_req (req_mime_type)
# tests the Content-Type of the client's request, *_rep (rep_mime_type) tests
# the Content-Type of the server's reply and is only meaningful in
# http_reply_access. The reply Content-Type is whatever the origin server
# declares, so a server that mislabels its content is not caught by these lists.
acl denied_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_restricted1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
# Destinations exempt from the restricted1 MIME-type lists, by domain and by
# destination address (dst).
acl allowed_restricted1_domains dstdomain -i "/opt/custom/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/opt/custom/proxy-settings/allowed.restricted1.ips"
# Restricted clients (by source address or group) and the only domains they
# may reach.
acl restricted_ips src "/opt/custom/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/opt/custom/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/opt/custom/proxy-settings/restricted.domains"
# bl_lookup matches when the bllookup helper defined above reports a match.
acl bl_lookup external bllookup
acl denied_urlshorteners dstdomain -i "/opt/custom/proxy-settings/db/HMANshallalist/urlshortener/domains"

# explicit, ORG_all, SSL_ports, intercepted, interceptedssl and localnet are
# defined outside this excerpt.
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

# Access lists are evaluated top-down and the first matching line decides.
# These allows therefore exempt non-restricted localnet clients that are in
# allowed_ips, or that request allowed_domains, from every http_access and
# http_reply_access deny further down, including the MIME-type and blacklist
# checks.
http_access allow localnet !restricted_ips allowed_domains
http_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_domains
# Restricted clients may reach restricted_domains and nothing else.
http_access allow restricted_ips restricted_domains
http_access deny restricted_ips

# The first line carries no method ACL, so it already covers CONNECT requests;
# the CONNECT line below it only restates that case.
http_access deny !allowed_ips denied_urlshorteners
http_access deny CONNECT !allowed_ips denied_urlshorteners
# deny_info is keyed by ACL name: it is used when the named ACL is the last one
# on the deny line that matched.
# NOTE(review): per Squid's documented error-page codes, %R expands to the full
# HTTP request and %u to the URL including any password, so this redirect
# copies request details into a query string sent over plain http:// (and into
# logs and browser history). Consider passing only the codes the error page
# needs, and have the page treat every parameter as untrusted input, encoding
# it on output.
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_urlshorteners denied_urlshorteners

# Exceptions first: restricted1 MIME types are accepted when the destination is
# in allowed_restricted1_domains or allowed_restricted1_ips.
http_access allow denied_restricted1_mimetypes_req allowed_restricted1_domains
http_access allow denied_restricted1_mimetypes_req allowed_restricted1_ips
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_domains
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_ips

# extra1 MIME types are accepted only for allowed_extra1_ips clients going to
# denied_extra1_domains.
http_access allow denied_extra1_mimetypes_req allowed_extra1_ips denied_extra1_domains
http_reply_access allow denied_extra1_mimetypes_rep allowed_extra1_ips denied_extra1_domains

# Everything else carrying a restricted1 MIME type is refused, on the request
# and on the reply.
# NOTE(review): no deny_info line in this excerpt names
# denied_restricted1_mimetypes_req/_rep or denied_extra1_mimetypes_req/_rep.
# deny_info is selected by ACL name, so a denial on these lines does not pick
# up the custom URL configured for other ACLs. The cache.log excerpt shows the
# reply matching denied_restricted1_mimetypes_rep, so presumably Squid falls
# back to its built-in ERR_ACCESS_DENIED page -- confirm. Whether a
# redirect-style deny_info URL is honoured for http_reply_access denials is not
# established here; verify.
http_access deny denied_restricted1_mimetypes_req
http_reply_access deny denied_restricted1_mimetypes_rep

http_access deny denied_extra1_mimetypes_req
http_reply_access deny denied_extra1_mimetypes_rep

# Clients outside allowed_ips are refused denied_domains. The first line
# carries no method ACL, so it already covers CONNECT; the second line only
# restates that case.
http_access deny !allowed_ips denied_domains
http_access deny CONNECT !allowed_ips denied_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_domains denied_domains

# allowed_extra1_ips clients may reach denied_extra1_domains. This allow ends
# http_access evaluation, so the later file-type, MIME-type and blacklist
# request checks are skipped for that combination. All other clients are
# refused these domains.
http_access allow allowed_extra1_ips denied_extra1_domains
http_access deny denied_extra1_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_extra1_domains denied_extra1_domains

# File-type filter on the URL path, applied to the request and again to the
# reply, except for allowed_domains_filetypes.
# NOTE(review): on both deny lines the last ACL is !allowed_domains_filetypes,
# not denied_filetypes, while the deny_info below is registered for
# denied_filetypes. Confirm the custom page is actually selected for these
# denials.
http_access deny denied_filetypes !allowed_domains_filetypes
http_reply_access deny denied_filetypes !allowed_domains_filetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_filetypes denied_filetypes

# General MIME-type filter, except for allowed_domains_mimetypes. The two
# deny_info lines are registered for denied_mimetypes_req and
# denied_mimetypes_rep only; both report acl=denied_mimetypes. They do not
# cover the restricted1 or extra1 MIME-type ACLs.
http_access deny denied_mimetypes_req !allowed_domains_mimetypes
http_reply_access deny denied_mimetypes_rep !allowed_domains_mimetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_req
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_rep

# Last http_access rule in this excerpt: localnet clients are allowed when the
# bl_lookup external ACL matches. Presumably the helper reports a match for
# destinations that are NOT blacklisted -- confirm against ext_sql_blwl_acl.pl.
# NOTE(review): no closing "http_access deny all" is visible here. Squid's
# implicit default is the opposite of the last rule, but an explicit final deny
# makes the intent clear and survives later edits.
http_access allow localnet bl_lookup

----

I understand Squid accepts the REQUEST, but not the REPLY as it matches denied_restricted1_mimetypes_rep. However, I don't understand why the client browser doesn't display the deny_info page at http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes. Instead, it shows ERR_ACCESS_DENIED.

Thanks,

Vieri

