[squid-users] https requests the squid rejects the connection

Marcelo J. Martinez mmartinez at asoprofarma.com
Mon Aug 20 20:19:27 UTC 2018


1534782486.761      0 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html
1534782486.767      0 TCP_DENIED/403 3926 CONNECT redirector.gvt1.com:443 - HIER_NONE/- text/html
1534782486.768      0 TCP_DENIED/403 4221 GET http://ciscobinary.openh264.org/openh264-win64-0410d336bb748149a4f560eb6108090f078254b1.zip - HIER_NONE/- text/html
1534782606.751      0 TCP_DENIED/403 3989 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_NONE/- text/html
1534782606.754      0 TCP_DENIED/403 3980 CONNECT firefox.settings.services.mozilla.com:443 - HIER_NONE/- text/html
1534783061.435      0 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
1534783486.477      0 TCP_DENIED/403 4123 GET http://argenteam.net/ - HIER_NONE/- text/html
1534783486.506      0 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1534785311.331      0 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
1534788567.647      0 TCP_DENIED/403 3950 CONNECT safebrowsing.googleapis.com:443 - HIER_NONE/- text/html
1534791437.517      0 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html

Bear in mind that the server is configured to reject the connection from my ip, the problem is that:
with http queries, the normal squid error page appears.
with https queries, the browser informs me that the proxy rejected the connection and the normal squid page does not appear.

----- Mensaje original -----
De: "Amos Jeffries" <squid3 at treenet.co.nz>
Para: "Posting address" <squid-users at lists.squid-cache.org>
Enviados: Lunes, 20 de Agosto 2018 17:02:44
Asunto: Re: [squid-users] https requests the squid rejects the connection

On 21/08/18 6:45 AM, Marcelo J. Martinez wrote:
> sorry, it's a mistake to copy and paste.
> the configuration is:
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports

FYI: current recommended config has the manager lines after the CONNECT
line, that makes Squid a tiny bit faster and safer against CONNECT to
the manager URLs.

That will not solve your current issue though. As Matus said the log
entry (access.log) for the transaction is needed for more info about
what is going on - in particular the URL which is being denied.

I suspect it is simply a normal HTTP request to a port you were not
expecting. You did reduce the Safe_Ports ACL definition significantly.

squid-users mailing list
squid-users at lists.squid-cache.org
El contenido del presente mensaje y sus adjuntos es privado, estrictamente confidencial y exclusivo para su destinatario, pudiendo contener informacion protegida por normas legales y de secreto profesional. Bajo ninguna circunstancia su contenido puede ser transmitido o revelado a terceros ni divulgado en forma alguna. En consecuencia de haberlo recibido por error, solicitamos contactar al remitente y eliminarlo de su sistema. AHORRE PAPEL. PIENSE ANTES DE IMPRIMIR.

More information about the squid-users mailing list