[squid-users] domain in whitelist being denied

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 11 03:59:28 UTC 2019


On 11/04/19 2:37 am, Erick Perez - Quadrian Enterprises wrote:
> Hi,
> I have added a new domain in my whitelist in squid (no caching, just
> block/deny) and the domain is being blocked. suggestions?

The domain is not being blocked. Either the client or the tunnel is.



> I have included the relevant bits in the config.

The relevant config is not what you think it is.

> Nothing has changed
> except for adding the new domain.

To me it looks like you added the whitelist ACLs and the access control
checking them.


> 
> url: https://www.sqlsoftware.nom.co:8441
> 
> #/etc/squid/alloweddomains
> .sqlsoftware.nom.co
> 
> #access.log
> #
> 1554650994.238      0 10.231.0.53 TCP_DENIED/403 3742 CONNECT
> www.sqlsoftware.nom.co:8441 - NONE/- text/html
> 1554650994.254      0 10.231.0.53 TCP_DENIED/403 3742 CONNECT
> www.sqlsoftware.nom.co:8441 - NONE/- text/html
> #
> 
> #squid.conf
> #
> acl mylan src 10.230.0.0/16

The client 10.231.0.53 is not within that CIDR range.

You need to test from a client within the LAN range or extend the
"mylan" to *actually* list your LAN.


> acl allowedsites dstdomain "/etc/squid/alloweddomains"
> acl Safe_ports port 8441 # sqlsoftware.nom.co

If you use the default Safe_ports ACL definition this port was already
included there. No need for this line unless you have reduced the
provided Safe_ports ACL.


> acl CONNECT method CONNECT
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports

Port 8441 is not port 443 (HTTPS). Assuming that you don't have any
previous http_access rules doing weird things this is where the denial
comes from right now.

You need to check that the traffic to this port is actually safe for
bypassing the proxy controls completely (that is what happens with CONNECT).

If that is what you actually want, add this port to the SSL_ports list.


Amos
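
The two findings in the reply above, traced through a small first-match model of http_access. This is an added example, not part of the original post and not Squid code. It assumes Squid's default SSL_ports (443) and Safe_ports definitions are in use, and that the rules the post does not show are "allow mylan allowedsites" followed by "deny all".

```python
import ipaddress

# Squid's shipped defaults (assumed in use here): SSL_ports = 443, Safe_ports as below.
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]

def dstdomain(patterns):
    """Squid dstdomain: a leading dot matches the domain and all its subdomains."""
    def match(req):
        host = req["host"].lower()
        return any((host == p[1:] or host.endswith(p)) if p.startswith(".")
                   else host == p for p in patterns)
    return match

def build_acls(lan_cidr, ssl_ports):
    lan = ipaddress.ip_network(lan_cidr)
    return {
        "mylan": lambda r: ipaddress.ip_address(r["src"]) in lan,
        "allowedsites": dstdomain([".sqlsoftware.nom.co"]),
        "Safe_ports": lambda r: any(lo <= r["port"] <= hi for lo, hi in SAFE_PORTS),
        "SSL_ports": lambda r: r["port"] in ssl_ports,
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "all": lambda r: True,
    }

# http_access lines in config order. The first two are from the posted squid.conf;
# the last two are ASSUMED, since the post does not show its remaining rules.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["mylan", "allowedsites"]),  # assumed
    ("deny", ["all"]),                     # assumed
]

def evaluate(req, acls, rules=RULES):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, " ".join(names)
    raise ValueError("rule list needs a final catch-all line")

# The request from the posted access.log.
LOGGED = {"src": "10.231.0.53", "method": "CONNECT",
          "host": "www.sqlsoftware.nom.co", "port": 8441}

if __name__ == "__main__":
    print(evaluate(LOGGED, build_acls("10.230.0.0/16", {443})))
    print(evaluate(LOGGED, build_acls("10.230.0.0/16", {443, 8441})))
    inside = dict(LOGGED, src="10.230.0.53")  # constructed client inside mylan
    print(evaluate(inside, build_acls("10.230.0.0/16", {443, 8441})))
```

Adding 8441 to SSL_ports only moves the denial further down the list for the logged client; the request is allowed once the source address also falls inside mylan.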

