[squid-users] TAG_NONE/403 on www.mediavida.com

Amos Jeffries squid3 at treenet.co.nz
Fri May 24 15:29:03 UTC 2019


On 25/05/19 1:45 am, Enrique Calatayud wrote:
> Hello everyone!
> 
> I'm getting a TAG_NONE/403 error with the basic configuration on my
> squid proxy server. I've been working on this since the last week but
> still no positive results.
> 
> I tried several things, even a whitelist. Here is my squid.conf.

...

> ssl_bump allow all

"allow" is not a valid action for this directive.

<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

...
> http_access deny blocksitelist
> http_access allow whitelist
> http_access allow CONNECT whitelist

Complex access controls are being done before even the most
simple/fast/basic security checks that prevent DoS attacks.

Move the above http_access lines ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

... down to here where custom access controls should be.

Except for the "allow CONNECT whitelist" line which you can delete
completely. It is pointless behind "allow whitelist".


> http_access allow localnet
> http_access allow localhost
> http_access allow all

This is now an "open proxy" - not a good idea.


> http_port 0.0.0.0:3128 
> https_port 0.0.0.0:3128 ssl-bump
> cert=/etc/squid/squid-cert/cert.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB

So port 3128 is simultaneously receiving TLS and non-TLS (plain-text)
traffic syntax?

That is not possible. With the above settings, Squid should log a
complaint in cache.log and only open the first (http_port) to use the
specific IP:port value.

To work at all, port directives need unique IP:port settings.


...
> 
> I tried not using certs, using "http_access allow all" on top of the
> rules and disabling others, decrypting ssl...
> It is not happening with other websites. I'm starting to think that this is
> not my problem...

"403 Forbidden" can be sent by any HTTP agent.


> 
> So, do any of you have troubles with www.mediavida.com
> <http://www.mediavida.com> under your squid proxy server? Or do any of you
> have any clue about what I am missing here?

You are missing the rest of the access.log line. The parts which tell
you (and us) what was being done that got forbidden, which agent was
doing it, what other agents were involved with the decision, and when
all this happened.


Amos
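For reference, here is a squid.conf fragment laid out the way the reply describes: the cheap safety checks first, the custom ACLs after them, a closing deny instead of "allow all", one unique IP:port per listener, and ssl_bump using its real actions. This is an added example written for this archive page, not configuration from the thread or from the Squid project. It assumes the ACLs blocksitelist, whitelist and localnet are defined as in the poster's config, reuses the poster's certificate path, and the 3129 port for an optional TLS listener is an assumption.

```conf
# 1. Fast, cheap safety checks first. They stop port-scanning and
#    tunnel abuse before any expensive custom ACL is evaluated.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# 2. Custom access controls go here, after the safety checks.
#    "allow CONNECT whitelist" is dropped: "allow whitelist" already covers it.
http_access deny blocksitelist
http_access allow whitelist

# 3. Only the local networks may use the proxy.
http_access allow localnet
http_access allow localhost

# 4. Final rule. "allow all" here would turn this into an open proxy.
http_access deny all

# Each listener needs its own IP:port. Plain-text clients (with CONNECT
# tunnels that may be bumped) on 3128; a TLS-to-proxy listener, if one is
# wanted at all, must use a different port (3129 here is an assumption).
http_port 0.0.0.0:3128 ssl-bump cert=/etc/squid/squid-cert/cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# https_port 0.0.0.0:3129 ssl-bump cert=/etc/squid/squid-cert/cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# ssl_bump actions are peek/stare/splice/bump/terminate, never allow/deny.
# Peek at the client hello first, then decrypt (bump) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Check the result with `squid -k parse` before reloading: the duplicate-port and invalid-action problems from the original config both show up there as cache.log complaints rather than as a working proxy.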

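The closing point of the reply is that a bare "TAG_NONE/403" says nothing about who forbade what; the rest of the native-format access.log line does. The following POSIX shell snippet, an added example that is not part of the thread, splits such a line into its fields and uses the hierarchy column to say whether Squid itself produced the 403 (HIER_NONE, no upstream contacted) or a server/peer did. The two sample log lines are constructed for the example, the 203.0.113.5 address is a documentation address, and the function names are my own.

```shell
#!/bin/sh
# Added example for this thread, not code from Squid or from the posters.
# Splits a line in Squid's default ("squid") access.log format into its
# fields and reports which agent produced a 403: Squid itself, or an
# upstream server/peer that Squid contacted.
#
# Default native format, one field per column:
#   timestamp elapsed client result/status bytes method URL user hierarchy/peer type

# Constructed sample lines (not real log data): the first is a 403 that
# Squid produced without contacting anyone (HIER_NONE), the second a 403
# returned by the origin server (HIER_DIRECT/<origin IP>).
SAMPLE_LOCAL='1558712342.123      0 192.168.1.10 TAG_NONE/403 3936 CONNECT www.mediavida.com:443 - HIER_NONE/- text/html'
SAMPLE_ORIGIN='1558712343.456    210 192.168.1.10 TCP_MISS/403 512 GET http://www.mediavida.com/ - HIER_DIRECT/203.0.113.5 text/html'

# classify_403 LINE
# Prints "squid" when the status is 403 and no upstream was contacted,
# "upstream <address>" when a server or peer answered, "not-403" otherwise.
classify_403() {
    # Word-split the line into positional parameters; the native format
    # never contains spaces inside a field.
    # shellcheck disable=SC2086
    set -- $1
    result=$4
    hier=$9
    status=${result#*/}
    if [ "$status" != "403" ]; then
        echo "not-403"
        return 0
    fi
    case "$hier" in
        HIER_NONE/*) echo "squid" ;;
        *)           echo "upstream ${hier#*/}" ;;
    esac
}

# describe_403 LINE
# One-line summary carrying the details a mailing-list reply needs:
# when it happened, who asked, what they asked for, and who said no.
describe_403() {
    # shellcheck disable=SC2086
    set -- $1
    ts=$1
    client=$3
    result=$4
    method=$6
    url=$7
    verdict=$(classify_403 "$*")
    echo "$ts $client $method $url $result forbidden-by=$verdict"
}

# Usage on a real proxy host, for example:
#   grep '/403 ' /var/log/squid/access.log | while read -r l; do describe_403 "$l"; done
describe_403 "$SAMPLE_LOCAL"
describe_403 "$SAMPLE_ORIGIN"
```

A "forbidden-by=squid" verdict points at the proxy's own http_access or ssl_bump rules (or an error page Squid generated); an "upstream" verdict means the site, or a cache peer, returned the 403 and the proxy merely relayed it, which is exactly the distinction the reply asks the poster to establish before blaming squid.conf.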
