[squid-users] TAG_NONE/403 on www.mediavida.com

Kike kike at elamedia.es
Wed May 29 09:47:58 UTC 2019


Amos Jeffries wrote
> "allow" is not a valid action for this directive.
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

I don't know what I was thinking, thank you.
I deleted the ssl_bump line. I tried splicing too, with ssl_bump peek all and
ssl_bump splice all, but that didn't work either.


Amos Jeffries wrote
>> http_access deny blocksitelist
>> http_access allow whitelist
>> http_access allow CONNECT whitelist
> 
> Complex access controls being done before even the most
> simple/fast/basic security check to prevent DOS attacks.
> 
> Move the above http_access lines ...
> 
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
> 
> ... down to here where custom access controls should be.
> 
> Except for the "allow CONNECT whitelist" line which you can delete
> completely. It is pointless behind "allow whitelist".

Fixed it. Thanks!


Amos Jeffries wrote
> This is now an "open proxy" - not a good idea.

Of course it is not a good idea. In my desperation I tried to keep the proxy
open as much as possible after the rules, but it didn't work either.
This is not a long-term configuration. I just need to bypass this issue
because it could happen with other websites (funny thing, I couldn't find
another one). When this is solved I'll cap the proxy as much as possible.


Amos Jeffries wrote
> So port 3128 is simultaneously receiving TLS and non-TLS (plain-text)
> traffic syntax?
> 
> That is not possible. With the above settings, Squid should log a
> complaint in cache.log and only open the first (http_port) to use the
> specific IP:port value.
> 
> To work at all port directives need unique IP:port settings.

It turns out the cert line and the rest of it weren't working at all. I just
left "http_port 0.0.0.0:3128". My concern was how the Squid proxy manages
443 connections with the same port, but all websites work just fine and in
the access.log I can see a lot of TCP_TUNNEL/200 entries like:
TCP_TUNNEL/200 1093 CONNECT www.cisco.com:443 - HIER_DIRECT/104.126.39.51
TCP_TUNNEL/200 11488 CONNECT www.ultratools.com:443 -
HIER_DIRECT/156.154.208.10 



Amos Jeffries wrote
> "403 Forbidden" can be sent by any HTTP agent.

It was 503, sorry.


Amos Jeffries wrote
> You are missing the rest of the access.log line. The parts which tell
> you (and us) what was being done that got forbidden, which agent was
> doing it, what other agents were involved with the decision, and when
> all this happened.

The rest of the access.log file? Sure

1559122901.583  16384 192.168.0.51 TCP_TUNNEL/200 4048 CONNECT
gum.criteo.com:443 - HIER_DIRECT/178.250.2.146 -
1559122902.462  40211 192.168.0.51 TCP_TUNNEL/200 68725 CONNECT
secure-ds.serving-sys.com:443 - HIER_DIRECT/184.25.40.188 -
1559122902.726  15313 192.168.0.51 TCP_TUNNEL/200 3277 CONNECT
gem.gbc.criteo.com:443 - HIER_DIRECT/185.235.84.183 -
1559122902.804  15595 192.168.0.51 TCP_TUNNEL/200 918 CONNECT
smetrics.el-mundo.net:443 - HIER_DIRECT/185.34.188.24 -
1559122904.127  17686 192.168.0.51 TCP_TUNNEL/200 135863 CONNECT
pixel.adsafeprotected.com:443 - HIER_DIRECT/199.166.0.26 -
1559122904.498  12987 192.168.0.51 TCP_TUNNEL/200 1177 CONNECT
dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122904.507  12996 192.168.0.51 TCP_TUNNEL/200 1177 CONNECT
dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122904.629  10142 192.168.0.51 TCP_TUNNEL/200 6787 CONNECT
secure.adnxs.com:443 - HIER_DIRECT/185.33.223.83 -
1559122904.746 1865256 192.168.0.60 TCP_TUNNEL/200 12205 CONNECT
manage.mediashuttle.com:443 - HIER_DIRECT/52.21.207.90 -
1559122904.872  10736 192.168.0.51 TCP_TUNNEL/200 847 CONNECT
dt.adsafeprotected.com:443 - HIER_DIRECT/104.244.36.20 -
1559122905.083  10999 192.168.0.51 TCP_TUNNEL/200 7364 CONNECT
x.bidswitch.net:443 - HIER_DIRECT/18.153.11.1 -
1559122905.676  13345 192.168.0.51 TCP_TUNNEL/200 7176 CONNECT
bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.414  19991 192.168.0.51 TCP_TUNNEL/200 9138 CONNECT
bs.serving-sys.com:443 - HIER_DIRECT/80.252.91.53 -
1559122906.716  11341 192.168.0.51 TCP_TUNNEL/200 3252 CONNECT
csm.fr.eu.criteo.net:443 - HIER_DIRECT/178.250.0.162 -
1559122906.917  18429 192.168.0.51 TCP_MISS/200 360 GET
http://192.168.0.15/v3/api/backchannel? - HIER_DIRECT/192.168.0.15
application/json
1559122907.774 130868 192.168.0.60 TCP_TUNNEL/200 1534 CONNECT
ps6.pubnub.com:443 - HIER_DIRECT/54.93.254.233 -
1559122914.376  19351 192.168.0.51 TCP_TUNNEL/200 6695 CONNECT
farm.plista.com:443 - HIER_DIRECT/176.9.103.51 -
1559122914.665  30180 192.168.0.51 TCP_TUNNEL/200 833 CONNECT
prisacom.sc.omtrdc.net:443 - HIER_DIRECT/172.82.228.19 -
1559122914.780  18976 192.168.0.51 TCP_MISS/200 360 GET
http://192.168.0.16/v3/api/backchannel? - HIER_DIRECT/192.168.0.16
application/json
1559122915.099  66824 192.168.0.51 TCP_TUNNEL/200 286551 CONNECT
newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122915.172  65116 192.168.0.51 TCP_TUNNEL/200 4392 CONNECT
newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122917.919      0 192.168.0.51 TAG_NONE/503 0 CONNECT
www.mediavida.com:443 - HIER_NONE/- -
1559122918.298  60477 192.168.0.51 TCP_TUNNEL/200 5691 CONNECT
mpc.nicequest.com:443 - HIER_DIRECT/34.224.49.39 -

All the TCP_TUNNEL and TCP_MISS entries allow me to reach the web. The TCP_NONE doesn't.
This is all happening right now. 29/05/2019 at 11:40 pm.

Thank you for your dedicated efforts Amos!



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
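
An added example, not part of the original post or of Squid: a small Python check of the http_access ordering advice quoted above. Squid stops at the first http_access rule that matches, so the sketch flags custom rules placed before the baseline port checks and rules that an earlier rule already decides. The function names and finding labels are hypothetical; both sample configs are built only from the http_access lines quoted in the thread.

```python
# Added example; function names and finding labels are hypothetical.
# Baseline checks from the quoted config that the reply says must run first.
BASELINE = [("deny", ("!Safe_ports",)), ("deny", ("CONNECT", "!SSL_ports"))]

def parse_http_access(conf_text):
    """Return [(action, (acl, ...)), ...] in file order, skipping comments."""
    rules = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], tuple(fields[2:])))
    return rules

def lint(conf_text):
    """Return a list of (finding, rule) tuples; an empty list means clean."""
    rules = parse_http_access(conf_text)
    findings = [("missing-baseline", b) for b in BASELINE if b not in rules]
    # Index of the last baseline rule present; custom rules belong after it.
    last = max((rules.index(b) for b in BASELINE if b in rules), default=-1)
    for i, rule in enumerate(rules):
        if i < last and rule not in BASELINE:
            findings.append(("before-baseline", rule))
        # First match wins: if an earlier rule needs only a subset of this
        # rule's ACLs, the earlier rule always matches first.
        for earlier in rules[:i]:
            if set(earlier[1]) <= set(rule[1]):
                findings.append(("shadowed", rule))
                break
    return findings

# Order as originally posted (lines quoted in the thread).
POSTED = """
http_access deny blocksitelist
http_access allow whitelist
http_access allow CONNECT whitelist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
"""

# Order after applying the reply's advice (constructed from the same lines).
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksitelist
http_access allow whitelist
"""

if __name__ == "__main__":
    for finding, (action, acls) in lint(POSTED):
        print(finding, "http_access", action, " ".join(acls))
```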
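
An added example, not part of the original post or of Squid: a Python sketch that parses access.log records in the native format shown above, re-joins records a mail client has wrapped onto two or three lines, and picks out error responses logged with HIER_NONE, meaning no upstream server address was recorded for the request. The function names are hypothetical; the three sample records are copied from the excerpt in the post.

```python
import re

# A native-format record starts with an epoch timestamp and elapsed time.
RECORD_START = re.compile(r"^\d+\.\d{3}\s+\d+\s")

def join_wrapped(text):
    """Re-join records wrapped across lines; returns one string per record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse(record):
    """Split one native-format record into named fields, or None if short."""
    f = record.split()
    if len(f) < 10:
        return None
    tag, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "tag": tag, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hier": hier, "peer": peer}

def errors_without_upstream(text):
    """Entries with status >= 400 and no upstream server address logged."""
    entries = [e for e in map(parse, join_wrapped(text)) if e]
    return [e for e in entries if e["status"] >= 400 and e["hier"] == "HIER_NONE"]

# Three records copied from the post, wrapped as they appear there.
SAMPLE = """
1559122915.172  65116 192.168.0.51 TCP_TUNNEL/200 4392 CONNECT
newchat-001.servers.prgn.misp.co.uk:443 - HIER_DIRECT/185.52.25.72 -
1559122917.919      0 192.168.0.51 TAG_NONE/503 0 CONNECT
www.mediavida.com:443 - HIER_NONE/- -
1559122906.917  18429 192.168.0.51 TCP_MISS/200 360 GET
http://192.168.0.15/v3/api/backchannel? - HIER_DIRECT/192.168.0.15
application/json
"""

if __name__ == "__main__":
    for e in errors_without_upstream(SAMPLE):
        print(e["client"], e["tag"], e["status"], e["method"], e["url"],
              "elapsed_ms=%d" % e["elapsed_ms"])
```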

