[squid-users] [TECHNICAL QUESTION] try to resolve 403 error for specific website

killpilot killpilot at gmail.com
Mon Jan 13 11:24:13 UTC 2020


hi squid community,

Sorry for my bad English, I am French, I try to do my best to explain
my issue clearly.

I have a pfSense with the Squid plugin. The plugin contains:
squidclamav-6.16
squid_radius_auth-1.10
squid-3.5.27_3
c-icap-modules-0.5.3_1

My Squid is configured as a transparent proxy for HTTP only.

For one game, Star Citizen, I have an issue with the VoIP feature: when I
try to launch a VoIP connection, it fails.

In my Squid log I see these entries:
1578684384.329 237 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html
1578684385.507 165 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html

When I disable Squid, everything works fine.
My Squid conf file is:

------ My conf file -------
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.2.1:3128
http_port 192.168.4.1:3128
http_port 192.168.8.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language fr
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr xxxxxxxxxxxxxxxx
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.2.0/24 192.168.4.0/24 192.168.8.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip


cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 10 MB
cache_dir ufs /var/squid/cache 1024 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
cache deny donotcache
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

#Remote proxies

# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 9443 3128 3129 1025-65535
acl sslports port 443 563 9443

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Do not throttle unrestricted hosts
delay_access 1 deny unrestricted_hosts
delay_access 1 allow allsrc

# Reverse Proxy settings
acl rvm_uri_proxmox url_regex -i proxmox.killpilot.fr
never_direct allow rvm_uri_proxmox
http_access allow rvm_uri_proxmox


# Custom options before auth
acl voip_rsi dstdomain .robertsspaceindustries.com
always_direct allow voip_rsi
cache deny voip_rsi
http_access allow voip_rsi

# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip off
icap_send_client_username off
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all
------ END My conf file -------


I tried to add this block:
acl voip_rsi dstdomain .robertsspaceindustries.com
always_direct allow voip_rsi
cache deny voip_rsi
http_access allow voip_rsi

but it did not resolve my issue.

I also tried adding this configuration to these files:
my file /var/squid/acl/donotcache.acl contains:
robertsspaceindustries.com

my file /var/squid/acl/unrestricted_hosts.acl contains my PC IP:
192.168.2.2/32

my file /var/squid/acl/whitelist.acl contains:
^.*\.robertsspaceindustries.com

Same result, failed... I don't understand why the requests are denied.
From my PC I tried with the curl command; the result is:

curl -vvv -x http://192.168.2.1:3128 -I http://foip-v02.robertsspaceindustries.com

* Trying 192.168.2.1...
* TCP_NODELAY set
* Connected to 192.168.2.1 (192.168.2.1) port 3128 (#0)
> HEAD http://foip-v02.robertsspaceindustries.com/ HTTP/1.1
> Host: foip-v02.robertsspaceindustries.com
> User-Agent: curl/7.64.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 10 Jan 2020 19:46:03 GMT
< Content-Type: text/html
< Content-Length: 38
< X-Cache: MISS from localhost
< X-Cache-Lookup: MISS from localhost:3128
< Via: 1.1 localhost (squid)
< Connection: keep-alive

Can someone help me fix this issue? I can't find the right
configuration. I tried to get some help in the pfSense forum, but for the
moment the issue is not solved, so I am trying here, maybe I will be luckier ;)

Thank you for your help.

Have a good day, regards,
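An added example, not part of the post above: a small Python parser for Squid's native access.log format that separates 403s Squid produced itself (an http_access denial is logged as TCP_DENIED with hierarchy HIER_NONE/-) from 403s it merely relayed from the upstream server (TCP_MISS with a real hierarchy entry such as ORIGINAL_DST/ip). The first two sample lines are the ones quoted in the post; the TCP_DENIED line is constructed to show the contrasting case.

```python
from typing import NamedTuple

# Constructed sample: the two access.log lines from the post plus one
# constructed line showing how a Squid-side http_access denial is logged.
SAMPLE_LOG = """\
1578684384.329    237 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html
1578684385.507    165 192.168.2.2 TCP_MISS/403 270 GET http://foip-v02.robertsspaceindustries.com/ - ORIGINAL_DST/35.153.171.151 text/html
1578684390.001      0 192.168.2.2 TCP_DENIED/403 3900 GET http://blocked.example/ - HIER_NONE/- text/html
"""

class Entry(NamedTuple):
    ts: float
    client: str
    result: str   # Squid result code, e.g. TCP_MISS, TCP_DENIED
    status: int   # HTTP status code the client received
    method: str
    url: str
    hier: str     # hierarchy code, e.g. ORIGINAL_DST, HIER_NONE
    peer: str     # server the request was forwarded to, or "-"

def parse_line(line: str) -> Entry:
    """Parse one line of Squid's native (squid) access.log format."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected field count in line: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], hier, peer)

def classify(e: Entry) -> str:
    """Decide who produced the status code the client saw."""
    if e.result == "TCP_DENIED":
        return "proxy_denied"       # blocked by http_access: the fix is in squid.conf
    if e.hier == "HIER_NONE" or e.peer == "-":
        return "proxy_generated"    # Squid error page (DNS, connect failure, ...)
    return "origin_response"        # status relayed from the upstream server

def errors_by_source(log_text: str) -> dict:
    """Count client-visible errors (status >= 400) by where they came from."""
    counts: dict = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e.status >= 400:
            src = classify(e)
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Run against a real /var/squid/logs/access.log, a 403 counted under origin_response will not change however many http_access allow rules are added, since Squid already forwarded the request.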


More information about the squid-users mailing list