[squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403

Alex Rousskov rousskov at measurement-factory.com
Fri Apr 9 14:51:55 UTC 2021


On 4/8/21 3:11 PM, Elliott Blake, Lisa Marie wrote:
> I am trying to get squid to work with a text file for a whitelist.  I
> get TCP_DENIED/403 on every url I try.  I am using curl to test.

> curl -x https://libaux-prod.lib.uic.edu:3128 -I https://arl.org

Is that the exact curl command you are using or a typo? The above
command tells curl to use an HTTPS proxy (https://libaux...) and your
squid.conf does not have an https_port so something does not add up.
Perhaps your curl version is as old and buggy as your Squid version and
it just ignores the "s" in "-x https", but I would remove it anyway.


> Server: squid/3.5.20

Could be a bug in that unsupported version, of course. If you share a
link to a debug_options ALL,9 cache.log with a problematic transaction,
somebody may be able to triage this further.

https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction

Alex.


> Mime-Version: 1.0
> Date: Wed, 07 Apr 2021 17:38:58 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 3521
> X-Squid-Error: ERR_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from libaux-prod.lib.uic.edu
> X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128
> Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)
> Connection: keep-alive
>
> curl: (56) Received HTTP code 403 from proxy after CONNECT
>
> However, if I change my squid.conf to just the url it works.
>
> acl whitelist dstdomain .arl.org
>
> curl -x https://libaux-prod.lib.uic.edu:3128 -I https://arl.org
>
> HTTP/1.1 200 Connection established
>
> HTTP/1.1 301 Moved Permanently
> Server: nginx
> Date: Wed, 07 Apr 2021 17:40:31 GMT
> Content-Type: text/html
> Content-Length: 178
> Connection: keep-alive
> Keep-Alive: timeout=20
> Location: https://www.arl.org/
> Expires: Wed, 07 Apr 2021 18:40:31 GMT
> Cache-Control: max-age=3600
>
> I am running a centos 7 os with squid version 3.5.20, which is the most
> recent yum version.
> 
> This is driving me crazy.  I have tried debugging in squid and cannot
> find the answer.  I have tried changing the squid.conf file.  I always
> restart squid after I change the squid.conf file.  
> 
> Any help would be appreciated.
> 
>  
> 
> My Squid.conf file:
> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl Safe_ports port 591         # filemaker
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
>
> acl whitelist dstdomain "/etc/squid/whitelist.txt"
> #acl whitelist dstdomain .arl.org
> http_access allow whitelist
> #http_access allow CONNECT whitelist
>
> http_access deny !whitelist
>
> http_access allow localnet
> http_access allow localhost
>
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # port 1338 is for Front Desk Machines
> http_port 1338
>
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> Beginning of whitelist.txt
>
> #A Page
> .aacrjournals.org
> .aai.org
> .aaiddjournals.org
> .aap.org
> .aappublications.orga
> .accessanesthesiology.com
> .anthropology.org.uk
> .archivegrid.org
> .arl.org
> .arlstatistics.org
> .artstor.org
>
> Thank you,
> 
> Lisa Blake
> 
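
Added example, not part of the original thread and not Squid's own code: a simplified Python model of first-match http_access evaluation over the rules in the posted squid.conf, showing which line decides a CONNECT to arl.org:443. The function names, the sample request and the file-parsing rules (one entry per line, '#' comment lines skipped) are assumptions of this model.

```python
# Simplified model of Squid's first-match http_access evaluation (added
# example, not Squid code). Covers only the ACL types in the posted squid.conf.

def dstdomain_match(host, entries):
    """dstdomain semantics: '.arl.org' matches arl.org and any subdomain;
    'arl.org' (no leading dot) matches that exact host only."""
    host = host.lower().rstrip(".")
    for e in entries:
        e = e.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False

def load_whitelist(text):
    """Assumed file format: one entry per line, blank and '#' lines skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def evaluate(req, whitelist):
    """Return (action, rule) for the first http_access line that matches."""
    acl = {
        "Safe_ports": req["port"] in (80, 443, 591),
        "SSL_ports": req["port"] == 443,
        "CONNECT": req["method"] == "CONNECT",
        "whitelist": dstdomain_match(req["host"], whitelist),
    }
    rules = [  # same order as the posted squid.conf; manager rules omitted
        ("deny", ["!Safe_ports"]),
        ("deny", ["CONNECT", "!SSL_ports"]),
        ("allow", ["whitelist"]),
        ("deny", ["!whitelist"]),  # lines after this one are never reached
    ]
    for action, terms in rules:
        # every ACL on the line must match; a leading '!' negates the ACL
        if all(acl[t.lstrip("!")] != t.startswith("!") for t in terms):
            return action, "http_access %s %s" % (action, " ".join(terms))
    return "deny", "http_access deny all"

# Constructed sample: a few entries copied from the posted whitelist.txt.
SAMPLE = "#A Page\n.aai.org\n.arl.org\n.artstor.org\n"
REQ = {"method": "CONNECT", "host": "arl.org", "port": 443}

if __name__ == "__main__":
    print(evaluate(REQ, load_whitelist(SAMPLE)))  # decided by the allow rule
    print(evaluate(REQ, []))                      # no entries loaded: denied
```

In this model the request is decided by `http_access allow whitelist` whenever the posted entries load, so a 403 on the same request points at the whitelist ACL not matching the CONNECT target as Squid loaded it, which is the kind of detail the ALL,9 cache.log requested above can show.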