[squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 12 14:57:25 UTC 2021


On 4/11/21 12:10 AM, Elliott Blake, Lisa Marie wrote:

> I never got that error.  Wish I had.  It would have made figuring it
> out much easier.

That can be another Squid UX problem (e.g., Squid reported the error but
not where you normally look for Squid errors) OR a sign that there is
something else going on (i.e. something other than a bad link, bad link
permissions, SELinux policy violation, etc.). Feel free to investigate
further and report, of course, but without more information, we would
not be able to understand what actually went wrong.

Needless to say, any such investigation is unlikely to benefit you at
this point -- you will only be helping future others in your situation.
I am glad you have a working setup now!


Cheers,

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
> Sent: Friday, April 9, 2021 7:43 PM
> To: squid-users at lists.squid-cache.org
> Cc: Elliott Blake, Lisa Marie <loleary at uic.edu>
> Subject: Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403
> 
> On 4/9/21 4:41 PM, Elliott Blake, Lisa Marie wrote:
>> I realized that the whitelist is a symbolic link
> 
> Hi Lisa,
> 
>     Glad you figured it out! IMO, it is a Squid bug that Squid starts with broken symbolic links:
> 
>> 2021/04/09 20:34:52| ERROR: Can not open file /tmp/link for reading
>> 2021/04/09 20:34:52| Warning: empty ACL: acl testLink dstdomain "/tmp/link"
>> 2021/04/09 20:34:52| Accepting HTTP Socket connections
> 
> The above ERROR should be fatal (by default).
> 
> In fact, I would make the above Warning a fatal configuration error as well, with a squid.conf option to explicitly allow for empty (hopefully never matching) ACLs.
> 
> Alex.
> 
> 
>> -----Original Message-----
>> From: Alex Rousskov [mailto:rousskov at measurement-factory.com]
>> Sent: Friday, April 9, 2021 9:52 AM
>> To: squid-users at lists.squid-cache.org
>> Cc: Elliott Blake, Lisa Marie <loleary at uic.edu>
>> Subject: Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403
>>
>> On 4/8/21 3:11 PM, Elliott Blake, Lisa Marie wrote:
>>> I am trying to get squid to work with a text file for a whitelist.  I 
>>> get TCP_DENIED/403 on every url I try.  I am using curl to test.
>>
>>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org/
>>
>> Is that the exact curl command you are using or a typo? The above command tells curl to use an HTTPS proxy (https://libaux...) and your squid.conf does not have an https_port so something does not add up.
>> Perhaps your curl version is as old and buggy as your Squid version and it just ignores the "s" in "-x https", but I would remove it anyway.
>>
>>
>>> Server: squid/3.5.20
>>
>> Could be a bug in that unsupported version, of course. If you share a link to a debug_options ALL,9 cache.log with a problematic transaction, somebody may be able to triage this further.
>>
>> https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>
>> Alex.
>>
>>
>>> Mime-Version: 1.0
>>> Date: Wed, 07 Apr 2021 17:38:58 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 3521
>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>> Vary: Accept-Language
>>> Content-Language: en
>>> X-Cache: MISS from libaux-prod.lib.uic.edu
>>> X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128
>>> Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)
>>> Connection: keep-alive
>>>
>>> curl: (56) Received HTTP code 403 from proxy after CONNECT
>>>
>>> However, if I change my squid.conf to just the url it works.
>>>
>>> acl whitelist dstdomain .arl.org
>>>
>>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org/
>>>
>>> HTTP/1.1 200 Connection established
>>>
>>> HTTP/1.1 301 Moved Permanently
>>> Server: nginx
>>> Date: Wed, 07 Apr 2021 17:40:31 GMT
>>> Content-Type: text/html
>>> Content-Length: 178
>>> Connection: keep-alive
>>> Keep-Alive: timeout=20
>>> Location: https://www.arl.org/
>>> Expires: Wed, 07 Apr 2021 18:40:31 GMT
>>> Cache-Control: max-age=3600
>>>
>>>
>>> I am running a CentOS 7 OS with Squid version 3.5.20, which is the 
>>> most recent yum version.
>>>
>>> This is driving me crazy.  I have tried debugging in squid and cannot 
>>> find the answer.  I have tried changing the squid.conf file.  I 
>>> always restart squid after I change the squid.conf file.
>>>
>>> Any help would be appreciated.
>>>
>>>  
>>>
>>> My Squid.conf file:
>>>
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>>
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 591         # filemaker
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>>
>>> http_access deny CONNECT !SSL_ports
>>>
>>> http_access allow localhost manager
>>> http_access deny manager
>>>
>>> acl whitelist dstdomain "/etc/squid/whitelist.txt"
>>> #acl whitelist dstdomain .arl.org
>>> http_access allow whitelist
>>> #http_access allow CONNECT whitelist
>>>
>>> http_access deny !whitelist
>>>
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> http_access deny all
>>>
>>> # Squid normally listens to port 3128
>>> http_port 3128
>>>
>>> # port 1338 is for Front Desk Machines
>>> http_port 1338
>>>
>>> coredump_dir /var/spool/squid
>>>
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>>
>>>
>>> Beginning of whitelist.txt
>>>
>>> #A Page
>>> .aacrjournals.org
>>> .aai.org
>>> .aaiddjournals.org
>>> .aap.org
>>> .aappublications.orga
>>> .accessanesthesiology.com
>>> .anthropology.org.uk
>>> .archivegrid.org
>>> .arl.org
>>> .arlstatistics.org
>>> .artstor.org
>>>
>>>
>>> Thank you,
>>>
>>> Lisa Blake
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
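
The root cause in this thread was a dangling symbolic link behind a file-backed dstdomain ACL, which Squid 3.5 only logged as "Can not open file" and "empty ACL" before starting anyway; with "http_access deny !whitelist" an ACL that never matches denies every request. The following pre-reload check is an added example, not code from the thread or from the Squid project: it resolves each quoted-path dstdomain ACL in a squid.conf text, reports a broken link or an unreadable or empty list before the proxy is reloaded, and only understands the quoted-path form used in this thread. The ACL names and temporary files in build_demo() are constructed for illustration.

```python
import os
import re
import tempfile

# Quoted-path form used in this thread:  acl whitelist dstdomain "/etc/squid/whitelist.txt"
ACL_FILE_RE = re.compile(r'^\s*acl\s+(\S+)\s+dstdomain\s+"([^"]+)"')


def parse_acl_files(conf_text):
    """Return [(acl_name, path)] for every file-backed dstdomain ACL in squid.conf."""
    # Strip '#' comments first so a commented-out acl line does not count.
    matches = (ACL_FILE_RE.match(ln.split("#", 1)[0]) for ln in conf_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def load_entries(path):
    """One entry per line; blank lines and '#' comments are ignored, as Squid does."""
    with open(path, encoding="utf-8") as fh:
        return [e for e in (ln.split("#", 1)[0].strip() for ln in fh) if e]


def check_acl_file(acl_name, path):
    """Classify the ACL file as ok, broken_link, unreadable or empty."""
    report = {"acl": acl_name, "target": os.path.realpath(path), "entries": 0}
    if os.path.islink(path) and not os.path.exists(path):
        report["status"] = "broken_link"  # Squid 3.5 only logged "Can not open file" here
    elif not os.path.isfile(path) or not os.access(path, os.R_OK):
        report["status"] = "unreadable"
    else:
        report["entries"] = len(load_entries(path))
        # An empty dstdomain ACL never matches, so "http_access deny !whitelist" denies all.
        report["status"] = "ok" if report["entries"] else "empty"
    return report


def build_demo():
    """Constructed scenario (not from the thread): good list, empty list, dangling symlink."""
    root = tempfile.mkdtemp()
    good, empty, link = (os.path.join(root, n) for n in ("whitelist.txt", "empty.txt", "link"))
    with open(good, "w", encoding="utf-8") as fh:
        fh.write("#A Page\n.arl.org\n.artstor.org\n")
    open(empty, "w").close()
    os.symlink(os.path.join(root, "missing.txt"), link)  # link target does not exist
    conf = f'acl whitelist dstdomain "{good}"\nacl nothing dstdomain "{empty}"\nacl testLink dstdomain "{link}"\n'
    return [check_acl_file(name, p) for name, p in parse_acl_files(conf)]


if __name__ == "__main__":
    for r in build_demo():
        print(f"{r['acl']:10} {r['status']:12} entries={r['entries']} -> {r['target']}")
```

Run it against the real squid.conf (read the file and pass its text to parse_acl_files) before `squid -k reconfigure`, and treat any status other than ok as a reason not to reload.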


