<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1495824217467_4092">Here's my squid.conf. For what it's worth, shellinabox can be made to use only HTTP if that's the issue.</div><div id="yui_3_16_0_ym19_1_1495824217467_4135"><br></div><div id="yui_3_16_0_ym19_1_1495824217467_3850"><br></div><pre style="margin: 0px; font-family: 'DejaVu Sans Mono', 'Everson Mono', FreeMono, 'Andale Mono', Consolas, monospace; color: rgb(0, 0, 0); font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;" id="yui_3_16_0_ym19_1_1495824217467_4007"><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4008"><span id="yui_3_16_0_ym19_1_1495824217467_4009">auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4010" dir="ltr"><span id="yui_3_16_0_ym19_1_1495824217467_4011">auth_param digest realm myrealm </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4012"><span id="yui_3_16_0_ym19_1_1495824217467_4013">auth_param digest children 2 </span></div><span id="yui_3_16_0_ym19_1_1495824217467_4033"> </span><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4034"><span id="yui_3_16_0_ym19_1_1495824217467_4035">acl auth_users proxy_auth REQUIRED </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4036"><span id="yui_3_16_0_ym19_1_1495824217467_4037">acl SSL_ports port 443 </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4038"><span 
id="yui_3_16_0_ym19_1_1495824217467_4039">acl SSL_ports port SHELLINABOX_PORT </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4040" dir="ltr"><span id="yui_3_16_0_ym19_1_1495824217467_4121">acl Safe_ports port </span><span id="yui_3_16_0_ym19_1_1495824217467_4123">SHELLINABOX_PORT</span><span id="yui_3_16_0_ym19_1_1495824217467_4041"> </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4042"><span id="yui_3_16_0_ym19_1_1495824217467_4043">acl Safe_ports port 80 # http </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4044"><span id="yui_3_16_0_ym19_1_1495824217467_4045">acl Safe_ports port 21 # ftp </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4046"><span id="yui_3_16_0_ym19_1_1495824217467_4047">acl Safe_ports port 443 # https </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4048"><span id="yui_3_16_0_ym19_1_1495824217467_4049">acl Safe_ports port 70 # gopher </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4050"><span id="yui_3_16_0_ym19_1_1495824217467_4051">acl Safe_ports port 210 # wais </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4052"><span id="yui_3_16_0_ym19_1_1495824217467_4053">#acl Safe_ports port 1025-65535 # unregistered ports </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4054"><span id="yui_3_16_0_ym19_1_1495824217467_4055">acl Safe_ports port 280 # http-mgmt </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4056"><span id="yui_3_16_0_ym19_1_1495824217467_4057">acl Safe_ports port 488 # gss-http </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4058"><span id="yui_3_16_0_ym19_1_1495824217467_4059">acl Safe_ports port 591 # filemaker </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4060"><span 
id="yui_3_16_0_ym19_1_1495824217467_4061">acl Safe_ports port 777 # multiling http </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4062"><span id="yui_3_16_0_ym19_1_1495824217467_4063">acl CONNECT method CONNECT </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4064"><span id="yui_3_16_0_ym19_1_1495824217467_4065">http_access deny !Safe_ports </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4066"><span id="yui_3_16_0_ym19_1_1495824217467_4067">http_access deny CONNECT !SSL_ports </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4068"><span id="yui_3_16_0_ym19_1_1495824217467_4069">http_access allow auth_users </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4070"><span id="yui_3_16_0_ym19_1_1495824217467_4071">http_access allow all </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4074"><span id="yui_3_16_0_ym19_1_1495824217467_4075">https_port SQUID_PORT cert=/etc/squid/squid.pem </span></div><div style="min-height: 19px;" id="yui_3_16_0_ym19_1_1495824217467_4076"><span id="yui_3_16_0_ym19_1_1495824217467_4077">cache deny all </span></div><div style="min-height: 19px;" dir="ltr" id="yui_3_16_0_ym19_1_1495824217467_4080"><span id="yui_3_16_0_ym19_1_1495824217467_4081">netdb_filename none </span></div></pre><div id="yui_3_16_0_ym19_1_1495824217467_3849"><span></span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1495824217467_3830"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1495824217467_3821" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1495824217467_3820"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1495824217467_3819"> <div dir="ltr" 
id="yui_3_16_0_ym19_1_1495824217467_3823"> <font id="yui_3_16_0_ym19_1_1495824217467_3822" size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Amos Jeffries &lt;squid3@treenet.co.nz&gt;<br> <b><span style="font-weight: bold;">To:</span></b> squid-users@lists.squid-cache.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, May 26, 2017 12:29 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1495824217467_3818"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1495824217467_3817"><br clear="none"><div class="yqt5775498932" id="yqtfd06185"><br clear="none">On 27/05/17 04:17, j m wrote:<br clear="none">&gt; I have a webserver and squid 3.5 running on the same Linux machine. The webserver is actually part of shellinabox, so it's only for me to access. Shellinabox simply presents a terminal and login in a web browser. I want it to be accessible only through squid for more security.<br clear="none">&gt;<br clear="none">&gt; shellinabox works fine if I access it directly, but through squid I see this in access.log:<br clear="none">&gt;<br clear="none">&gt; 1495813953.860 79 204.155.22.30 TCP_TUNNEL/200 1440 CONNECT IP:PORT USER HIER_DIRECT/IP<br clear="none">&gt;<br clear="none">&gt; 1495813962.001 0 204.155.22.30 TCP_DENIED/407 4397 CONNECT IP:PORT USER HIER_NONE/- text/html<br clear="none">&gt;<br clear="none">&gt; I've replaced the real IP, PORT, and USER with those words; however, the real PORT is a nonstandard port number. There are some other posts I found mentioning a 407 error, and it was said it occurs when the webpage is asking for authentication. However, I don't understand this, since shellinabox only displays a login prompt, which I wouldn't think would be a problem. Another post said a 407 is when squid auth is failing, but I can get to external websites through squid.<br clear="none">&gt;<br clear="none">&gt; Does it matter that what I'm trying to access is HTTPS instead of HTTP?</div><br clear="none">Yes it does. Beyond the obvious encryption there are messaging differences that directly affect what the proxy can do.<br clear="none"><br clear="none">The first log entry indicates that something has already been done to let the port "work", so your config is already non-standard and probably doing something weird. The presence of a USER value other than "-" indicates that the proxy-auth is working at least for that transaction.<br clear="none"><br clear="none">Yes the 407 is login to *Squid*. Nothing to do with the shellinabox software; the HIER_NONE/- on the second line says shellinabox is not even being contacted yet for that transaction.<br clear="none"><br clear="none">It is not possible to say why anything is happening here without knowing your config structure and intended policy. You will need to provide your squid.conf details to get much help.<br clear="none"><br clear="none">If you need to obfuscate IPs, please map them as if you were using the 10/8 or 192.168/16 ranges so we can still identify any subtle things like TCP connections going wrong without revealing your public addresses.<br clear="none"><br clear="none">Amos<br clear="none"><br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="yqt5775498932" id="yqtfd73039"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>