[squid-dev] Squid 4.1 "- TCP_DENIED/403" and IPv6 while "dns_v4_first on"
Eliezer Croitoru
eliezer at ngtech.co.il
Thu Jul 12 20:17:23 UTC 2018
I'm testing Squid 4.1 and my proxy is showing TCP_DENIED when fetching
certificates like this:
1531425362.414 000000 - TCP_DENIED/403 3661 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-"
REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id:
"-"
1531425364.299 000000 - TCP_DENIED/403 3661 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-"
REP-CC: "-" REP-EXP: "-" VARY: "-" - REP-X-CACHE: "-" Adapted-X-Store-Id:
"-"
If I'm not wrong, Amos wrote that there is a special directive or ACL to
allow these, since they are not originating from a client IP src address.
And also when I'm trying to access https://bugs.squid-cache.org/ with
SSL-BUMP on I am receiving the next page:
ERROR
The requested URL could not be retrieved
_____
The following error was encountered while trying to retrieve the URL:
https://bugs.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The system returned: (101) Network is unreachable
The remote host or network may be down. Please try the request again.
Your cache administrator is webmaster.
_____
Generated Thu, 12 Jul 2018 20:01:40 GMT by squid4-testing (squid/4.1)
##END OF PAGE
With these access log lines:
1531425990.290 000000 - TCP_DENIED/403 3564 GET
http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" -
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.291 000355 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443
- HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P:
"-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.294 000000 - TCP_DENIED/403 3564 GET
http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" -
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.295 000359 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443
- HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P:
"-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.299 000000 10.0.0.28 NONE/503 4117 GET
https://bugs.squid-cache.org/index.cgi - HIER_NONE/- text/html Q-CC:
"no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-"
REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS
from squid4-testing" Adapted-X-Store-Id: "-"
1531425990.304 000000 - TCP_DENIED/403 3564 GET
http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" -
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.305 000365 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443
- HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P:
"-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000000 - TCP_DENIED/403 3564 GET
http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" -
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000000 - TCP_DENIED/403 3564 GET
http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
Q-CC: "-" "-" Q-P: "-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" -
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000372 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443
- HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P:
"-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.307 000368 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443
- HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-" Q-P:
"-" "-" Q-RANGE: "-" REP-CC: "-" REP-EXP: "-" VARY: "-" 00:00:00:00:00:00
REP-X-CACHE: "-" Adapted-X-Store-Id: "-"
1531425990.339 000000 10.0.0.28 NONE/503 4117 GET
http://squid4-testing:3128/squid-internal-static/icons/SN.png - HIER_NONE/-
text/html Q-CC: "no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE:
"-" REP-CC: "-" REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00
REP-X-CACHE: "MISS from squid4-testing" Adapted-X-Store-Id: "-"
1531425990.374 000000 10.0.0.28 NONE/503 4117 GET
https://bugs.squid-cache.org/favicon.ico - HIER_NONE/- text/html Q-CC:
"no-cache" "no-cache" Q-P: "no-cache" "no-cache" Q-RANGE: "-" REP-CC: "-"
REP-EXP: "-" VARY: "Accept-Language" 00:00:00:00:00:00 REP-X-CACHE: "MISS
from squid4-testing" Adapted-X-Store-Id: "-"
So the issue is a bit strange: is the remote IP the issue, or is it another
thing?
I looked at the archives and also the docs, and from what I managed to make
sure, the following resolves both issues, which are tangled together:
## START squid.conf addition
# Matches transactions Squid starts on its own (e.g. fetching a missing
# intermediate certificate); these carry no client src address to match on.
acl internal transaction_initiator internal
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access allow internal
## END squid.conf addition
http://www.squid-cache.org/Versions/v4/cfgman/acl.html
It clarifies that there is a new type of ACL named "transaction_initiator" which
does a couple of good things.
I am not sure but it seems to me that some wiki page is missing regarding
this issue.
I can try to write one if no one else will sit on it in the next month.
All The Bests,
Eliezer
----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
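An added helper (not from the post or the Squid project) that walks access.log lines in the format quoted above and separates the two symptoms: denied transactions with no client address, which are Squid's own certificate fetches that the transaction_initiator ACL is meant to allow, and DIRECT connections that went to an IPv6 peer despite dns_v4_first. The sample lines are constructed after the ones in the post.

```python
"""Sort Squid 4 access.log entries into the two symptoms from the post:
denied transactions with no client address (Squid's own "internal" fetches,
matched by 'transaction_initiator', not by any src ACL) and DIRECT
connections that were routed to an IPv6 peer."""
import ipaddress

# Constructed sample in the shape of the lines quoted in the post: the native
# logformat fields first, then a few of the custom header fields.
SAMPLE_LOG = """\
1531425362.414 000000 - TCP_DENIED/403 3661 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-"
1531425990.291 000355 10.0.0.28 NONE/200 0 CONNECT bugs.squid-cache.org:443 - HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed - Q-CC: "-" "-"
1531425990.294 000000 - TCP_DENIED/403 3564 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8 Q-CC: "-" "-"
1531425990.299 000000 10.0.0.28 NONE/503 4117 GET https://bugs.squid-cache.org/index.cgi - HIER_NONE/- text/html Q-CC: "no-cache" "no-cache"
"""

def parse_line(line):
    """Parse the native prefix: time, duration, client, result/status, bytes,
    method, URL, user, hierarchy/peer, MIME type. Returns None if malformed."""
    parts = line.split(None, 10)
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    hier, _, peer = parts[8].partition("/")
    return {"ts": float(parts[0]), "client": parts[2], "result": result,
            "status": int(status) if status.isdigit() else None,
            "method": parts[5], "url": parts[6], "hier": hier, "peer": peer}

def denied_internal_fetches(log_text):
    """URLs of denied requests that carry no client address ('-'): fetches
    Squid started itself, which http_access must allow via the
    transaction_initiator ACL because no src ACL can ever match them."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["client"] == "-" and rec["result"] == "TCP_DENIED":
            hits.append(rec["url"])
    return hits

def direct_ipv6_peers(log_text):
    """(URL, peer) pairs that went HIER_DIRECT to an IPv6 literal; lets you
    check whether dns_v4_first is really steering traffic to IPv4 peers."""
    pairs = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["hier"] != "HIER_DIRECT":
            continue
        try:
            if ipaddress.ip_address(rec["peer"]).version == 6:
                pairs.append((rec["url"], rec["peer"]))
        except ValueError:  # peer is '-' or a hostname, not an IP literal
            pass
    return pairs
```

Run it against a real access.log by reading the file into `log_text`; any URL returned by `denied_internal_fetches` is a fetch that the `allow internal` rule above is meant to rescue.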