[squid-users] TCP_DENIED/403 on raspberrypi

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 3 23:47:49 UTC 2016


NOTE: please don't use fancy quoting when posting through the Nabble
interface. It erases the critical information about your problem from
any other copy of the list:

On 3/12/2016 9:30 a.m., domshyra wrote:
> So I have changed the file to a sample conf file. Here is what it looks like
> now
> 
> 
> 
> 
> authenticated_ips is a list of ip addresses that are going to be outgoing
> ips and 192.168.1.25 isn't part of it. I have received a new 403 error which
> is this below
> 
> 
> 192.168.1.25 is my macbook which is SSH'd into the raspberry pi 
> 
> 


There is the root cause of your problem. http_access matches the Squid
*incoming* traffic. The requests arriving into Squid from clients.

Outgoing traffic of a Squid (and thus its outgoing IP(s)) should never
be sent back into that Squid. That would be a loop in the traffic.

Your access.log says:

The client (src) of the requests is 192.168.1.25.

The destination is the server 127.0.0.1 port 19536.

(PS. why are you logging proxy traffic in web-server format anyway? web
servers do not have two TCP connections to deal with like proxies)


So like I said earlier:
> 
> Starting from the default config file you should only have to add the
> 19536 port to SSL_ports and replace localnet ACL with your
> authenticated_ips thing.
> 
> Just be extra paranoid about adding ports to SSL_Ports. Be sure you know
> that the protocol(s!) being used over that port are safe. Squid does not
> have any control or insight into what's happening over a CONNECT tunnel
> once it's permitted.


1) Set your http_access lines to be this (notice that it is the default
config):

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager

 # INSERT YOUR OWN RULE(S) HERE ...

 http_access allow localnet
 http_access allow localhost
 http_access deny all


2) Since your client is using 192.168.* the localnet ACL should be reset
to the below:

 #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
 #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
 acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
 acl localnet src fc00::/7       # RFC 4193 local private network range
 acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines


3) Figure out what the strange port 19536 is about. If you actually want
that to happen then add the below to your squid.conf:

 # your reason for adding this port goes here.
 acl SSL_ports port 19536
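To see why each of the three steps matters, here is a small Python model of how Squid walks `http_access` lines top to bottom and stops at the first line whose ACLs all match. This is an added illustration, not Squid's own code and not from either poster; the `authenticated_ips` value 203.0.113.10/32, the plain GET request, and the simplified `manager` and `Safe_ports` definitions are constructed assumptions, while the CONNECT request is the one the access.log above shows (src 192.168.1.25, destination 127.0.0.1 port 19536).

```python
"""Toy first-match evaluator for Squid http_access rules (added example).

Mimics Squid's rule walk: a line matches only when every ACL on it matches,
'!' negates one ACL, and the first matching line decides the verdict.
"""
import ipaddress

# Default Safe_ports / SSL_ports from the stock squid.conf (simplified).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS_DEFAULT = {443}

# The stock http_access block, as in step 1 above.
DEFAULT_HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def make_acls(localnet_cidrs, ssl_ports):
    """Build name -> predicate; each predicate inspects one request dict."""
    nets = [ipaddress.ip_network(c) for c in localnet_cidrs]
    return {
        "all": lambda r: True,
        "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
        "localnet": lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets),
        "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
        "SSL_ports": lambda r: r["port"] in ssl_ports,
        "CONNECT": lambda r: r["method"] == "CONNECT",
        # assumption: manager requests are identified by this path prefix
        "manager": lambda r: r["path"].startswith("/squid-internal-mgr/"),
    }


def http_access(rules, acls, request):
    """Return (verdict, line_no) of the first matching rule, Squid-style."""
    for no, (action, names) in enumerate(rules, 1):
        matched = True
        for name in names:
            negate = name.startswith("!")
            hit = acls[name.lstrip("!")](request)
            if hit == negate:        # ACL failed (or negated ACL hit)
                matched = False
                break
        if matched:
            return action, no
    # No line matched: Squid uses the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


def evaluate(localnet_cidrs, ssl_ports, request):
    """Evaluate one request against the stock rules with the given ACL values."""
    return http_access(DEFAULT_HTTP_ACCESS, make_acls(localnet_cidrs, ssl_ports), request)


# Request reconstructed from the access.log quoted in the mail.
CONNECT_REQUEST = {"src": "192.168.1.25", "method": "CONNECT", "port": 19536, "path": "/"}
# Constructed plain request from the same client, to show the localnet effect alone.
GET_REQUEST = {"src": "192.168.1.25", "method": "GET", "port": 80, "path": "/"}

# Constructed: localnet replaced by the proxy's *outgoing* IPs, which do not
# include the client. This is the configuration that produced TCP_DENIED/403.
OUTGOING_IPS = ["203.0.113.10/32"]


def verdicts():
    """Verdicts for both requests after each of the three steps."""
    return {
        "outgoing-IP list, GET":      evaluate(OUTGOING_IPS, SSL_PORTS_DEFAULT, GET_REQUEST),
        "localnet reset, GET":        evaluate(["192.168.0.0/16"], SSL_PORTS_DEFAULT, GET_REQUEST),
        "localnet reset, CONNECT":    evaluate(["192.168.0.0/16"], SSL_PORTS_DEFAULT, CONNECT_REQUEST),
        "SSL_ports+19536, CONNECT":   evaluate(["192.168.0.0/16"], SSL_PORTS_DEFAULT | {19536}, CONNECT_REQUEST),
    }


if __name__ == "__main__":
    for label, (verdict, line) in verdicts().items():
        print(f"{label:28s} -> {verdict} (http_access line {line})")
```

Run as-is, it shows that with the outgoing-IP list the plain GET falls through to `deny all`; resetting `localnet` to 192.168.0.0/16 lets the GET through at the `allow localnet` line, but the CONNECT to 19536 is still stopped by `deny CONNECT !SSL_ports`; only adding the port to `SSL_ports` (step 3, once you know what runs there) lets that tunnel reach `allow localnet`.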



Amos

