[squid-users] Error accessing the 403 page

Alex Samad alex at samad.com.au
Sat Jan 2 01:57:11 UTC 2016


On 2 January 2016 at 12:23, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 2016-01-02 13:19, Alex Samad wrote:
>>
>> On 2 January 2016 at 09:22, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>>
>>> On 2016-01-01 23:28, Alex Samad wrote:
>>>>
>>>>
>>>> Hi
>>>>
>>>> I installed 3.5.12 and when I try to get to a page that is blocked, I
>>>> used to get a message page that said contact the admin person.
>>>>
>>>> trying to get to
>>>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>>>
>>>>
>>>> This is part of the error generated
>>>> The following error was encountered while trying to retrieve the URL:
>>>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>>>
>>>> alcdmz1 is the proxy server
>>>>
>>>> I seem to have blocked access to all error messages. Not sure how, as
>>>> I haven't made any changes except upgrading to .12 from .11.
>>>
>>>
>>>
>>> We fixed the Host header output on CONNECT requests to cache_peer between
>>> those versions. That is likely the reason it has started being visible.
>>
>>
>> Sorry, not sure how that is related to this.
>
>
> It is the only Squid change between those versions that seems related to the
> issue.
>
>

okay

>>
>>>
>>> The above URL is just an icon being served up by your Squid as part of
>>> the page display. The main error page text should have been sent as the
>>> body of the original 403 message itself.
>>>
>>
>> agree
>>
>>> Your http_access rules are the things rejecting it. Note that it contains
>>> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80)
>>> which your proxy machine is configured to announce publicly as its
>>> contain domain / FQDN.
>>>
>>
>> The original url was bcp.crwdcntrl.net:80, the page I got back
>> included the text
>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>
>>
>>> The squid service needs to be publicly accessible at that domain:port
>>> that it is advertising as its public FQDN for this icon request to
>>> succeed. That means making the server hostname, or visible_hostname
>>> something that clients can access directly - and unique_hostname the
>>> private internal name the Squid instance uses to distinguish itself from
>>> other peers on the proxy farm.
>>
>>
>> so they can connect to alcdmz1:3128
>>
>>
>>
>> conf
>> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>> auth_param negotiate children 20 startup=0 idle=3
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
>> auth_param ntlm children 20 startup=0 idle=3
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
>> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
>> acl localnet src 10.3.8.0/24
>> acl localnet_auth src 10.1.0.0/14
>> acl localnet_auth src 10.2.0.0/16
>> acl localnet_auth src 10.2.2.1/32
>
>
> NP: 10.1.0.0/14 contains and matches all of 10.2.*.*, therefore the other
> localnet_auth entries are all redundant and can be removed.
>
> (squid -k parse should be warning you about that)
>
>
>> acl localnet_guest src 10.1.22.0/24
>> acl localnet_appproxy src 10.172.23.3/32
>
>
> NP: localnet and localnet_appproxy are both of the same type and both only
> used to allow http_access within the same block of allows.
>
> You should simplify by adding 10.172.23.3 to the localnet definition and
> drop localnet_appproxy entirely.

I have changed some of the IP addressing for the email.

>
>> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
>> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
>> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
>> acl FTP proto FTP
>> acl DMZSRV src 10.3.2.110
>> acl DMZSRV src 10.3.2.111
>> always_direct allow FTP
>> always_direct allow DMZSRV
>> ftp_passive off
>> ftp_epsv_all off
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>
>
> Aha. You have restricted the Safe_ports to exclude 3128. Thus
> "http://alcdmz1:3128/..." are rejected even if the remote client could
> resolve domains within the TLD "alcdmz1".

So obvious once pointed out! Wonder why it worked before though!

>
>
>> acl CONNECT method CONNECT
>> acl AuthorizedUsers proxy_auth REQUIRED
>> acl icp_allowed src 10.3.2.110/32
>> acl icp_allowed src 10.3.2.111/32
>> acl icp_allowed src 10.172.23.0/32
>> acl icp_allowed src 10.172.23.4/32
>
>
> NP: you do not need to put /32 on IPv4 addresses.
>
>> http_access allow manager localhost
>> http_access allow manager icp_allowed
>> http_access deny manager
>> http_access allow icp_allowed
>
>
> All the manager and icp_allowed stuff above should be down ...
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
>
>  ... here.
>
> I would also restructure the manager tests as:
>   http_access allow icp_allowed
>   http_access allow localhost
>   http_access deny manager
>
> ... which avoids repeated checking of the (relatively) slow regex manager
> ACL, and allows removal of the lines checking "allow localhost" and "allow
> icp_allowed".
>
>
>> http_access allow localnet
>> http_access allow localhost
>> http_access allow localnet_appproxy
>> http_access deny !localnet_auth
>> http_access allow localnet_guest sblYBOveride
>> http_access deny localnet_guest sblMal
>> http_access deny localnet_guest sblPorn
>> http_access allow localnet_guest
>> http_access allow nonAuthSrc
>> http_access allow nonAuthDom
>
>
> Instead of repeating allows for FTP and Authorized users twice you could
> replace all these:
>
>> http_access allow sblYBOveride FTP
>> http_access allow sblYBOveride AuthorizedUsers
>> http_access deny sblMal
>> http_access deny sblPorn
>
>
> ... with these:
>>
>> http_access deny !sblYBOveride sblMal
>> http_access deny !sblYBOveride sblPorn

I will look into this!

>
>
>
>> http_access allow FTP
>> http_access allow AuthorizedUsers
>> http_access deny all
>> http_port 3128
>> http_port 8080
>> cache_mem 40960 MB
>> cache_mgr operations.manager at abc.com
>> cache_dir aufs /var/spool/squid 550000 16 256
>> coredump_dir /var/spool/squid
>> range_offset_limit 200 MB
>> maximum_object_size 200 MB
>> quick_abort_min -1
>> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>> cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query standby=10
>> icp_port 0
>> icp_access allow icp_allowed
>> icp_access deny all
>> htcp_port 4827
>> htcp_access allow icp_allowed
>> htcp_access deny all
>> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
>> cache deny nonCacheDom
>> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
>> cache deny nonCacheURL
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
>> adaptation_access service_req allow all
>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
>> adaptation_access service_resp allow all
>> ipcache_size 10240
>> forwarded_for delete
>> cache_swap_low 90
>> cache_swap_high 95
>> log_icp_queries off
>> icap_preview_enable on
>> icap_preview_size 1024
>> httpd_suppress_version_string on
>> max_filedesc 8192
>>
>>
>>
>> I'm not sure what I have to allow.
>>
>> So, if I understand rightly:
>> client makes a request for http://bcp.crwdcntrl.net/
>> squid sends back a 403
>>
>> client gets response text that includes a link to
>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png from this
>> code:
>> background: url('/squid-internal-static/icons/SN.png') no-repeat left;
>>
>> browser / client makes a request for
>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>
>> squid returns 403 ...
>>
>> Which ACL or access_allow do I need to allow this?
>
>
> Either add 3128 back into your Safe_ports ACL, or add an ACL " urlpath_regex
> ^/squid-internal-static/ " and permit requests that match it.
>
> The second way is better because it should allow the
> "http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png" request to
> succeed, which is both faster and avoids the proxy hostname:port exposure.

Yes, I like the second method.


>
> Amos
>

Thanks
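To make the first-match behaviour behind Amos's diagnosis concrete, here is an added example (not from this thread and not Squid's own code) that models http_access evaluation over the ACL types involved: with 3128 absent from Safe_ports the icon request to alcdmz1:3128 is denied at "deny !Safe_ports" before any allow line is reached, an allow on a urlpath_regex ^/squid-internal-static/ ACL placed ahead of that line fixes it, and the same line placed after it changes nothing. The evaluation semantics, the trimmed ACL table and the client address 10.3.8.20 are assumptions; the blacklist and authentication ACLs from the posted config are left out.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed model of Squid's http_access evaluation (assumption: the first line
# whose ACLs all match wins, '!' negates one ACL, and with no match the result is
# the opposite of the last line's action). Blacklist and auth ACLs are omitted.
ACLS = {
    "Safe_ports": ("port", {80, 21, 443}),  # 3128 absent, as in the thread
    "SSL_ports": ("port", {443}),
    "CONNECT": ("method", {"CONNECT"}),
    "localnet": ("src", ipaddress.ip_network("10.3.8.0/24")),
    "internal_static": ("urlpath_regex", re.compile(r"^/squid-internal-static/")),
    "all": ("all", None),
}

def request(method, url, client_ip):
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"method": method, "port": port, "path": u.path,
            "src": ipaddress.ip_address(client_ip)}

def acl_matches(name, req):
    kind, data = ACLS[name]
    if kind == "port":
        return req["port"] in data
    if kind == "method":
        return req["method"] in data
    if kind == "src":
        return req["src"] in data
    if kind == "urlpath_regex":
        return data.search(req["path"]) is not None
    return True  # "all"

def http_access(rules, req):
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The thread's ordering: a request to alcdmz1:3128 dies at "deny !Safe_ports".
ORIGINAL = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
            ("allow", ["localnet"]), ("deny", ["all"])]
# Amos's second fix: permit /squid-internal-static/ ahead of the port check.
FIXED = [("allow", ["internal_static"])] + ORIGINAL
# The same line placed after "deny !Safe_ports" is never reached for port 3128.
MISPLACED = ORIGINAL[:1] + [("allow", ["internal_static"])] + ORIGINAL[1:]

ICON = request("GET", "http://alcdmz1:3128/squid-internal-static/icons/SN.png", "10.3.8.20")
PAGE = request("GET", "http://bcp.crwdcntrl.net/", "10.3.8.20")
```

Running `http_access(rules, ICON)` against the three rule lists shows deny, allow, deny respectively, while a plain port-80 request from the local network is allowed under all three.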