[squid-users] TCP 403 Denied on new squid build out
Amos Jeffries
squid3 at treenet.co.nz
Thu Jan 12 04:06:09 UTC 2017
On 12/01/2017 5:32 a.m., roadrage27 wrote:
> Built out Squid 3.5 on ubuntu 14.04 logs showing 403 denied when accessing
> any resources, any help is appreciated
>
> here is my conf file for reference.
>
>
> acl localhost src 127.0.0.1/32
>
> acl to_localhost dst 127.0.0.0/8
>
Remove the above two lines, they are built-in ACLs.
Please run 'squid -k parse' it will tell you about these things and
maybe more.
> acl localnet src 0.0.0.0/8 10.145.68.0/24
>
> acl myip src 10.145.68.148/32
>
> acl to_localnet dst 10.145.68.0/24
>
> acl search_engines dstdomain .yahoo.com .google.com
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80 # http
>
> acl Safe_ports port 21 # ftp
>
> acl Safe_ports port 443 # https
>
> acl Safe_ports port 70 # gopher
>
> acl Safe_ports port 210 # wais
>
> acl Safe_ports port 1025-65535 # unregistered ports
>
> acl Safe_ports port 280 # http-mgmt
>
> acl Safe_ports port 488 # gss-http
>
> acl Safe_ports port 591 # filemaker
>
> acl Safe_ports port 777 # multiling http
>
>
>
> acl CONNECT method CONNECT
>
> never_direct allow all
>
As others mentioned, remove the above line - it is preventing Squid
contacting any web server.
> http_access allow search_engines
>
> http_access allow manager localhost
>
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access allow localnet
>
> http_access allow to_localnet
>
> http_access allow myip
>
> http_access allow all
>
> http_access deny to_localhost
>
> icp_access deny all
You can remove the above line, you don't have ICP ports open in this proxy.
>
> http_access deny all
>
Your http_access lines should look like this:
# default security checks
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
# local network policy
http_access allow localnet
# default action for unidentified traffic
http_access deny all
NOTE 1: the 'myip' ACL is not used. That is because the 'allow localnet'
already accepts the 'allow myip' traffic.
NOTE 2: the search_engines ACL is dropped. It was being used to allow
anyone anywhere on the Internet to use your proxy to access those
domains. Which is very bad for a forward proxy to do.
- Also, the 'allow localnet' line already allows any LAN machines to
access those domains without having to name them.
NOTE 3: the to_localnet ACL is removed because it makes your proxy an
open-proxy. Anyone on the Internet who can reach your proxy can attack
your network.
- If you are trying to set up a CDN proxy / reverse-proxy then this is
absolutely the worst way to do it.
>
>
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
>
Also remove the above line. It is no longer good.
> access_log /var/log/squid3/access.log squid
>
>
>
>
>
> #Suggested default:
>
> refresh_pattern ^ftp: 1440 20% 10080
>
> refresh_pattern ^gopher: 1440 0% 1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> refresh_pattern . 0 20% 4320
>
> # Leave coredumps in the first cache dir
>
> coredump_dir /var/spool/squid3
>
Amos
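Editor's added example (not from this thread, and not Squid project code): a small first-match evaluator for Squid-style http_access lists, used to compare the poster's original rule order with the order Amos recommends. It models the documented Squid semantics: the ACL elements on one http_access line are ANDed, '!' negates an element, lines are tested top to bottom, the first line whose elements all match decides, and if no line matches the default is the opposite of the last line's action. Assumptions: IPv4 only, the 'manager' lines are omitted because that built-in ACL is URL-based and this model carries no URL, and the client and server addresses are constructed from the RFC 5737 documentation ranges.

```python
"""First-match evaluator for Squid-style http_access rules (added example)."""
import ipaddress
from dataclasses import dataclass

# ACLs Squid 3.5 defines by itself (why Amos says to drop the poster's own
# 'localhost' and 'to_localhost' lines). IPv4 members only in this model.
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
}

# The poster's own acl definitions, condensed from the quoted squid.conf.
POSTER_ACLS = """
acl localnet src 0.0.0.0/8 10.145.68.0/24
acl myip src 10.145.68.148/32
acl to_localnet dst 10.145.68.0/24
acl search_engines dstdomain .yahoo.com .google.com
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""

# The poster's http_access order ('manager' lines omitted, see lead-in).
ORIGINAL_RULES = [
    "allow search_engines",
    "deny !Safe_ports",
    "allow localnet",
    "allow to_localnet",
    "allow myip",
    "allow all",
    "deny to_localhost",
    "deny all",
]

# The order Amos recommends, with the same omission.
CORRECTED_RULES = [
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "allow localnet",
    "deny all",
]


@dataclass
class Request:
    src: str       # client IP address
    dst: str       # server IP the requested host resolved to
    dsthost: str   # requested host name
    port: int      # destination port
    method: str    # HTTP method (CONNECT for tunnels)


def parse_acls(text):
    """Parse 'acl NAME TYPE VALUES...' lines on top of the built-in ACLs."""
    acls = {n: (k, list(v)) for n, (k, v) in BUILTIN_ACLS.items()}
    for line in text.strip().splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        _, name, kind, *values = parts
        if name in acls:            # repeated 'acl' lines accumulate values
            acls[name][1].extend(values)
        else:
            acls[name] = (kind, list(values))
    return acls


def acl_matches(kind, values, req):
    """Does one ACL (of the types used in this conf) match the request?"""
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dst":
        ip = ipaddress.ip_address(req.dst)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in (v.upper() for v in values)
    if kind == "dstdomain":
        # a leading dot means the domain and all of its subdomains
        return any((req.dsthost == v[1:] or req.dsthost.endswith(v))
                   if v.startswith(".") else req.dsthost == v for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, acls, req):
    """Return (decision, rule): rule is the first fully matching line, or
    None when nothing matched and the opposite of the last action applies."""
    last_action = None
    for rule in rules:
        action, *elems = rule.split()
        last_action = action
        line_matches = True
        for elem in elems:
            negated = elem.startswith("!")
            kind, values = acls[elem.lstrip("!")]
            if acl_matches(kind, values, req) == negated:
                line_matches = False   # plain element missed, or negated one hit
                break
        if line_matches:
            return action, rule
    return ("deny" if last_action == "allow" else "allow"), None


if __name__ == "__main__":
    acls = parse_acls(POSTER_ACLS)
    # constructed cases: an Internet client reaching into the LAN, and a LAN
    # client opening a CONNECT tunnel to a non-SSL port
    cases = [
        Request("203.0.113.5", "10.145.68.10", "intranet.example", 80, "GET"),
        Request("10.145.68.20", "198.51.100.7", "www.example.com", 8080, "CONNECT"),
    ]
    for req in cases:
        print(req, "original:", http_access(ORIGINAL_RULES, acls, req),
              "corrected:", http_access(CORRECTED_RULES, acls, req))
```

The first constructed case is the open-proxy behaviour Amos warns about in NOTE 3: the original list lets an outside client through on 'allow to_localnet' (and would on 'allow all' even without it), while the corrected list falls through to 'deny all'. The second case shows what the added 'deny CONNECT !SSL_ports' line buys: the original list accepts a LAN client's CONNECT to port 8080 via 'allow localnet', the corrected list refuses it.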