[squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

Amos Jeffries squid3 at treenet.co.nz
Fri May 26 17:28:51 UTC 2017



On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine.  > The webserver is actually part of shellinabox, so it's only for me 
to > access.  Shellinabox simply presents a terminal and login in a web 
 > browser.  I want it to be accessible only through squid for more > 
security. > > shellinabox works fine if I access it directly, but 
through squid I > see this in access.log: > > 1495813953.860     79 
204.155.22.30 TCP_TUNNEL/200 1440 CONNECT > IP:PORT USER HIER_DIRECT/IP 
 > > > 1495813962.001      0 204.155.22.30 TCP_DENIED/407 4397 CONNECT > 
IP:PORT USER HIER_NONE/- text/html > > > I've replaced the real IP, 
PORT, and USER with those words, however > the real PORT is a 
nonstandard port number.There are some other > posts I found mentioning 
a 407 error and it was said it occurs when > the webpage is asking for 
authentication.  However I don't understand > this, since shellinabox 
only display a login prompt which I wouldn't > think would be a 
problem.  Another post said a 407 is when squid auth > is failing, but I 
can get to external websites through squid. > > Does it matter that what 
I'm trying to access is HTTPS instead of > HTTP?
Yes it does. Beyond the obvious encryption there are messaging 
differences that directly effect what the proxy can do.


The first log entry indicates that something has already been done to 
let the port "work", so your config is already non-standard and probably 
doing something weird. The presence of a USER value other than "-" 
indicates that the proxy-auth is working at least for that transaction.

Yes the 407 is login to *Squid*. Nothing to do with the shellinabox 
software, the HEIR_NONE/- on the second line says shellinabox is not 
even being contacted yet for that transaction.


It is not possible to say why anything is happening here without knowing 
your config structure and intended policy. You will need to provide your 
squid.conf details to get much help.

If you need to obfuscate IP's please map them as if you were using the 
10/8 or 192.168/16 ranges so we can still identify any subtle things 
like TCP connections going wrong without revealing your public addresses.

Amos



More information about the squid-users mailing list