[squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

j m acctforjunk at yahoo.com
Fri May 26 18:46:50 UTC 2017


Here's my squid.conf.  For what it's worth, shellinabox can be made to use only HTTP if that's the issue.

auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd auth_param digest realm myrealm auth_param digest children 2  acl auth_users proxy_auth REQUIRED acl SSL_ports port 443 acl SSL_ports port SHELLINABOX_PORT acl Safe_ports port SHELLINABOX_PORT acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais #acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow auth_users http_access allow all https_port SQUID_PORT cert=/etc/squid/squid.pem cache deny all netdb_filename none 

      From: Amos Jeffries <squid3 at treenet.co.nz>
 To: squid-users at lists.squid-cache.org 
 Sent: Friday, May 26, 2017 12:29 PM
 Subject: Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid
   


On 27/05/17 04:17, j m wrote:
> I have a webserver and squid 3.5 running on the same Linux machine.  > The webserver is actually part of shellinabox, so it's only for me 
to > access.  Shellinabox simply presents a terminal and login in a web 
 > browser.  I want it to be accessible only through squid for more > 
security. > > shellinabox works fine if I access it directly, but 
through squid I > see this in access.log: > > 1495813953.860    79 
204.155.22.30 TCP_TUNNEL/200 1440 CONNECT > IP:PORT USER HIER_DIRECT/IP 
 > > > 1495813962.001      0 204.155.22.30 TCP_DENIED/407 4397 CONNECT > 
IP:PORT USER HIER_NONE/- text/html > > > I've replaced the real IP, 
PORT, and USER with those words, however > the real PORT is a 
nonstandard port number.There are some other > posts I found mentioning 
a 407 error and it was said it occurs when > the webpage is asking for 
authentication.  However I don't understand > this, since shellinabox 
only display a login prompt which I wouldn't > think would be a 
problem.  Another post said a 407 is when squid auth > is failing, but I 
can get to external websites through squid. > > Does it matter that what 
I'm trying to access is HTTPS instead of > HTTP?
Yes it does. Beyond the obvious encryption there are messaging 
differences that directly effect what the proxy can do.


The first log entry indicates that something has already been done to 
let the port "work", so your config is already non-standard and probably 
doing something weird. The presence of a USER value other than "-" 
indicates that the proxy-auth is working at least for that transaction.

Yes the 407 is login to *Squid*. Nothing to do with the shellinabox 
software, the HEIR_NONE/- on the second line says shellinabox is not 
even being contacted yet for that transaction.


It is not possible to say why anything is happening here without knowing 
your config structure and intended policy. You will need to provide your 
squid.conf details to get much help.

If you need to obfuscate IP's please map them as if you were using the 
10/8 or 192.168/16 ranges so we can still identify any subtle things 
like TCP connections going wrong without revealing your public addresses.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170526/730f37c0/attachment-0001.html>


More information about the squid-users mailing list