[squid-users] TCP_MISS/502 - audio stream - none default http ports

L.P.H. van Belle belle at bazuin.nl
Tue Sep 18 13:02:35 UTC 2018


Hi,

You missed a few points in your config. 
And thank you for the music link, something different than the radio here. ;-) 

I've installed a Debian stretch server. 
This is the debian default config with 2 modifications. 

## Squid 3.5.23 
## First enable the acl for YOUR localnet ( here i enable all 5) 
: acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
: acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
: acl localnet src 192.168.0.0/16       # RFC1918 possible internal network
: acl localnet src fc00::/7       # RFC 4193 local private network range
: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
: acl SSL_ports port 443
## PS: in your config you missed adding the extra SSL_ports to the Safe_ports as well. 
: acl Safe_ports port 80                # http
: acl Safe_ports port 21                # ftp
: acl Safe_ports port 443               # https
: acl Safe_ports port 70                # gopher
: acl Safe_ports port 210               # wais
: acl Safe_ports port 1025-65535        # unregistered ports
: acl Safe_ports port 280               # http-mgmt
: acl Safe_ports port 488               # gss-http
: acl Safe_ports port 591               # filemaker
: acl Safe_ports port 777               # multiling http

: acl CONNECT method CONNECT
: http_access deny !Safe_ports
: http_access deny CONNECT !SSL_ports
: http_access allow localhost manager
: http_access deny manager
: http_access allow localnet
## And here you missed the "allow localnet" 
: http_access allow localhost
: http_access deny all
: http_port 3128
: coredump_dir /var/spool/squid
: refresh_pattern ^ftp:         1440    20%     10080
: refresh_pattern ^gopher:      1440    0%      1440
: refresh_pattern -i (/cgi-bin/|\?) 0   0%      0
: refresh_pattern .             0       20%     4320


As extra test. 
I've installed squid 4.2 rebuilt from debian sid. 
This is the exact config used, the used script is below the email. 
I made 2 modifications. 
Configuration File: /etc/squid/conf.d/debian.conf (depth 1) : enabled localnet
Configuration File: /etc/squid/conf.d/headers.conf (depth 1): added your headers.

: acl localnet src 0.0.0.1-0.255.255.255        # RFC 1122 "this" network (LAN)
: acl localnet src 10.0.0.0/8           # RFC 1918 local private network (LAN)
: acl localnet src 100.64.0.0/10                # RFC 6598 shared address space (CGN)
: acl localnet src 169.254.0.0/16       # RFC 3927 link-local (directly plugged) machines
: acl localnet src 172.16.0.0/12                # RFC 1918 local private network (LAN)
: acl localnet src 192.168.0.0/16               # RFC 1918 local private network (LAN)
: acl localnet src fc00::/7             # RFC 4193 local private network range
: acl localnet src fe80::/10            # RFC 4291 link-local (directly plugged) machines
: acl SSL_ports port 443
: acl Safe_ports port 80                # http
: acl Safe_ports port 21                # ftp
: acl Safe_ports port 443               # https
: acl Safe_ports port 70                # gopher
: acl Safe_ports port 210               # wais
: acl Safe_ports port 1025-65535        # unregistered ports
: acl Safe_ports port 280               # http-mgmt
: acl Safe_ports port 488               # gss-http
: acl Safe_ports port 591               # filemaker
: acl Safe_ports port 777               # multiling http
: acl CONNECT method CONNECT
: http_access deny !Safe_ports
: http_access deny CONNECT !SSL_ports
: http_access allow localhost manager
: http_access deny manager
: include /etc/squid/conf.d/*
 Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
: logfile_rotate 0
: http_access allow localnet
 Configuration File: /etc/squid/conf.d/headers.conf (depth 1)
: request_header_access From deny all
: request_header_access Referer deny all
: request_header_access Server deny all
: request_header_access WWW-Authenticate deny all
: request_header_access Link deny all
: forwarded_for delete
: http_access allow localhost
: http_access deny all
: http_port 3128
: coredump_dir /var/spool/squid
: refresh_pattern ^ftp:         1440    20%     10080
: refresh_pattern ^gopher:      1440    0%      1440
: refresh_pattern -i (/cgi-bin/|\?) 0   0%      0
: refresh_pattern .             0       20%     4320

If you want the 4.2 for stretch, you can find it here : 
https://downloads.van-belle.nl/squid/squid4.2/ 
Buildlogs are all included, or rebuild it yourself from sid/testing. 
It's a pretty easy rebuild imo. 

Greetz, 

Louis




> -----Original message-----
> From: squid-users 
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of 
> Dörfler, Andreas
> Sent: Tuesday 18 September 2018 14:07
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] TCP_MISS/502 - audio stream - none 
> default http ports
> 
> hello there,
> 
> i try to get mp3/audio streams working on a "kinda default" debian
> stretch installation.
> 
> after i failed with the default debian squid configuration, i 
> tried the
> working config from the old proxy (Squid Cache: Version 3.1.20), 
> but no luck either.
> 
> audio streams work when it's a web-based radio on port 
> 80/443, but once
> the radio leaves the default ports, it stops working.
> 
> since the new squid is 4 minor releases above the old server, i think
> something major changed, but i have no clue, i touch the squid
> configuration only once every few years...
> 
> 
> ###>
> Squid Cache: Version 3.5.23
> <###
> 
> config below is the one i copied from the old squid server, 
> but as said,
> it won't work. security is handled by the firewall, so "allow 
> all" isn't
> an issue.
> 
> ###>config
> 
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443 9418 5001
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all
> http_port 8080
> access_log /var/log/squid/access.log squid
> debug_options ALL,1
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>                 request_header_access From deny all
>                 request_header_access Referer deny all
>                 request_header_access Server deny all
>                 request_header_access WWW-Authenticate deny all
>                 request_header_access Link deny all
> forwarded_for delete
> 
> <###
> 
> 
> ###>example stream
> https://tunein.com/radio/Americana-Breakdown-s281469/
> <###
> 
> ###squid access.log errors
> 
> 172.16.x.x TCP_MISS/502 4307 GET http://91.121.164.210:8104/ -
> HIER_DIRECT/91.121.164.210 text/html
> 
> 172.16.x.x TCP_MISS/502 4312 GET http://91.121.164.210:8104/; -
> HIER_DIRECT/91.121.164.210 text/html
> <###
> 
> any ideas?
> 
> thanks in advance,
> andy
> 


