[squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403
Alex Rousskov
rousskov at measurement-factory.com
Sat Apr 10 00:42:46 UTC 2021
On 4/9/21 4:41 PM, Elliott Blake, Lisa Marie wrote:
> I realized that the whitelist is a symbolic link
Hi Lisa,
Glad you figured it out! IMO, it is a Squid bug that Squid starts
with broken symbolic links:
> 2021/04/09 20:34:52| ERROR: Can not open file /tmp/link for reading
> 2021/04/09 20:34:52| Warning: empty ACL: acl testLink dstdomain "/tmp/link"
> 2021/04/09 20:34:52| Accepting HTTP Socket connections
The above ERROR should be fatal (by default).
In fact, I would make the above Warning a fatal configuration error as
well, with a squid.conf option to explicitly allow for empty (hopefully
never matching) ACLs.
Alex.
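The failure mode above (a file-backed acl whose file cannot be opened, Squid logging an ERROR and starting anyway with an empty ACL that then denies everything) can be caught before the daemon is started. The check below is an added example, not Squid's own code or anything from this thread; the function names `check_squid_acl_files` and `make_demo` and the constructed demo files are assumptions.

```shell
# Added example, not Squid's own code: a pre-start check that fails when a
# file-backed acl points at a missing, unreadable or entry-less file, since
# Squid 3.5 just logs an ERROR and starts with an empty ACL. Run as the Squid user.
check_squid_acl_files() {
    conf="$1"
    bad=0
    # Keep  acl NAME TYPE "PATH"  lines (commented-out ones are skipped) and
    # reduce each to  NAME PATH.  sed runs last so the pipeline status is 0.
    entries=$(grep -E '^[[:space:]]*acl[[:space:]]+[^[:space:]]+.*"[^"]+"' "$conf" \
        | sed -E 's/^[[:space:]]*acl[[:space:]]+([^[:space:]]+).*"([^"]+)".*/\1 \2/')
    while read -r name path; do   # fed by a here-document, not a pipe, so $bad survives
        [ -z "$name" ] && continue
        what=
        if [ ! -e "$path" ]; then   # -e follows symlinks, so a dangling link fails here
            what="does not exist"
            [ -L "$path" ] && what="is a dangling symlink to $(readlink "$path")"
        elif [ ! -r "$path" ]; then
            what="is not readable"
        elif ! grep -Eq '^[[:space:]]*[^#[:space:]]' "$path"; then
            what="has no entries (only blank or comment lines)"
        fi
        [ -z "$what" ] && continue
        echo "acl $name: $path $what; Squid would load it as an empty ACL"
        bad=$((bad + 1))
    done <<EOF
$entries
EOF
    [ "$bad" -eq 0 ]   # return status: 0 only when every list is usable
}
# Constructed demo tree: a usable whitelist, an empty list and a dangling
# symlink like /tmp/link in the thread, referenced from a good and a bad config.
make_demo() {
    dir="$1"
    printf '#A Page\n.aacrjournals.org\n.arl.org\n' > "$dir/whitelist.txt"
    : > "$dir/empty.txt"
    ln -s "$dir/does-not-exist" "$dir/link"
    printf 'acl whitelist dstdomain "%s/whitelist.txt"\n' "$dir" > "$dir/good.conf"
    {
        printf 'acl testLink dstdomain "%s/link"\n' "$dir"
        printf 'acl empty dstdomain "%s/empty.txt"\n' "$dir"
        printf '#acl old dstdomain "%s/nothing"\n' "$dir"
        printf 'acl whitelist dstdomain "%s/whitelist.txt"\n' "$dir"
    } > "$dir/broken.conf"
}
demo=$(mktemp -d)
make_demo "$demo"
check_squid_acl_files "$demo/good.conf" && echo "good.conf: all ACL files usable"
check_squid_acl_files "$demo/broken.conf" || echo "broken.conf: do not start Squid"
rm -rf "$demo"
```

Wired into the service's pre-start step, a non-zero exit keeps Squid from coming up with a whitelist that silently matches nothing.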
> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov at measurement-factory.com]
> Sent: Friday, April 9, 2021 9:52 AM
> To: squid-users at lists.squid-cache.org
> Cc: Elliott Blake, Lisa Marie <loleary at uic.edu>
> Subject: Re: [squid-users] Can't get squid with whitelist text file to work TCP_DENIED/403
>
> On 4/8/21 3:11 PM, Elliott Blake, Lisa Marie wrote:
>> I am trying to get squid to work with a text file for a whitelist. I
>> get TCP_DENIED/403 on every url I try. I am using curl to test.
>
>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org/
>
> Is that the exact curl command you are using or a typo? The above command tells curl to use an HTTPS proxy (https://libaux...) and your squid.conf does not have an https_port so something does not add up.
> Perhaps your curl version is as old and buggy as your Squid version and it just ignores the "s" in "-x https", but I would remove it anyway.
>
>
>> Server: squid/3.5.20
>
> Could be a bug in that unsupported version, of course. If you share a link to a debug_options ALL,9 cache.log with a problematic transaction, somebody may be able to triage this further.
>
> https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>
> Alex.
>
>
>> Mime-Version: 1.0
>> Date: Wed, 07 Apr 2021 17:38:58 GMT
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 3521
>> X-Squid-Error: ERR_ACCESS_DENIED 0
>> Vary: Accept-Language
>> Content-Language: en
>> X-Cache: MISS from libaux-prod.lib.uic.edu
>> X-Cache-Lookup: NONE from libaux-prod.lib.uic.edu:3128
>> Via: 1.1 libaux-prod.lib.uic.edu (squid/3.5.20)
>> Connection: keep-alive
>> curl: (56) Received HTTP code 403 from proxy after CONNECT
>>
>> However, if I change my squid.conf to just the url it works.
>>
>> acl whitelist dstdomain .arl.org
>>
>> curl -x https://libaux-prod.lib.uic.edu:3128/ -I https://arl.org/
>>
>> HTTP/1.1 200 Connection established
>>
>> HTTP/1.1 301 Moved Permanently
>> Server: nginx
>> Date: Wed, 07 Apr 2021 17:40:31 GMT
>> Content-Type: text/html
>> Content-Length: 178
>> Connection: keep-alive
>> Keep-Alive: timeout=20
>> Location: https://www.arl.org/
>> Expires: Wed, 07 Apr 2021 18:40:31 GMT
>> Cache-Control: max-age=3600
>>
>> I am running a CentOS 7 OS with squid version 3.5.20, which is the
>> most recent yum version.
>>
>> This is driving me crazy. I have tried debugging in squid and cannot
>> find the answer. I have tried changing the squid.conf file. I always
>> restart squid after I change the squid.conf file.
>>
>> Any help would be appreciated.
>>
>> My squid.conf file:
>>
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80  # http
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 591 # filemaker
>> acl CONNECT method CONNECT
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>>
>> acl whitelist dstdomain "/etc/squid/whitelist.txt"
>> #acl whitelist dstdomain .arl.org
>> http_access allow whitelist
>> #http_access allow CONNECT whitelist
>> http_access deny !whitelist
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>> # port 1338 is for Front Desk Machines
>> http_port 1338
>>
>> coredump_dir /var/spool/squid
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> Beginning of whitelist.txt
>>
>> #A Page
>> .aacrjournals.org
>> .aai.org
>> .aaiddjournals.org
>> .aap.org
>> .aappublications.orga
>> .accessanesthesiology.com
>> .anthropology.org.uk
>> .archivegrid.org
>> .arl.org
>> .arlstatistics.org
>> .artstor.org
>>
>> Thank you,
>>
>> Lisa Blake