[squid-users] Unable to access a device over port 4434

Piana, Josh Josh.Piana at hexcel.com
Wed Oct 9 19:59:07 UTC 2024


Hello Squid users,

I'm running into an issue wherein, when using Squid proxy, I'm unable to get to one of our management devices from port 4434.

I've already verified that this device is not blocking access from the proxy directly, and should be allowed to get to the access page.

- When reviewing the access logs, I can see that we're running into a generic 503 error

- When browsing to this page, it will attempt to load for about 30 seconds, and then fail

- The webpage response is a generic "The system returned: (110) Connection timed out"

- When we forgo the proxy, we can access it without an issue

This device is located on a 172.0.0.0/8 internal network.

- Other devices which do NOT use this port are accessible

- Changing the access port is not an option (not up to me)

Access Log entry:
09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana \ HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER

Please see below for relevant squid.conf rules:

auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 1 week
acl kerb-auth proxy_auth REQUIRED

acl src_self src 10.46.11.69            # proxy IP Address
acl localnet src 10.0.0.0/8              # hexcel networks
acl localnet src 172.0.0.0/8           # internal management network

acl SSL_ports port 443
acl Safe_ports port 21                    # ftp
acl Safe_ports port 22                    # ssh
acl Safe_ports port 80                    # http
acl Safe_ports port 443                  # https
acl Safe_ports port 4434                # firewall management port
acl Safe_ports port 8080                # http alternative
acl Safe_ports port 8443                # https alternative
acl Safe_ports port 1025-65535  # unregistered ports

# deny requests to certain unsafe ports
http_access deny !Safe_ports

# deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# this only allows changes to be made on the host itself
http_access allow localhost

# keep this deny here because other ACL's may unintentionally allow access
http_access deny to_localhost

# allow safe ports to CONNECT
http_access allow Safe_ports

# allow localnet parameter to CONNECT
http_access allow localnet

# allow authenticated users
http_access allow kerb-auth

# deny any request we missed in the above
http_access deny all
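The access-log line quoted in the post already narrows the problem down: `TCP_MISS/503` with `HIER_DIRECT/172.27.46.253` and `ERR_CONNECT_FAIL/WITH_SERVER` means the request passed the `http_access` rules (a rule rejection logs as `TCP_DENIED/403` with `HIER_NONE/-` and Squid never dials out), and that Squid's own TCP connection to 172.27.46.253:4434 failed. The next thing to check is therefore reachability of that host:port from the proxy host itself, not the ACL list. The script below, an added example that is not part of the thread or of Squid, parses lines in this native-like layout (client, cache_tag/status, bytes, method, URL, user, hierarchy/peer, then any `ERR_*/detail` token; field positions are located by pattern, so the stray `\` token in the quoted line does not break it) and sorts each failure into "ACL rejected it", "authentication required" or "proxy could not connect". All sample lines except the first are constructed here; the `NEXT_CHECK` hints are this example's own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log. The first line is the one quoted in the post
# (with its stray "\" token); the other three are made up here to exercise
# the remaining triage branches.
SAMPLE_LOG = """\
09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana \\ HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER
09/Oct/2024:15:55:02 -0400.101 10.46.49.190 TCP_DENIED/403 3900 GET http://172.27.46.253:9999/ - HIER_NONE/- text/html
09/Oct/2024:15:55:40 -0400.004 10.46.49.190 TCP_DENIED/407 3700 CONNECT 172.27.46.253:443 - HIER_NONE/- text/html
09/Oct/2024:15:56:11 -0400.233 10.46.49.190 TCP_MISS/200 1200 GET http://172.27.46.10:8080/ jpiana HIER_DIRECT/172.27.46.10 text/html
"""

STATUS_RE = re.compile(r"^(?P<tag>(?:TCP|UDP|NONE)[A-Z_]*)/(?P<code>\d{3})$")
HIER_RE = re.compile(r"^(?P<hier>HIER_[A-Z_]+|[A-Z_]+_(?:PARENT|SIBLING))/(?P<peer>\S+)$")
ERR_RE = re.compile(r"^(?P<err>ERR_[A-Z_]+)/(?P<detail>\S+)$")


@dataclass
class LogRecord:
    client: str
    cache_tag: str
    http_status: int
    method: str
    url: str
    user: str
    hierarchy: str
    peer: str
    err_code: Optional[str] = None
    err_detail: Optional[str] = None


def _find(pattern: "re.Pattern", tokens: List[str]) -> Optional["re.Match"]:
    """First token in `tokens` matching `pattern`, or None."""
    for tok in tokens:
        m = pattern.match(tok)
        if m:
            return m
    return None


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one access-log line; returns None if no cache_tag/status field is found."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        m = STATUS_RE.match(tok)
        if m and i >= 1 and len(tokens) >= i + 5:   # need client before, 4 fields after
            break
    else:
        return None
    hier = _find(HIER_RE, tokens[i + 5:])            # hierarchy/peer comes after the user
    err = _find(ERR_RE, tokens[i + 5:])              # %err_code/%err_detail, if logged
    return LogRecord(client=tokens[i - 1], cache_tag=m["tag"], http_status=int(m["code"]),
                     method=tokens[i + 2], url=tokens[i + 3], user=tokens[i + 4],
                     hierarchy=hier["hier"] if hier else "", peer=hier["peer"] if hier else "",
                     err_code=err["err"] if err else None, err_detail=err["detail"] if err else None)


def origin_of(rec: LogRecord) -> Tuple[str, int]:
    """(host, port) Squid itself would open a TCP connection to for this request."""
    if rec.method == "CONNECT" or "://" not in rec.url:   # CONNECT logs a bare host:port
        host, sep, port = rec.url.rpartition(":")
        return (host, int(port)) if sep and port.isdigit() else (rec.url, 443)
    parts = urlsplit(rec.url)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)


def triage(rec: LogRecord) -> str:
    """Name the failure class so the right thing gets checked first."""
    if rec.http_status == 407:
        return "auth_required"                 # proxy challenged for credentials
    if rec.cache_tag == "TCP_DENIED" or rec.http_status == 403:
        return "denied_by_acl"                 # http_access rejected it; no upstream dial-out
    if rec.err_code == "ERR_CONNECT_FAIL":     # ACLs passed; Squid's own TCP connect failed
        return "origin_unreachable_from_proxy" if rec.hierarchy == "HIER_DIRECT" \
            else "peer_unreachable_from_proxy"
    if rec.http_status >= 500 and rec.err_code:
        return "upstream_error:" + rec.err_code
    return "ok" if rec.http_status < 400 else "http_error:%d" % rec.http_status


NEXT_CHECK = {
    "auth_required": "client never authenticated; look at auth_param and the proxy_auth ACL",
    "denied_by_acl": "walk http_access top to bottom; the first matching rule decided",
    "origin_unreachable_from_proxy": "test a TCP connect to host:port from the proxy host "
                                     "(routing, firewall, origin listening on that port)",
    "peer_unreachable_from_proxy": "check the cache_peer host/port and the path to it",
    "ok": "nothing to do",
}


def report(log_text: str) -> List[Tuple[str, str]]:
    """(origin host:port, verdict) for every parseable line."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            host, port = origin_of(rec)
            rows.append(("%s:%d" % (host, port), triage(rec)))
    return rows


if __name__ == "__main__":
    for origin, verdict in report(SAMPLE_LOG):
        print(f"{origin:22} {verdict:32} {NEXT_CHECK.get(verdict.split(':')[0], 'inspect manually')}")
```

For the quoted line this prints `172.27.46.253:4434  origin_unreachable_from_proxy`, which is the case where a plain TCP connect test run on the proxy host itself (for example `curl --connect-timeout 5 http://172.27.46.253:4434/` from the proxy's shell, without `-x`) tells you more than any further `squid.conf` change: if that also times out, the proxy host's route or an intermediate firewall is dropping traffic to that port, which is consistent with the page's other ports on the same device working and the device being reachable when the proxy is bypassed.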