On 17.10.2012 09:49, Mike Muir wrote:
> My acl section and http_access:
>
> acl manager proto cache_object COAP
> acl localhost src 127.0.0.1/32 ::1
> acl Whitelist dstdomain "/etc/squid/whitelist_sites"
> acl ncsa_users proxy_auth REQUIRED
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl CONNECT method CONNECT
> acl all src all
>
>
> # cachemgr access
> http_access allow manager localhost
> http_access deny manager
> # http_access Section
> http_access allow ncsa_users Whitelist
> http_access deny CONNECT !SSL_ports
> http_access deny !Safe_ports
> http_access deny all
NP: sequence of "deny" lines followed by "deny all" is equivalent to
"deny all"....
Meaning your config is effectively:
http_access allow manager localhost
http_access deny manager
http_access allow ncsa_users Whitelist
http_access deny all
... notice how there are no controls/limits on CONNECT or even port
number any more.
>
> Squid version: 2.7
Please upgrade. 2.7 is deprecated now and has not been supported for
several years.
Squid-2.7 does not support coap:// protocol. You can remove that from
the manager ACL. If you actually want coap:// support upgrade to
squid-3.2 minimum.
Not that Squid coap://.../squid-internal-mgr/* URLs would get anywhere
near CoAP protocol anyway.
> Port: 443
> Browser: Chrome
> Site: gmail.com (although it's denying all https requests)
>
"net::ERR_TUNNEL_CONNECTION_FAILED" is a 'friendly' Chrome error
message, hiding all the relevant HTTP details about the *actual* HTTP
level problem. Check the HTTP traffic (will probably require a TCP dump,
or digging into the developer tools on Chrome).
This will give you both the HTTP headers for the transaction, and the
real Squid response error page - if any HTTP took place.
Your proxy requires authentication for whitelisted sites (even if they
are used in CONNECT), so unless Chrome is sending user credentials when
trying to open a new tunnel through Squid, it will be rejected with an
auth challenge response status. Squid-2 does not support keep-alive and
authentication exchange on CONNECT - resulting in the connection closing
after the challenge. Only CONNECT with pre-sent credentials are accepted
by your Squid - Chrome is responsible for re-opening the CONNECT tunnel
with credentials if it closes after a challenge.
Amos
> On Tue, Oct 16, 2012 at 5:41 PM, Eliezer Croitoru wrote:
>> On 10/16/2012 9:41 PM, Mike Muir wrote:
>>>
>>> Hello,
>>>
>>> I'm getting a TCP DENIED/403 in the access log when trying to
>>> access
>>> all HTTPS sites via web browser. The browser displays: Error 111
>>> (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.
>>>
>>> I've included the following in my squid.conf (I'm using Squid 2.7)
>>> which to my understanding should allow traffic on 443:
>>>
>>> acl SSL_ports port 443
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny CONNECT !SSL_ports
>>>
>>> I'll provide more info if necessary, but has anyone experienced
>>> this
>>> problem before? Any help would be appreciated.
>>>
>>> Regards
>>>
>> what version of squid?
>> what are the allow (not deny) acls?
>> what ports?
>> what browser?
>> what site?
>>
>> Regards,
>> Eliezer
>>
>> --
>> Eliezer Croitoru
>> https://www1.ngtech.co.il
>> IT consulting for Nonprofit organizations
>> eliezer <at> ngtech.co.il
Received on Tue Oct 16 2012 - 21:38:47 MDT
This archive was generated by hypermail 2.2.0 : Wed Oct 17 2012 - 12:00:02 MDT