Re: [squid-users] CONNECT acl protocol

From: China <davide.belloni_at_gmail.com>
Date: Tue, 7 May 2013 17:13:01 +0200

The default config restrict methods, not protocol.

The problem can be translated as: what I've to put in 'acl
allowed_protocols proto ...' to permit https traffic with CONNECT
method?

If I start Squid in debugging mode this is the trace with problems:

kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth0
kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth1
kid1| Eui48.cc(303) lookup: Got address MAC on eth1
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x7fff13776720
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x7fff13776720
kid1| Checklist.cc(153) preCheck: 0x1476118 checking slow rules
kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
'http_access deny Gopher'
kid1| Acl.cc(336) matches: ACLList::matches: checking Gopher
kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'Gopher'
kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
'Gopher' is 0
kid1| Acl.cc(339) matches: ACLList::matches: result is false
kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
'http_access deny !allowed_ports'
kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_ports
kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
'allowed_ports'
kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
'allowed_ports' is 1
kid1| Acl.cc(339) matches: ACLList::matches: result is false
kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
'http_access deny !allowed_protocols'
kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_protocols
kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
'allowed_protocols'
kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
'allowed_protocols' is 0
kid1| Acl.cc(343) matches: ACLList::matches: result is true
kid1| Checklist.cc(275) matchNode: 0x1476118 matched=1 async=0 finished=0
kid1| Checklist.cc(260) matchNodes: 0x1476118 success: all ACLs matched
kid1| Checklist.cc(146) markFinished: 0x1476118 answer DENIED for
first matching rule won
kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check:
0x1476118 match found, calling back with DENIED
kid1| Checklist.cc(182) checkCallback: ACLChecklist::checkCallback:
0x1476118 answer=DENIED
kid1| Gadgets.cc(85) aclIsProxyAuth: aclIsProxyAuth: called for
allowed_protocols
kid1| Acl.cc(61) FindByName: ACL::FindByName 'allowed_protocols'
kid1| Gadgets.cc(93) aclIsProxyAuth: aclIsProxyAuth: returning 0
kid1| Gadgets.cc(58) aclGetDenyInfoPage: got called for allowed_protocols
kid1| Gadgets.cc(77) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x7fff13775b80
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x7fff13775b80
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x7fff13775a60
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x7fff13775a60
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x1476118
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x1476118
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x1476118
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x1476118
kid1| client_side.cc(784) swanSong: local=Y.Y.Y.Y:Y remote=X.X.X.X:X flags=1

Thank you

On Tue, May 7, 2013 at 4:54 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> On 8/05/2013 1:31 a.m., China wrote:
>>
>> Hi,
>> I've some squid servers (until 3.1.20 version) which has the following
>> configuration and works great:
>>
>> acl allowed_protocols proto HTTP HTTPS CONNECT FTP
>> http_access deny !allowed_protocols
>>
>> After the upgrade to 3.3.3 version, sqiud print the following warning
>> in the configuration check:
>>
>> WARNING: Ignoring unknown protocol 'CONNECT' in the ACL named
>> 'allowed_protocols'
>
>
> Squid does not at this time support URL starting with "connect://". That is all this means. The older versions accepted it, but did nothing with it. So it would seem to be unrelated to the actual problem you are now having.
>
>
>
>> and squid clients can't no more connect to HTTPS sites.
>
>
> There is a CONNECT *method* in HTTP protocol, which is used to pass HTTPS traffic through HTTP proxies.
>
> Please check your http_access lines to see what they do when an HTTP request with method CONNECT happens. The default config provided with Squid restricts CONNECT requests to opening tunnels to a specific set of SSL_Ports where HTTPS is normally seen - if you have altered that set or changed the http_access lines those changes may be the cause of your problem.
>
>
>>
>> How can I check the protocols like configuration in old versions?--
>
>
> Please run "squid -k parse" on your squid.conf file. It should highlight any other problems you have in the config.
>
>
>
> Amos
>

--
Davide Belloni
Received on Tue May 07 2013 - 15:13:09 MDT

This archive was generated by hypermail 2.2.0 : Tue May 07 2013 - 12:00:04 MDT