Squid error - access denied

gbelanger

There seems to be a problem when trying to set an empty Allowed Subnets fields (in the Access Control tab) :

The following input errors were detected:

• '' is not a valid CIDR range

I find that changing line 222 (thats line 222 after the new fix) to this :

if (!empty($subnet) && !is_subnet($subnet))

Fixes the issue. Its now possible to leave the Allow Subnets field empty and just use the 'Allow users on interface' checkbox.

billm

Thanks…this fix is now commited (line 220 btw ;))

--Bill

trendchiller

Just found another error with access control…

Squid uses the access allow / deny rules in the given order...

so it should read:

http_access allow unrestricted_hosts
http_access deny blacklist
http_access allow localnet
http_access allow allowed_subnets
http_access deny all

in squid.cfg and not

http_access allow localnet
http_access deny blacklist
http_access allow unrestricted_hosts
http_access allow allowed_subnets
http_access deny all

so be so kind to put the line unrestricted hosts first row to fix the problem.
the second line should then be the blacklist…
and after that the networks should be mentioned...

This config runs fine at my system  ;D

BTW: unrestricted mac should be the line under unrestricted hosts...

Thanks a lot !

Martin

trendchiller

I think it seems to be in lines 586-598 where squid.conf creation has to be reordered…

1. allow unrestricted_hosts
2. allow unrestricted_macs
3. allow whitelist
4. deny blacklist
5. allow localnet
6. allow allowed_subnets
7. deny all

so filtering can be done for all hosts and macs, but the unrestricted

billm

Try it now please.

–Bill

trendchiller

man, you're really fast  ;)

thanks a lot !

it's working now as it should !!!

gbelanger

Thats what you did?

// Unrestricted hosts take precendence over blacklist
if (squid_is_valid_acl('unrestricted_hosts'))
    $conf .= "http_access allow unrestricted_hosts\n";

?
Bill, what about the official package maintainer? Is he temporarily unreachable or is this a stale project? Cause I'd like to add a feature or two =)

Guillaume

billm

@gbelanger:

Thats what you did?

// Unrestricted hosts take precendence over blacklist
if (squid_is_valid_acl('unrestricted_hosts'))
    $conf .= "http_access allow unrestricted_hosts\n";

?

Yep, that and unrestricted_macs…at least now the behavior matches the comments.

@gbelanger:

Bill, what about the official package maintainer? Is he temporarily unreachable or is this a stale project? Cause I'd like to add a feature or two =)

Guillaume

Fernando is still around, but has been working on essentially a rewrite of the code (from what I understand) that isn't compatible with our 1.0 release.  If you have updates to the code, I'm more than willing to commit them although I'll caution that I don't completely understand what was written myself, so probably can't answer too many questions.

–Bill

raggamuffin

Thanks to the code update, Squid is now working for me. I'm still having a problem that I mentioned in an earlier post, though - there doesn't seem to be any logging (the 'package logs' page says that no loggable packages are installed). Am I missing something obvious, or is that where the logs should appear? (And yes, 'enable logging' is ticked on the Squid control panel).

gbelanger

I believe the squid log goes directly into /var/squid/log/access.log. So far, I havent found a good way to access this from the GUI.

I'm guessing the squid package rewrite will handle this. Maybe you can just hit

[#] tail -n50 /var/squid/log/access.log

from the command interface in the meantime? =P

That works for me, except the very large lines escape the DIV layer, that should be set to scoll.

-G

hoba

hint: diagnostics>edit file or diagnostics>command, download file? ;-)