    Blocked Access to iPhone/iPad App Store (Squid3, squidGuard-Develop, & ClamD)
    16 Posts 9 Posters 13.8k Views
      darrenkdean

      Good Evening,

      I have Squid3, squidGuard-Develop with Shallalist.de, & c-icap ClamD configured for transparent http & http(s).  The challenge that I am having is that Squid3 appears to be blocking access to the iPhone/iPad App Store.

      This is what I'm seeing in the Real-Time Squid Log.

      19.03.2015 23:49:57 192.168.31.13 TCP_MISS/406 https://guzzoni.apple.com/ace - 17.174.8.5

      I have been working on this for several days with no material progress.  Any thoughts?

      Best-

      Darren

        darrenkdean

        Good Evening,

        I've made some progress getting Apple devices to communicate with the Apple store through the Squid proxy.  At this point in time the store works for browsing apps, etc., but when the user goes to download an app, it spins for a second and then stops without downloading.  This process seems way too complicated for something so common.  If anyone can help me close the gap, I would be most appreciative.

        Updated Settings:

        Squid Transparent Proxy Settings
        Bypass proxy for these destination IPs:
        itunes.apple.com;apple.com;phobos.apple.com;albert.apple.com;gs.apple.com;guzzoni.apple.com;deimos3.apple.com;gspa21.ls.apple.com;ssl.gstatic.com;a1.mzstatic.com;a2.mzstatic.com;a3.mzstatic.com;a4.mzstatic.com;a5.mzstatic.com;init-p01st.push.apple.com;p17-content.icloud.com; query.ess.apple.com;cl5.apple.com;p26-buy.itunes.apple.com;setup.icloud.com;p06-keyvalueservice.icloud.com;itunes.com;icloud.com;p06-caldav.icloud.com;p06-contacts.icloud.com

        Custom Settings
        Custom ACLS (Before_Auth):
        acl SquidPass dstdomain windowsupdate.microsoft.com
        acl SquidPass dstdomain update.microsoft.com
        acl SquidPass dstdomain activex.microsoft.com
        acl SquidPass dstdomain download.windowsupdate.com
        acl SquidPass dstdomain codecs.microsoft.com
        acl SquidPass dstdomain stats.updates.microsoft.com
        acl SquidPass dstdomain c.microsoft.com
        acl SquidPass dstdomain itunes.apple.com
        acl SquidPass dstdomain apple.com
        acl SquidPass dstdomain itunes.com
        acl SquidPass dstdomain icloud.com
        acl SquidPass dstdomain phobos.apple.com
        acl SquidPass dstdomain albert.apple.com
        acl SquidPass dstdomain gs.apple.com
        acl SquidPass dstdomain guzzoni.apple.com
        acl SquidPass dstdomain deimos3.apple.com
        acl SquidPass dstdomain gspa21.ls.apple.com
        acl SquidPass dstdomain ssl.gstatic.com
        acl SquidPass dstdomain a1.mzstatic.com
        acl SquidPass dstdomain a2.mzstatic.com
        acl SquidPass dstdomain a3.mzstatic.com
        acl SquidPass dstdomain a4.mzstatic.com
        acl SquidPass dstdomain a5.mzstatic.com
        acl SquidPass dstdomain init-p01st.push.apple.com
        acl SquidPass dstdomain p17-content.icloud.com
        acl SquidPass dstdomain query.ess.apple.com
        acl SquidPass dstdomain cl5.apple.com
        acl SquidPass dstdomain p26-buy.itunes.apple.com
        acl SquidPass dstdomain setup.icloud.com
        acl SquidPass dstdomain p06-keyvalueservice.icloud.com
        acl SquidPass dstdomain p06-caldav.icloud.com
        acl SquidPass dstdomain p06-contacts.icloud.com
        ssl_bump none SquidPass
        no_cache deny SquidPass
        http_access allow SquidPass
        always_direct allow all
        ssl_bump server-first all

        Firewall: Aliases
        Apple_Pass
        Hosts:
        itunes.apple.com
        apple.com
        phobos.apple.com
        albert.apple.com
        gs.apple.com
        guzzoni.apple.com
        deimos3.apple.com
        gspa21.ls.apple.com
        ssl.gstatic.com
        a1.mzstatic.com
        a2.mzstatic.com
        a3.mzstatic.com
        a4.mzstatic.com
        a5.mzstatic.com
        init-p01st.push.apple.com
        p17-content.icloud.com
        query.ess.apple.com
        cl5.apple.com
        p26-buy.itunes.apple.com
        setup.icloud.com
        p06-keyvalueservice.icloud.com
        itunes.com;icloud.com
        p06-caldav.icloud.com
        p06-contacts.icloud.com

        Firewall Rule
        TCP/UDP
        Source: *
        Destination: Apple_Pass

          namm

          Did you end up solving the issue?
          I am having the same issue.

          I needed to turn off Squid to have access to iTunes.

            darrenkdean

            Unfortunately, I have not.  I believe I have narrowed it down to the C-ICAP interface for squidclamav as the culprit creating the issue.  I removed Squid and squidGuard, manually deleted the folders and then reinstalled them.  Squid worked fine with the Apple Store until I configured the Antivirus section and turned it on.  After squidclamav went live, the Apple Store stopped working again.  The ACL whitelist does not appear to have any effect either.

            Anyone out there have any thoughts on this?

              namm

              I have fixed the issue on my system by using the websites' IP addresses in lieu of the websites' names.

              I added

              54.214.28.210; 17.158.28.83; 17.172.116.74; 17.172.116.75; 17.158.10.52; 17.172.116.36; 17.154.66.156; 23.9.237.102; 150.101.152.240; 17.173.255.108; 17.167.138.24; 150.101.98.211; 150.101.98.200; 150.101.98.226; 150.101.98.211; 150.101.98.234; 150.101.213.173; 150.101.98.211; 17.151.36.30; 17.142.160.7; 208.72.242.165; 173.192.76.134; 66.235.139.206; 150.101.96.224; 150.101.96.232; 17.154.66.11; 69.54.181.89; 17.111.65.223; 23.37.139.27; 23.37.139.27; 150.101.98.200; 23.7.18.217; 17.151.36.30; 17.149.240.70; 151.101.152.219; 150.101.152.234; 17.154.66.38;
              to both "Bypass proxy for these source IPs" and "Bypass proxy for these destination IPs".

              Let me know if this was useful.

                namm

                This is only working half the time. I must be missing more IP addresses. Does anyone have a complete list?

                  srk3461

                  Did you try adding itunes.apple.com or apple.com to the "Target Categories" in squidGuard and then whitelisting that in "Group ACLs"?

                    scorpNapster

                    Hey, what's up. I read that you were looking for a complete list of Apple's IP ranges, in this case for iTunes. I obtained the following ranges with the help of a Linux tool, whois:

                    17.0.0.0/8
                    192.35.50.0/24
                    198.183.17.0/24
                    198.183.16.0/24
                    204.179.120.0/24
                    204.79.190.0/24
                    205.180.175.0/24
                    209.144.162.0/24

                    Actually, I used the ranges above to block access from a LAN to the App Store. The users are able to search for apps but they're not able to download them. It works. You can use them to allow access instead, just by setting "Pass" instead of "Block" in the rule.

                    I hope this post helps someone. Regards.

                      Minukanthara

                      Hello everyone,
                      I have the same problem, but none of the solutions above works for me. :'(

                      My system is pfSense release 2.2.5 with a Squid3 transparent proxy and squidGuard on the latest pfSense version.

                      At this time I have the antivirus in squidGuard disabled.

                      Has anyone a solution?

                      thx, Andre

                        Minukanthara

                        Now I found a solution:

                        when I put "akamaihd.net" in the "Bypass Proxy for These Destination IPs" field, then it works…

                        Hope this works for you, too.  :)

                          captain1980

                          Hey guys,

                          I added "akamaihd.net" to the bypass proxy list in Squid. This also did the trick for me. Now it is nice that it works, but I want to understand why!

                          Greets,

                          HJ

                            biGdada

                            @captain1980:

                            I added "akamaihd.net" to the bypass proxy list in Squid. This also did the trick for me. Now it is nice that it works, but I want to understand why!

                            By adding an address that doesn't resolve to an IP you've effectively DISABLED Squid passthrough.
                            Check out the output of

                            pfctl -sn

                            before and after the change ;)

                              aGeekhere
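The point above is that a bypass entry which resolves to nothing changes what the transparent redirect does, so the bypass field deserves a sanity check before it is saved. The following is an added example, not code from this thread or from pfSense: it parses a field in the same semicolon-separated shape as the ones posted here, separates IP/CIDR literals from hostnames, flags duplicates, and reports hostnames that return no address. The sample field and the resolver used in the test are constructed; the live run uses the system resolver.

```python
import ipaddress
import socket
from typing import Callable, List

# Constructed sample in the shape of the pfSense "Bypass proxy for these
# destination IPs" field: semicolon-separated, stray whitespace, repeats.
SAMPLE_BYPASS = (
    "itunes.apple.com;apple.com; akamaihd.net;17.0.0.0/8;"
    "23.37.139.27;23.37.139.27;apple.com"
)


def parse_bypass(field: str) -> List[str]:
    """Split the field on ';', dropping blanks and surrounding whitespace."""
    return [e.strip() for e in field.split(";") if e.strip()]


def classify(entry: str) -> str:
    """Return 'cidr', 'ip' or 'host' for one bypass entry."""
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host"
    return "cidr" if "/" in entry else "ip"


def system_resolver(name: str) -> List[str]:
    """Live DNS lookup; returns [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def audit_bypass(field: str,
                 resolve: Callable[[str], List[str]] = system_resolver) -> dict:
    """Classify each entry; hostnames resolving to nothing are reported
    under 'unresolved' rather than silently accepted."""
    report = {"literals": [], "resolved": {}, "unresolved": [], "duplicates": []}
    seen = set()
    for entry in parse_bypass(field):
        if entry.lower() in seen:           # exact repeat of an earlier entry
            report["duplicates"].append(entry)
            continue
        seen.add(entry.lower())
        if classify(entry) != "host":       # IP or CIDR needs no lookup
            report["literals"].append(entry)
            continue
        addrs = resolve(entry)
        (report["resolved"].__setitem__(entry, addrs) if addrs
         else report["unresolved"].append(entry))
    return report


if __name__ == "__main__":
    for key, value in audit_bypass(SAMPLE_BYPASS).items():
        print(f"{key}: {value}")
```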

                              Hi, can someone confirm which addresses we need to allow?

                              Is it just

                              akamaihd.net

                              or is it the above plus the following:

                              17.0.0.0/8
                              192.35.50.0/24
                              198.183.17.0/24
                              198.183.16.0/24
                              204.179.120.0/24
                              204.79.190.0/24
                              205.180.175.0/24
                              209.144.162.0/24

                              or is it the above two plus the following:

                              54.214.28.210; 17.158.28.83; 17.172.116.74; 17.172.116.75; 17.158.10.52; 17.172.116.36; 17.154.66.156; 23.9.237.102; 150.101.152.240; 17.173.255.108; 17.167.138.24; 150.101.98.211; 150.101.98.200; 150.101.98.226; 150.101.98.211; 150.101.98.234; 150.101.213.173; 150.101.98.211; 17.151.36.30; 17.142.160.7; 208.72.242.165; 173.192.76.134; 66.235.139.206; 150.101.96.224; 150.101.96.232; 17.154.66.11; 69.54.181.89; 17.111.65.223; 23.37.139.27; 23.37.139.27; 150.101.98.200; 23.7.18.217; 17.151.36.30; 17.149.240.70; 151.101.152.219; 150.101.152.234; 17.154.66.38;

                              Or is it the above three plus the OP's list?

                              Very confused here.

                              Never Fear, A Geek is Here!

                                kidalabama

                                Under "Show advanced options" I have

                                url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;url_rewrite_children 16 startup=8 idle=4 concurrency=0

                                and deleted

                                url_rewrite_bypass off;

                                  aGeekhere

                                  If using a non-transparent proxy, keep in mind that on Android and iOS not all apps will use the proxy; they need to use ports 80 and 443 directly. So an exception for mobile devices needs to be made in the firewall if ports 80 and 443 are blocked.

                                  Never Fear, A Geek is Here!

                                    kidalabama

                                    url_rewrite_bypass off;

                                    How can I remove this line from Squid permanently? When I reboot pfSense, my settings are cleared.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.