Squid problem



  • Hi,
    I've got a little problem with pfSense 1.2.
    I've configured the squid packet. It works fine with my local network (192.168.10.0/24), with the transparent setting.
    But when I tried to use my proxy with another network (192.168.20.0/24), pfSense blocks me:

      Access Denied.

      Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

    I can't find where the ACLs for the time are in squid. I don't really want to change anything in squid.conf manually.
    All my networks are allowed in squid's ACL and my static routes are OK.

    Any ideas?

    Thanks  :)



  • Just go to "Access Control" and enter the subnets you want to allow in the field "Allowed Subnets".



  • @Monoecus:

    Just go to "Access Control" and enter the subnets you want to allow in the field "Allowed Subnets".

    This does not appear to work, I have the same problem. I had a look at the generated squid.conf, and saw the following line for the allowed subnets:

    acl allowed_subnets src 192.168.1.0/24 192.168.10.0/24

    But there is no http_access allow allowed_subnets. Shouldn't there be one?

    Allow users on interface is cleared BTW, as I would like finer control.

    I forgot to add: squid package: 2.6.18.1_07
    pfSense: 1.2-RELEASE



  • Try ticking the Allow users on interface box and see if you can use both subnets then.  I don't doubt there is an issue, just try it as a test.

    Another thought - Is the second subnet you're trying to allow on a different interface?  If so, hold control and select whichever interfaces need access in the Proxy Interface box.



  • I just added the 2nd subnet for a test, it is a dummy. I wanted to see if it maybe generates the rule then.

    squid.conf with Allow users on interface on:

    delay_access 1 allow all

    # Allow local network(s) on interface(s)
    http_access allow localnet
    http_access allow allowed_subnets

    # Default block all to be sure
    http_access deny all

    squid.conf with Allow users on interface off:

    delay_access 1 allow all

    # Default block all to be sure
    http_access deny all

    As you can see, the http_access allow lines are missing when Allow users on interface is cleared.
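
The effect of the missing lines can be checked mechanically. The following is an added example, not part of the thread or of the pfSense squid package: it evaluates `http_access` rules in order (first match wins) for a client address and lists ACLs that are defined but never referenced. The `localnet` definition and the two config fragments are constructed for illustration; only `src` ACLs in CIDR or netmask form are handled, and `all` is assumed to match every client.

```python
import ipaddress

# Constructed squid.conf fragments modelled on the two cases in the thread.
# The localnet definition is an assumption; the thread does not show it.
CONF_OPTION_ON = """\
acl localnet src 192.168.1.0/24
acl allowed_subnets src 192.168.1.0/24 192.168.10.0/24
# Allow local network(s) on interface(s)
http_access allow localnet
http_access allow allowed_subnets
# Default block all to be sure
http_access deny all
"""
CONF_OPTION_OFF = """\
acl localnet src 192.168.1.0/24
acl allowed_subnets src 192.168.1.0/24 192.168.10.0/24
# Default block all to be sure
http_access deny all
"""

def parse(conf):
    """Return (src ACLs, ordered http_access rules) from squid.conf text."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, client_ip):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    def hit(name):
        neg, name = name.startswith("!"), name.lstrip("!")
        matched = name == "all" or any(ip in n for n in acls.get(name, []))
        return matched != neg
    for action, names in rules:
        if all(hit(n) for n in names):
            return action
    return "deny"  # simplification: treat "no rule matched" as deny

def unused_acls(conf):
    """ACLs that are defined but never referenced by any http_access line."""
    acls, rules = parse(conf)
    used = {n.lstrip("!") for _, names in rules for n in names}
    return sorted(set(acls) - used)
```

Running `unused_acls` over a generated squid.conf after each GUI change is a quick way to spot an allow-list that exists only as an `acl` line and never takes effect.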



  • Here is a patch to squid.inc to fix the above problem, can someone please apply it?

    
    963a964,971
    >               else
    >               {
    >                         $conf .= "# Allow network(s) in allowed_subnet(s)\n";
    >                         $allowed = array('allowed_subnets');
    >                         $allowed = array_filter($allowed, 'squid_is_valid_acl');
    >                         foreach ($allowed as $acl)
    >                                 $conf .= "http_access allow $acl\n";
    >               }
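
Review bot: the `else` on the first added line has no visible `if`, because this is a plain `diff` with no context lines or file name, so a reviewer cannot confirm which condition it pairs with or that the emitted `http_access allow` lines land above `http_access deny all` in the generated squid.conf. Please resend it as `diff -u` against squid.inc. Within the branch, building a one-element array, filtering it and looping could be a single `squid_is_valid_acl('allowed_subnets')` check followed by one `$conf .=` line, and the comment string would match the ACL name if it read `# Allow network(s) in allowed_subnets`.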
    
    
