Squid problem
-
Hi,
I've got a little problem with pfsense 1.2.
I've configured the squid packet. It works fine with my local network (192.168.10.0/24), with the transparent setting.
But when I tried to use my proxy with another network (192.168.20.0/24), pfsense blocks me:
Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
I can't find where the ACLs for the time are in squid. I don't really want to change anything in squid.conf manually.
All my networks are allowed in squid's ACLs and my static routes are OK. Any ideas?
Thanks :)
-
Just go to "Access Control" and enter the subnets you want to allow in the field "Allowed Subnets".
-
Just go to "Access Control" and enter the subnets you want to allow in the field "Allowed Subnets".
This does not appear to work, I have the same problem. I had a look at the generated squid.conf, and saw the following line for the allowed subnets:
acl allowed_subnets src 192.168.1.0/24 192.168.10.0/24
But there is no http_access allow allowed_subnets, shouldn't there be one?
Allow users on interface is cleared BTW, as I would like finer control.
I forgot to add: squid package: 2.6.18.1_07
pfSense: 1.2-RELEASE
-
Try ticking the Allow users on interface box and see if you can use both subnets then. I don't doubt there is an issue, just try it as a test.
Another thought - Is the second subnet you're trying to allow on a different interface? If so, hold control and select whichever interfaces need access in the Proxy Interface box.
-
I just added the 2nd subnet for a test, it is a dummy. I wanted to see if it maybe generates the rule then.
squid.conf with Allow users on interface on:
delay_access 1 allow all
# Allow local network(s) on interface(s)
http_access allow localnet
http_access allow allowed_subnets
# Default block all to be sure
http_access deny all
squid.conf with Allow users on interface off:
delay_access 1 allow all
# Default block all to be sure
http_access deny all
As you can see, the http_access allow lines are missing when Allow users on interface is cleared.
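The check made by hand in the post above can be automated. This is an added example, not part of the original post and not pfSense package code: it lists source ACLs that a squid.conf defines but that no effective http_access allow rule uses. The function name, the status labels and the localnet definition in SAMPLE_ON are assumptions made for illustration.

```python
# SAMPLE_OFF uses the lines quoted in the thread ("Allow users on interface"
# cleared). The localnet definition in SAMPLE_ON is constructed; the thread
# does not show it.
SAMPLE_OFF = """\
acl allowed_subnets src 192.168.1.0/24 192.168.10.0/24
delay_access 1 allow all
# Default block all to be sure
http_access deny all
"""
SAMPLE_ON = """\
acl localnet src 192.168.10.0/24
acl allowed_subnets src 192.168.1.0/24 192.168.10.0/24
delay_access 1 allow all
# Allow local network(s) on interface(s)
http_access allow localnet
http_access allow allowed_subnets
# Default block all to be sure
http_access deny all
"""

def audit_src_acls(conf_text):
    """Return {acl_name: status} for each 'src' ACL in a squid.conf.

    'allowed'      an http_access allow rule names it before any deny all
    'unreferenced' no http_access allow rule names it
    'shadowed'     it is only allowed after 'http_access deny all', which
                   never takes effect because squid stops at the first match
    """
    src_acls, rules = [], []
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0] == "acl" and len(tokens) >= 3 and tokens[2] == "src":
            if tokens[1] != "all" and tokens[1] not in src_acls:
                src_acls.append(tokens[1])
        elif tokens[0] == "http_access" and len(tokens) >= 3:
            rules.append((tokens[1], tokens[2:]))  # (action, ACL names)

    status = {name: "unreferenced" for name in src_acls}
    blocked = False  # True once an unconditional 'deny all' has been seen
    for action, names in rules:
        if action == "deny" and names == ["all"]:
            blocked = True
        elif action == "allow":
            for name in names:  # a negated '!name' never equals an ACL name
                if status.get(name) == "unreferenced":
                    status[name] = "shadowed" if blocked else "allowed"
    return status

if __name__ == "__main__":
    print("off:", audit_src_acls(SAMPLE_OFF))
    print("on: ", audit_src_acls(SAMPLE_ON))
```

Run against the generated squid.conf after each change in the GUI, any ACL reported as unreferenced or shadowed is one whose clients will get the Access Denied page.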
-
Here is a patch to squid.inc to fix the above problem, can someone please apply it?
963a964,971 > else > { > $conf .= "# Allow network(s) in allowed_subnet(s)\n"; > $allowed = array('allowed_subnets'); > $allowed = array_filter($allowed, 'squid_is_valid_acl'); > foreach ($allowed as $acl) > $conf .= "http_access allow $acl\n"; > }
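Review bot: The else on the first added line has no visible if, because this is a context-free normal diff (963a964,971), so it cannot be checked which condition it pairs with or that the new http_access allow line is emitted before http_access deny all; please resend it as a unified diff (diff -u) against the squid.inc of the package version you are running. Inside the block, the one-element array, array_filter and brace-less foreach can be reduced to a single if (squid_is_valid_acl('allowed_subnets')) around the $conf .= "http_access allow allowed_subnets\n"; line, and the generated comment should name the ACL as allowed_subnets rather than allowed_subnet(s).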