Netgate Discussion Forum

Squid error - access denied

  • B
    beko
    last edited by Oct 17, 2006, 2:50 PM

    I always get 'access denied' from squid. I have tried transparent proxy (no auth) and also local auth.

    i have pfsense 1.0 and squid 0.6

    any idea?

    • P
      Phusho
      last edited by Oct 17, 2006, 3:55 PM

      Add your internal network in allowed networks e.g. 192.168.0.0/24 ;) GL

      • R
        raggamuffin
        last edited by Oct 18, 2006, 4:04 PM

        Same problem here - aside from the logging (or lack of) issue I mentioned in my other post, once I got squid running it insisted that everything was denied. I made sure my subnet was in the 'allowed hosts' section and even added my own IP to 'unlimited hosts' just to test - no effect. I also ticked the 'add interface's IP range to allowed hosts' shortcut option on the main config page. Bug or oversight on my part?

        • S
          superwutze
          last edited by Oct 18, 2006, 5:45 PM

          there is a problem in the config files. the parameters (localnet, allowed_subnets) get set according to the config but the 'http_access allow' lines are missing. you can enter them by hand using 'edit file' on /usr/local/etc/squid/squid.conf but they are lost again at the next config change. no solution so far.

          • P
            Phusho
            last edited by Oct 18, 2006, 7:19 PM

            Add them in the squid.inc file. I made some corrections to the caching options like this ;) GL

            • B
              beko
              last edited by Oct 19, 2006, 12:06 PM

              @superwutze:

              there is a problem in the config files. the parameters (localnet, allowed_subnets) get set according to the config but the 'http_access allow' lines are missing. you can enter them by hand using 'edit file' on /usr/local/etc/squid/squid.conf but they are lost again at the next config change. no solution so far.

              what exactly should i put there?

              • B
                beko
                last edited by Oct 19, 2006, 2:30 PM

                @Phusho:

                Add them in the squid.inc file. I made some corrections to the caching options like this ;) GL

                I have put it in squid.inc so it looks like this:

                acl allowed_subnets src 192.168.90.0/24
                acl blacklist url_regex -i "/var/squid/acl/blacklist.acl"
                no_cache deny dynamic
                http_access allow allowed_subnets
                http_access allow manager localhost

                but now i have problem that setting domain in blacklist doesn't work.

                is it because of this 'allowed_subnets' or is it another error in pfsense package?

                • T
                  trendchiller
                  last edited by Oct 23, 2006, 9:56 PM

                  just fix it in the squid.conf file in /usr/local/etc/squid…

                  but another question in hope fernando reads this:

                  any idea when this will be fixed ?

                  fixing by hand is not the problem, but try to tell a colleague not familiar with bsd not to use the gui  :-\

                  BTW: http answers sometimes are terribly slow... so perhaps this dns-children problem should also be fixed  ;)

                  Thanks...

                  Martin

                  • B
                    billm
                    last edited by Oct 24, 2006, 1:48 AM

                    @trendchiller:

                    just fix it in the squid.conf file in /usr/local/etc/squid…

                    but another question in hope fernando reads this:

                    any idea when this will be fixed ?

                    fixing by hand is not the problem, but try to tell a colleague not familiar with bsd not to use the gui  :-\

                    BTW: http answers sometimes are terribly slow... so perhaps this dns-children problem should also be fixed  ;)

                    Thanks...

                    Martin

                    There's a ticket open in cvstrac on this.  I'm trying to figure out where this is broke.

                    –Bill

                    pfSense core developer
                    blog - http://www.ucsecurity.com/
                    twitter - billmarquette

                    • G
                      gbelanger
                      last edited by Oct 24, 2006, 7:09 AM Oct 24, 2006, 2:54 AM

                      Here is my solution to this :

                      in /usr/local/pkg/squid.inc at line 80

                      function squid_is_valid_acl($acl) {
                              global $valid_acls;
                              if(!is_array($valid_acls))
                                      return;
                              //if(!is_array($acl))
                              //return;
                              return in_array($acl, $valid_acls);
                      }

                      Comment out the lines in red (as shown). The squid_is_valid_acl is called by array_filter, which compares each item (in this case, strings) with an array (in this case $valid_acls). So, returning prematurely when $acl is NOT an array means that this function will not allow the creation of the proper allow rules.

                      After making this change, just edit something in the squid configuration from the web interface and save, this will re-generate the squid.conf file properly.

                      Hope this helps!

                      Guillaume

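The failure described in the post above, reproduced as an added example (not the package's code and not part of the original post). `$valid_acls` and the ACL names come from the thread; the `build_http_access` generator, its candidate list and the `is_valid_acl_*` names are assumptions made for illustration.

```php
<?php
// Added example, not the package's code. $valid_acls and the ACL names come
// from the thread; the candidate list and helper names are assumptions.
$valid_acls = array('localnet', 'allowed_subnets');

// Callback with the guard still in place: array_filter passes each element
// (a string) as $acl, so the is_array($acl) check always fires and the
// function returns NULL, which array_filter treats as false.
function is_valid_acl_buggy($acl) {
    global $valid_acls;
    if (!is_array($valid_acls))
        return;
    if (!is_array($acl))
        return;
    return in_array($acl, $valid_acls);
}

// Callback with the guard removed, as in the fix posted above.
function is_valid_acl_fixed($acl) {
    global $valid_acls;
    if (!is_array($valid_acls))
        return false;
    return in_array($acl, $valid_acls);
}

// Hypothetical generator: one allow line per ACL that survives the filter,
// then the final deny that the squid.conf listings in this thread end with.
function build_http_access($callback) {
    $candidates = array('localnet', 'allowed_subnets', 'unrestricted_hosts');
    $conf = '';
    foreach (array_filter($candidates, $callback) as $acl)
        $conf .= "http_access allow $acl\n";
    return $conf . "http_access deny all\n";
}

echo "--- guard in place ---\n", build_http_access('is_valid_acl_buggy');
echo "--- guard removed ---\n", build_http_access('is_valid_acl_fixed');
```

With the guard in place the only line generated is `http_access deny all`, which is why every client saw 'access denied' even with its subnet listed.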
                      • B
                        billm
                        last edited by Oct 24, 2006, 2:40 PM

                        That fix looks right, I committed the actual removal of the logic vs commenting out of it :)  Re-install the squid package and you should see the updated code.  Thanks

                        pfSense core developer
                        blog - http://www.ucsecurity.com/
                        twitter - billmarquette

                        • G
                          gbelanger
                          last edited by Oct 25, 2006, 12:23 AM Oct 25, 2006, 12:20 AM

                          There seems to be a problem when trying to set an empty Allowed Subnets field (in the Access Control tab) :

                          The following input errors were detected:

                          • '' is not a valid CIDR range

                          I find that changing line 222 (that's line 222 after the new fix) to this :

                          
                          if (!empty($subnet) && !is_subnet($subnet))

                          Fixes the issue. It's now possible to leave the Allow Subnets field empty and just use the 'Allow users on interface' checkbox.

                          • B
                            billm
                            last edited by Oct 25, 2006, 12:58 AM

                            Thanks…this fix is now committed (line 220 btw ;))

                            --Bill

                            pfSense core developer
                            blog - http://www.ucsecurity.com/
                            twitter - billmarquette

                            • T
                              trendchiller
                              last edited by Oct 25, 2006, 4:06 PM Oct 25, 2006, 7:12 AM

                              Just found another error with access control…

                              Squid uses the access allow / deny rules in the given order...

                              so it should read:

                              http_access allow unrestricted_hosts
                              http_access deny blacklist
                              http_access allow localnet
                              http_access allow allowed_subnets
                              http_access deny all

                              in squid.cfg and not

                              http_access allow localnet
                              http_access deny blacklist
                              http_access allow unrestricted_hosts
                              http_access allow allowed_subnets
                              http_access deny all

                              so be so kind to put the line unrestricted hosts first row to fix the problem.
                              the second line should then be the blacklist…
                              and after that the networks should be mentioned...

                              This config runs fine at my system  ;D

                              BTW: unrestricted mac should be the line under unrestricted hosts...

                              Thanks a lot !

                              Martin

                              • T
                                trendchiller
                                last edited by Oct 25, 2006, 4:15 PM

                                I think it seems to be in lines 586-598 where squid.conf creation has to be reordered…

                                1. allow unrestricted_hosts
                                2. allow unrestricted_macs
                                3. allow whitelist
                                4. deny blacklist
                                5. allow localnet
                                6. allow allowed_subnets
                                7. deny all

                                so filtering can be done for all hosts and macs, but the unrestricted

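The effect of rule order discussed in the two posts above, as an added example (not the package's code and not part of the original posts). It evaluates the two five-line orderings quoted in the thread with first-match semantics; the request labels and the ACLs each request matches are constructed sample data.

```php
<?php
// Added example, not the package's code. Models Squid's first-match
// http_access evaluation for the two rule orders quoted in the thread.

// Turn "http_access <action> <acl>" lines into [action, acl] pairs.
function parse_rules($text) {
    $rules = array();
    foreach (preg_split('/\R/', trim($text)) as $line) {
        list(, $action, $acl) = preg_split('/\s+/', trim($line));
        $rules[] = array($action, $acl);
    }
    return $rules;
}

// The first rule whose ACL matches the request decides the outcome.
function evaluate(array $rules, array $matched) {
    foreach ($rules as $rule) {
        if ($rule[1] === 'all' || in_array($rule[1], $matched, true))
            return $rule[0];
    }
    return 'deny'; // not reached here: both rule sets end in "deny all"
}

$generated = parse_rules("
http_access allow localnet
http_access deny blacklist
http_access allow unrestricted_hosts
http_access allow allowed_subnets
http_access deny all");

$corrected = parse_rules("
http_access allow unrestricted_hosts
http_access deny blacklist
http_access allow localnet
http_access allow allowed_subnets
http_access deny all");

// Constructed requests: label => names of the ACLs the request matches.
$requests = array(
    'LAN client, blacklisted URL' => array('localnet', 'blacklist'),
    'unrestricted host, blacklisted URL' =>
        array('unrestricted_hosts', 'allowed_subnets', 'blacklist'),
    'LAN client, ordinary URL' => array('localnet'),
    'unknown source' => array(),
);

foreach ($requests as $label => $acls)
    printf("%-36s generated=%-5s corrected=%s\n", $label,
        evaluate($generated, $acls), evaluate($corrected, $acls));
```

In the generated order a LAN client reaches a blacklisted URL because `allow localnet` matches before the blacklist is consulted, while an unrestricted host outside `localnet` is blocked by it; the corrected order reverses both outcomes.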
                                • B
                                  billm
                                  last edited by Oct 25, 2006, 4:19 PM

                                  Try it now please.

                                  –Bill

                                  pfSense core developer
                                  blog - http://www.ucsecurity.com/
                                  twitter - billmarquette

                                  • T
                                    trendchiller
                                    last edited by Oct 25, 2006, 4:36 PM Oct 25, 2006, 4:33 PM

                                    man, you're really fast  ;)

                                    thanks a lot !

                                    it's working now as it should !!!

                                    • G
                                      gbelanger
                                      last edited by Oct 25, 2006, 6:06 PM

                                      That's what you did?

                                      // Unrestricted hosts take precendence over blacklist
                                      if (squid_is_valid_acl('unrestricted_hosts'))
                                          $conf .= "http_access allow unrestricted_hosts\n";

                                      ?
                                      Bill, what about the official package maintainer? Is he temporarily unreachable or is this a stale project? Cause I'd like to add a feature or two =)

                                      Guillaume

                                      • B
                                        billm
                                        last edited by Oct 25, 2006, 6:28 PM

                                        @gbelanger:

                                        That's what you did?

                                        // Unrestricted hosts take precendence over blacklist
                                        if (squid_is_valid_acl('unrestricted_hosts'))
                                            $conf .= "http_access allow unrestricted_hosts\n";

                                        ?

                                        Yep, that and unrestricted_macs…at least now the behavior matches the comments.

                                        @gbelanger:

                                        Bill, what about the official package maintainer? Is he temporarily unreachable or is this a stale project? Cause I'd like to add a feature or two =)

                                        Guillaume

                                        Fernando is still around, but has been working on essentially a rewrite of the code (from what I understand) that isn't compatible with our 1.0 release.  If you have updates to the code, I'm more than willing to commit them although I'll caution that I don't completely understand what was written myself, so probably can't answer too many questions.

                                        –Bill

                                        pfSense core developer
                                        blog - http://www.ucsecurity.com/
                                        twitter - billmarquette

                                        • R
                                          raggamuffin
                                          last edited by Oct 27, 2006, 3:14 PM

                                          Thanks to the code update, Squid is now working for me. I'm still having a problem that I mentioned in an earlier post, though - there doesn't seem to be any logging (the 'package logs' page says that no loggable packages are installed). Am I missing something obvious, or is that where the logs should appear? (And yes, 'enable logging' is ticked on the Squid control panel).
