Squid error - access denied



  • I always get 'access denied' from squid. I have tried transparent proxy (no auth) and also local auth.

    i have pfsense 1.0 and squid 0.6

    any idea?



  • Add your internal network in allowed networks e.g. 192.168.0.0/24 ;) GL



  • Same problem here - aside from the logging (or lack of) issue I mentioned in my other post, once I got squid running it insisted that everything was denied. I made sure my subnet was in the 'allowed hosts' section and even added my own IP to 'unlimited hosts' just to test - no effect. I also ticked the 'add interface's IP range to allowed hosts' shortcut option on the main config page. Bug or oversight on my part?



  • there is a problem in the config files. the parameters (localnet, allowed_subnets) get set according to the config but the 'http_access allow' lines are missing. you can enter them by hand using 'edit file' on /usr/local/etc/squid/squid.conf' but they are lost again at the next config change. no solution so far.



  • add them in squid.inc file i made some correction with caching options like this ;) GL



  • @superwutze:

    there is a problem in the config files. the parameters (localnet, allowed_subnets) get set according to the config but the 'http_access allow' lines are missing. you can enter them by hand using 'edit file' on /usr/local/etc/squid/squid.conf' but they are lost again at the next config change. no solution so far.

    what exactly should i put there?



  • @Phusho:

    add them in squid.inc file i made some correction with caching options like this ;) GL

    I have put it in squid.inc so it looks like this:

    acl allowed_subnets src 192.168.90.0/24
    acl blacklist url_regex -i "/var/squid/acl/blacklist.acl"
    no_cache deny dynamic
    http_access allow allowed_subnets
    http_access allow manager localhost

    but now i have problem that setting domain in blacklist doesn't work.

    is it because of this 'allowed_subnets' or is it another error in pfsense package?



  • just fix it in the squid.conf file in /usr/local/etc/squid…

    but another question in hope fernando reads this:

    any idea when this will be fixed ?

    fixing by hand is not the problem, but try to tell a colleague not familiar with bsd not to use the gui  :-\

    BTW: http answers sometimes are terribly slow... so perhaps this dns-children problem should also be fixed  ;)

    Thanks...

    Martin



  • @trendchiller:

    just fix it in the squid.conf file in /usr/local/etc/squid…

    but another question in hope fernando reads this:

    any idea when this will be fixed ?

    fixing by hand is not the problem, but try to tell a colleague not familiar with bsd not to use the gui  :-\

    BTW: http answers sometimes are terribly slow... so perhaps this dns-children problem should also be fixed  ;)

    Thanks...

    Martin

    There's a ticket open in cvstrac on this.  I'm trying to figure out where this is broke.

    –Bill



  • Here is my solution to this :

    in /usr/local/pkg/squid.inc at line 80

    function squid_is_valid_acl($acl) {
            global $valid_acls;
            if(!is_array($valid_acls))
                    return;
            //if(!is_array($acl))
            //return;
            return in_array($acl, $valid_acls);
    }

    Comment out the lines in red (as shown). The squid_is_valid_acl is called by array_filter, which compares each items (in this case, strings) with an array (in this case $valid_acls). So, returning prematurely when $acl is NOT an array means that this function will not allow the creation of the proper allow rules.

    After making this change, just edit something in the squid configuration from the web interface and save, this will re-generate the squid.conf file properly.

    Hope this helps!

    Guillaume



  • That fix looks right, I commited the actual removal of the logic vs commenting out of it :)  Re-install the squid package and you should see the updated code.  Thanks



  • There seems to be a problem when trying to set an empty Allowed Subnets fields (in the Access Control tab) :

    The following input errors were detected:

    • '' is not a valid CIDR range

    I find that changing line 222 (thats line 222 after the new fix) to this :

    
    if (!empty($subnet) && !is_subnet($subnet))
    
    

    Fixes the issue. Its now possible to leave the Allow Subnets field empty and just use the 'Allow users on interface' checkbox.



  • Thanks…this fix is now commited (line 220 btw ;))

    --Bill



  • Just found another error with access control…

    Squid uses the access allow / deny rules in the given order...

    so it should read:

    http_access allow unrestricted_hosts
    http_access deny blacklist
    http_access allow localnet
    http_access allow allowed_subnets
    http_access deny all

    in squid.cfg and not

    http_access allow localnet
    http_access deny blacklist
    http_access allow unrestricted_hosts
    http_access allow allowed_subnets
    http_access deny all

    so be so kind to put the line unrestricted hosts first row to fix the problem.
    the second line should then be the blacklist…
    and after that the networks should be mentioned...

    This config runs fine at my system  ;D

    BTW: unrestricted mac should be the line under unrestricted hosts...

    Thanks a lot !

    Martin



  • I think it seems to be in lines 586-598 where squid.conf creation has to be reordered…

    1. allow unrestricted_hosts
    2. allow unrestricted_macs
    3. allow whitelist
    4. deny blacklist
    5. allow localnet
    6. allow allowed_subnets
    7. deny all

    so filtering can be done for all hosts and macs, but the unrestricted



  • Try it now please.

    –Bill



  • man, you're really fast  ;)

    thanks a lot !

    it's working now as it should !!!



  • Thats what you did?

    // Unrestricted hosts take precendence over blacklist
    if (squid_is_valid_acl('unrestricted_hosts'))
        $conf .= "http_access allow unrestricted_hosts\n";

    ?
    Bill, what about the official package maintainer? Is he temporarily unreachable or is this a stale project? Cause I'd like to add a feature or two =)

    Guillaume



  • @gbelanger:

    Thats what you did?

    // Unrestricted hosts take precendence over blacklist
    if (squid_is_valid_acl('unrestricted_hosts'))
        $conf .= "http_access allow unrestricted_hosts\n";

    ?

    Yep, that and unrestricted_macs…at least now the behavior matches the comments.

    @gbelanger:

    Bill, what about the official package maintainer? Is he temporarily unreachable or is this a stale project? Cause I'd like to add a feature or two =)

    Guillaume

    Fernando is still around, but has been working on essentially a rewrite of the code (from what I understand) that isn't compatible with our 1.0 release.  If you have updates to the code, I'm more than willing to commit them although I'll caution that I don't completely understand what was written myself, so probably can't answer too many questions.

    –Bill



  • Thanks to the code update, Squid is now working for me. I'm still having a problem that I mentioned in an earlier post, though - there doesn't seem to be any logging (the 'package logs' page says that no loggable packages are installed). Am I missing something obvious, or is that where the logs should appear? (And yes, 'enable logging' is ticked on the Squid control panel).



  • I believe the squid log goes directly into /var/squid/log/access.log. So far, I havent found a good way to access this from the GUI.

    I'm guessing the squid package rewrite will handle this. Maybe you can just hit

    [#] tail -n50 /var/squid/log/access.log

    from the command interface in the meantime? =P

    That works for me, except the very large lines escape the DIV layer, that should be set to scoll.

    -G



  • hint: diagnostics>edit file or diagnostics>command, download file? ;-)


Log in to reply