Access Denied for manager


Access Denied for manager

James Moe
Hello,
  squid v3.5.21
  linux v4.4.120-45-default x86_64

  The "manager" is suddenly denied access. I am not aware of any recent
updates. This did work 3 days ago.
  Is the ACL correct?

acl manager_admin src 192.168.69.115
#
acl localnet src fc00::/7
acl localnet src fe80::/10
#
# https, cups
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
# sma-nas-02, cgatePro, webadmin
acl SSL_ports port 5000
acl SSL_ports port 5001
acl SSL_ports port 9010
acl SSL_ports port 9100
acl SSL_ports port 10000
#
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 631
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 9100
#
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24

access_log /var/log/squid/access.log

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all



--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: Access Denied for manager

Amos Jeffries
Administrator
On 18/04/18 08:50, James Moe wrote:
> Hello,
>   squid v3.5.21
>   linux v4.4.120-45-default x86_64
>
>   The "manager" is suddenly denied access. I am not aware of any recent
> updates. This did work 3 days ago.
>   Is the ACL correct?

Maybe, maybe not.

>
> acl manager_admin src 192.168.69.115

Yet you have two other localnet ranges this machine can potentially be
part of:

> #
> acl localnet src fc00::/7
> acl localnet src fe80::/10
...
> acl localnet src 192.168.69.0/24

If the manager_admin machine ever tries to use those IPv6 localnet ranges it
will not be permitted access to the "manager" reports. It can only
access them over the IP address in that manager_admin ACL.

For better ideas look at what your access.log states when the manager
report is attempted.

>
> access_log /var/log/squid/access.log
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager_admin
> http_access allow manager localhost
> http_access deny manager
> http_access allow localnet
> http_access deny all
>


Amos
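A way to check the first-match evaluation Amos describes, as an added example that is not part of the thread or of Squid itself: a small Python model of the posted http_access list, fed with the squid.conf from the first message. The built-in `manager`, `localhost` and `all` ACLs are assumed to behave as Squid 3.5 defines them (`manager` matching `cache_object://` and `/squid-internal-mgr/` URLs); the client addresses tried at the bottom are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example: a minimal model of Squid's first-match http_access evaluation,
# loaded with the rules posted in the first message of this thread.
# Not Squid code; built-in ACLs are assumed to behave as Squid 3.5 defines them.

SRC_ACLS = {
    "manager_admin": ["192.168.69.115"],
    "localnet": ["fc00::/7", "fe80::/10", "192.168.69.0/24"],
    "localhost": ["127.0.0.0/8", "::1"],          # Squid built-in
}
SAFE_PORTS = {80, 21, 443, 563, 631, 70, 210, 280, 488, 591, 777, 9100} | set(range(1025, 65536))
SSL_PORTS = {443, 631, 2083, 2096, 5000, 5001, 9010, 9100, 10000}
# Squid 3.5 built-in "manager" ACL (case-insensitive url_regex)
MANAGER_RE = re.compile(r"^(cache_object://|https?://[^/]+/squid-internal-mgr/)", re.I)

# http_access lines in the order posted; each line is an AND of its terms
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["manager_admin"]),
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]

def request_port(method, url):
    """Destination port: 'host:port' for CONNECT, otherwise from the URL (default 80/443)."""
    if method == "CONNECT":
        return int(url.rsplit(":", 1)[1])
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)

def acl_matches(name, req):
    if name == "all":
        return True
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "Safe_ports":
        return request_port(req["method"], req["url"]) in SAFE_PORTS
    if name == "SSL_ports":
        return request_port(req["method"], req["url"]) in SSL_PORTS
    if name == "manager":
        return MANAGER_RE.match(req["url"]) is not None
    if name in SRC_ACLS:
        src = ipaddress.ip_address(req["src"])
        # an IPv4 address tested against an IPv6 network (or vice versa) simply does not match
        return any(src in ipaddress.ip_network(n, strict=False) for n in SRC_ACLS[name])
    raise KeyError(f"unknown ACL {name}")

def evaluate(src, method, url):
    """Return (verdict, matching line) the way Squid's first-match http_access does."""
    req = {"src": src, "method": method, "url": url}
    for action, terms in HTTP_ACCESS:
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(term.lstrip("!"), req) == negated:
                break          # one term failed: this line does not match
        else:
            return action, "http_access " + " ".join([action] + terms)
    # no line matched: Squid applies the opposite of the last line's action
    last = HTTP_ACCESS[-1][0]
    return ("allow" if last == "deny" else "deny"), "implicit default"

MGR = "http://proxy1.sma.com:3128/squid-internal-mgr/info"

if __name__ == "__main__":
    # hypothetical clients: the admin box over IPv4, the same box over link-local IPv6,
    # localhost, and the proxy's own address (the second hop of a forwarding loop)
    for src in ("192.168.69.115", "fe80::1", "127.0.0.1", "192.168.69.246"):
        print(src, evaluate(src, "GET", MGR))
```

The fe80::1 case lands on "http_access deny manager" because the link-local address matches neither manager_admin nor localhost, which is exactly the gap Amos points at; the 192.168.69.246 case shows what happens to a manager request that arrives from the proxy's own address.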

Re: Access Denied for manager

Amos Jeffries
Administrator
[ please keep replies on-list so others having this problem can also get
answers. ]


On 19/04/18 05:39, James Moe wrote:

> On 04/18/2018 12:08 AM, Amos Jeffries wrote:
>
>> For better ideas look at what your access.log states when the manager
>> report is attempted.
>>
>   I commented the IPv6 "localnet" ACLs, reloaded squid.
>   Still denied access. I do not see any new information here:
>
> 1524072494.191      1 192.168.69.246 TCP_DENIED/403 4361 GET http://sma-server3:3128/squid-internal-mgr/info - HIER_NONE/- text/html
> 1524072494.193   5508 192.168.69.115 TCP_MISS/403 4469 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html


I see you have a forwarding loop:

 192.168.69.115 -> Squid -> 192.168.69.246 -> Squid -> DENIED.


That 192.168.69.115 is trying to fetch "http://proxy1.sma.com". But the
Squid appears to think its hostname is "sma-server3".


Hmm, "sma-server" name rings a bell. I see you brought this same issue
up on 1 Nov 2017 as well and we do not seem to have resolved the issue then.

[ the following requires an understanding of host vs domain vs FQDN names
<https://support.suso.com/supki/What_is_the_difference_between_a_hostname_and_a_domain_name>
]


To get any type of access to Squid internal resources working properly
you need both Squid and the external tools to be aware of what its
machine's hostname is AND that hostname to be publicly resolvable -
meaning it also has to be an FQDN.

 - for the icons ANY receiving Squid can (and usually will) respond if
it has the relevant icon.

 - for manager reports ONLY the individual proxy targeted by the URL
will respond with a successful report. The reasons for that should be
obvious.

If the machine's hostname service is broken and cannot be fixed (for
example, producing something like "sma-server3" instead of the proper
sma-server3.sma.com hostname), you can work around that with
visible_hostname and/or unique_hostname in squid.conf.
 <http://www.squid-cache.org/Doc/config/visible_hostname/>
 <http://www.squid-cache.org/Doc/config/unique_hostname/>

Be aware that any tools running on the localhost will probably still use
the machine's hostname and may now appear to be broken when they "worked"
before. Those directives in squid.conf are _workarounds_ not fixes.

Amos
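Reading the loop out of the two access.log lines above, as an added example that is not part of the thread or of Squid: a Python parser for Squid's default native log format that flags manager requests Squid forwarded to its own address, manager URLs whose host is not a name this proxy recognises, and 403s arriving from the proxy's own address. The proxy's address (192.168.69.246) and the name it believes is its own (sma-server3) are read off the quoted log lines; the `OWN_ADDRS` and `OWN_NAMES` sets are the assumption the check rests on.

```python
import re
from urllib.parse import urlsplit

# Added example, not Squid code: spot a manager-request forwarding loop in Squid's
# native access.log format:
#   timestamp elapsed client action/code size method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# The two lines quoted in the thread, unwrapped back onto one line each.
SAMPLE = [
    "1524072494.191      1 192.168.69.246 TCP_DENIED/403 4361 GET http://sma-server3:3128/squid-internal-mgr/info - HIER_NONE/- text/html",
    "1524072494.193   5508 192.168.69.115 TCP_MISS/403 4469 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html",
]
# Assumed from the log: the proxy listens on .246 and believes its hostname is sma-server3.
OWN_ADDRS = {"192.168.69.246"}
OWN_NAMES = {"sma-server3"}

def is_manager_url(url):
    """Same shapes the built-in 'manager' ACL matches."""
    return url.lower().startswith("cache_object://") or "/squid-internal-mgr/" in url

def parse(line):
    """Split one native-format access.log line into named fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    r = m.groupdict()
    r["status"] = int(r["status"])
    r["host"] = urlsplit(r["url"]).hostname or ""   # hostname is already lower-cased
    return r

def audit(lines, own_addrs, own_names):
    """Return (finding, record) pairs for manager requests that were forwarded or looped."""
    findings = []
    for line in lines:
        r = parse(line)
        if not is_manager_url(r["url"]):
            continue
        if r["hier"] == "HIER_DIRECT" and r["peer"] in own_addrs:
            findings.append(("forwarding_loop", r))       # Squid sent the request to itself
        elif r["hier"] != "HIER_NONE":
            findings.append(("forwarded_elsewhere", r))   # some other proxy will answer, not this one
        if r["host"] not in own_names:
            findings.append(("unknown_manager_host", r))  # Squid does not recognise the URL host as itself
        if r["client"] in own_addrs and r["status"] == 403:
            findings.append(("denied_second_hop", r))     # the looped-back request failed the ACLs
    return findings

if __name__ == "__main__":
    for kind, r in audit(SAMPLE, OWN_ADDRS, OWN_NAMES):
        print(f"{kind:22} {r['client']} -> {r['url']} via {r['hier']}/{r['peer']}")
```

Against the two quoted lines this reports three things: the .115 request was sent HIER_DIRECT to the proxy's own address (the loop), its URL host proxy1.sma.com is not a name the proxy knows as itself (why it forwarded instead of answering), and the second-hop request from .246 was the one that hit "deny manager". Adding proxy1.sma.com to `OWN_NAMES`, which is what visible_hostname or unique_hostname would do on the real proxy, removes the unknown-host finding.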

Re: Access Denied for manager

James Moe
On 04/19/2018 12:15 AM, Amos Jeffries wrote:

> I see you have a forwarding loop:
>
>  192.168.69.115 -> Squid -> 192.168.69.246 -> Squid -> DENIED.
>
> That 192.168.69.115 is trying to fetch "http://proxy1.sma.com". But the
> Squid appears to think its hostname is "sma-server3".
>
  Ah.
  It would seem the proxy configuration for opensuse LEAP 42.3 is a bit,
um, defective. I have the local domain listed as do-not-proxy; yet it
does anyway.
  Using a browser with the same proxy configuration, a manual config,
works correctly.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

