Squid does not send request to parent proxy


Squid does not send request to parent proxy

Troiano Alessio
Hello all,
I'm not able to configure Squid to use a parent proxy only for some domains. Everything else should be fetched directly. I tried this configuration:
cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
acl domainAT dstdomain voeazul.com.br
cache_peer_access HUBATLDB allow domainAT
never_direct allow domainAT

But the site www.voeazul.com.br is fetched directly. This is the access log:
%SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176

Can you help me?

Following is the full conf:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SOC_NET src 172.31.0.0/24   # SOC Network
acl SMD src 10.30.0.47/32       # SMD Proxy
acl Proxy_HK src 172.31.2.64/27 # Proxy Hong Kong Network
ignore_expect_100 on
acl nocachesite dstdomain /etc/squid/nocachesite.acl

acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 2096         # INC000000012740
acl SSL_ports port 9091
acl SSL_ports port 9444         # INC000000013855
acl SSL_ports port 6082
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

forwarded_for delete
tcp_outgoing_address 172.31.2.71 SMD

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager SOC_NET
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user

cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
acl domainAT dstdomain voeazul.com.br
cache_peer_access HUBATLDB allow domainAT
never_direct allow domainAT

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 0.0.0.0:8080

# We recommend you to use at least the following line.
# migrated automatically by squid-migrate-conf, the original configuration was: hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_effective_user squid
cache_effective_group squid
cache_dir diskd /home/squid 400000 64 512
cache_mem 4 GB
maximum_object_size_in_memory 2 MB
minimum_object_size 0 KB
maximum_object_size 100 MB
cache_swap_low 96
cache_swap_high 97
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache deny nocachesite
cache allow all
max_filedesc 8192

# Leave coredumps in the first cache dir
coredump_dir /home/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr [hidden email]

### BEGIN LOG FOR SIEM ###

#logformat siem  %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %<a %>p
#access_log /var/log/squid/access.log siem
logformat custom_squid %%SQUID-4: %>a %>p [%tl] "%rm %ru HTTP/%rv" %<A %ui %un "%rp" %Hs %mt %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %<a %<p %<lp
access_log /var/log/squid/rsa/access.log custom_squid

### END LOG FOR SIEM ###
dns_v4_first on
log_icp_queries off
via off

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid does not send request to parent proxy

Alex Rousskov
On 1/17/19 8:28 AM, Troiano Alessio wrote:

> I'm not able to configure Squid to use a parent proxy only for some domains. Everything else should be fetched directly. I tried this configuration:
> cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
> acl domainAT dstdomain voeazul.com.br
> cache_peer_access HUBATLDB allow domainAT
> never_direct allow domainAT

Does turning nonhierarchical_direct off help?

Alex.


R: Squid does not send request to parent proxy

Troiano Alessio
Same result, Alex:
%SQUID-4: 172.31.0.82 54345 [18/Jan/2019:16:16:10 +0800] "GET http://www.voeazul.com.br/ HTTP/1.1" www.voeazul.com.br - - "/" 403 text/html 726 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_MISS:HIER_DIRECT 23.77.9.57 80 40266


Re: Squid does not send request to parent proxy

Amos Jeffries
On 18/01/19 4:28 am, Troiano Alessio wrote:
> Hello all,
> I'm not able to configure Squid to use a parent proxy only for some domains. Everything else should be fetched directly. I tried this configuration:
> cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
> acl domainAT dstdomain voeazul.com.br
> cache_peer_access HUBATLDB allow domainAT
> never_direct allow domainAT

That is the correct design.  It does not work for you because you put
the wrong domain name in the domainAT ACL.


Look at the log carefully. See how the domain the client is asking for
is actually "www.voeazul.com.br". Even a single character difference
makes it an entirely different domain name - the "www." bit matters.


If you want domainAT to do exact-match then you need to add the www.*
sub-domain to the list. Like this:
 acl domainAT dstdomain voeazul.com.br www.voeazul.com.br


Or, you can use a wildcard (start with a '.') to match that domain and
all its sub-domains. Like this:

  acl domainAT dstdomain .voeazul.com.br



>
> But the site www.voeazul.com.br is fetched directly. This is the access log:
> %SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176
>
> Can you help me?
>

What Squid version are you using?

I see config options in your setup which are only valid for Squid-3.1. If
you are using an old Squid please try an upgrade, or start planning to
do one. There are many security vulnerabilities which affect those very
old Squid-3 versions and some cannot be fixed there, so even versions with
LTS security support are vulnerable.


Cheers
Amos

R: Squid does not send request to parent proxy

Troiano Alessio
Thank you Amos, this way it works.
But that was an example; in my config I should use an ACL from a file, and it doesn't work. So this is the relevant config:

acl parentproxyHUBAT dstdomain /etc/squid/hubatsite.acl
cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
cache_peer_access HUBATLDB allow parentproxyHUBAT
never_direct allow parentproxyHUBAT

The file is:
[root@HUB-HK-PRX-03 squid]# ll hubatsite.acl
-rw-r--r-- 1 squid squid 168 Jan 17 23:18 hubatsite.acl
[root@HUB-HK-PRX-03 squid]# cat hubatsite.acl
.carefirst.com
employer.carefirst.com
cfsecuremail.carefirst.com
broker.carefirst.com
.wbmason.com
www.wbmason.com
images.wbmason.com
.voeazul.com.br
www.voeazul.com.br[root@HUB-HK-PRX-03 squid]#


Re: R: Squid does not send request to parent proxy

Amos Jeffries
On 18/01/19 10:25 pm, Troiano Alessio wrote:
> Thank you Amos, this way it works.
> But that was an example; in my config I should use an ACL from a file, and it doesn't work. So this is the relevant config:
>
> acl parentproxyHUBAT dstdomain /etc/squid/hubatsite.acl


Filenames need to be double-quoted.

   acl parentproxyHUBAT dstdomain "/etc/squid/hubatsite.acl"


Amos
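As an added example (not code from this thread or from the Squid project), the following Python models the two points Amos makes in his replies above: a dstdomain entry matches exactly unless it starts with a dot, in which case it also covers every sub-domain, and a file path in an acl line must be double-quoted. The function names and the sample ACL file content are constructed here and are not Squid's own API.

```python
"""Added example, not from the thread or from Squid itself: a small model of
how Squid's dstdomain ACL matches request hosts, plus a lint for the unquoted
file-path mistake. Function names and sample data are constructed here."""
import re


def dstdomain_matches(entry: str, host: str) -> bool:
    """Squid dstdomain semantics (as explained in the thread):
    'voeazul.com.br'  matches only that exact host name;
    '.voeazul.com.br' matches the domain itself and every sub-domain."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def goes_to_parent(acl_entries, host: str) -> bool:
    """With 'cache_peer_access PEER allow ACL' and 'never_direct allow ACL',
    a request is forced to the parent exactly when the ACL matches."""
    return any(dstdomain_matches(e, host) for e in acl_entries)


def parse_acl_file(text: str):
    """One dstdomain entry per line; blank lines and '#' comments are ignored.
    Also tolerates a last line without a trailing newline, as in the thread."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


ACL_LINE = re.compile(r"^\s*acl\s+(\S+)\s+dstdomain\s+(.+?)\s*(?:#.*)?$")


def lint_acl_lines(config_text: str):
    """Flag 'acl NAME dstdomain /path' written without double quotes: Squid
    only reads a file when the path is quoted, so the list is never loaded."""
    warnings = []
    for line in config_text.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        name, values = m.group(1), m.group(2).split()
        for v in values:
            if v.startswith("/"):
                warnings.append(f'acl {name}: quote the file name: "{v}"')
    return warnings


# Constructed sample data mirroring the thread.
HUBATSITE_ACL = ".carefirst.com\n.wbmason.com\n.voeazul.com.br\nwww.voeazul.com.br"
BAD_CONF = "acl parentproxyHUBAT dstdomain /etc/squid/hubatsite.acl"
GOOD_CONF = 'acl parentproxyHUBAT dstdomain "/etc/squid/hubatsite.acl"'

if __name__ == "__main__":
    entries = parse_acl_file(HUBATSITE_ACL)
    for host in ("www.voeazul.com.br", "images.wbmason.com", "example.com"):
        print(host, "-> parent" if goes_to_parent(entries, host) else "-> direct")
    print(lint_acl_lines(BAD_CONF))   # one warning
    print(lint_acl_lines(GOOD_CONF))  # []
```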

R: R: Squid does not send request to parent proxy

Troiano Alessio
Nice! Thank you so much Amos.
