Wrong ports denied as SSL_ports


Wrong ports denied as SSL_ports

Jan Groenewald
Hi

I have an Ubuntu Feisty box running squid:
ii  squid          2.6.5-4ubuntu2 Internet Object Cache (WWW proxy cache)

And I get these non-SSL ports denied as SSL ports:

<snip>
2007/06/10 22:07:37| aclCheck: checking 'http_access deny CONNECT
!SSL_ports'
2007/06/10 22:07:37| aclMatchAclList: checking CONNECT
2007/06/10 22:07:37| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2007/06/10 22:07:37| aclMatchAclList: checking !SSL_ports
2007/06/10 22:07:37| aclMatchAcl: checking 'acl SSL_ports port 443 563
# https, snews'
2007/06/10 22:07:37| aclMatchAclList: returning 1
2007/06/10 22:07:37| aclCheck: match found, returning 0
2007/06/10 22:07:37| cbdataUnlock: 0x82adec0
2007/06/10 22:07:37| aclCheckCallback: answer=0
2007/06/10 22:07:37| cbdataValid: 0x85e0b50
2007/06/10 22:07:37| The request CONNECT 209.204.61.7:4000 is DENIED,
because it matched 'SSL_ports'
2007/06/10 22:07:37| Access Denied: 209.204.61.7:4000
2007/06/10 22:07:37| AclMatchedName = SSL_ports
2007/06/10 22:07:37| Proxy Auth Message = <null>
2007/06/10 22:07:37| storeCreateEntry: '209.204.61.7:4000'
2007/06/10 22:07:37| new_MemObject: returning 0x8ce8a68
</snip>

Other ports are in the range 1025-6000 and are getting the same problem.
My squid.conf below. Any tips appreciated.

0 root@kontiki:/etc/squid#grep -v ^\# squid.conf|grep .
http_port 10.0.0.1:3128 transparent
http_port 127.0.0.1:3128
cache_peer proxy.aims.ac.za       parent    3128 0 no-query
cache_peer_domain proxy.aims.ac.za      !.aims.ac.za
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,1
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl our_networks src 10.0.0.0/8
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname kontiki.aims.ac.za
forwarded_for off
acl aims dstdomain .aims.ac.za
no_cache deny aims
always_direct allow aims
acl kontiki dst 10.0.0.1/32
no_cache deny kontiki
always_direct allow kontiki
never_direct allow all
coredump_dir /var/spool/squid

regards,
Jan

--
   .~.
   /V\     Jan Groenewald
  /( )\    www.aims.ac.za
  ^^-^^

Re: Wrong ports denied as SSL_ports

Adrian Chadd
On Mon, Jun 11, 2007, Jan Groenewald wrote:

> <snip>
> 2007/06/10 22:07:37| aclCheck: checking 'http_access deny CONNECT
> !SSL_ports'
> 2007/06/10 22:07:37| aclMatchAclList: checking CONNECT
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl CONNECT method CONNECT'
> 2007/06/10 22:07:37| aclMatchAclList: checking !SSL_ports
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl SSL_ports port 443 563
> # https, snews'
> 2007/06/10 22:07:37| aclMatchAclList: returning 1
> 2007/06/10 22:07:37| aclCheck: match found, returning 0
> 2007/06/10 22:07:37| cbdataUnlock: 0x82adec0
> 2007/06/10 22:07:37| aclCheckCallback: answer=0
> 2007/06/10 22:07:37| cbdataValid: 0x85e0b50
> 2007/06/10 22:07:37| The request CONNECT 209.204.61.7:4000 is DENIED,
> because it matched 'SSL_ports'

That's right, because the http_access matches on method CONNECT and then
finds the port isn't in the SSL_ports ACL. The behaviour is correct.

There's no special meaning for the ACL name SSL_ports; it's just a name.
In the default squid configuration it's generally for "forwarding SSL requests
through a proxy" which is what's happening with the "CONNECT" method.



Adrian

> 2007/06/10 22:07:37| Access Denied: 209.204.61.7:4000
> 2007/06/10 22:07:37| AclMatchedName = SSL_ports
> 2007/06/10 22:07:37| Proxy Auth Message = <null>
> 2007/06/10 22:07:37| storeCreateEntry: '209.204.61.7:4000'
> 2007/06/10 22:07:37| new_MemObject: returning 0x8ce8a68
> </snip>
>
> Other ports are in the range 1025-6000 and are getting the same problem.
> My squid.conf below. Any tips appreciated.
>
> 0 root@kontiki:/etc/squid#grep -v ^\# squid.conf|grep .
> http_port 10.0.0.1:3128 transparent
> http_port 127.0.0.1:3128
> cache_peer proxy.aims.ac.za       parent    3128 0 no-query
> cache_peer_domain proxy.aims.ac.za      !.aims.ac.za
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> debug_options ALL,1
> hosts_file /etc/hosts
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563      # https, snews
> acl SSL_ports port 873          # rsync
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 631         # cups
> acl Safe_ports port 873         # rsync
> acl Safe_ports port 901         # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> acl our_networks src 10.0.0.0/8
> http_access allow our_networks
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname kontiki.aims.ac.za
> forwarded_for off
> acl aims dstdomain .aims.ac.za
> no_cache deny aims
> always_direct allow aims
> acl kontiki dst 10.0.0.1/32
> no_cache deny kontiki
> always_direct allow kontiki
> never_direct allow all
> coredump_dir /var/spool/squid
>
> regards,
> Jan
>
> --
>    .~.
>    /V\     Jan Groenewald
>   /( )\    www.aims.ac.za
>   ^^-^^

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -

Re: Wrong ports denied as SSL_ports

Neil A. Hillard-2
In reply to this post by Jan Groenewald
Jan,

Jan Groenewald wrote:

> I have an Ubuntu Feisty box running squid:
> ii  squid          2.6.5-4ubuntu2 Internet Object Cache (WWW proxy cache)
>
> And I get these non-SSL ports denied as SSL ports:
>
> <snip>
> 2007/06/10 22:07:37| aclCheck: checking 'http_access deny CONNECT
> !SSL_ports'
> 2007/06/10 22:07:37| aclMatchAclList: checking CONNECT
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl CONNECT method CONNECT'
> 2007/06/10 22:07:37| aclMatchAclList: checking !SSL_ports
> 2007/06/10 22:07:37| aclMatchAcl: checking 'acl SSL_ports port 443 563
> # https, snews'
> 2007/06/10 22:07:37| aclMatchAclList: returning 1
> 2007/06/10 22:07:37| aclCheck: match found, returning 0
> 2007/06/10 22:07:37| cbdataUnlock: 0x82adec0
> 2007/06/10 22:07:37| aclCheckCallback: answer=0
> 2007/06/10 22:07:37| cbdataValid: 0x85e0b50
> 2007/06/10 22:07:37| The request CONNECT 209.204.61.7:4000 is DENIED,
> because it matched 'SSL_ports'
> 2007/06/10 22:07:37| Access Denied: 209.204.61.7:4000
> 2007/06/10 22:07:37| AclMatchedName = SSL_ports
> 2007/06/10 22:07:37| Proxy Auth Message = <null>
> 2007/06/10 22:07:37| storeCreateEntry: '209.204.61.7:4000'
> 2007/06/10 22:07:37| new_MemObject: returning 0x8ce8a68
> </snip>
>
> Other ports are in the range 1025-6000 and are getting the same problem.
> My squid.conf below. Any tips appreciated.

Although you have 1024-6000 listed in safe_ports, that will only allow
access for http.  You are attempting to use https so you will also need
to list it in ssl_ports.

HTH,


                                Neil.

--
Neil Hillard                    [hidden email]
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.

Re: Wrong ports denied as SSL_ports

Jan Groenewald
Hi

On Mon, Jun 11, 2007 at 01:15:02PM +0100, Neil A. Hillard wrote:
> Although you have 1024-6000 listed in safe_ports, that will only allow
> access for http.  You are attempting to use https so you will also need
> to list it in ssl_ports.

It is not normal to have an application request CONNECT on many ports
in 4000-6000, right?

regards,
Jan

--
   .~.
   /V\     Jan Groenewald
  /( )\    www.aims.ac.za
  ^^-^^

Re: Wrong ports denied as SSL_ports

Neil A. Hillard-2
Jan,

Jan Groenewald wrote:
> Hi
>
> On Mon, Jun 11, 2007 at 01:15:02PM +0100, Neil A. Hillard wrote:
>> Although you have 1024-6000 listed in safe_ports, that will only allow
>> access for http.  You are attempting to use https so you will also need
>> to list it in ssl_ports.
>
> It is not normal to have an application request CONNECT on many ports
> in 4000-6000, right?

Definitely not!  It would allow the user to create a tunnel to anything!
You could just add port 4000 to ssl_ports if that's what you want.

Here, we need to connect to some services on non-standard ports
(although we do our best to get the service provider to change it to a
standard port) so I combine the port, CONNECT and dstdomain to only
allow them out to that one service.

HTH,


                                Neil.

--
Neil Hillard                    [hidden email]
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
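Two points in this thread lend themselves to a worked check: Adrian's explanation of why `http_access deny CONNECT !SSL_ports` denies the CONNECT to port 4000 (first-match evaluation, negated term), and Neil's pattern of combining CONNECT, a port ACL and a dstdomain ACL so that a tunnel is allowed only to one named service. The Python below is an added example, not Squid's code and not something any poster wrote: a small model of Squid's http_access evaluation that parses the relevant lines of Jan's squid.conf, then the same config with a scoped allow line inserted ahead of the CONNECT deny. The service name `svc.example.com` and the ACL names `svc_host`/`svc_port` are assumptions chosen for the illustration; the model covers only the `src`, `port`, `method` and `dstdomain` ACL types used here and does no reverse DNS for IP-literal CONNECT targets, which real Squid would attempt.

```python
"""Toy model of Squid's http_access evaluation for this thread (not Squid's code):
acl lines sharing a name are merged, http_access lines are tried in order, the
first line whose terms all match wins, '!' negates a term, and with no match the
result is the opposite of the last line's action."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    host: str               # CONNECT target host (name or IP literal)
    port: int
    src: str = "10.0.0.5"   # constructed client address inside our_networks


# The access-control lines from Jan's squid.conf that decide the CONNECT case.
JAN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl our_networks src 10.0.0.0/8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
"""

# Neil's pattern: allow CONNECT only to one service on its non-standard port.
# svc.example.com, svc_host and svc_port are hypothetical names chosen here;
# the allow line must precede 'deny CONNECT !SSL_ports' or it is never reached.
SCOPED_CONF = JAN_CONF.replace(
    "http_access deny CONNECT !SSL_ports",
    "acl svc_host dstdomain .example.com\n"
    "acl svc_port port 4000\n"
    "http_access allow CONNECT svc_host svc_port\n"
    "http_access deny CONNECT !SSL_ports")


def parse_config(text):
    """Return ({acl_name: (type, [args])}, [(action, [terms]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # strip comments
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    kind, args = acl
    if kind == "port":               # single ports and lo-hi ranges
        return any(int(a.partition("-")[0]) <= req.port <= int(a.partition("-")[2] or a)
                   for a in args)
    if kind == "method":
        return req.method in args
    if kind == "dstdomain":          # '.example.com' matches example.com and subdomains;
        host = req.host.lower()      # simplification: no reverse DNS for IP literals
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in map(str.lower, args))
    if kind == "src":
        addr = ipaddress.ip_address(req.src)
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    raise ValueError(f"acl type {kind!r} not modelled")


def evaluate(acls, rules, req):
    """Return (action, terms) of the first http_access line whose terms all match."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action, terms
    return ("allow" if rules[-1][0] == "deny" else "deny"), []   # no line matched


if __name__ == "__main__":
    for label, conf in (("Jan's config", JAN_CONF), ("scoped allow", SCOPED_CONF)):
        acls, rules = parse_config(conf)
        for req in (Request("CONNECT", "209.204.61.7", 4000),
                    Request("CONNECT", "svc.example.com", 4000),
                    Request("CONNECT", "www.aims.ac.za", 443)):
            action, terms = evaluate(acls, rules, req)
            print(f"{label}: {req.method} {req.host}:{req.port} -> {action} ({' '.join(terms)})")
```

Run as a script, the first config reproduces the log line in Jan's post: `CONNECT 209.204.61.7:4000` passes `deny !Safe_ports` (4000 is inside 1025-65535), then hits `deny CONNECT !SSL_ports` because 4000 is not in SSL_ports. With the scoped lines in place, the same request is still denied, `CONNECT svc.example.com:4000` is allowed by the new line, and `svc.example.com` on any other port falls through to the CONNECT deny, which is the narrowing Neil describes rather than adding 4000 to SSL_ports for every destination.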