https requests the squid rejects the connection

Marcelo J. Martinez
Hello,
Sorry, but I do not write in English; I had to translate it with Google.

I have a problem with the proxy server. I installed it with the default parameters, with the following modifications:

acl SSL_ports port 443 21
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multilingual http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny! Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT! SSL_ports
#

I tried several configurations but I cannot solve the problem.

What would be the correct configuration for it to work well?

For http requests it works fine.
Example:

ERROR
El URL solicitado no se ha podido conseguir

Se encontró el siguiente error al intentar recuperar la dirección URL: http://argenteam.net/

    Acceso Denegado

La configuración de control de acceso evita que su solicitud sea permitida en este momento. Por favor, póngase en contacto con su proveedor de servicios si cree que esto es incorrecto.


For https requests, Squid rejects the connection.
Example:
url: https://www.youtube.com

El servidor proxy está rechazando las conexiones

Firefox está configurado para usar un servidor proxy que está rechazando las conexiones.

    Verifique las opciones de proxy para confirmar que están correctas.

--
Marcelo J. Martinez
Programmer and Technical Support
IT Development Department
---------------------------------
Asoprofarma Coop. Prov. Ltda.
Crisologo Larralde 6342 (C1431AQH)
C.A.B.A. Buenos Aires Argentina
Direct Tel. (54 11) 4573 8034
[hidden email]
The content of this message and its attachments is private, strictly confidential and intended exclusively for its recipient, and may contain information protected by legal rules and professional secrecy. Under no circumstances may its content be transmitted or revealed to third parties or disclosed in any form. Consequently, if you have received it in error, please contact the sender and delete it from your system. SAVE PAPER. THINK BEFORE YOU PRINT.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: https requests the squid rejects the connection

Matus UHLAR - fantomas
On 20.08.18 14:20, Marcelo J. Martinez wrote:
>I have a problem with the proxy server, install it with the default parameters with the following modifications:

># Deny requests to unknown ports
>http_access deny! Safe_ports

this has to be:

http_access deny !Safe_ports

># Deny CONNECT to other than SSL ports
>http_access deny CONNECT! SSL_ports

and
http_access deny CONNECT !SSL_ports

...you put the ! to the bad place.

>example:
>
>ERROR
>El URL solicitado no se ha podido conseguir

relevant line from log file could show us, but first fix the above.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.

Re: https requests the squid rejects the connection

Marcelo J. Martinez
Sorry, it was a copy-and-paste mistake.
The configuration is:

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports





Re: https requests the squid rejects the connection

Antony Stone
In reply to this post by Marcelo J. Martinez
On Monday 20 August 2018 at 19:20:52, Marcelo J. Martinez wrote:

> hello,
> sorry but I do not write in english I had to translate it with google.
>
> I have a problem with the proxy server, install it with the default
> parameters with the following modifications:

1. Which version of Squid do you have installed?

2. Which operating system / distribution, and version, have you installed it
on?

3. Have you configured your browser to use the proxy, or are you using Squid's
intercept mode to proxy connections which the browser thinks are going direct
from it to the web server?


Antony.

--
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: https requests the squid rejects the connection

Marcelo J. Martinez
1. Squid's version is 3.5.27

2. It runs on Ubuntu 18.04.1 LTS (GNU / Linux 4.15.0-32-generic x86_64)

3. I configured the browser to use the proxy on port 3128 for http, and use the same configuration for https, ftp and SOCKS.



Re: https requests the squid rejects the connection

Amos Jeffries
Administrator
In reply to this post by Marcelo J. Martinez
On 21/08/18 6:45 AM, Marcelo J. Martinez wrote:

> sorry, it's a mistake to copy and paste.
> the configuration is:
>
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>

FYI: current recommended config has the manager lines after the CONNECT
line, that makes Squid a tiny bit faster and safer against CONNECT to
the manager URLs.

That will not solve your current issue though. As Matus said the log
entry (access.log) for the transaction is needed for more info about
what is going on - in particular the URL which is being denied.

I suspect it is simply a normal HTTP request to a port you were not
expecting. You did reduce the Safe_Ports ACL definition significantly.

Amos

Re: https requests the squid rejects the connection

Marcelo J. Martinez
access.log:

1534782486.761      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html
1534782486.767      0 10.10.1.101 TCP_DENIED/403 3926 CONNECT redirector.gvt1.com:443 - HIER_NONE/- text/html
1534782486.768      0 10.10.1.101 TCP_DENIED/403 4221 GET http://ciscobinary.openh264.org/openh264-win64-0410d336bb748149a4f560eb6108090f078254b1.zip - HIER_NONE/- text/html
1534782606.751      0 10.10.1.101 TCP_DENIED/403 3989 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_NONE/- text/html
1534782606.754      0 10.10.1.101 TCP_DENIED/403 3980 CONNECT firefox.settings.services.mozilla.com:443 - HIER_NONE/- text/html
1534783061.435      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
1534783486.477      0 10.10.1.101 TCP_DENIED/403 4123 GET http://argenteam.net/ - HIER_NONE/- text/html
1534783486.506      0 10.10.1.101 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1534785311.331      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
1534788567.647      0 10.10.1.101 TCP_DENIED/403 3950 CONNECT safebrowsing.googleapis.com:443 - HIER_NONE/- text/html
1534791437.517      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html

Bear in mind that the server is configured to reject the connection from my IP. The problem is that:
with http queries, the normal Squid error page appears.
with https queries, the browser informs me that the proxy rejected the connection and the normal Squid page does not appear.


Re: https requests the squid rejects the connection

Amos Jeffries
Administrator
On 21/08/18 8:19 AM, Marcelo J. Martinez wrote:

> access.log:
>
> 1534782486.761      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html
> 1534782486.767      0 10.10.1.101 TCP_DENIED/403 3926 CONNECT redirector.gvt1.com:443 - HIER_NONE/- text/html
> 1534782486.768      0 10.10.1.101 TCP_DENIED/403 4221 GET http://ciscobinary.openh264.org/openh264-win64-0410d336bb748149a4f560eb6108090f078254b1.zip - HIER_NONE/- text/html
> 1534782606.751      0 10.10.1.101 TCP_DENIED/403 3989 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_NONE/- text/html
> 1534782606.754      0 10.10.1.101 TCP_DENIED/403 3980 CONNECT firefox.settings.services.mozilla.com:443 - HIER_NONE/- text/html
> 1534783061.435      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
> 1534783486.477      0 10.10.1.101 TCP_DENIED/403 4123 GET http://argenteam.net/ - HIER_NONE/- text/html
> 1534783486.506      0 10.10.1.101 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
> 1534785311.331      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
> 1534788567.647      0 10.10.1.101 TCP_DENIED/403 3950 CONNECT safebrowsing.googleapis.com:443 - HIER_NONE/- text/html
> 1534791437.517      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html
>
> Bear in mind that the server is configured to reject the connection from my ip, the problem is that:
> with http queries, the normal squid error page appears.
> with https queries, the browser informs me that the proxy rejected the connection and the normal squid page does not appear.
>

This is intentional behaviour by the Browsers. Squid does send the same
error page if the CONNECT tunnel is rejected, but they all refuse to
display anything but their own text. There were some workarounds that
worked some time ago, but those have also been blocked in recent years.

I do mean "refuse" above. The Browser authors have repeatedly been asked
to re-assess and always close the bugs as WONTFIX citing security risks
which are demonstrably false, or ignore it.


There is nothing Squid (or we) can do about it these days short of fully
decrypting the client TLS and injecting a fake response containing the
error page. Yes that is as nasty as it sounds (maybe more) and assumes
that the traffic on port 443 actually is HTTPS instead of something else.

Amos

Re: https requests the squid rejects the connection

Amos Jeffries
Administrator
In reply to this post by Marcelo J. Martinez
On 21/08/18 8:19 AM, Marcelo J. Martinez wrote:
> access.log:
> 1534783486.506      0 10.10.1.101 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html

Note that this port 3128 for showing the Squid error page details is
itself being blocked. That would be your Safe_Ports restriction in this
case.

Amos
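
Added example, not part of the original thread and not Squid's own code: a small Python check that replays the two port rules from the posted configuration, first match wins, over three of the quoted access.log lines. It shows that only the request to smbserver2:3128 is explained by the reduced Safe_ports list; the function and variable names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Port ACLs as posted in the thread (Safe_ports cut down from the default).
SAFE_PORTS = {80, 21, 443}
SSL_PORTS = {443, 21}
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

# Three of the access.log lines quoted in the thread, embedded as sample input.
SAMPLE_LOG = """\
1534783061.435      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
1534783486.477      0 10.10.1.101 TCP_DENIED/403 4123 GET http://argenteam.net/ - HIER_NONE/- text/html
1534783486.506      0 10.10.1.101 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
"""

def parse_line(line):
    """Return (method, host, port) from a native-format access.log line."""
    fields = line.split()
    method, target = fields[5], fields[6]
    if method == "CONNECT":  # CONNECT carries host:port, not a URL
        host, _, port = target.rpartition(":")
        return method, host, int(port)
    url = urlsplit(target)
    return method, url.hostname, url.port or DEFAULT_PORT[url.scheme]

def port_rule_verdict(method, port, safe_ports=SAFE_PORTS, ssl_ports=SSL_PORTS):
    """Apply the two port rules in order; the first matching rule wins."""
    if port not in safe_ports:
        return "deny !Safe_ports"
    if method == "CONNECT" and port not in ssl_ports:
        return "deny CONNECT !SSL_ports"
    return None  # the port rules do not decide; later http_access rules apply

def classify(log_text, safe_ports=SAFE_PORTS):
    """Map each TCP_DENIED request to the port rule that explains it, if any."""
    results = []
    for line in log_text.splitlines():
        if "TCP_DENIED" not in line:
            continue
        method, host, port = parse_line(line)
        results.append((host, port, port_rule_verdict(method, port, safe_ports)))
    return results

if __name__ == "__main__":
    for host, port, verdict in classify(SAMPLE_LOG):
        print(f"{host}:{port} -> {verdict or 'passed port rules, denied later'}")
```

Passing a Safe_ports set that also contains the commented-out 1025-65535 range makes the 3128 request pass the port rules as well.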