strange thing in the squid logs ...

strange thing in the squid logs ...

Walter H.
Hello,

in iptables I have this:

*nat
...
-A PREROUTING -i br0 -p tcp -s 192.168.1.100 --dport 80 -j DNAT --to-destination 192.168.1.1:3129



192.168.1.100 is my PC and 192.168.1.1 is my NAT router, which has Squid ... running.

Here is the log:

192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CONNECT 77.74.177.233:80 HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:20:58:41 +0100] "CONNECT 130.117.190.168:80 HTTP/1.1" 403 1520 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:06:12 +0100] "CONNECT 207.123.56.252:80 HTTP/1.1" 403 1518 "-" "-" TCP_DENIED:HIER_NONE

These are only examples; in reality there are many of these, with exactly these IP addresses.

What is causing such strange things?


Here is the squid.conf:

acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 3128        # squid (ftp-icons, /squid-internal) [me]
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports    # i guess this rule is causing DENIED in the log, but why port 80 there???

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all

http_reply_access allow all

http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port 192.168.1.1:3129 intercept

cache_dir ufs /var/spool/squid 16400 16 256
coredump_dir /var/spool/squid

always_direct allow all

acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

cache_mem 2560 MB

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

as_whois_server whois.ra.net

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: strange thing in the squid logs ...

Amos Jeffries
Administrator
On 6/02/19 9:27 am, Walter H. wrote:

> Hello,
>
> in iptables I have this:
>
> *nat
> ...
> -A PREROUTING -i br0 -p tcp -s 192.168.1.100 --dport 80 -j DNAT --to-destination 192.168.1.1:3129
>
>
>
> 192.168.1.100 is my PC and 192.168.1.1 is my NAT router, which has Squid ... running.
>
> Here is the log:
>
> 192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CONNECT 77.74.177.233:80 HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.1.100 - - [05/Feb/2019:20:58:41 +0100] "CONNECT 130.117.190.168:80 HTTP/1.1" 403 1520 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.1.100 - - [05/Feb/2019:21:06:12 +0100] "CONNECT 207.123.56.252:80 HTTP/1.1" 403 1518 "-" "-" TCP_DENIED:HIER_NONE
>
> These are only examples; in reality there are many of these, with exactly these IP addresses.
>
> What is causing such strange things?
>

Unknown.


>
> Here is the squid.conf:
>
...
>
> http_access deny CONNECT !SSL_ports    # i guess this rule is causing DENIED in the log, but why port 80 there???
>

Yes. This is the rule blocking those transactions.

The answer to your question though is known only to the client software
requesting those tunnels be opened.

Could be some form of attack against those servers or abusive use of
port 80 for non-HTTP. At very least it is trying to bypass the proxy for
some type of port 80 traffic.

If it worries you, then investigation of the traffic may prove fruitful.
Then you can decide what to do based on better information than your log
contains.


[ following is just some comments about polish to your squid.conf ]

>
> http_reply_access allow all

Does the default action, but in a slow way. You can simplify your config
and speed up Squid a little by removing the above line.


>
> always_direct allow all

Does the default action, but in a slow way. You can simplify your config
and speed up Squid a little by removing the above line.


>
> acl crl-mime rep_mime_type application/x-pkcs7-crl
> no_cache deny crl-mime
>

"no_cache" does not exist since Squid-1.x. It is called just "cache" so
at very least please remove that "no_" part.

Also, the "cache" directive is tested for HTTP *requests*. There is no
HTTP *reply* mime type in request messages.

Either;

a) use req_mime_type (note the 'q'), or

b) remove both the above lines as pointless config, or

c) replace the "no_cache" name with "store_miss" in latest Squid-3.5+
proxies.


FWIW: it is not clear why you forbid CRL objects from being cached. They
are public information and caching works as well as with any other HTTP
objects.


>
> logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
>

FYI: The Apache "common" format is designed for use by web servers.
Which are quite different software from proxies. In particular they
typically do not have upstream origin-server connection and multiplexing
to deal with - which is a core part of being a proxy. So you are missing
out on several useful details the "squid" native log format provides.


Amos
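As an added example, not code from the thread or from the Squid project: a small Python triage script for access.log lines like the ones Walter posted, to support the "investigate the traffic" step Amos suggests. It parses the 'combined' logformat from the posted squid.conf, lists the CONNECT requests Squid refused because the target port is outside SSL_ports, groups them by client and destination so the repeated IPs stand out, and names which of the two port rules from that config (deny !Safe_ports, then deny CONNECT !SSL_ports) would deny a given request, in the order Squid evaluates them. The sample log is constructed: the three lines quoted above plus a repeat and two made-up normal entries (example.net, example.org). Only the two port ACL rules are modelled, not the rest of the http_access list.

```python
"""Triage Squid access.log entries for CONNECT tunnels to non-TLS ports.

Added example for the squid-users thread above; not Squid project code.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Port ACLs copied from the squid.conf quoted in the thread.
SAFE_PORTS = {80, 21, 443, 70, 3128}
SSL_PORTS = {443}

# Matches the 'combined' logformat posted in the thread:
#   %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>[^:\s]+):(?P<hier>\S+)$'
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}

# Constructed sample: the three lines from the thread, one repeat of the
# first destination, and two made-up benign entries for contrast.
SAMPLE_LOG = """\
192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CONNECT 77.74.177.233:80 HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:20:58:41 +0100] "CONNECT 130.117.190.168:80 HTTP/1.1" 403 1520 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:06:12 +0100] "CONNECT 207.123.56.252:80 HTTP/1.1" 403 1518 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:07:00 +0100] "CONNECT 77.74.177.233:80 HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:08:13 +0100] "CONNECT example.net:443 HTTP/1.1" 200 4211 "-" "Mozilla/5.0" TCP_TUNNEL:HIER_DIRECT
192.168.1.100 - - [05/Feb/2019:21:09:44 +0100] "GET http://example.org/index.html HTTP/1.1" 200 2301 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT
"""


def target_of(method, url):
    """Return the (host, port) a request is aimed at.

    CONNECT carries an authority ('host:port', IPv6 as '[addr]:port');
    other methods carry an absolute URL whose port defaults by scheme.
    """
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host.strip("[]"), int(port)
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower(), 80)
    return parts.hostname, port


def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    entry["host"], entry["port"] = target_of(entry["method"], entry["url"])
    return entry


def denying_rule(entry, safe_ports=SAFE_PORTS, ssl_ports=SSL_PORTS):
    """Name the first port-based http_access deny rule from the thread's
    config that matches, in Squid's evaluation order, or None if neither does.
    Only the Safe_ports and SSL_ports checks are modelled here."""
    if entry["port"] not in safe_ports:
        return "http_access deny !Safe_ports"
    if entry["method"] == "CONNECT" and entry["port"] not in ssl_ports:
        return "http_access deny CONNECT !SSL_ports"
    return None


def denied_tunnels(lines, ssl_ports=SSL_PORTS):
    """CONNECT requests to ports outside SSL_ports that Squid refused."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "CONNECT":
            continue
        if e["port"] not in ssl_ports and e["squid_status"] == "TCP_DENIED":
            out.append(e)
    return out


def summarize(entries):
    """Count (client, host, port) triples so repeat destinations stand out."""
    return Counter((e["client"], e["host"], e["port"]) for e in entries)


if __name__ == "__main__":
    hits = denied_tunnels(SAMPLE_LOG.splitlines())
    for (client, host, port), n in summarize(hits).most_common():
        print(f"{client} -> {host}:{port}  denied {n}x")
    print("first entry blocked by:", denying_rule(hits[0]))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines. The client/destination pairs it prints are the ones to capture on the LAN side (for example with a packet capture on 192.168.1.100 filtered to those destination addresses) to see what software is opening the tunnels; the proxy log alone only records that the tunnel was refused.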