[squid-users] ACL rules allow localhost, but I still get an Access Denied in transparent setup...

From: GoogleGuy <googleguy@dont-contact.us>
Date: Mon, 30 Jul 2007 14:46:59 +0300

Hi All,

I installed squid on Debian Etch, and although the ACL rules allow
localhost, I still get an Access Denied message with a transparent
setup.

My squid.conf is:
-----------------------------------------------------------
# grep -v '^#\|^$' squid.conf
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid
-----------------------------------------------------------
It's a default Debian Etch config; I only changed the first
non-commented line:

http_port 3128

to this:
http_port 3128 transparent

...since I want a transparent setup.

The weird thing is, if I manually configure Firefox to access the Web
via localhost:3128, it works fine, no matter whether I use the
"transparent" keyword or not. The ACL rule that allows localhost is
in effect in this case, since if I change

http_access allow localhost

to:

http_access deny localhost

I get an Access Denied.

But when I try to set up a simple iptables rule to intercept traffic at
port 80 and redirect it to 3128 without configuring Firefox to use a
proxy:

/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

...I ALWAYS get an Access Denied in Squid.

The firewall is allowing traffic to port 3128; I can see it in the logs.
So it *looks* like for some reason Squid is not recognizing this
traffic as coming from localhost, since the message says the access control
setup does not allow me to view the page I requested.

In /var/log/squid/access.log I can see that the denied connections are
not coming from 127.0.0.1, but from my host's public IP, 1.2.3.4.

However, adding a rule like this:

acl ME src 1.2.3.4
http_access allow ME

doesn't help at all.

Even adding "http_access allow all" doesn't help.

I read through the Wiki, and googled the problem, but to no avail. Any
pointers about how I can diagnose or fix the problem will therefore be
very much appreciated.

Thanks,
Andrei

PS: Almost forgot, my squid is:
-----------------------------------------------------------
# squid -v
Squid Cache: Version 2.6.STABLE5
configure options: '--prefix=/usr' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid'
'--enable-async-io' '--with-pthreads'
'--enable-storeio=ufs,aufs,coss,diskd,null'
'--enable-linux-netfilter'
'--enable-arp-acl' '--enable-epoll'
'--enable-removal-policies=lru,heap' '--enable-snmp'
'--enable-delay-pools' '--enable-htcp' '--enable-cache-digests'
'--enable-underscores' '--enable-referer-log'
'--enable-useragent-log' '--enable-auth=basic,digest,ntlm'
'--enable-carp' '--with-large-files' 'i386-debian-linux'
'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux'
'target_alias=i386-debian-linux'
-----------------------------------------------------------
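Squid evaluates http_access lines top to bottom, and the first line whose terms all match decides. The Python model below is an added example (not code from this thread or from Squid itself): it works on a condensed copy of the poster's ACL section and only models the src, port and method acl types, to show that a request Squid attributes to 127.0.0.1 stops at "allow localhost", while one attributed to 1.2.3.4 falls through to "deny all" unless an "allow ME" line is placed before it.

```python
import ipaddress

# Constructed, condensed copy of the http_access section from the post (manager/cache_object
# lines omitted; one-value-per-line port entries merged, as Squid itself accumulates them).
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 631 873 901
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Collect acl definitions (name -> (type, values)) and the ordered http_access lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, req):
    """One acl is an OR over its values; only the src/port/method types used above are modelled."""
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return req["method"].upper() in [v.upper() for v in values]
    raise ValueError(f"acl type {kind!r} not modelled")

def decide(conf, src, port, method="GET"):
    """Return (action, rule) for the first http_access line whose terms all match ('!' negates)."""
    acls, rules = parse(conf)
    req = {"src": src, "port": port, "method": method}
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    # Squid's documented default when no line matches: the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "implicit default"
```

Running decide(CONF, "1.2.3.4", 80) after inserting "acl ME src 1.2.3.4" and "http_access allow ME" ahead of "deny all" returns allow, which is why the ACL list as posted is not, by itself, what produces the denial seen in access.log.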
Received on Mon Jul 30 2007 - 05:45:12 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT