Help

Juan A. Becerril Castillo

Jan 4, 2000, 3:00:00 AM
I have this problem with SQUID-2.2STABLE5

Any suggestion?


946942914.397 4 192.168.1.14 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946942914.830 4 192.168.1.14 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946942921.935 9 192.168.1.14 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946943036.408 11 192.168.1.13 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946943056.991 173 192.168.1.13 TCP_DENIED/403 1058 GET http://messenger.netscape.com/bookmark/4_5/messengerstart.html - NONE/- -
946943457.781 3 192.168.1.10 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946943481.378 12 192.168.1.10 TCP_DENIED/403 992 GET http://www.tatilandia.com.mx/ - NONE/- -
946943489.117 11 192.168.1.10 TCP_DENIED/403 986 GET http://www.tatilandia.com/ - NONE/- -
946943497.416 5 192.168.1.10 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946943499.312 5 192.168.1.10 TCP_DENIED/403 970 GET http://moz.com.mx/ - NONE/- -
946943500.549 5 192.168.1.10 TCP_DENIED/403 1034 GET http://home.netscape.com/bookmark/4_7/tsearch.html - NONE/- -
946943502.538 5 192.168.1.10 TCP_DENIED/403 1034 GET http://home.netscape.com/bookmark/4_7/tsearch.html - NONE/- -
946943503.343 5 192.168.1.10 TCP_DENIED/403 1032 GET http://home.netscape.com/bookmark/4_7/tstart.html - NONE/- -
946943504.328 5 192.168.1.10 TCP_DENIED/403 1032 GET http://home.netscape.com/bookmark/4_7/tstart.html - NONE/- -
946943539.625 5 192.168.1.10 TCP_DENIED/403 986 GET http://www.tatilandia.com/ - NONE/- -


Andrew Kenna

Jan 4, 2000, 3:00:00 AM
Make sure you do not have any acl lists in the config file that specify to
not allow http requests.

Regards

Andrew

Juan A. Becerril Castillo

Jan 4, 2000, 3:00:00 AM
I have default config...

squid.conf

Thanks.

---->

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of src dst srcdomain dstdomain url_pattern
# urlpath_pattern time port proto method browser user
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname srcdomain foo.com ... # reverse lookup, client IP
# acl aclname dstdomain foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used. The name "none" is used if the reverse lookup
# # fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp
# # pattern match on User-Agent header
# acl aclname ident username ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth username ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # authenticate_program).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
#
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#
#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# Access to the ICP port:
# icp_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to allow
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default configuration:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny all

# TAG: icp_access
# Reply to all ICP queries we receive
#
icp_access allow all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means that only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
miss_access allow all

# TAG: cache_peer_access
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
#
# cache_peer_access cache-host allow|deny [!]aclname ...
#
# The syntax is identical to 'http_access' and the other lists of
# ACL elements. See the comments for 'http_access' below, or
# the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).

# TAG: proxy_auth_realm
# Specifies the realm name which is to be reported to the client for
# proxy authentication (part of the text the user will see when
# prompted their username and password).
#
#proxy_auth_realm Squid proxy-caching web server

# TAG: ident_lookup_access
# A list of ACL elements which, if matched, cause an ident
# (RFC 931) lookup to be performed for this request. For
# example, you might choose to always perform ident lookups
# for your main multi-user Unix boxes, but not for your Macs
# and PCs. By default, ident lookups are not performed for
# any requests.
#
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
# This option may be disabled by using --disable-ident with
# the configure script.
#ident_lookup_access deny all

Thomas Wahyudi

Jan 4, 2000, 3:00:00 AM

----- Original Message -----
From: "Juan A. Becerril Castillo" <ja...@moz.com.mx>
To: "Andrew Kenna" <and...@stamina.com.au>
Cc: <squid...@ircache.net>
Sent: Tuesday, January 04, 2000 9:52 AM
Subject: Re: Help


> I have default config...
>
> squid.conf
>
> Thanks.
>

> #Defaults:


> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT

> #Default configuration:


> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> http_access deny all

^^^^^^^^^^^^^^^^^

i believe this is the reason
=)

change to http_access allow all


Duane Wessels

Jan 4, 2000, 3:00:00 AM

On Tue, 4 Jan 2000, Thomas Wahyudi wrote:

> > #Default configuration:
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > #
> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> > #
> > http_access deny all
>
> ^^^^^^^^^^^^^^^^^
>
> i believe this is the reason
> =)
>
> change to http_access allow all

No, do not change it to "allow all".

If you do that, then anyone will be able to use your proxy
cache. Eventually your cache will end up on the "open proxy list"
and you will be proxying traffic from all over the world.

Duane W.


Juan A. Becerril Castillo

Jan 4, 2000, 3:00:00 AM
Thomas Wahyudi wrote:
>
> ----- Original Message -----
> From: "Juan A. Becerril Castillo" <ja...@moz.com.mx>
> To: "Andrew Kenna" <and...@stamina.com.au>
> Cc: <squid...@ircache.net>
> Sent: Tuesday, January 04, 2000 9:52 AM
> Subject: Re: Help
>
> > I have default config...
> >
> > squid.conf
> >
> > Thanks.
> >
>
> > #Defaults:
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 21 443 563 70 210 1025-65535
> > acl CONNECT method CONNECT
>
> > #Default configuration:
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > #
> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> > #
> > http_access deny all
>
> ^^^^^^^^^^^^^^^^^
>
> i believe this is the reason
> =)
>
> change to http_access allow all


Yes... this rule was the problem....

Now it work very fine.

Thanks !


--
Juan Becerril Castillo
mailto:ja...@moz.com.mx
MOZ Agencias Aduanales, S.C.
http://moz.com.mx


Tilman Schmidt

Jan 4, 2000, 3:00:00 AM
At 20:52 03.01.00 -0600, Juan A. Becerril Castillo wrote:
>I have default config...
>
>squid.conf
>
>Thanks.
>
>---->
[...]

>#Default configuration:
>http_access allow manager localhost
>http_access deny manager
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>#
># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>#
>http_access deny all

You didn't follow the instructions written here. (In capital letters, even.)
Squid doesn't allow your clients to access it because you didn't tell it who
your clients are. Insert the correct rules, and it will work.

--
Tilman Schmidt E-Mail: Tilman....@sema.de (office)
Sema Group Koeln, Germany til...@schmidt.bn.uunet.de (private)


Tilman Schmidt

Jan 4, 2000, 3:00:00 AM
At 08:38 04.01.00 -0600, Juan A. Becerril Castillo wrote:

>Thomas Wahyudi wrote:
>> > #
>> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> > #
>> > http_access deny all
>>
>> ^^^^^^^^^^^^^^^^^
>>
>> i believe this is the reason
>> =)
>>
>> change to http_access allow all
>
>Yes... this rule was the problem....
>
>Now it work very fine.

Well I hope you have some other protection against abuse of your
cache then, because now your cache will merrily fulfill requests
no matter where they are coming from.
