It's been a while since I last touched squid, and I've been sitting here for the last few hours trying to figure out why my squid setup on this standalone server machine (behind router NAT) failed to process any outgoing HTTP requests from the machine itself and threw access denied messages on all the requests. I think I might have overlooked something obvious here but I can't spot it. Any idea what's wrong here?
% egrep -v "^\s*(#|$)" /etc/squid3/squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
% sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 113 packets, 7598 bytes)
pkts bytes target prot opt in out source destination
25 1500 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 138 packets, 9098 bytes)
pkts bytes target prot opt in out source destination
% sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
% sudo tail -f /var/log/squid3/access.log
1427233173.711 1 192.168.0.3 TCP_MISS/403 4050 GET http://serverfault.com/favicon.ico - HIER_NONE/- text/html
1427233173.713 4 192.168.0.3 TCP_MISS/403 4130 GET http://serverfault.com/favicon.ico - HIER_DIRECT/190.93.247.183 text/html
1427233173.998 1 192.168.0.3 TCP_MISS/403 4082 GET http://serverfault.com/favicon.ico - HIER_NONE/- text/html
1427233174.000 5 192.168.0.3 TCP_MISS/403 4162 GET http://serverfault.com/favicon.ico - HIER_DIRECT/190.93.247.183 text/html
1427233189.293 1 192.168.0.3 TCP_MISS/403 4132 GET http://serverfault.com/ - HIER_NONE/- text/html
1427233189.295 5 192.168.0.3 TCP_MISS/403 4212 GET http://serverfault.com/ - HIER_DIRECT/190.93.246.183 text/html
You will need to add local host to the localnet definition.
Using a firewall to force transparent proxy access on localhost will require some additional parameters to ignore traffic from squid.
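The firewall exemption the answer refers to, as an added example that is not part of the original answer: with the REDIRECT in the nat OUTPUT chain, Squid's own upstream connections to port 80 pass through the same rule, which is consistent with the paired HIER_NONE/HIER_DIRECT 403 entries in the log. The check below reads `iptables -t nat -S OUTPUT` output and reports whether an owner-match exemption precedes the redirect; the user name `proxy`, the uid 13 and the sample rule listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the nat OUTPUT chain for a REDIRECT that also
# catches Squid's own traffic. Assumptions: Squid listens on 3128 (as in
# the question) and runs under a dedicated user ("proxy" on Debian).
SQUID_PORT=3128

# Reads `iptables -t nat -S OUTPUT` output on stdin. Returns:
#   0  every REDIRECT to $SQUID_PORT is covered by an owner-match exemption
#   1  a REDIRECT is reached with no exemption before it (loop-prone)
#   2  no REDIRECT to $SQUID_PORT in the chain
# Limitation: it does not verify that the exempted uid is really Squid's.
audit_output_chain() {
    exempt=0 seen=0
    while IFS= read -r rule; do
        case "$rule" in
            *"! --uid-owner"*"-j REDIRECT"*"--to-ports $SQUID_PORT"*)
                seen=1 ;;        # rule itself skips the named uid
            *"! --uid-owner"*) ;; # other negated owner rules exempt nothing
            *"--uid-owner"*"-j ACCEPT"*|*"--uid-owner"*"-j RETURN"*)
                exempt=1 ;;      # owner's packets leave the chain here
            *"-j REDIRECT"*"--to-ports $SQUID_PORT"*)
                seen=1
                [ "$exempt" -eq 1 ] || return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ] && return 0
    return 2
}

# Constructed samples in `iptables -S` format. BROKEN mirrors the question's
# single OUTPUT rule; FIXED adds an exemption (13 stands in for Squid's uid).
BROKEN='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
FIXED='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

report() {
    if printf '%s\n' "$2" | audit_output_chain; then
        echo "$1: Squid's traffic is exempted"
    else
        echo "$1: REDIRECT also catches Squid's traffic"
    fi
}
report broken "$BROKEN"
report fixed "$FIXED"

# Corrective rule, inserted ahead of the REDIRECT (run as root):
#   iptables -t nat -I OUTPUT 1 -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
```

On a live host, feed it the real chain with `iptables -t nat -S OUTPUT | audit_output_chain; echo $?`.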