RE: [squid-users] RE: https Webmin using port 12000 doesn't work anymore with Squid

From: Chris Robertson <[email protected]>
Date: Fri, 2 Dec 2005 09:25:31 -0900

> -----Original Message-----
> From: LeKeiserAmen [mailto:LeKeiser@lekeiser.com]
> Sent: Thursday, November 24, 2005 9:57 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] RE: https Webmin using port 12000 doesn't
> work anymore with Squid
>
> Hello Chris,
>

SNIP

>>> 1132791052.505 11 192.168.1.10 TCP_MISS/200 2269 CONNECT
>>> 192.168.1.1:12000 - DIRECT/192.168.1.1 -
>>> 1132791052.584 10 192.168.1.10 TCP_MISS/200 2189 CONNECT
>>> 192.168.1.1:12000 - DIRECT/192.168.1.1 -
> CR> This indicates that the connection is proceeding properly. Note
> CR> the 200 after TCP_MISS? The TCP_MISS just indicates that the
> CR> connection was via TCP and the resultant data was not in the cache
> CR> (not a surprise, considering it's encrypted).
>
>>> When I open my browser, and I choose Webmin, I get the
>>> certificate window. Then the error Error - Access denied for
>>> 192.168.1.1
> CR> Odd. Access denied? That's not shown in the log snippet you
> CR> have provided. Perhaps this is Webmin preventing access from your
> CR> cache's IP address. Or it's cached data in your browser... Try
> CR> clearing your browser cache (or using a different browser) and
> CR> see if the result is the same.
>
> CR> Chris
>
> I emptied the cache of my browser, reloaded the configuration of
> Squid, and still have the same problem :(
> Error - Access denied for 192.168.1.1 for the browser
>
> and
> 1132858337.208 9 192.168.1.10 TCP_MISS/200 1850 CONNECT
> 192.168.1.1:12000 - DIRECT/192.168.1.1 -
> in access.log

I maintain this is no longer a Squid error. The TCP CONNECT is succeeding (200 status code). Check your WebMin config, and verify that connections from 192.168.1.10 are allowed. Otherwise you are going to have to increase your debug_options (use "ALL,1 33,2" at first. Progress to "ALL,1 33,2 28,9" if you need more details) and tail your cache_log.

>
> Here is the new ACLs and HTTP_ACCESS, so it's clearer :)
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl our_network src 192.168.1.0/25
> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl webmin port 12000
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access allow webmin our_network
> http_access allow CONNECT webmin our_network
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow our_network
> http_access allow localhost
> http_access deny all
>
>

Looks good to me.

>
>
> Thanx for your help :)
>
> --
> Best regards,
> LeKeiserAmen
> mailto: LeKeiser@lekeiser.com
>
>

Chris
Received on Fri Dec 02 2005 - 11:25:34 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST