Re: [squid-users] can't access site fna.gov.co:8081

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Thu, 28 Apr 2011 18:37:28 +0300

On 28/04/2011 18:05, Amos Jeffries wrote:

> On 29/04/11 00:49, Eliezer Croitoru wrote:
>> On 27/04/2011 22:53, Oscar Andrés Eraso Moncayo wrote:
>>
>>> Hi,
>>>
>>> squid.conf:
>>> ******************************************************************************************************************
>>>
>>>
>>> http_port 127.0.0.1:3030
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> cache deny QUERY
>>>
>>> acl apache rep_header Server ^Apache
>>> broken_vary_encoding allow apache
>>>
>>> cache_mem 1024 MB
>>> cache_dir ufs /var/spool/squid 4096 16 256
>>> access_log /var/log/squid/access.log squid
>>> authenticate_ip_ttl 1 hours
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> #acl msn_messenger req_mime_type -i ^application/x-msn-messenger$
>>> #acl msn_url url_regex -i gateway.dll
>> add here these lines:
>>
>> acl fnagov dstdomain .fna.gov.co
>> acl fnagovport port 8081
>> #add the next line if it doesn't exist already
>> acl CONNECT method CONNECT
>> #remember that the next line must be on top of any deny rule that is
>> #related to one of the ACLs in the rule.
>> http_access allow all fnagov CONNECT fnagovport
>>
>> should give you what you need.
>>
>> Regards
>> Eliezer
>>
>
> I would be a bit surprised if it did. It is technically right, but...
>
> To fetch through a proxy on 127.0.0.1:3030 one must use the source IP
> 127.0.0.1 to do so.
>
> He already has:
> acl localhost src 127.0.0.1/255.255.255.255
> ...
> http_access allow localhost
>
> Which is an open proxy for any requests made by the same machine as
> the proxy.
>
> I would guess the 403 was coming from the remote server, but with
> CONNECT and no cache_peer that seems not possible either.
>
> It looks suspiciously like there is more config hidden away somewhere.
> Or the log comes from some other proxy. Or the log detail (403) is
> corrupt data in the tunnel state.

I suppose he doesn't have, or doesn't want to give, more info.
If the ACLs were as he sent them, it's pretty simple to understand the problems
he is having.
The log was: 10.120.5.41
So whatever is happening on the server still stays a mystery for us.

A little funny and ironic.

Eliezer
>>> http_access allow localhost
>>> #http_access deny msn_messenger
>>> #http_access deny msn_method msn_url
>>> http_access deny all
>>> http_reply_access allow all
>>> icp_access allow all
>>> error_directory /usr/share/squid/errors/Spanish
>>> client_db off
>>> log_fqdn off
>>> *******************************************************************************************************************************
>>>
>>>
>>> Best regards,
>>>
>
> Amos
Received on Thu Apr 28 2011 - 15:37:37 MDT
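
Added example (not part of the original thread and not Squid's own code): a small Python model of Squid's first-match `http_access` evaluation, run over the rules quoted in this message for a request from 127.0.0.1 and one from 10.120.5.41, the address given for the log. It models only the ACL types used here and ignores the `http_port 127.0.0.1:3030` listen restriction; the `example.com` request is constructed.

```python
import ipaddress

def dstdomain(host, pattern):
    """Squid dstdomain: a leading dot matches the domain and its subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

# ACLs from the quoted squid.conf plus the three proposed in the reply.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: ipaddress.ip_address(r["src"])
    in ipaddress.ip_network("127.0.0.1/32"),
    "fnagov": lambda r: dstdomain(r["host"], ".fna.gov.co"),
    "fnagovport": lambda r: r["port"] == 8081,
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

# http_access lines in file order: (action, ACL names ANDed on that line).
POSTED = [("allow", ["localhost"]), ("deny", ["all"])]
PROPOSED = [("allow", ["all", "fnagov", "CONNECT", "fnagovport"])] + POSTED

def http_access(rules, req):
    """Return the action of the first line whose ACLs all match."""
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(src, method, host, port):
    return {"src": src, "method": method, "host": host, "port": port}

LOCAL = request("127.0.0.1", "CONNECT", "fna.gov.co", 8081)
LOGGED = request("10.120.5.41", "CONNECT", "fna.gov.co", 8081)  # client IP from the thread
OTHER = request("10.120.5.41", "GET", "example.com", 80)  # constructed request

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("proposed", PROPOSED)):
        for label, req in (("local", LOCAL), ("logged", LOGGED), ("other", OTHER)):
            print(f"{name:9} {label:7} -> {http_access(rules, req)}")
```

Because the proposed line starts with `all`, it admits any client address for CONNECT to that domain and port; a source ACL in its place keeps the exception limited to the intended clients.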