# Squid access denied



## wolffnx (Aug 25, 2017)

No matter whether I put

```
http_access allow all
```

in squid.conf, it always gives me "access denied".

My PF config:


```
#external
ext="bce0"
#internal
int="bce1"
# 443 left out while testing squid
# (pf lists use braces, and macro names may not contain "-")
ports="{ 53, 3130, 3129, 3121, 80 }"
ports_udp="{ 53 }"
nat on $ext inet from !($ext) -> ($ext)
set skip on lo0

rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 3130

block in on $ext all
block in on $int all

pass in on $int inet proto tcp from any to any port $ports keep state
pass in on $int inet proto udp from any to any port $ports_udp

pass in on $ext inet proto tcp from any to any port 22 keep state
pass out on $ext inet proto tcp from any to any port $ports keep state
pass out on $ext inet proto udp from any to any port $ports_udp

pass in on $ext proto icmp
pass in on $int proto icmp
```


My squid.conf:


```
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80       # http
acl Safe_ports port 21       # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70       # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# The shipped default here is "deny all"; changed to "allow all" while troubleshooting
http_access allow all


# Squid normally listens to port 3128
http_port 127.0.0.1:3121
http_port 127.0.0.1:3130 intercept
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
```

cache.log (access to http://google.com):


```
2017/08/25 11:53:31 kid1| Set Current Directory to /var/squid/cache
2017/08/25 11:53:31 kid1| Starting Squid Cache version 3.5.26 for amd64-portbld-freebsd11.0...
2017/08/25 11:53:31 kid1| Service Name: squid
2017/08/25 11:53:31 kid1| Process ID 2483
2017/08/25 11:53:31 kid1| Process Roles: worker
2017/08/25 11:53:31 kid1| With 234864 file descriptors available
2017/08/25 11:53:31 kid1| Initializing IP Cache...
2017/08/25 11:53:31 kid1| DNS Socket created at [::], FD 6
2017/08/25 11:53:31 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/08/25 11:53:31 kid1| Adding nameserver 200.0.243.10 from /etc/resolv.conf
2017/08/25 11:53:31 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/08/25 11:53:31 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/08/25 11:53:31 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/08/25 11:53:31 kid1| Store logging disabled
2017/08/25 11:53:31 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/08/25 11:53:31 kid1| Target number of buckets: 1008
2017/08/25 11:53:31 kid1| Using 8192 Store buckets
2017/08/25 11:53:31 kid1| Max Mem  size: 262144 KB
2017/08/25 11:53:31 kid1| Max Swap size: 0 KB
2017/08/25 11:53:31 kid1| Using Least Load store dir selection
2017/08/25 11:53:31 kid1| Set Current Directory to /var/squid/cache
2017/08/25 11:53:31 kid1| Finished loading MIME types and icons.
2017/08/25 11:53:31 kid1| HTCP Disabled.
2017/08/25 11:53:31 kid1| Pinger socket opened on FD 14
2017/08/25 11:53:31 kid1| Squid plugin modules loaded: 0
2017/08/25 11:53:31 kid1| Adaptation support is off.
2017/08/25 11:53:31 kid1| Accepting HTTP Socket connections at local=127.0.0.1:3121 remote=[::] FD 11 flags=9
2017/08/25 11:53:31 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:3130 remote=[::] FD 12 flags=41
2017/08/25 11:53:31| pinger: Initialising ICMP pinger ...
2017/08/25 11:53:31| pinger: ICMP socket opened.
2017/08/25 11:53:31| pinger: ICMPv6 socket opened
2017/08/25 11:53:32 kid1| storeLateRelease: released 0 objects
2017/08/25 11:53:34| Error sending to ICMPv6 packet to [2800:3f0:4001:808::200e]. ERR: (65) No route to host
2017/08/25 11:53:34 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/5.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=102=Cs1oYjfIaZZAKFp-aAR2I4U_keKjeuTSD5u7Vxstw9NRtxmZ2eKuq9ZkY_2O4MGKRMyfklXbwDfMyULWczULOabbmSWqsIw0J-izCgt24ZvaYsZ0Qor1PTIyf8K9oCb5
Via: 1.1 "rtr" (squid/3.5.26)
X-Forwarded-For: 192.168.50.3
Cache-Control: max-age=259200
Connection: keep-alive
Host: google.com

2017/08/25 11:53:37 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/5.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=102=Cs1oYjfIaZZAKFp-aAR2I4U_keKjeuTSD5u7Vxstw9NRtxmZ2eKuq9ZkY_2O4MGKRMyfklXbwDfMyULWczULOabbmSWqsIw0J-izCgt24ZvaYsZ0Qor1PTIyf8K9oCb5
Upgrade-Insecure-Requests: 1
Via: 1.1 "rtr" (squid/3.5.26)
X-Forwarded-For: 192.168.50.3
Cache-Control: max-age=259200
Connection: keep-alive
Host: google.com
```

and access.log:


```
1503672814.611      0 127.0.0.1 TCP_MISS/403 4319 GET http://google.com/favicon.ico - HIER_NONE/- text/html
1503672814.612     13 192.168.50.3 TCP_MISS/403 4409 GET http://google.com/favicon.ico - ORIGINAL_DST/127.0.0.1 text/html
1503672817.467      0 127.0.0.1 TCP_MISS/403 4398 GET http://google.com/ - HIER_NONE/- text/html
1503672817.467      1 192.168.50.3 TCP_MISS/403 4488 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
```
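
An added check for the symptom in the logs above (editor's example, not code from the post): a POSIX shell script that reads Squid's native access.log format and cache.log and counts the two halves of a forwarding loop. In the post's access.log the hierarchy field reads `ORIGINAL_DST/127.0.0.1`, meaning Squid "forwarded" the intercepted request to its own loopback address, and the matching entry from client `127.0.0.1` with `HIER_NONE/-` and a 403 is that request coming back into Squid. The sample log lines below are constructed to mirror the post (with one clean request added), and the proxy hostname `rtr` is taken from the `Via:` header in the posted cache.log.

```shell
#!/bin/sh
# Added example, not from the thread: spot a Squid forwarding loop in the
# native "squid" logformat (time elapsed client code/status bytes method URL
# ident hierarchy/peer type) and in the cache.log "Forwarding loop" dumps.

# Constructed sample mirroring the post: two intercepted requests, each
# paired with the copy Squid received back from itself, plus one clean line
# (203.0.113.10 is a documentation address, not a real origin).
SAMPLE_ACCESS_LOG='1503672814.611      0 127.0.0.1 TCP_MISS/403 4319 GET http://google.com/favicon.ico - HIER_NONE/- text/html
1503672814.612     13 192.168.50.3 TCP_MISS/403 4409 GET http://google.com/favicon.ico - ORIGINAL_DST/127.0.0.1 text/html
1503672817.467      0 127.0.0.1 TCP_MISS/403 4398 GET http://google.com/ - HIER_NONE/- text/html
1503672817.467      1 192.168.50.3 TCP_MISS/403 4488 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
1503672900.000    120 192.168.50.3 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/203.0.113.10 text/html'

# Constructed cache.log excerpt in the shape the post shows.
SAMPLE_CACHE_LOG='2017/08/25 11:53:37 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Via: 1.1 "rtr" (squid/3.5.26)
X-Forwarded-For: 192.168.50.3
Host: google.com'

# Requests Squid sent to a loopback address as the "original destination":
# the proxy talking to itself. Reads access.log on stdin, prints a count.
loop_count() {
    awk '$9 ~ /^ORIGINAL_DST\/(127\.|::1)/ { n++ } END { print n + 0 }'
}

# The other half of the loop: requests that arrived from 127.0.0.1 and were
# refused with 403 without any upstream (HIER_NONE).
self_hit_count() {
    awk '$3 == "127.0.0.1" && $4 ~ /\/403$/ && $9 == "HIER_NONE/-" { n++ } END { print n + 0 }'
}

# Distinct URLs caught in the loop, one per line.
loop_urls() {
    awk '$9 ~ /^ORIGINAL_DST\/(127\.|::1)/ { print $7 }' | sort -u
}

# Count request dumps in cache.log whose Via header names this proxy ($1 is
# the visible hostname). A Via line naming yourself is the definitive sign.
via_names_self() {
    awk -v h="$1" 'index($0, "Via: ") == 1 && index($0, "\"" h "\" (squid/") > 0 { n++ } END { print n + 0 }'
}

# Usage: sh squid_loop_check.sh [access.log [cache.log]]
# With no arguments the constructed samples above are used.
main() {
    if [ -n "${1:-}" ]; then alog=$(cat "$1"); else alog=$SAMPLE_ACCESS_LOG; fi
    if [ -n "${2:-}" ]; then clog=$(cat "$2"); else clog=$SAMPLE_CACHE_LOG; fi
    printf 'requests Squid forwarded to itself : %s\n' "$(printf '%s\n' "$alog" | loop_count)"
    printf 'self-originated 403s (HIER_NONE)   : %s\n' "$(printf '%s\n' "$alog" | self_hit_count)"
    printf 'Via headers naming this proxy      : %s\n' "$(printf '%s\n' "$clog" | via_names_self "${SQUID_HOSTNAME:-rtr}")"
    printf 'URLs involved:\n'
    printf '%s\n' "$alog" | loop_urls
}
main "$@"
```

Run it against the real files with `sh squid_loop_check.sh /var/log/squid/access.log /var/log/squid/cache.log` (set `SQUID_HOSTNAME` if the proxy's visible hostname is not `rtr`). Any non-zero count means the proxy is fetching from itself, which is a routing or interception problem, not an `http_access` problem.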


----------



## PacketMan (Aug 25, 2017)

I got my squid up and running fairly easily, I must say. I'm using it at home, which is probably more of a waste of disk space than anything, but the goal was to learn from it.

If by access you mean trying to access its 'manager report' pages then I did this:

```
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
```

I also did not change this default:

```
# And finally deny all other access to this proxy
http_access deny all
```

If by 'access' you mean not seeing content HITs in the access log, then three points: (a) not all content is cacheable, certainly not most content delivered by https, which google uses, (b) I'm pretty sure google has set their content to "do not cache", and (c) cacheable content needs to load in before you will see HITs for that content.

I also set the cache store to something larger than the default 100MB. I used 5GB:

```
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /nasdisk1/squid_cache/ 5000 16 256
```


----------



## wolffnx (Aug 25, 2017)

PacketMan said:


> I got my squid up and running fairly easily, I must say. I'm using it at home, which is probably more of a waste of disk space than anything, but the goal was to learn from it.
> 
> If by access you mean trying to access its 'manager report' pages then I did this:
> 
> ...



No, I mean access to the internet... I get an "access denied" message on the client PC.


----------



## PacketMan (Aug 25, 2017)

Oh sorry. My guess is PF is sending the http requests from squid back to squid, thus the forwarding loop warning you see. I don't know PF so I can't comment much further. My guess is the http requests from squid are using the outside interface address, and your PF rules are allowing/causing those requests to go back to squid.


----------



## wolffnx (Aug 25, 2017)

PacketMan said:


> Oh sorry. My guess is PF is sending the http requests from squid back to squid, thus the forwarding loop warning you see. I don't know PF so I can't comment much further. My guess is the http requests from squid are using the outside interface address, and your PF rules are allowing/causing those requests to go back to squid.



No worry... I'm a newbie to PF, so my head is exploding and I can't find the solution.


----------



## SirDice (Aug 28, 2017)

Looking at the configuration it looks like you're trying to set up a transparent Squid. Try with a 'traditional' non-transparent setup first. Once you get that working move to making it transparent.
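
An added example (the editor's, not code from SirDice, PacketMan or the original poster) that packages the two pieces of advice above: PacketMan's reading that the proxy's own requests are being fed back into the proxy, and SirDice's advice to get a plain proxy working before intercepting. The editor's reading of the posted logs is this: `ORIGINAL_DST/127.0.0.1` means Squid could not look up the intercepted connection's real destination in PF's NAT table and fell back to the socket's own local address, `127.0.0.1:3130`, so it connected straight back into its own intercept port. On FreeBSD that lookup goes through `/dev/pf`, which the squid user must be able to read. The script below emits a PF ruleset whose `rdr` is scoped to the inside interface and the LAN, checks `/dev/pf` permissions, and probes the proxy non-transparently with curl. Assumed, because the post does not say: the LAN is 192.168.50.0/24, Squid runs as group `squid`, and a plain `http_port 3128` is added alongside the intercept port; interface names and the 3130 intercept port are the post's.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions are marked "assumed".

# PF ruleset: the rdr only matches port-80 traffic arriving on the inside
# interface from LAN hosts, so Squid's own upstream fetches, which leave on
# $ext from the proxy's address, can never be redirected.
pf_rules() {
    cat <<'EOF'
ext = "bce0"
int = "bce1"
lan = "192.168.50.0/24"                 # assumed LAN prefix
tcp_ports = "{ 22, 53, 80, 443, 3128 }" # 3128 = plain proxy port (assumed)
udp_ports = "{ 53 }"

set skip on lo0
nat on $ext inet from $lan to any -> ($ext)

# Intercept only LAN clients, only on the inside interface.
rdr pass on $int inet proto tcp from $lan to any port 80 -> 127.0.0.1 port 3130

block in on $ext all
block in on $int all

pass in on $int inet proto tcp from $lan to any port $tcp_ports keep state
pass in on $int inet proto udp from $lan to any port $udp_ports
pass in on $int inet proto icmp
pass in on $ext inet proto tcp from any to ($ext) port 22 keep state
pass in on $ext inet proto icmp
# Squid's own connections to origin servers leave here, untouched by rdr.
pass out on $ext inet proto tcp from any to any port $tcp_ports keep state
pass out on $ext inet proto udp from any to any port $udp_ports
EOF
}

# Matching squid.conf listener lines: a plain proxy port to test first, and
# the intercept port bound to loopback so clients cannot reach it directly.
squid_ports() {
    cat <<'EOF'
http_port 3128
http_port 127.0.0.1:3130 intercept
EOF
}

# Is the group-read bit set in a symbolic mode string such as "crw-r-----"?
mode_group_readable() {
    case "$1" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# On the proxy host: can the squid group read /dev/pf? (FreeBSD stat -f)
check_devpf() {
    grp=${SQUID_GROUP:-squid}   # assumed group name
    [ -e /dev/pf ] || { echo "skip: no /dev/pf on this host"; return 2; }
    mode=$(stat -f '%Sp' /dev/pf)
    owner_grp=$(stat -f '%Sg' /dev/pf)
    if mode_group_readable "$mode" && [ "$owner_grp" = "$grp" ]; then
        echo "ok: /dev/pf is $mode $owner_grp"
    else
        echo "fix: /dev/pf is $mode $owner_grp; grant group read, e.g. in /etc/devfs.rules:"
        echo "     add path 'pf' mode 0640 group $grp   (assumed rule; adjust to your setup)"
        return 1
    fi
}

# Non-transparent probe from a LAN host: a 200/30x means the proxy works,
# a 403 means http_access denied it, and no "Forwarding loop" should appear.
proxy_probe() {
    command -v curl >/dev/null 2>&1 || { echo "skip: curl not installed"; return 2; }
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -x "http://${1:-192.168.50.1:3128}" "${2:-http://example.com/}"   # assumed proxy address
}

# Usage: sh squid_intercept_setup.sh [pf.conf path]
main() {
    out=${1:-/tmp/pf.conf.squid}
    pf_rules > "$out" && echo "wrote $out"
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$out" && echo "pfctl: syntax ok"; fi
    squid_ports
    check_devpf || true
}
main "$@"
```

Order of work, following SirDice: load the ruleset without the `rdr` line, point a browser (or `proxy_probe`) at port 3128 and confirm pages load with no loop warnings in cache.log; then add the `rdr`, confirm `check_devpf` reports ok, and restart Squid with the intercept port.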


----------



## wolffnx (Aug 28, 2017)

SirDice said:


> Looking at the configuration it looks like you're trying to set up a transparent Squid. Try with a 'traditional' non-transparent setup first. Once you get that working move to making it transparent.



Exactly, I did that and it works, and it works in transparent mode too. I don't know how, but now it works.


----------

