squid3 can't access google.com or bing.com [closed] - squid

I've a strange problem with squid3. It is normally working and I can access most web sites through the proxy. However some sites like
google.com
bing.com
just seem to get blocked, but not always. Restarting squid3 doesn't seem to help, nor does clearing the /var/spool/squid3 (cache) directory.
If I login to the machine that squid3 is running on and
wget --no-proxy google.com
then there is no problem; however, if I wget through the proxy it never responds. Most other websites are accessible, including stackoverflow.com, which I am using through the proxy right at this moment. Any idea what might be special about google.com and bing.com so that squid3 is treating them differently, and is there any setting in the squid3 conf file that might be related to such behaviour?

I had the same problem. I figured out that my problem was caused by an IPv6 connectivity issue.
Squid3 supports both IPv6 and IPv4 protocols. If your server can't connect over IPv6 and the remote server prefers IPv6, then Squid also chooses the IPv6 protocol, but since your network does not operate with IPv6, Squid cannot retrieve data like access logs.
First, to make sure the issue is the same, try IPv6 connectivity with ping.
ping6 ipv6.google.com
If ping does not respond, let's configure squid3 to prefer IPv4 by following the actions below.
Search for the line below in squid.conf:
TAG: dns_v4_first
After the lines below:
#Default:
#dns_v4_first off
add this flag:
dns_v4_first on
Then restart the Squid3 server:
service squid3 restart
Here is my access log before the fix.
1352760882.854 796 88.my.ip.108 TCP_MISS/000 0 GET http://connect.facebook.net/en_US/all.js [squiduser] DIRECT/connect.facebook.net -
1352760885.717 69 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/complete/search? [squiduser] DIRECT/www.google.com.tr -
1352760886.250 13 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/complete/search? [squiduser] DIRECT/www.google.com.tr -
1352760887.011 369 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/complete/search? [squiduser] DIRECT/www.google.com.tr -
1352760887.989 42 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/complete/search? [squiduser] DIRECT/www.google.com.tr -
1352760888.984 75 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/complete/search? [squiduser] DIRECT/www.google.com.tr -
1352760897.351 8165 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/search? [squiduser] DIRECT/www.google.com.tr -
1352761072.531 10970 88.my.ip.108 TCP_MISS/000 0 GET http://www.google-analytics.com/__utm.gif? [squiduser] DIRECT/www.google-analytics.com -
1352761072.533 10272 88.my.ip.108 TCP_MISS/000 0 GET http://apis.google.com/js/plusone.js [squiduser] DIRECT/apis.google.com -
1352761072.535 10262 88.my.ip.108 TCP_MISS/000 0 GET http://connect.facebook.net/en_US/all.js [squiduser] DIRECT/connect.facebook.net -
Here is my full squid configuration. I use squid as an anonymous proxy server.
2012/11/14 00:09:02| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2012/11/14 00:09:02| Processing: auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid.passwd
2012/11/14 00:09:02| Processing: auth_param basic children 5
2012/11/14 00:09:02| Processing: auth_param basic realm Squid proxy-caching web server
2012/11/14 00:09:02| Processing: auth_param basic credentialsttl 2 hours
2012/11/14 00:09:02| Processing: acl manager proto cache_object
2012/11/14 00:09:02| Processing: acl localhost src 127.0.0.1/32 ::1
2012/11/14 00:09:02| Processing: acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
2012/11/14 00:09:02| Processing: acl CONNECT method CONNECT
2012/11/14 00:09:02| Processing: http_access allow manager localhost
2012/11/14 00:09:02| Processing: http_access deny manager
2012/11/14 00:09:02| Processing: http_access allow localhost
2012/11/14 00:09:02| Processing: acl ncsaauth proxy_auth REQUIRED
2012/11/14 00:09:02| Processing: http_access allow ncsaauth
2012/11/14 00:09:02| Processing: http_access deny all
2012/11/14 00:09:02| Processing: http_port 8880
2012/11/14 00:09:02| Processing: coredump_dir /var/spool/squid3
2012/11/14 00:09:02| Processing: refresh_pattern ^ftp: 1440 20% 10080
2012/11/14 00:09:02| Processing: refresh_pattern ^gopher: 1440 0% 1440
2012/11/14 00:09:02| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2012/11/14 00:09:02| Processing: refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
2012/11/14 00:09:02| Processing: refresh_pattern . 0 20% 4320
2012/11/14 00:09:02| Processing: dns_v4_first on
2012/11/14 00:09:02| Processing: forwarded_for delete
2012/11/14 00:09:02| Processing: request_header_access Allow allow all
2012/11/14 00:09:02| Processing: request_header_access Authorization allow all
2012/11/14 00:09:02| Processing: request_header_access WWW-Authenticate allow all
2012/11/14 00:09:02| Processing: request_header_access Proxy-Authorization allow all
2012/11/14 00:09:02| Processing: request_header_access Proxy-Authenticate allow all
2012/11/14 00:09:02| Processing: request_header_access Cache-Control allow all
2012/11/14 00:09:02| Processing: request_header_access Content-Encoding allow all
2012/11/14 00:09:02| Processing: request_header_access Content-Length allow all
2012/11/14 00:09:02| Processing: request_header_access Content-Type allow all
2012/11/14 00:09:02| Processing: request_header_access Date allow all
2012/11/14 00:09:02| Processing: request_header_access Expires allow all
2012/11/14 00:09:02| Processing: request_header_access Host allow all
2012/11/14 00:09:02| Processing: request_header_access If-Modified-Since allow all
2012/11/14 00:09:02| Processing: request_header_access Last-Modified allow all
2012/11/14 00:09:02| Processing: request_header_access Location allow all
2012/11/14 00:09:02| Processing: request_header_access Pragma allow all
2012/11/14 00:09:02| Processing: request_header_access Accept allow all
2012/11/14 00:09:02| Processing: request_header_access Accept-Charset allow all
2012/11/14 00:09:02| Processing: request_header_access Accept-Encoding allow all
2012/11/14 00:09:02| Processing: request_header_access Accept-Language allow all
2012/11/14 00:09:02| Processing: request_header_access Content-Language allow all
2012/11/14 00:09:02| Processing: request_header_access Mime-Version allow all
2012/11/14 00:09:02| Processing: request_header_access Retry-After allow all
2012/11/14 00:09:02| Processing: request_header_access Title allow all
2012/11/14 00:09:02| Processing: request_header_access Connection allow all
2012/11/14 00:09:02| Processing: request_header_access Proxy-Connection allow all
2012/11/14 00:09:02| Processing: request_header_access User-Agent allow all
2012/11/14 00:09:02| Processing: request_header_access Cookie allow all
2012/11/14 00:09:02| Processing: request_header_access All deny all

Bear in mind that dns_v4_first on only works in newer squid3 versions.
If you run for example a debian6 server, you have squid3-3.1.6 which does not have this config switch.
For those older versions you have to edit the config line
tcp_outgoing_address SERVERIP all
Where SERVERIP is the IP of your server.
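
The access log in the first answer shows the symptom to look for: `TCP_MISS/000` with 0 bytes on `DIRECT` requests, meaning Squid never received a reply from the origin. The following is an added example, not part of the original posts, that groups such entries by destination host; the function names are hypothetical, and the last sample line is constructed for contrast while the first three are copied from the log above.

```python
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# First three lines come from the access log above; the fourth is a constructed
# successful request so the filter has something to exclude.
SAMPLE_LOG = """\
1352760882.854 796 88.my.ip.108 TCP_MISS/000 0 GET http://connect.facebook.net/en_US/all.js [squiduser] DIRECT/connect.facebook.net -
1352760897.351 8165 88.my.ip.108 TCP_MISS/000 0 GET http://www.google.com.tr/search? [squiduser] DIRECT/www.google.com.tr -
1352761072.533 10272 88.my.ip.108 TCP_MISS/000 0 GET http://apis.google.com/js/plusone.js [squiduser] DIRECT/apis.google.com -
1352761080.100 212 88.my.ip.108 TCP_MISS/200 5120 GET http://example.org/ [squiduser] DIRECT/example.org text/html
"""


def parse_line(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    if len(f) < 10:
        return None  # not a complete native-format entry
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {
        "elapsed_ms": int(f[1]),
        "result": result,
        "status": status,
        "bytes": int(f[4]),
        # CONNECT entries log host:port instead of a URL, so fall back to the peer.
        "host": urlsplit(f[6]).hostname or peer,
        "hier": hier,
    }


def stalled_hosts(log_text):
    """Return {host: (failed, total, worst_elapsed_ms)} for hosts where every
    DIRECT request ended with status 000 and 0 bytes transferred."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["hier"] != "DIRECT":
            continue
        s = stats[rec["host"]]
        s[1] += 1
        if rec["status"] == "000" and rec["bytes"] == 0:
            s[0] += 1
            s[2] = max(s[2], rec["elapsed_ms"])
    return {h: tuple(s) for h, s in stats.items() if s[0] == s[1]}


def publishes_aaaa(host):
    """True if the host resolves to at least one IPv6 address (needs live DNS)."""
    try:
        return bool(socket.getaddrinfo(host, None, socket.AF_INET6))
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for host, (failed, total, worst) in sorted(stalled_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {failed}/{total} requests got no reply, worst {worst} ms")
```

On the proxy host, running `publishes_aaaa` over the flagged hosts shows whether the stalled destinations are the ones that resolve to IPv6 addresses.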

Related

Proper way to specify port for tcp outgoing address Squid

I am trying to set up squid in order to route outgoing traffic randomly through different proxies. These are proxies I purchased from a provider, not part of my network. I need to specify a specific port for each IP address in order to connect but can't figure out the correct way to do this. I am on CentOS 8.
I've tried adding them in these ways:
tcp_outgoing_address 1.0.0.01:<port>
tcp_outgoing_address 1.0.0.01/<port>
tcp_outgoing_address 1.0.0.01 <port>
tcp_outgoing_address 1.0.0.01 ::<port>
Obviously, none of these work, and they actually prevent squid from starting. I can't seem to find any resources similar to my question online.
The only way I can get squid to start is by omitting the port entirely, like so:
tcp_outgoing_address 1.0.0.01
However, when I do this, and attempt to access any URL I receive the following squid error in the browser:
The following error was encountered while trying to retrieve the URL: http://xxxx.com/
Connection to XXX.XXX.XXX.XXX failed.
The system returned: [No Error]
Likely this is because I am not actually specifying the port that squid needs to connect to each proxy. To clarify, each proxy has a different open port, i.e. 1.0.0.01:8080, 1.0.0.02:5000 ...
ACL Random bit:
acl random1 random 1/10
acl random2 random 1/9
acl random3 random 1/8
acl random4 random 1/7
acl random5 random 1/6
acl random6 random 1/5
acl random7 random 1/4
acl random8 random 1/3
acl random9 random 1/2
tcp_outgoing_address xxx.xxx.xxx.xxx random1
tcp_outgoing_address xx.xx.xx.xxx random2
tcp_outgoing_address xx.xx.xx.xx random3
tcp_outgoing_address xx.xx.xx.xx random4
tcp_outgoing_address xx.xx.xx.xx random5
tcp_outgoing_address xx.xx.xx.xx random6
tcp_outgoing_address xx.xx.xx.xx random7
tcp_outgoing_address xx.xx.xx.xx random8
tcp_outgoing_address xx.xx.xx.xx random9
tcp_outgoing_address xx.xx.xx.xx
My config file is as follows:
# Recommended minimum configuration:
#
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src xx.xx.xx.xxx # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl client src xx.xx.xx.xxx # Home IP
http_access allow client
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
acl random1 random 1/10
acl random2 random 1/9
acl random3 random 1/8
acl random4 random 1/7
acl random5 random 1/6
acl random6 random 1/5
acl random7 random 1/4
acl random8 random 1/3
acl random9 random 1/2
tcp_outgoing_address xxx.xxx.xxx.xxx random1
tcp_outgoing_address xx.xx.xx.xxx random2
tcp_outgoing_address xx.xx.xx.xx random3
tcp_outgoing_address xx.xx.xx.xx random4
tcp_outgoing_address xx.xx.xx.xx random5
tcp_outgoing_address xx.xx.xx.xx random6
tcp_outgoing_address xx.xx.xx.xx random7
tcp_outgoing_address xx.xx.xx.xx random8
tcp_outgoing_address xx.xx.xx.xx random9
tcp_outgoing_address xx.xx.xx.xx
via off
forwarded_for off
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Essentially, my question is how do I specify the port each proxy needs to connect through, or perhaps is this somehow not necessary? If it is not, is there a reason anyone could identify why I am not able to connect to any websites with the port omitted?
You can make it like this
http_port 10000
acl port10000 localport 10000
tcp_outgoing_address xx.xx.xx.xx port10000

Basic Authentication of Squid 4.5 - /usr/lib64/squid/basic_ncsa_auth file not found

I have centos 7.6 & installed squid 4.5 on it.
sudo yum -y install squid
I followed this link for Basic Authentication.
Without authentication squid works fine.
Here is squid.conf file after adding # Basic Authentication part :
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
# http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Basic Authentication
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
# allow all requests
acl all src 0.0.0.0/0
http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Please see # Basic Authentication part.
The problem is:
The /usr/lib64/squid/basic_ncsa_auth file does not exist.
Where is that file?
How can I fix this problem, and what is the correct configuration of squid 4.5?
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
for squid v4:
yum install squid-helpers
Change the path for the basic_ncsa_auth library:
# Basic Authentication
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
for:
# Basic Authentication
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
this will work :)

Squid TCP_DENIED/403 with internal ERROR Page

I have a plain installation of new Squid and Apache2. Both are with default configuration. The server (Ubuntu 18.04) is registered on the internal DNS server like: srv1.foo.bar.
If someone is not allowed to get access to the internet, squid displays the internal error message page but without the Squid logo. I get the following error message in the log file:
TCP_DENIED/403 4187 GET http://srv1.foo.bar:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
The only thing that displayed the logo was to remark out http_access deny all. My configuration (Squid Cache: Version 3.5.27):
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3128
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl localhost src 127.0.0.1/32
acl localnet src 192.168.168.0/24
http_access allow localhost
http_access allow localnet
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Hope someone can help me. wrbrgds AxelF

Squid is giving me 403 from time to time

I have a squid server that is used by a lot of colleagues.
This is the squid config:
dns_v4_first on
# ACL Squid
external_acl_type is_user ipv4 ttl=600 negative_ttl=10 children-max=2000 %SRC /opt/acl_squid.py
# ACL PROXY Access
acl is_real_user external is_user
#acl SSL method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl SSL method CONNECT
acl CONNECT method CONNECT
acl to_ipv6 dst ipv6 # Enable IPv6
http_access deny !Safe_ports
# ACL Allow Host/Domain
http_access allow is_real_user
http_access deny !Safe_ports
http_access allow localhost
http_access deny all
# Enable IPv6
#tcp_outgoing_address ipv6_address to_ipv6
# Port
http_port 0.0.0.0:3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# Cache Off
cache deny all
# Performance tuning
maximum_object_size 1 MB
maximum_object_size_in_memory 128 KB
cache_mem 64 MB
quick_abort_min 1024 KB
quick_abort_max 2048 KB
quick_abort_pct 90
pipeline_prefetch on
shutdown_lifetime 1 second
# Log
access_log syslog:local3.info squid
The external ACL is just checking the request IP to be sure that it has access to that proxy (it's checking via API to a DB to see if the IP exists there).
The issue is that from time to time (not only me, lots of colleagues) I'm receiving 403 (access denied) for no reason.
Could you please let me know what exactly I can do in order to have access all the time with no interruption?
What I do when I'm receiving 403 is to restart the squid server, and then everything is back to normal.
Regards,
Ciprian

Config squid to show ISP external ip

I've set up a simple squid proxy to connect PCs from the internal network to the internet with a 3G modem.
I can only find settings for showing the internal client IP or not showing an IP at all.
How can I configure squid to show the external IP of the 3G modem?
The squid.conf is no more than:
acl test src 192.168.1.3
tcp_outgoing_address 10.43.19.239 test
http_access allow all
http_port 3128
Try or adjust with this:
# anonymizer options
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
