web-dev-qa-db-fra.com

Squid TCP_DENIED / 403 4037 Récupère http://detectportal.firefox.com/success.txt - HIER_NONE / - text / html

Je viens d'installer Squid 3.5.27 sur Ubuntu Server 18.04

user@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04 LTS
Release:        18.04
Codename:       bionic
user@ubuntu:~$ 


user@ubuntu:~$ dpkg -l | grep squid
ii  squid                                 3.5.27-1ubuntu1                    AMD64        Full featured Web Proxy cache (HTTP proxy)
ii  squid-common                          3.5.27-1ubuntu1                    all          Full featured Web Proxy cache (HTTP proxy) - common files
ii  squid-langpack                        20170901-1                         all          Localized error pages for Squid
user@ubuntu:~$ 


user@ubuntu:~$ squid -v
Squid Cache: Version 3.5.27
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid3-28YJxG/squid3-3.5.27=. -fstack-protector-strong -Wformat -Werror=format-security -Wno-error=deprecated -Wno-error=format-truncation -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-Arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid3-28YJxG/squid3-3.5.27=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid3-28YJxG/squid3-3.5.27=. -fstack-protector-strong -Wformat -Werror=format-security -Wno-error=deprecated -Wno-error=format-truncation'
user@ubuntu:~$

Malheureusement, ça ne marche pas. C'est le /var/log/squid/access.log

user@ubuntu:~$ Sudo tail -F /var/log/squid/access.log
1530545854.655      1 192.168.0.254 TCP_DENIED/403 4037 GET http://detectportal.firefox.com/success.txt - HIER_NONE/- text/html
1530545857.667      1 192.168.0.254 TCP_DENIED/403 4037 GET http://detectportal.firefox.com/success.txt - HIER_NONE/- text/html
1530545860.673      0 192.168.0.254 TCP_DENIED/403 4037 GET http://detectportal.firefox.com/success.txt - HIER_NONE/- text/html

C'est /etc/squid/squid.conf config

user@ubuntu:~$ egrep -nv '^#|^$' /etc/squid/squid.conf  
980:acl localnet src 192.168.0.0/24
982:acl SSL_ports port 443
983:acl Safe_ports port 80              # http
984:acl Safe_ports port 21              # ftp
985:acl Safe_ports port 443             # https
986:acl Safe_ports port 70              # Gopher
987:acl Safe_ports port 210             # wais
988:acl Safe_ports port 1025-65535      # unregistered ports
989:acl Safe_ports port 280             # http-mgmt
990:acl Safe_ports port 488             # gss-http
991:acl Safe_ports port 591             # filemaker
992:acl Safe_ports port 777             # multiling http
993:acl CONNECT method CONNECT
1170:http_access deny !Safe_ports
1173:http_access deny CONNECT !SSL_ports
1176:http_access allow localhost manager
1177:http_access deny manager
1192:http_access allow localhost
1195:http_access deny all
1613:http_port 3128
4256:coredump_dir /var/spool/squid
4887:refresh_pattern ^ftp:              1440    20%     10080
4888:refresh_pattern ^Gopher:   1440    0%      1440
4889:refresh_pattern -i (/cgi-bin/|\?) 0        0%      0
4890:refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
4893:refresh_pattern .          0       20%     4320
user@ubuntu:~$

Quelle est la cause du problème? Était-ce ACL?

Comment le réparer?

squid
2
Sabrina

ligne 1195 - http_access nier tout

C'est une règle fourre-tout qui va bloquer le trafic qui n'a pas été spécifiquement autorisé dans la configuration. Ce qui, s’il s’agit de l’ensemble de votre configuration, n’est rien. On dirait que vous avez une configuration de stock qui nécessitera certaines règles d'autorisation. Vous pouvez également modifier http_access refuser tout et modifier le refus pour autoriser

Si vous avez l'intention de configurer l'authentification, vous pouvez procéder comme suit:

### enforce authentication
http_access deny !auth    # deny anyone that isn't authenticated
http_access allow auth    # allow authenticated users
http_access deny all      # final catch-all that should never actually be met.

Si vous n'avez pas encore configuré l'authentification, vous avez simplement besoin de ceci:

http_access allow all
3
Joey