Squid Access Rules

Hello,

I have two chained SSH tunnels ending with Squid: PC > (SSH) > Server1 > (SSH) > Squid Server.
When I establish the SSH connection from the PC to Squid directly it works fine, but when I attempt the above setup I get Access Denied from Squid. In squid.conf there are only the standard ACLs defined. (For the record, if I delete "http_access deny all" it works fine.)

Any ideas?

Thanks
Jay
jiiins2 Asked:

arnold Commented:
Are you connecting over the ssh tunnel?  What IP is configured within the proxy settings of your browser?  If you are using the public IP of the squid proxy, it will see the request as coming from the public IP reflected on that system when going to http://whatismyip.com.
You do not want those who will be using your proxy to appear as though they are coming from 127.0.0.1 as that will bypass most of the restrictions.
0
 
arnold Commented:
For the connection from the server1 SSH tunnel to the Squid server, the request is seen as coming from localhost (127.0.0.1), which opens up your Squid server to remote management.
Is there a specific requirement for this type of setup?
Your SSH tunnel is 3128 on the local PC, which translates to server1:3128, which translates to server2:3128?
How is the server1 <=> server2 tunnel defined, i.e. is it open for use by all?

On the PC you have
ssh -L 3128:server1:3128 user@server1
and you have your local proxy configured to use localhost:3128

On server1
ssh -L server1:3128:server2:3128 user@server2

0
 
jiiins2 Author Commented:
Hi arnold,

Thanks for your help. There is no specific requirement for such setup. I'm a newbie and just following the guides I find around for SSH tunneling. The final objective is to let users browse the internet with more privacy... If you have any ideas to improve this I'm all ears!

As for the current configuration, it is as follows:
on the PC: ssh -L 2000:server1:2000 user@server1, proxy configured to port 2000.
on server1: ssh -L 2000:server2:3128 user@server2

I wanted to check Squid's access.log but I'm embarrassed to say I can't find it...
0

arnold Commented:
Usually it should be in /var/log/squid/access.log.
Check /etc/squid/squid.conf or /etc/init.d/squid to see whether it is altered there.
strings /usr/bin/squid | more
might also be a way to check.
It all depends on whether you installed the package or you compiled it yourself from source.

lsof -p <pid_for_squid> should tell you what and where all the open files the process has are.
You may need to use -D 2000 on server1 to share the port with all users.
Is the ssh on server1 run by a script?
/etc/rc.local that establishes this as soon as the system boots?


0
 
jiiins2 Author Commented:
I installed the standard package but I'm using a modified squid.conf, where there is no mention of access.log. /etc/init.d/squid is standard and no mention there either...
Also by using lsof I can find only cache.log and store.log.

The ssh on server1 is launched manually with the command ssh -L 2000:server2:3128 user@server2.

Thanks
Jay
0
 
arnold Commented:
Look for logformat and access_log in /etc/squid/squid.conf.
logformat defines the format of the log entries.
access_log defines where the log is.

The other issue you are running into is that your tunnel is bound to localhost.
Try
ssh -L 0.0.0.0:2000:server2:3128 user@server2 on server1.
On the PC you have to use localhost:2000 as the proxy configuration.
0
 
jiiins2 Author Commented:
Here is what I get in the access.log:

1302837901.361      0 188.XXX.XXX.138 TCP_DENIED/403 1330 GET http://www.google.com.sg/search? - NONE/- text/html

The IP belongs to Server2, where Squid runs. I added it to the localhost ACL and now it works fine. But why is Squid seeing the external IP instead of 127.0.0.1?
0
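The access.log line above is in Squid's native format. The following parser is an added example (not from the thread or from the Squid project) that summarises such lines: how many requests each client IP was denied, and which requests were logged from 127.0.0.1, the case arnold warns about, because loopback traffic matches Squid's built-in localhost ACL. The sample lines are constructed; the first mirrors the one in the post and keeps its 188.XXX.XXX.138 placeholder.

```python
import re
from collections import Counter

# Squid native access.log: ts elapsed client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample; line 1 mirrors the post, 188.XXX.XXX.138 is the post's placeholder.
SAMPLE_LOG = """\
1302837901.361      0 188.XXX.XXX.138 TCP_DENIED/403 1330 GET http://www.google.com.sg/search? - NONE/- text/html
1302837905.120     45 188.XXX.XXX.138 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1302837910.003      2 127.0.0.1 TCP_MISS/200 800 GET cache_object://localhost/info - NONE/- text/plain
1302837911.500      0 10.0.0.7 TCP_DENIED/403 1330 CONNECT mail.example.com:443 - NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Count denials per client IP and list requests that arrived from loopback.

    A request logged from 127.0.0.1 matches Squid's built-in 'localhost' ACL, so a
    tunnel terminating on loopback hands every tunnel user that ACL's privileges,
    including cache-manager access (cache_object:// URLs in Squid 2.x/3.x).
    """
    denied = Counter()
    loopback = []
    manager = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed or non-native-format lines
        if rec["code"] == "TCP_DENIED":
            denied[rec["client"]] += 1
        if rec["client"] in ("127.0.0.1", "::1"):
            loopback.append(rec["url"])
        if rec["url"].startswith("cache_object://"):
            manager.append((rec["client"], rec["url"]))
    return {"denied_by_client": denied, "loopback_requests": loopback, "manager_requests": manager}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it against the real file with `summarise(open("/var/log/squid/access.log").read())`; a non-empty manager_requests list from a client other than the admin's own host is worth investigating.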
 
jiiins2 Author Commented:
Makes sense, thanks!
0