Squid Access Rules


I have two chained SSH tunnels ending with Squid. PC > (SSH) > Server1 > (SSH) > Squid Server
When I establish the SSH connection from PC to Squid directly it works fine, but when I attempt the above setup I get the Access Denied from Squid. In squid.conf there are only the standard ACLs defined. (For the record, if I delete "http_access deny all" it works fine)

Any ideas?


With the connection from the server1 ssh tunnel to the squid server, the request is seen as coming from localhost, which opens up your squid server to remote management.
Is there a specific requirement for this type of setup?
Your ssh tunnel is 3128 on the local PC, which translates to server1:3128, which translates to server2:3128?
How is the server1 <=> server2 tunnel defined, i.e. is it open for use by all?
on the pc you have
ssh -L 3128:server1:3128 user@server1
and you have your local proxy configured to use localhost:3128

on server1
ssh -L server1:3128:server2:3128 user@server2

jiiins2 (Author) commented:
Hi arnold,

Thanks for your help. There is no specific requirement for such setup. I'm a newbie and just following the guides I find around for SSH tunneling. The final objective is to let users browse the internet with more privacy... If you have any ideas to improve this I'm all ears!

As for the current configuration, it is as follows:
on the PC: ssh -L 2000:server1:2000 user@server1, proxy configured to port 2000.
on server1: ssh -L 2000:server2:3128 user@server2

I wanted to check Squid's access.log but I'm embarrassed to say I can't find it...
usually it should be in /var/log/squid/access.log
check /etc/squid/squid.conf or /etc/init.d/squid to see whether it is altered there.
strings /usr/bin/squid | more
might also be a way to check
It all depends on whether you installed the package or compiled it yourself from source.

lsof -p <pid_for_squid> it should tell you what and where all the open files the process has are.
You may need to use -D 2000 on server1 to share the port with all users.
Is the ssh on server1 run by a script?
/etc/rc.local that establishes this as soon as the system boots?


jiiins2 (Author) commented:
I installed the standard package but I'm using a modified squid.conf, where there is no mention of access.log. /etc/init.d/squid is standard and no mention there either...
Also by using lsof I can find only cache.log and store.log.

The ssh on server1 is launched manually with the command ssh -L 2000:server2:3128 user@server2.

Look for logformat and access_log in /etc/squid/squid.conf
logformat defines the format of the log entries
access_log defines where the log is.

The other issue you are running into is that your tunnel is bound to localhost
ssh -L user@server2 on server1.
On the PC you have  to use localhost:2000 as the proxy configuration.
jiiins2 (Author) commented:
Here is what I get in the access.log:

1302837901.361      0 188.XXX.XXX.138 TCP_DENIED/403 1330 GET http://www.google.com.sg/search? - NONE/- text/html

The IP belongs to Server2, where Squid runs. I added it to the localhost ACL and now it works fine. But why is Squid seeing the external IP instead of
Are you connecting over the ssh tunnel? What IP is configured within the proxy settings of your browser? If you are using the public IP of the squid proxy, it will see the request as coming from the public IP reflected on that system when going to http://whatismyip.com.
You do not want those who will be using your proxy to appear as though they are coming from as that will bypass most of the restrictions.
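A small log check, added here as an example and not part of the thread or of Squid itself, that reads Squid native-format access.log lines like the one posted above and reports which clients are being denied and how many requests arrive from a given address. The sample lines are constructed for the example; the 188.XXX.XXX.138 address is the thread's masked value, 127.0.0.1 stands for requests that came in over the tunnel as intended, and the field positions (client address in field 3, result code in field 4) are those of Squid's default native log format.

```shell
#!/bin/sh
# Added example: summarise Squid native-format access.log lines by client
# address and result code. Not code from the thread; the log lines below are
# constructed, with 188.XXX.XXX.138 copied from the thread's masked entry.

SAMPLE_LOG=$(cat <<'EOF'
1302837901.361      0 188.XXX.XXX.138 TCP_DENIED/403 1330 GET http://www.google.com.sg/search? - NONE/- text/html
1302837905.120     12 127.0.0.1 TCP_MISS/200 5402 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1302837910.777      0 188.XXX.XXX.138 TCP_DENIED/403 1330 GET http://www.example.org/ - NONE/- text/html
1302837912.004      8 127.0.0.1 TCP_HIT/200 2210 GET http://www.example.com/logo.png - NONE/- image/png
EOF
)

# Count requests whose result field (field 4, e.g. TCP_DENIED/403) begins with $1.
count_result() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v want="$1" 'index($4, want) == 1 { n++ } END { print n + 0 }'
}

# Print "client count" for every client address that received TCP_DENIED,
# busiest client first. A client that shows up here is hitting "deny all",
# which is what the original poster saw.
denied_by_client() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '$4 ~ /^TCP_DENIED/ { c[$3]++ } END { for (ip in c) print ip, c[ip] }' |
        sort -k2,2nr
}

# Count requests whose client address (field 3) equals $1. Passing the proxy
# host's own public address tells you how many requests reached Squid on that
# address instead of on the loopback end of the ssh tunnel.
from_address() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v ip="$1" '$3 == ip { n++ } END { print n + 0 }'
}

# Usage when run directly: print the denied-client table and the two counts.
denied_by_client
printf 'denied total: %s\n' "$(count_result TCP_DENIED)"
printf 'from proxy public address: %s\n' "$(from_address 188.XXX.XXX.138)"
```

On a real system replace the constructed `SAMPLE_LOG` with the contents of the file named by `access_log` in squid.conf (normally /var/log/squid/access.log). A non-zero count from `from_address` with the proxy's public IP is the symptom discussed in this thread: the browser is reaching Squid on its public address rather than through the tunnel. Rather than adding that address to the `localhost` ACL, which is what the answer above warns against, bind Squid to the loopback with `http_port 127.0.0.1:3128` and point the PC at localhost:2000 so every request arrives from 127.0.0.1 and the standard `http_access allow localhost` / `http_access deny all` pair keeps working.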

jiiins2 (Author) commented:
Makes sense, thanks!