Squid running in intercept mode on same machine as browser keeps giving access denied
You will need to add localhost to the localnet definition.
acl localnet src 127.0.0.1 # localhost
acl localnet src ::1 # IPv6 localhost
Using a firewall to force transparent proxy access on localhost will require some additional parameters to ignore traffic from squid.
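As an added example (not part of the answer above or the question below), a small POSIX shell script that checks a squid.conf for the two localhost ACL entries the answer calls for and prints the nat OUTPUT rules that keep loopback traffic and Squid's own outbound connections out of the REDIRECT; it assumes Squid runs as the user `proxy` and listens on port 3128 in intercept mode, as in the question.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Squid runs as the
# "proxy" user (Debian/Ubuntu squid3 default) on port 3128 in intercept mode.

# check_localnet_acl: read a squid.conf on stdin and succeed (exit 0) only if
# the localnet ACL includes both IPv4 and IPv6 localhost, which the answer
# requires for requests originating on the proxy host itself.
check_localnet_acl() {
    acls=$(grep -E '^[[:space:]]*acl[[:space:]]+localnet[[:space:]]+src[[:space:]]')
    echo "$acls" | grep -qE '(^|[[:space:]])127\.0\.0\.1([[:space:]]|$)' || return 1
    echo "$acls" | grep -qE '(^|[[:space:]])::1([[:space:]]|$)' || return 1
    return 0
}

# redirect_rules USER PORT: print nat OUTPUT rules that send locally generated
# port-80 traffic to Squid but skip loopback traffic and Squid's own outbound
# connections. The question's single REDIRECT rule has no such exclusion, so
# Squid's upstream fetches are locally generated port-80 traffic too and get
# redirected back into Squid.
redirect_rules() {
    squid_user=${1:-proxy}
    squid_port=${2:-3128}
    cat <<EOF
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $squid_user -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
EOF
}

# Demo: the localnet lines from the question, without and with the fix.
posted='acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
printf '%s\n' "$posted" | check_localnet_acl \
    && echo "localhost present in localnet" || echo "localhost missing from localnet"
fixed="$posted
acl localnet src 127.0.0.1 # localhost
acl localnet src ::1 # IPv6 localhost"
printf '%s\n' "$fixed" | check_localnet_acl \
    && echo "localhost present in localnet" || echo "localhost missing from localnet"
echo "# rules to apply in place of the bare REDIRECT:"
redirect_rules proxy 3128
```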
Author: Flint
Updated on September 18, 2022

Comments

Flint, over 1 year ago
It's been a while since I last touched squid, and I've been sitting here for the last few hours figuring out why my squid setup on this standalone server machine (behind router NAT) fails to process any outgoing HTTP requests from the machine itself and throws access denied messages on all the requests. I think I might have overlooked something obvious here, but I can't spot it. Any idea what's wrong here?
    % egrep -v "^\s*(#|$)" /etc/squid3/squid.conf
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    http_port 3128 intercept
    coredump_dir /var/spool/squid3
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320

    % sudo iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 113 packets, 7598 bytes)
     pkts bytes target     prot opt in     out     source               destination
       25  1500 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

    Chain POSTROUTING (policy ACCEPT 138 packets, 9098 bytes)
     pkts bytes target     prot opt in     out     source               destination

    % sudo sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

    % sudo tail -f /var/log/squid3/access.log
    1427233173.711 1 192.168.0.3 TCP_MISS/403 4050 GET http://serverfault.com/favicon.ico - HIER_NONE/- text/html
    1427233173.713 4 192.168.0.3 TCP_MISS/403 4130 GET http://serverfault.com/favicon.ico - HIER_DIRECT/190.93.247.183 text/html
    1427233173.998 1 192.168.0.3 TCP_MISS/403 4082 GET http://serverfault.com/favicon.ico - HIER_NONE/- text/html
    1427233174.000 5 192.168.0.3 TCP_MISS/403 4162 GET http://serverfault.com/favicon.ico - HIER_DIRECT/190.93.247.183 text/html
    1427233189.293 1 192.168.0.3 TCP_MISS/403 4132 GET http://serverfault.com/ - HIER_NONE/- text/html
    1427233189.295 5 192.168.0.3 TCP_MISS/403 4212 GET http://serverfault.com/ - HIER_DIRECT/190.93.246.183 text/html