Squid Transparent issue

I am facing an issue with transparent Squid where I am unable to browse to any HTTP site: yahoomail.com is not working, while https://mail.yahoo.com is working.



Please see my Squid config:



# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

acl localnet src 172.16.0.0/22 # RFC1918 possible internal network
acl localnet src 192.168.133.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

#acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports


# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 8080

http_port 8080 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320






asked Jun 7 at 9:42 by Hasan
edited Jun 7 at 9:57 by Thomas
          1 Answer
I think the reason port 443 is allowed, but port 80 isn't, is due to the deny on CONNECT connections to any port that's not in the SSL_ports acl:



          # Deny CONNECT to other than secure SSL ports
          http_access deny CONNECT !SSL_ports


Connecting through the proxy is doing a CONNECT. But you're only allowing CONNECT to ports in the SSL_ports acl, in which you have only 443.



          Try changing it to



          # Deny CONNECT to other than identified Safe ports
          http_access deny CONNECT !Safe_ports


          And see if that makes a difference.






answered Jun 7 at 15:44 by Tim Kennedy
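To see which http_access line actually decides each request, here is an added example, not code from the question, the answer or the Squid project: a small Python simulator of Squid's first-match http_access evaluation, run over the ACL and http_access lines posted above. It supports only the ACL types the posted config uses (src, port, method) plus a stand-in for the built-in manager ACL; the localhost, all and manager ACLs are written out because Squid predefines them; the client address 192.168.133.10, the outside address 10.0.0.5 and the request list are constructed. The same requests are evaluated against the posted rules and against the answer's proposed change.

```python
import ipaddress

# Constructed excerpt: the acl and http_access lines from the posted squid.conf.
# The separate "acl Safe_ports port ..." lines are collapsed onto one line, which
# Squid treats identically. localhost, all and manager are predefined by Squid;
# they are spelled out because this simulator has no built-ins of its own.
ORIGINAL_CONF = """
acl localhost src 127.0.0.0/8 ::1
acl all src 0.0.0.0/0 ::/0
acl manager manager
acl localnet src 172.16.0.0/22 # RFC1918 possible internal network
acl localnet src 192.168.133.0/24
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# The answer's proposed change: CONNECT may target any Safe_port, not only 443.
PROPOSED_CONF = ORIGINAL_CONF.replace(
    "http_access deny CONNECT !SSL_ports", "http_access deny CONNECT !Safe_ports")


def request(src, method, port, path="/"):
    """A request as the ACLs see it: client address, method, destination port, URL path."""
    return {"src": src, "method": method, "port": port, "path": path}


def parse_config(text):
    """Collect acl definitions (name -> [(type, values)]) and http_access rules in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms, line))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any definition line of the named ACL matches the request."""
    if name not in acls:
        raise ValueError(f"http_access references undefined acl {name!r}")
    for kind, values in acls[name]:
        if kind == "src":
            ip = ipaddress.ip_address(req["src"])
            # membership is False across address families, so v6 ranges never match v4 clients
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "port":
            for v in values:
                lo, _, hi = v.partition("-")            # "80" or "1025-65535"
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
        elif kind == "method":
            if req["method"].upper() in {m.upper() for m in values}:
                return True
        elif kind == "manager":                        # stand-in for Squid's built-in manager ACL
            if req["path"].startswith("/squid-internal-mgr/"):
                return True
        else:
            raise ValueError(f"acl type {kind!r} not supported by this simulator")
    return False


def decide(conf_text, req):
    """Return (action, matched_line). First http_access line whose every term matches wins;
    if none matches, Squid applies the opposite of the last line's action (matched_line None)."""
    acls, rules = parse_config(conf_text)
    for action, terms, line in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action, line
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    client = "192.168.133.10"   # constructed client inside localnet
    samples = [
        ("intercepted GET yahoomail.com:80", request(client, "GET", 80)),
        ("CONNECT mail.yahoo.com:443", request(client, "CONNECT", 443)),
        ("CONNECT host:80", request(client, "CONNECT", 80)),
        ("CONNECT host:8443", request(client, "CONNECT", 8443)),
        ("GET host:80 from 10.0.0.5", request("10.0.0.5", "GET", 80)),
    ]
    for label, req in samples:
        for name, conf in (("original", ORIGINAL_CONF), ("proposed", PROPOSED_CONF)):
            action, line = decide(conf, req)
            print(f"{label:34} {name:8} -> {action:5} via {line or '(default: opposite of last rule)'}")
```

Two things the trace makes visible that the prose does not: a plain-HTTP request intercepted on the transparent port reaches Squid as a GET, not a CONNECT, so the `deny CONNECT !SSL_ports` line never matches it and `allow localnet` decides it under both configurations; and because Safe_ports contains 1025-65535, `deny CONNECT !Safe_ports` lets every localnet client open a CONNECT tunnel to any high port, a much larger surface than 443 alone. Squid's own syntax check for an edited file is `squid -k parse`.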






















                     
