For the most part Squid is set up fine on my company's LAN, but a number of users are getting a Permission denied error message when trying to access an internal machine's html content. It is not being blocked based on any acls, but because of a file/dir permissions failure. Here is the error message:
While trying to retrieve the URL: http://192.168.3.7:7200/options/html_os_server?
The following error was encountered:
Connection Failed
The system returned:
(13) Permission denied The remote host or network may be down. Please try the request again.
Here is the corresponding entry in /var/squid/access.log:
1131375384.070 165 192.10.30.243 TCP_MISS/503 1453 GET http://192.168.3.7:7200/options/html_os_server? - NONE/- text/html
I know already that 7200 isn't in the Safe_ports acl by default, so I added 7200, and it still fails. Though opening 7200 is irrelevant because it isn't an Access Control issue. I've also added the subnet 192.168.3.0 to the list of networks allowed to access squid.
I've tried googling a combination of both the failure url for the user and the access.log entry, and came up with zilch. So my question is: what on earth is causing a permissions error when a user wants to open a webpage on an internal server?
Below are my acl configs:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255 172.16.3.30/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 7200 # NF http
acl CONNECT method CONNECT
acl Allowed_Networks src 172.16.3.0/255.255.255.0 192.10.30.0/255.255.255.0 192.168.218.0/255.255.255.0 192.168.3.0/255.255.255.0
acl Email dstdomain "/usr/local/squid/acls/email"
acl Exceptions src 172.16.3.66/255.255.255.255
# Only allow cachemgr access from localhost
#http_access allow Safe_Port
http_access allow Exceptions
#http_access allow manager localhost
#http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny Email
http_access allow Allowed_Networks
http_access deny all
miss_access allow all
# Deny requests to unknown ports
# Deny CONNECT to other than SSL ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
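As an added example (not part of the question and not Squid's own code), the Python below models Squid's first-match http_access evaluation over the acls posted above and walks the request from the access.log entry through them. It shows that the request is allowed by the Allowed_Networks line, and that the stock 1025-65535 Safe_ports range already covered port 7200 before the extra line was added, which is consistent with the failure being a connect error rather than an acl denial. The contents of the file-backed Email list are not on the page and are assumed to be empty.

```python
import ipaddress

# ACLs transcribed from the posted squid.conf; the file-backed "Email" dstdomain
# list is not on the page, so it is modelled as empty (assumption).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32", "172.16.3.30/32"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "SSL_ports": ("port", ["443", "563"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "70", "210", "1025-65535",
                            "280", "488", "591", "777", "7200"]),
    "CONNECT": ("method", ["CONNECT"]),
    "Allowed_Networks": ("src", ["172.16.3.0/24", "192.10.30.0/24",
                                 "192.168.218.0/24", "192.168.3.0/24"]),
    "Email": ("dstdomain", []),
    "Exceptions": ("src", ["172.16.3.66/32"]),
}
# http_access lines in file order (commented-out lines omitted).
HTTP_ACCESS = [r.split() for r in (
    "allow Exceptions", "deny !Safe_ports", "deny CONNECT !SSL_ports",
    "allow localhost", "deny Email", "allow Allowed_Networks",
    "deny all", "deny to_localhost")]

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":  # single ports and "lo-hi" ranges
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req["method"] in values
    return req["dst"] in values  # dstdomain: an IP literal never matches the empty list

def http_access(req, acls=ACLS, rules=HTTP_ACCESS):
    """First line whose ACLs all match wins ('!' negates); no match -> opposite of last line."""
    for i, (verdict, *terms) in enumerate(rules):
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return verdict, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# Request reconstructed from the access.log line in the question.
REQ = {"src": "192.10.30.243", "dst": "192.168.3.7", "port": 7200, "method": "GET"}

def without_explicit_7200(req=REQ):
    """Same config minus the hand-added 'acl Safe_ports port 7200' line."""
    acls = dict(ACLS)
    acls["Safe_ports"] = ("port", [v for v in ACLS["Safe_ports"][1] if v != "7200"])
    return http_access(req, acls)
```

Both http_access(REQ) and without_explicit_7200() return ('allow', 5), i.e. the request is admitted by the "http_access allow Allowed_Networks" line either way, so the 503 in the log is produced after the acl check has already passed.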