Squid 403 after upgrade from Debian 8 to Debian 9
by tiuz from LinuxQuestions.org on (#5656D)
Hello,
After upgrading from Debian 8 to Debian 9 i keep getting the following errors (taken from squid access.log)
1595683676.360 0 127.0.0.1 TCP_MISS/403 4311 GET http://linuxquestions.org/favicon.ico - HIER_NONE/- text/html
1595683676.360 1 127.0.0.1 TCP_MISS/403 4410 GET http://linuxquestions.org/favicon.ico - ORIGINAL_DST/127.0.0.1 text/htm
I checked with squid -k parse there are some warnings which i already tried while these commented out with the same result. Here is the output from squid -k parse:
2020/07/25 15:46:42| Startup: Initializing Authentication Schemes ...
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'basic'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'digest'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'negotiate'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'ntlm'
2020/07/25 15:46:42| Startup: Initialized Authentication.
2020/07/25 15:46:42| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2020/07/25 15:46:42| Processing: acl all src all
2020/07/25 15:46:42| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2020/07/25 15:46:42| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '::/0' from the ACL named 'all'
2020/07/25 15:46:42| Processing: acl manager proto cache_object
2020/07/25 15:46:42| UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.
2020/07/25 15:46:42| Processing: acl localhost src 127.0.0.1/32
2020/07/25 15:46:42| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2020/07/25 15:46:42| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2020/07/25 15:46:42| Processing: acl to_localhost dst 127.0.0.0/8
2020/07/25 15:46:42| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2020/07/25 15:46:42| Processing: acl borsti src 192.168.0.0/24
2020/07/25 15:46:42| Processing: acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
2020/07/25 15:46:42| Processing: acl SSL_ports port 443# https
2020/07/25 15:46:42| Processing: acl SSL_ports port 563# snews
2020/07/25 15:46:42| Processing: acl SSL_ports port 873# rsync
2020/07/25 15:46:42| Processing: acl Safe_ports port 80# http
2020/07/25 15:46:42| Processing: acl Safe_ports port 21# ftp
2020/07/25 15:46:42| Processing: acl Safe_ports port 443# https
2020/07/25 15:46:42| Processing: acl Safe_ports port 70# gopher
2020/07/25 15:46:42| Processing: acl Safe_ports port 210# wais
2020/07/25 15:46:42| Processing: acl Safe_ports port 1025-65535# unregistered ports
2020/07/25 15:46:42| Processing: acl Safe_ports port 280# http-mgmt
2020/07/25 15:46:42| Processing: acl Safe_ports port 488# gss-http
2020/07/25 15:46:42| Processing: acl Safe_ports port 591# filemaker
2020/07/25 15:46:42| Processing: acl Safe_ports port 777# multiling http
2020/07/25 15:46:42| Processing: acl Safe_ports port 631# cups
2020/07/25 15:46:42| Processing: acl Safe_ports port 873# rsync
2020/07/25 15:46:42| Processing: acl Safe_ports port 901# SWAT
2020/07/25 15:46:42| Processing: acl purge method PURGE
2020/07/25 15:46:42| Processing: acl CONNECT method CONNECT
2020/07/25 15:46:42| Processing: http_access allow borsti
2020/07/25 15:46:42| Processing: http_access allow manager localhost
2020/07/25 15:46:42| Processing: http_access deny manager
2020/07/25 15:46:42| Processing: http_access allow purge localhost
2020/07/25 15:46:42| Processing: http_access deny purge
2020/07/25 15:46:42| Processing: http_access deny !Safe_ports
2020/07/25 15:46:42| Processing: http_access deny CONNECT !SSL_ports
2020/07/25 15:46:42| Processing: http_access allow localhost
2020/07/25 15:46:42| Processing: http_access deny all
2020/07/25 15:46:42| Processing: icp_access allow localnet
2020/07/25 15:46:42| Processing: icp_access deny all
2020/07/25 15:46:42| Processing: http_port 127.0.0.1:3128 transparent
2020/07/25 15:46:42| Starting Authentication on port 127.0.0.1:3128
2020/07/25 15:46:42| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2020/07/25 15:46:42| Processing: access_log /var/log/squid/access.log squid
2020/07/25 15:46:42| Processing: refresh_pattern ^ftp:144020%10080
2020/07/25 15:46:42| Processing: refresh_pattern ^gopher:14400%1440
2020/07/25 15:46:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 00%0
2020/07/25 15:46:42| Processing: refresh_pattern (Release|Package(.gz)*)$020%2880
2020/07/25 15:46:42| Processing: refresh_pattern .020%4320
2020/07/25 15:46:42| Processing: acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
2020/07/25 15:46:42| Processing: acl apache rep_header Server ^Apache
2020/07/25 15:46:42| Processing: hosts_file /etc/hosts
2020/07/25 15:46:42| Processing: coredump_dir /var/spool/squid
An iptables Rule for Dansguardian is present
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
Squid is up and running listening on default port 3128
Dansguardian is up and running
I can't figure out why after the upgrade vom Debian 8 to 9 i keep getting 403 on squid, thanks for any hint / help.
After upgrading from Debian 8 to Debian 9 i keep getting the following errors (taken from squid access.log)
1595683676.360 0 127.0.0.1 TCP_MISS/403 4311 GET http://linuxquestions.org/favicon.ico - HIER_NONE/- text/html
1595683676.360 1 127.0.0.1 TCP_MISS/403 4410 GET http://linuxquestions.org/favicon.ico - ORIGINAL_DST/127.0.0.1 text/htm
I checked with squid -k parse there are some warnings which i already tried while these commented out with the same result. Here is the output from squid -k parse:
2020/07/25 15:46:42| Startup: Initializing Authentication Schemes ...
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'basic'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'digest'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'negotiate'
2020/07/25 15:46:42| Startup: Initialized Authentication Scheme 'ntlm'
2020/07/25 15:46:42| Startup: Initialized Authentication.
2020/07/25 15:46:42| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2020/07/25 15:46:42| Processing: acl all src all
2020/07/25 15:46:42| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2020/07/25 15:46:42| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '::/0' from the ACL named 'all'
2020/07/25 15:46:42| Processing: acl manager proto cache_object
2020/07/25 15:46:42| UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.
2020/07/25 15:46:42| Processing: acl localhost src 127.0.0.1/32
2020/07/25 15:46:42| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2020/07/25 15:46:42| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2020/07/25 15:46:42| Processing: acl to_localhost dst 127.0.0.0/8
2020/07/25 15:46:42| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2020/07/25 15:46:42| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2020/07/25 15:46:42| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2020/07/25 15:46:42| Processing: acl borsti src 192.168.0.0/24
2020/07/25 15:46:42| Processing: acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
2020/07/25 15:46:42| Processing: acl SSL_ports port 443# https
2020/07/25 15:46:42| Processing: acl SSL_ports port 563# snews
2020/07/25 15:46:42| Processing: acl SSL_ports port 873# rsync
2020/07/25 15:46:42| Processing: acl Safe_ports port 80# http
2020/07/25 15:46:42| Processing: acl Safe_ports port 21# ftp
2020/07/25 15:46:42| Processing: acl Safe_ports port 443# https
2020/07/25 15:46:42| Processing: acl Safe_ports port 70# gopher
2020/07/25 15:46:42| Processing: acl Safe_ports port 210# wais
2020/07/25 15:46:42| Processing: acl Safe_ports port 1025-65535# unregistered ports
2020/07/25 15:46:42| Processing: acl Safe_ports port 280# http-mgmt
2020/07/25 15:46:42| Processing: acl Safe_ports port 488# gss-http
2020/07/25 15:46:42| Processing: acl Safe_ports port 591# filemaker
2020/07/25 15:46:42| Processing: acl Safe_ports port 777# multiling http
2020/07/25 15:46:42| Processing: acl Safe_ports port 631# cups
2020/07/25 15:46:42| Processing: acl Safe_ports port 873# rsync
2020/07/25 15:46:42| Processing: acl Safe_ports port 901# SWAT
2020/07/25 15:46:42| Processing: acl purge method PURGE
2020/07/25 15:46:42| Processing: acl CONNECT method CONNECT
2020/07/25 15:46:42| Processing: http_access allow borsti
2020/07/25 15:46:42| Processing: http_access allow manager localhost
2020/07/25 15:46:42| Processing: http_access deny manager
2020/07/25 15:46:42| Processing: http_access allow purge localhost
2020/07/25 15:46:42| Processing: http_access deny purge
2020/07/25 15:46:42| Processing: http_access deny !Safe_ports
2020/07/25 15:46:42| Processing: http_access deny CONNECT !SSL_ports
2020/07/25 15:46:42| Processing: http_access allow localhost
2020/07/25 15:46:42| Processing: http_access deny all
2020/07/25 15:46:42| Processing: icp_access allow localnet
2020/07/25 15:46:42| Processing: icp_access deny all
2020/07/25 15:46:42| Processing: http_port 127.0.0.1:3128 transparent
2020/07/25 15:46:42| Starting Authentication on port 127.0.0.1:3128
2020/07/25 15:46:42| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2020/07/25 15:46:42| Processing: access_log /var/log/squid/access.log squid
2020/07/25 15:46:42| Processing: refresh_pattern ^ftp:144020%10080
2020/07/25 15:46:42| Processing: refresh_pattern ^gopher:14400%1440
2020/07/25 15:46:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 00%0
2020/07/25 15:46:42| Processing: refresh_pattern (Release|Package(.gz)*)$020%2880
2020/07/25 15:46:42| Processing: refresh_pattern .020%4320
2020/07/25 15:46:42| Processing: acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
2020/07/25 15:46:42| Processing: acl apache rep_header Server ^Apache
2020/07/25 15:46:42| Processing: hosts_file /etc/hosts
2020/07/25 15:46:42| Processing: coredump_dir /var/spool/squid
An iptables Rule for Dansguardian is present
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
Squid is up and running listening on default port 3128
Dansguardian is up and running
I can't figure out why after the upgrade vom Debian 8 to 9 i keep getting 403 on squid, thanks for any hint / help.