Hey Antony, all… The file is where is should be: /etc/squid/squid.conf
squid -k parse returns nothing strange. To make sure, I followed your instructions of writing deny wrong (in /etc/squid/squid.conf) and ran "squid -k parse” again, and it complained: 2016/12/14 14:45:15| Processing: http_access denyl !Safe_ports 2016/12/14 14:45:15| aclParseAccessLine: /etc/squid/squid.conf line 35: http_access denyl !Safe_ports 2016/12/14 14:45:15| aclParseAccessLine: expecting 'allow' or 'deny', got 'denyl'. 2016/12/14 14:45:15| Processing: http_access deny CONNECT !SSL_ports I also commented out the line allowing skype IPs and the access log continued showing said results. I should mention that this behavior started today, when it was not happening before. additionally: find / -name squid.conf /etc/fail2ban/filter.d/squid.conf /etc/squid.bk/squid.conf /etc/squid/squid.conf find: ‘/run/user/118/gvfs’: Permission denied I am sure it is not the squid.bk/squid.conf because that has no acls defined nor configured to use squid guard to redirect pages (which currently is functioning) Any other ideas? Thank you again! Sam [cid:2FD1C3AB-E45C-49F0-84AB-0F8AC658BD11@routerb408e2.com]Piensa en el medio ambiente antes de imprimir este email. On Dec 14, 2016, at 2:11 PM, Antony Stone <antony.st...@squid.open.source.it<mailto:antony.st...@squid.open.source.it>> wrote: On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote: Thanks for your reply. Here’s the config file: http://pastebin.com/DNDacy6M eaWhere is this file located on your system? The answer to this question is needed further down my reply. I've skipped some bits to make my reply clearer... acl localnet src 10.0.0.0/24 # RFC1918 possible internal network http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access deny all http_access allow CONNECT localnet numeric_IPs Skype_UA Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard to accept that this really is the squid.conf file you're using: a) if it allows connections from IPs such as 118.89.21.244 b) if it allows *anything* to CONNECT. Please do one of the following: 1. Run "squid -k parse" and make sure it returns no errors, then introduce a deliberate error to your squid.conf file (such as mis-spelling "deny" or similar) and run "squid -k parse" again to make sure it reads the file you think it is using, and reports the error (then undo the mistake again). 2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the location on your system where your config file lives (as asked above). Assuming this returns no errors, again (as in suggestion 1) instroduce a deliberate error, re-run "squid -f /path/to/you/squid.conf -k parse" and make sure it picks up on the error. I find it hard to believe that the squid.conf you showed can produce the results you report. Please also post the output of "find / -name squid.conf" on your machine. Dovecot used its default ports: 110: pop 143: imap 995: pop3s 993: maps Postfix SMTP 587 Okay, so nothing to do with Squid, then. I just wondered whether it might have a web interface. Regards, Antony. On Dec 14, 2016, at 10:25 AM, Antony Stone wrote: On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote: Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown source IPs. All those IPs seem to be originated from China. In my config file I deny all but local net IPs 10.0.0.0/24. I suggest you show us your squid.conf (wiithout comments or blank lines) because you do not seem to have achieved restricting source IPs as intended. Here is a sample of the log: 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461 595 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993 749 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0 I am worried about spam… I would not call this spam - I would call it "people trying to abuse your proxy". is this normal? It is normal that they try. It is not normal that your access control rules allow them to get this far. if not, how can I know what is accessing squid and stop it. You don't care what is accessing it - you only care that it's coming from the outside, and that should not be allowed. Either or both of your Squid ACLs and your firewall rules need to be reviewed. NOTE: this server has a small iRedMail server installed on it. What port/s does that listen on? It is intended to be externally accessible? -- "The tofu battle I saw last weekend was quite brutal." - Marija Danute Brigita Kuncaitis Please reply to the list; please *don't* CC me. _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org<mailto:squid-users@lists.squid-cache.org> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
