EDIT It was some interne rules on FW, sorry for the inconvenience and thanks for your advices
I have a server with Squid (2.7.STABLE9) on a Debian (Wheezy 7.1) and I add an Apache2 (2.2.22) for send PAC file to all my user.
Both are setup and works but I can't get the pac file if I'm not already connect to the Squid server (only if I use a local PAC file with FoxyProxy).
In fact, I can download the pac file if I request the IP address of the server in my browser when I setup FoxyProxy for my proxy with a local copy of the pac file. But if i didn't setuo the orixy on my browser, I have an error (ERR_CONNECTION_REFUSED on Chrome for example).
there is my /etc/squid/squid.conf
#################### SQUID CONF FILE
#################### Version 2.7.STABLE9
########################################
# AUTHENTICATE
#See http://wiki.squid-cache.org/ConfigExamples/Authenticate/
## NTLM Authentification
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
# See http://www.odrakir.com/blog/2009/11/19/integrating-squid-with-active-directory/
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
########################################
# SECURITY
forwarded_for off # Hide self.IP
httpd_suppress_version_string on # Hide squid version
#chroot on # Chroot squid deamon
debug_options ALL,1
########################################
# Acces List
#Global:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # HTTPS
acl Safe_ports port 80 8080 # HTTP(s)
acl purge method PURGE
acl CONNECT method CONNECT
acl my_lab src 172.30.24.0/24
# authentification
acl ntlm proxy_auth REQUIRED
acl user_group external ADS my_user
########################################
# HTTP_ACCES
# Default HTTP Access
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localnet
http_access allow localhost
# Hack for no popups (See: http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F )
http_access deny !ntlm all
# Check user come from right OU from AD
http_access deny !user_group all
# Allow subnet acces with HTTP ports
http_access allow my_lab Safe_ports all
# No Connect method on other port than 443
http_access deny CONNECT !SSL_ports
# At last but not the least !
http_access deny all
########################################
# HEADER_ACCESS
# http_anonymizer paranoid, see http://www.foo.be/scripts/anonymizer/squid.conf
via off # RFC2616 HTTP header Via
forwarded_for off
# return fail on some website
#header_access Allow allow all
#header_access Authorization allow all
#header_access WWW-Authenticate allow all
#header_access Proxy-Authorization allow all
#header_access Proxy-Authenticate allow all
#header_access Cache-Control allow all
#header_access Content-Encoding allow all
#header_access Content-Length allow all
#header_access Content-Type allow all
#header_access Date allow all
#header_access Expires allow all
#header_access Host allow all
#header_access If-Modified-Since allow all
#header_access Last-Modified allow all
#header_access Location allow all
#header_access Pragma allow all
#header_access Accept allow all
#header_access Accept-Charset allow all
#header_access Accept-Encoding allow all
#header_access Accept-Language allow all
#header_access Content-Language allow all
#header_access Mime-Version allow all
#header_access Retry-After allow all
#header_access Title allow all
#header_access Connection allow all
#header_access Proxy-Connection allow all
#header_access Referer allow all
#header_access All deny all
########################################
# ICP_ACCES
icp_access allow localnet
icp_access deny all
########################################
# GLOBAL SQUID CONF (port, cache, ...)
http_port 3128
icp_port 0 # 0 for diseable
htcp_port 0 # Same...
cache_mem 80 MB
cache_effective_group winbindd_priv
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 500 16 256
and /etc/apache2/sites-available/proxy
NameVirtualHost *:80
<VirtualHost 172.30.10.113:80 127.0.0.1:80>
ServerAdmin titi@tata.fr
DocumentRoot /var/www/pac
DirectoryIndex proxy.pac
<Directory /var/www/pac/>
ForceType application/x-ns-proxy-autoconfig
Options -Indexes -FollowSymLinks -MultiViews -ExecCGI
Order allow,deny
Allow from all
RedirectMatch ^/$ /proxy.pac
</Directory>
# <LimitExcept GET>
# Require ip 10.0.0.0 172.16.0.0 192.168.0.0
# </LimitExcept>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
and the /var/www/pac/proxy.pac
function FindProxyForURL(url, host)
{
// Let them go home !!
if (shExpMatch (url, "localhost*") || isInNet(host, "127.0.0.1", "255.255.255.255"))
return "DIRECT";
// See https://support.mozilla.org/sv/questions/804868#answer-166476
else if (!dnsResolve('my.domain.fr'))
return "DIRECT";
else
return "PROXY 172.30.10.113:3128";
}
I have already see this but he use Squid3 option in configuration file.
EDIT
And there is no iptables on the server Maybe I only need an iptables redirection on ip:3128 to ip:80 ?
Thanks for your help or any advice.
Best Answer
not sure if it is just a cut&paste mistake but i read:
that should be:
another thing i see missing is the exclusion of your subnet in the pac file; i would add that to the first check:
as a step to simplify your setup you may implement the proxy auto discovery: that is a simple configuration and should eliminate the need to make any client side configuration and hopefully all your issues.
regardless of the above i would remove any rewriting from your pac site (default page &
RedirectMatch
): the access to the pac file is an automated process (there are no users browsing for that file) and any rewrite or redirect is not required but adds a layer of uncertainty to any debug activity and this is not a good thing.maybe removing the redirects the actual issue/error could finally get written into some log file.