What's Actually Happening

Squid refuses to serve the client's request. The client sees HTTP 403 Forbidden (or 407 Proxy Authentication Required when credentials are expected), and access.log records the request as TCP_DENIED.

The Error You'll See

```bash
$ curl -I -x http://proxy:3128 http://example.com

HTTP/1.1 403 Forbidden
X-Squid-Error: ERR_ACCESS_DENIED 0
```

Browser error:

```text
Access Denied
The following error was encountered while trying to retrieve the URL: http://example.com
Access Denied.
Access control configuration prevents your request from being allowed at this time.
```

Authentication error:

```text
HTTP/1.1 407 Proxy Authentication Required
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
```

Why This Happens

  1. ACL not configured - No rule allows client access
  2. Wrong ACL order - Deny rules before allow rules
  3. Authentication required - Client not authenticated
  4. Wrong client IP - IP not in allowed range
  5. URL blocked - Destination URL denied by ACL
  6. Proxy authentication failed - Invalid credentials

Step 1: Check Squid Status

```bash
# Check Squid process:
ps aux | grep squid

# Check Squid status:
systemctl status squid

# Check Squid logs:
tail -f /var/log/squid/access.log
tail -f /var/log/squid/cache.log

# Parse the configuration for errors:
squid -k parse

# Check current ACL and http_access configuration:
grep -E "acl|http_access" /etc/squid/squid.conf

# Test configuration:
squid -k check

# Debug mode (foreground, verbose output):
squid -X -d 9

# Check listening ports:
netstat -tlnp | grep 3128

# Check Squid version:
squid -v
```

Step 2: Check ACL Configuration

```bash
# View ACL definitions:
grep "^acl" /etc/squid/squid.conf

# Common ACL types (squid.conf):
# acl localnet src 10.0.0.0/8       # RFC1918 internal
# acl localnet src 192.168.0.0/16   # RFC1918 internal
# acl localnet src 172.16.0.0/12    # RFC1918 internal
# acl localnet src 127.0.0.1/32     # localhost
# acl SSL_ports port 443
# acl Safe_ports port 80            # http
# acl Safe_ports port 21            # ftp

# View http_access rules:
grep "^http_access" /etc/squid/squid.conf

# Important: order matters! The first matching rule wins.

# Correct order example (squid.conf):
http_access allow localnet
http_access allow localhost
http_access deny all

# Check for deny before allow:
grep "http_access deny" /etc/squid/squid.conf | head -5

# Check client IP in ACL (if the client IP is 192.168.1.100):
grep "192.168" /etc/squid/squid.conf

# Add client to ACL (squid.conf):
acl allowed_clients src 192.168.1.0/24
http_access allow allowed_clients

# Apply changes:
squid -k reconfigure
```
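To see first-match evaluation concretely, here is an added example (not part of the original article) that replays Squid's `http_access` walk over two constructed config fragments which differ only in rule order. It only models `src` ACLs and `all`; the subnets and rule names are invented for the demonstration.

```bash
#!/bin/bash
# Two constructed squid.conf fragments (not real files) that differ only in
# rule order. "guests" is a subnet inside "localnet".
RULES='acl localnet src 192.168.0.0/16 10.0.0.0/8
acl guests src 192.168.50.0/24'
CONF_DENY_FIRST="$RULES
http_access deny guests
http_access allow localnet
http_access deny all"
CONF_ALLOW_FIRST="$RULES
http_access allow localnet
http_access deny guests
http_access deny all"

# Dotted-quad IPv4 -> integer.
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }

# Is address $1 inside CIDR $2 (a bare address counts as /32)?
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Does address $2 match the src ACL named $3 in config $1? "all" always
# matches; only "acl NAME src ..." lines are evaluated in this model.
acl_matches() {
  [ "$3" = all ] && return 0
  printf '%s\n' "$1" | awk -v n="$3" '$1=="acl" && $2==n && $3=="src" {for (i=4;i<=NF;i++) print $i}' |
    { while read -r cidr; do in_cidr "$2" "$cidr" && exit 0; done; exit 1; }
}

# Walk http_access lines top to bottom and print the action of the first
# rule whose ACL terms all match (Squid's first-match semantics).
squid_verdict() {
  local conf=$1 ip=$2 kw action acls a ok
  printf '%s\n' "$conf" | grep '^http_access' |
    { while read -r kw action acls; do
        ok=1
        for a in $acls; do
          case $a in
            "!"*) if acl_matches "$conf" "$ip" "${a#!}"; then ok=0; fi ;;
            *)    if ! acl_matches "$conf" "$ip" "$a"; then ok=0; fi ;;
          esac
        done
        [ $ok -eq 1 ] && { echo "$action"; exit 0; }
      done; echo deny; }   # nothing matched: unreachable with a final "deny all"
}

for ip in 192.168.50.10 192.168.1.100 203.0.113.9; do
  printf '%-14s deny-first=%s allow-first=%s\n' "$ip" \
    "$(squid_verdict "$CONF_DENY_FIRST" "$ip")" "$(squid_verdict "$CONF_ALLOW_FIRST" "$ip")"
done
```

With `allow localnet` first, the guest subnet is allowed because `localnet` already matched and the later `deny guests` is never consulted; swapping the two lines changes the verdict for 192.168.50.10 only.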

Step 3: Fix Authentication Issues

```bash
# Check if authentication is required:
grep "auth_param" /etc/squid/squid.conf

# Basic authentication config (squid.conf):
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours

# Check password file:
ls -la /etc/squid/passwd

# Create password file (-c creates it; omit -c to add further users):
htpasswd -c /etc/squid/passwd user1
htpasswd /etc/squid/passwd user2

# Check password file format:
cat /etc/squid/passwd

# ACL for authenticated users (squid.conf):
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Test authentication:
curl -x http://user:pass@proxy:3128 http://example.com

# LDAP authentication (squid.conf); -h takes a hostname, -H a full ldap:// URI:
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -b "ou=users,dc=example,dc=com" \
    -f "uid=%s" \
    -h ldap-server

# Check LDAP connectivity:
ldapsearch -x -H ldap://ldap-server -b "ou=users,dc=example,dc=com"

# Debug authentication (debug output goes to stderr):
squid -X -d 9 2>&1 | grep -i auth
```

Step 4: Fix URL Blocking

```bash
# Check URL blocking ACLs:
grep -E "url_regex|dstdom_regex|dstdomain" /etc/squid/squid.conf

# Block specific domains (squid.conf):
acl blocked_domains dstdomain .facebook.com .twitter.com
http_access deny blocked_domains

# Block URL patterns:
acl blocked_urls url_regex -i .*games.* .*social.*
http_access deny blocked_urls

# Block file types:
acl blocked_files urlpath_regex -i \.exe$ \.zip$ \.mp3$
http_access deny blocked_files

# Allow specific URLs:
acl allowed_sites dstdomain .example.com .company.com
http_access allow allowed_sites

# Check for whitelist:
acl whitelist dstdomain .allowed-site.com
http_access allow whitelist
http_access deny all

# Remove blocking if needed by commenting out the deny rule:
# http_access deny blocked_domains

# Check deny_info pages:
grep "deny_info" /etc/squid/squid.conf

# Custom error page:
deny_info ERR_CUSTOM_BLOCK blocked_domains
```

Step 5: Fix Client IP Restrictions

```bash
# Check source IP ACLs:
grep "src" /etc/squid/squid.conf

# Current client IP: get it from access.log or from the client machine

# Add client subnet (squid.conf):
acl allowed_clients src 192.168.100.0/24
http_access allow allowed_clients

# Add individual IP:
acl specific_client src 192.168.100.50
http_access allow specific_client

# Remove IP restrictions: edit the src ACL to allow a broader range

# Check for IP spoofing: ensure the client reaches Squid from the expected source address

# Check proxy IP configuration:
grep "tcp_outgoing_address" /etc/squid/squid.conf

# Specific outgoing address:
tcp_outgoing_address 192.168.1.1 allowed_clients

# Check for reverse DNS issues: an ACL using srcdomain requires working reverse DNS

# Use src instead of srcdomain:
# acl allowed src 192.168.0.0/16   # instead of srcdomain

# Apply changes:
squid -k reconfigure
```

Step 6: Check Port Restrictions

```bash
# Check port ACLs:
grep -E "port|Safe_ports|SSL_ports" /etc/squid/squid.conf

# Standard port configuration (squid.conf):
acl SSL_ports port 443
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443             # https
acl Safe_ports port 70              # gopher
acl Safe_ports port 210             # wais
acl Safe_ports port 1025-65535      # unregistered ports

# Access rules for ports:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Add custom port:
acl Safe_ports port 8080
acl Safe_ports port 8443

# Or allow specific port:
acl custom_port port 9000
http_access allow custom_port

# Check CONNECT method restrictions:
grep "CONNECT" /etc/squid/squid.conf

# Allow CONNECT to custom SSL port. Place this after the deny rules above and
# pair it with a source ACL (e.g. localnet) so the tunnel is not open to everyone:
acl custom_ssl port 8443
http_access allow CONNECT custom_ssl localnet

# Apply changes:
squid -k reconfigure
```

Step 7: Check Time-Based ACLs

```bash
# Check time-based ACLs:
grep -E "time|ACL_time" /etc/squid/squid.conf

# Time ACL format:
# acl work_hours time MTWHF 09:00-17:00
# M=Monday, T=Tuesday, W=Wednesday, H=Thursday, F=Friday
# S=Saturday, A=Sunday

# Time-based access (squid.conf):
acl work_hours time MTWHF 09:00-17:00
http_access allow localnet work_hours
http_access deny localnet

# Check current time:
date

# Disable time restrictions if needed: comment out the time-based rules

# Allow all times:
acl all_time time SMTWHFA 00:00-24:00
http_access allow localnet all_time

# Apply changes:
squid -k reconfigure
```

Step 8: Debug Access Denied

```bash
# Enable debug logging (in squid.conf):
debug_options ALL,1 28,9 33,9
# Section 28 = ACL debug, section 33 = HTTP debug

# Check access log for denied requests:
grep "TCP_DENIED" /var/log/squid/access.log | tail -20

# Check specific client:
grep "192.168.1.100" /var/log/squid/access.log | grep "DENIED"

# Check specific URL:
grep "example.com" /var/log/squid/access.log | grep "DENIED"

# Real-time monitoring:
tail -f /var/log/squid/access.log | grep --line-buffered "DENIED"

# Check cache.log for ACL decisions:
grep "ACL" /var/log/squid/cache.log

# Test ACL match:
squid -k parse -X

# Trace ACL matching: add debug_options, then reload
squid -k reconfigure

# Check error pages:
ls -la /usr/share/squid/errors/

# Custom error template: edit the ERR_ACCESS_DENIED template
```
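Rather than grepping one client or URL at a time, the following added example (not from the original article) summarises every TCP_DENIED entry in a native-format access.log, separating 407 (credentials missing or rejected, Step 3) from 403 (an http_access rule matched, Steps 2, 4, 5, 6) and listing refused CONNECT ports. The log lines are constructed for the demonstration; feed the real file with `denied_summary < /var/log/squid/access.log`.

```bash
#!/bin/bash
# Constructed access.log lines in Squid's native format (not real traffic):
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG='1700000000.101    12 192.168.1.100 TCP_DENIED/403 3890 GET http://example.com/ - HIER_NONE/- text/html
1700000000.205     8 192.168.1.100 TCP_DENIED/403 3890 GET http://example.com/page - HIER_NONE/- text/html
1700000000.310    15 192.168.1.101 TCP_DENIED/407 3620 CONNECT mail.example.com:443 - HIER_NONE/- text/html
1700000000.412   230 192.168.1.102 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1700000000.520     9 192.168.50.10 TCP_DENIED/403 3890 CONNECT updates.example.com:8443 - HIER_NONE/- text/html'

# Summarise denials per client from stdin: "client status count hint", most
# frequent first. 407 = proxy_auth wanted credentials; 403 = an http_access
# deny matched (ACL order, src, dstdomain, port, time ...).
denied_summary() {
  awk '$4 ~ /^TCP_DENIED\// {
         split($4, a, "/"); n[$3 " " a[2]]++
       }
       END {
         for (k in n) {
           split(k, p, " ")
           hint = (p[2] == "407") ? "auth-required" : "http_access-deny"
           print k, n[k], hint
         }
       }' | sort -k3,3nr -k1,1
}

# Destination ports refused on CONNECT; a port missing from SSL_ports (Step 6)
# shows up here.
denied_connect_ports() {
  awk '$4 ~ /^TCP_DENIED\// && $6 == "CONNECT" { sub(/.*:/, "", $7); print $7 }' |
    sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | denied_summary
printf '%s\n' "$SAMPLE_LOG" | denied_connect_ports
```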

Step 9: Configure Proxy Properly

```bash
# Complete basic configuration (squid.conf):

# Define ACLs:
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl localnet src 172.16.0.0/12
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT method CONNECT

# Access rules (order matters!):
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Port configuration:
http_port 3128

# Cache configuration:
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 256 MB

# Logging:
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

# Apply configuration:
squid -k reconfigure

# Verify configuration:
squid -k parse
squid -k check
```

Step 10: Squid Verification Script

```bash
# Create verification script:
cat << 'EOF' > /usr/local/bin/check-squid-access.sh
#!/bin/bash

echo "=== Squid Process ==="
ps aux | grep squid | grep -v grep

echo ""
echo "=== Service Status ==="
systemctl status squid 2>/dev/null || service squid status

echo ""
echo "=== ACL Definitions ==="
grep "^acl" /etc/squid/squid.conf | head -20

echo ""
echo "=== HTTP Access Rules ==="
grep "^http_access" /etc/squid/squid.conf

echo ""
echo "=== Recent Denied Requests ==="
# -E is required for the alternation to work
grep -E "TCP_DENIED|ERR_ACCESS_DENIED" /var/log/squid/access.log 2>/dev/null | tail -10

echo ""
echo "=== Authentication Config ==="
grep "auth_param" /etc/squid/squid.conf

echo ""
echo "=== Password File ==="
ls -la /etc/squid/passwd 2>/dev/null || echo "No password file"

echo ""
echo "=== Listening Ports ==="
netstat -tlnp 2>/dev/null | grep squid || ss -tlnp | grep squid

echo ""
echo "=== Configuration Valid ==="
squid -k parse 2>&1 | tail -5

echo ""
echo "=== Test Proxy ==="
curl -x http://localhost:3128 -I http://example.com 2>&1 | head -5

echo ""
echo "=== Recommendations ==="
echo "1. Verify ACL order (allow before deny)"
echo "2. Check client IP is in allowed ACL"
echo "3. Configure authentication if required"
echo "4. Check URL is not blocked"
echo "5. Verify port is in Safe_ports"
echo "6. Enable debug logging for troubleshooting"
echo "7. Check squid.conf syntax with squid -k parse"
EOF

chmod +x /usr/local/bin/check-squid-access.sh

# Usage:
/usr/local/bin/check-squid-access.sh
```

Squid Access Denied Checklist

| Check | Expected |
|---|---|
| ACL configuration | Client IP in allowed ACL |
| ACL order | Allow rules before deny |
| Authentication | Credentials valid if required |
| Port restrictions | Port in Safe_ports |
| URL blocking | URL not in blocked list |
| Squid running | Process active |
| Configuration valid | squid -k parse passes |

Verify the Fix

```bash
# After fixing Squid access denied

# 1. Parse configuration (expect no errors)
squid -k parse

# 2. Reconfigure Squid (configuration applied)
squid -k reconfigure

# 3. Test proxy access (expect 200 OK)
curl -x http://proxy:3128 http://example.com

# 4. Check access log (expect TCP_MISS or TCP_HIT)
grep "192.168.1.100" /var/log/squid/access.log | tail -5

# 5. Monitor for denials (expect no new denials)
tail -f /var/log/squid/access.log | grep DENIED

# 6. Verify ACL matching (debug output is on stderr)
squid -X -d 9 2>&1 | grep -i "acl match"
```
