A lot of questions, but thanks a million for your help. I'll try to answer them all:
Are you using the proxy in transparent mode?
No. With transparent mode the web-proxy can’t be used for secure sessions (https://), but nearly all sessions to the web are secure. So the web-proxy is from my point of view only useful with manual configuration at the clients or using WPAD with DHCP. This is the reason why I am running the proxy not in transparent mode.
Are these systems on the same subnet, firewall group or is there anything different between them other than distro?
The answer is yes for all points. The debian- and fedora-clients are running as virtual systems on the same client (I am using Qubes OS) and for the connection to IPFire they have all the same connection and therefore the same IP-address, the same subnet, the same route, the same firewall-entries.
Any differences in DNS settings between the Ubuntu and Fedora systems?
No, they are using the same DNS-server (IPFire).
Any locally installed VPN in use when experiencing this error?
No
I’m fairly sure update accelerator requires transparent proxy,
I took another look at the documentation https://wiki.ipfire.org/configuration/network/proxy/update_accelerator. There is no information on whether transparent proxy is required or not.
But I’ve tested it. There is no difference when setting the transparent mode at the web-proxy. I got the same error 403.
But I found another useful piece of information in the documentation. Update-accelerator can’t be used for https-urls. So I’ve changed all addresses for fedora mirrors (in /etc/yum.repos.d/) from https to http.
I tested it with transparent mode in the web-proxy on IPFire on and off and got in both cases again the error 403 on the client. On IPFire in the squid-access-log there is also the message with the 403 error:
/var/log/squid/access.log
TCP_DENIED/403 3870 GET http://mirrors.fedoraproject.org/metalink?repo=fedora-37&arch=x86_64 - HIER_NONE/- text/html
And also the same messages in squid-cache-log:
/var/log/squid/cache.log
Mar 26 10:28:34 squid-asnbl-helper[7505] WARN: Destination 'mirrors.fedoraproject.org' exceeds ASN diversity threshold (8 > 5), possibly Fast Flux: [3701, 15456, 16509, 21785, 22753, 36850, 54455, 61317]
Mar 26 10:28:34 squid-asnbl-helper[7505] INFO: Denying access to possible Fast Flux destination 'mirrors.fedoraproject.org'
At this point (I wrote this text in parallel while doing the tests) I recognized that the last message in the cache log says squid is denying the access to the fedora mirrors. To be sure that this isn’t done by the url-filter, I set squid-clamav and urlfilter in the web-proxy to off. After changing that, I had no more error 403. Then I activated first squid-clamav, tested, and next activated urlfilter and tested again.
Now, I can’t reproduce the error! And I can see in the squid-access-log that the rpm-files are downloaded now.
But I am now in the same configuration as at the beginning:
- IPFire: Web-Proxy is started and not in transparent mode. Squid-clamav, urlfilter and update-accelerator are all active.
- Client: In the file /etc/dnf/dnf.conf the proxy is set. But dnf update is working now on the fedora-client without error message.
strange
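
The cache.log lines quoted in the post name the component that made the deny decision, so a 403 in access.log can be attributed by matching the two logs. The following is an added example, not part of the original post and not IPFire's own code: the function names are hypothetical, the regexes assume the message shapes quoted above, and the second access.log line is constructed.

```python
import re
from urllib.parse import urlsplit

# Patterns follow the message shapes quoted in the post; other helper
# versions may word them differently (assumption).
WARN_RE = re.compile(
    r"squid-asnbl-helper\[\d+\] WARN: Destination '(?P<dest>[^']+)' exceeds ASN "
    r"diversity threshold \((?P<seen>\d+) > (?P<limit>\d+)\).*?\[(?P<asns>[\d, ]+)\]")
DENY_RE = re.compile(
    r"squid-asnbl-helper\[\d+\] INFO: Denying access to possible Fast Flux "
    r"destination '(?P<dest>[^']+)'")
ACCESS_RE = re.compile(r"TCP_DENIED/403 \d+ \S+ (?P<url>\S+)")

CACHE_SAMPLE = [  # the two cache.log lines from the post
    "Mar 26 10:28:34 squid-asnbl-helper[7505] WARN: Destination 'mirrors.fedoraproject.org' exceeds ASN diversity threshold (8 > 5), possibly Fast Flux: [3701, 15456, 16509, 21785, 22753, 36850, 54455, 61317]",
    "Mar 26 10:28:34 squid-asnbl-helper[7505] INFO: Denying access to possible Fast Flux destination 'mirrors.fedoraproject.org'",
]
ACCESS_SAMPLE = [  # first line from the post, second line constructed
    "TCP_DENIED/403 3870 GET http://mirrors.fedoraproject.org/metalink?repo=fedora-37&arch=x86_64 - HIER_NONE/- text/html",
    "TCP_DENIED/403 3900 GET http://example.invalid/ - HIER_NONE/- text/html",
]

def asnbl_denials(cache_lines):
    """Map each destination the helper denied to (seen, limit, asns), or None without a WARN line."""
    warned, denied = {}, set()
    for line in cache_lines:
        if m := WARN_RE.search(line):
            asns = [int(a) for a in m["asns"].split(",")]
            warned[m["dest"]] = (int(m["seen"]), int(m["limit"]), asns)
        elif m := DENY_RE.search(line):
            denied.add(m["dest"])
    return {dest: warned.get(dest) for dest in denied}

def explain_403s(access_lines, cache_lines):
    """Return (host, cause) for every TCP_DENIED/403 entry."""
    denials, results = asnbl_denials(cache_lines), []
    for line in access_lines:
        if not (m := ACCESS_RE.search(line)):
            continue
        url = m["url"]  # CONNECT requests log host:port instead of a full URL
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        if host not in denials:
            cause = "no asnbl-helper denial logged"
        else:
            seen, limit, _ = denials[host] or ("?", "?", [])
            cause = f"asnbl-helper: {seen} ASNs > threshold {limit}"
        results.append((host, cause))
    return results
```

Calling `explain_403s(ACCESS_SAMPLE, CACHE_SAMPLE)` separates denials logged by the ASN helper from 403s that need to be traced to another component.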