[squid-users] transparent proxy splice using dstdomain issue

S.Kirschner s.kirschner at afa-finanz.de
Tue Jul 7 13:54:16 UTC 2015


Amos Jeffries wrote:
> On 7/07/2015 11:45 p.m., S.Kirschner wrote:
>> I think the issue exists because the reverse lookup doesn't get the answer
>> "sparkasse.de", but why does it not use the hostname from the DNS request
>> to the DNS server?
> 
> Because Squid is not a DNS server.
> 
> The HTTP message details including URL where dstdomain comes from are
> encrypted at the time you are trying to use the dstdomain ACL.

Yes, but in pfSense a DNS server is installed, so on this host a DNS server
is running. I also tried using the Google DNS.

Here are the entries from cache.log.

With sparkasse.de in /etc/hosts:
#2015/06/19 14:03:03.907 kid1| DomainData.cc(108) match: aclMatchDomainList: checking '212.34.69.3'
#2015/06/19 14:03:03.907 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
#2015/06/19 14:03:03.908 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'sparkasse.de'
#2015/06/19 14:03:03.908 kid1| DomainData.cc(113) match: aclMatchDomainList: 'sparkasse.de' found
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: bypass = 1
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: (ssl_bump rules) = 1

Without sparkasse.de in /etc/hosts:
#2015/06/19 14:05:19.842 kid1| DomainData.cc(108) match: aclMatchDomainList: checking '212.34.69.3'
#2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
#2015/06/19 14:05:19.842 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'rev-212.34.69.3.rev.izb.net'
#2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: 'rev-212.34.69.3.rev.izb.net' NOT found
#2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: bypass = 0
#2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: (ssl_bump rule) = 0

The SSL accept error in cache.log:
#2015/06/19 14:05:19.825 kid1| Checklist.cc(61) markFinished: 0x8041b7798 answer ALLOWED for match
#2015/06/19 14:05:19.825 kid1| Checklist.cc(161) checkCallback: ACLChecklist::checkCallback: 0x8041b7798 answer=ALLOWED
#2015/06/19 14:05:19.825 kid1| client_side_request.cc(1527) sslBumpNeed: sslBump required: peek
#2015/06/19 14:05:19.825 kid1| client_side_request.cc(115) ~ClientRequestContext: 0x807468098 ClientRequestContext destructed
#2015/06/19 14:05:19.825 kid1| client_side_request.cc(1829) doCallouts: calling processRequest()
#2015/06/19 14:05:19.825 kid1| store.cc(780) storeCreatePureEntry: storeCreateEntry: '212.34.69.3:443'
#2015/06/19 14:05:19.825 kid1| MemObject.cc(97) MemObject: new MemObject 0x807567f40
#2015/06/19 14:05:19.825 kid1| store.cc(485) lock: storeCreateEntry locked key [null_store_key] e:=V/0x80755ada0*1
#2015/06/19 14:05:19.825 kid1| store_key_md5.cc(89) storeKeyPrivate: storeKeyPrivate: CONNECT 212.34.69.3:443
#2015/06/19 14:05:19.825 kid1| store.cc(449) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=IV/0x80755ada0*1 key '04808DEC55BF24579C431922F1A83DE0'
#2015/06/19 14:05:19.840 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
#2015/06/19 14:05:19.840 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.

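Editor's note, as an added example that is not part of the thread and not Squid's own code: the two traces above show exactly what dstdomain has to work with on an intercepted connection before any TLS bytes are peeked. The synthetic CONNECT is to the bare address 212.34.69.3:443, so the ACL tests the IP literal and then whatever the reverse lookup returns; the /etc/hosts entry only "works" because it forges that PTR answer to sparkasse.de. The Python below models the documented dstdomain matching rule (a bare name matches only that host, a leading-dot name matches the host and its subdomains), reproduces the splice decision for both traces, and parses a constructed copy of the log lines. The sample log, the function names and the candidate list are assumptions made for the illustration.

```python
import re

# Constructed sample, modelled on the cache.log lines quoted in the thread
# (not a live capture): dstdomain is evaluated for a CONNECT to a bare IP,
# so Squid tests the IP literal and then the name its reverse lookup returned.
SAMPLE_LOG = """\
2015/06/19 14:05:19.842 kid1| DomainData.cc(108) match: aclMatchDomainList: checking '212.34.69.3'
2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
2015/06/19 14:05:19.842 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'rev-212.34.69.3.rev.izb.net'
2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: 'rev-212.34.69.3.rev.izb.net' NOT found
2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: bypass = 0
"""

RESULT_RE = re.compile(r"aclMatchDomainList: '([^']+)' (found|NOT found)")
VERDICT_RE = re.compile(r"Acl\.cc\(\d+\) matches: checked: \(?([\w\s]+?)\)? = ([01])")


def parse_acl_trace(log: str) -> dict:
    """Pull the dstdomain candidates and the ACL verdicts out of a debug trace."""
    checks = []
    verdicts = {}
    for line in log.splitlines():
        m = RESULT_RE.search(line)
        if m:
            checks.append((m.group(1), m.group(2) == "found"))
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group(1)] = int(m.group(2))
    return {"checks": checks, "verdicts": verdicts}


def dstdomain_match(patterns, name: str) -> bool:
    """Model of Squid's dstdomain rule: 'example.com' matches only that host,
    '.example.com' matches the host and every subdomain. Case-insensitive."""
    name = name.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower().rstrip(".")
        if pat.startswith("."):
            if name == pat[1:] or name.endswith(pat):
                return True
        elif name == pat:
            return True
    return False


def intercepted_connect_candidates(dst_ip: str, ptr_name=None):
    """What dstdomain can test before the TLS handshake is peeked (assumed
    model of the trace above): the TCP destination address and, if the
    reverse lookup answers, its PTR name. The browser's hostname is not here."""
    cands = [dst_ip]
    if ptr_name:
        cands.append(ptr_name)
    return cands


def splice_decision(patterns, dst_ip, ptr_name=None):
    """Return the candidate that matched the splice ACL, or None if none did."""
    for cand in intercepted_connect_candidates(dst_ip, ptr_name):
        if dstdomain_match(patterns, cand):
            return cand
    return None


if __name__ == "__main__":
    trace = parse_acl_trace(SAMPLE_LOG)
    print("candidates tested:", trace["checks"])
    print("verdicts:", trace["verdicts"])
    # With the /etc/hosts entry the PTR answer is forged to 'sparkasse.de'
    print(splice_decision(["sparkasse.de"], "212.34.69.3", "sparkasse.de"))
    # With the real PTR record the ACL never sees the name the browser asked for
    print(splice_decision(["sparkasse.de"], "212.34.69.3", "rev-212.34.69.3.rev.izb.net"))
```

The practical reading of this: at the step where the trace logs "sslBump required: peek", the only name Squid can attach to the connection is the reverse-DNS name of the destination address, and a bank's PTR record is rarely the name its customers type. Matching on the hostname the client actually requested needs information from the TLS ClientHello, which is only available after that peek; forging the PTR answer through /etc/hosts makes the rule appear to work but is not a reliable or safe way to decide what to splice.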