[squid-users] Reverse DNS Lookup for client IPs

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 12 03:40:46 UTC 2016


On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
> Maybe my squid.conf will help to solve this.

Even more helpful would be your "squid -v" output.


> I checked this configuration with "squid -k check".
> 
> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
> be corrected):
> 
> #### AUTHENTICATION ####
> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
> auth_param digest program /opt/some_program digestauth
> auth_param digest realm Hello
> auth_param digest children 1 startup=1 idle=1 concurrency=500
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 5000
> auth_param digest check_nonce_count off
> 
> 
> #### ACL ####
> acl localnet src 192.168.0.0/24
> acl to_localnet dst 192.168.0.0/24

Performs a DNS A/AAAA resolution of the URL domain to find the set of
possible dst-IPs.

> 
> acl CONNECT_allowexceptions dstdom_regex -i some_domain$

Performs PTR lookup of any raw-IP URL hostnames that fail to match the
regex pattern as-is.

> acl CONNECT_Safe_ports port 443
> acl CONNECT method CONNECT
> 
> acl snmppublic snmp_community public
> 
> acl auth_passed proxy_auth REQUIRED
> acl ext_name_c_passed external ext_name_c
> acl ext_name_a_passed external ext_name_a
> 
> # special exceptions
> acl special_url url_regex some_regex
> http_access deny special_url
> deny_info 200:ERR_PAGE_NAME special_url
> 
> # special rules
> acl some_rule dstdom_regex -i some_regex
> acl ext_list dstdom_regex -i "/etc/squid/file.list"

Both perform PTR lookup of any raw-IP URL hostnames that fail to match
the regex pattern as-is.

> 
> #### ACCESS ####
> http_access allow manager localnet
> http_access deny manager
> 
> http_access allow CONNECT CONNECT_allowexceptions

--> Potential PTR lookup.

> http_access deny CONNECT !CONNECT_Safe_ports
> http_access deny to_localhost
> http_access deny to_localnet

--> Definite A/AAAA lookup.

> http_access deny special_url
> http_access deny ext_list

--> Potential PTR lookup.

> 
> http_access allow localnet
> http_access allow localhost
> 
> http_access allow some_rule

--> Potential PTR lookup.

> 
> # activate additional external acls
> http_access allow ext_name_a_passed !all
> 
> http_access deny !ext_name_c_passed
> 
> http_access allow auth_passed
> 
> http_access deny all
> 
> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
> 

<snip>

> dns_v4_first on
> client_db off
> 
> #### IP PORT CONFIG ####
> http_port 192.168.0.1:3456
> 
> acl port80 localport 80
> acl port443 localport 443

Squid is not listening on port 443, nor do you have any "https_port
...intercept" that might receive that port's traffic.

> 
> http_port external_ip:80
> 
> acl ext_ip localip external_ip
> 
> tcp_outgoing_address external_ip ext_ip port80
> tcp_outgoing_address external_ip ext_ip port443
> 
> cache_mem 250 MB
> 


Amos
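Added example, not part of the thread or of Squid itself: a small Python checker that applies the annotations above mechanically, mapping each ACL type the thread discusses to the DNS lookup it can trigger and reporting which http_access rules reference such ACLs. The sample config is constructed from the lines quoted above and the description strings are my own wording; the mapping only covers the ACL types the thread names.

```python
# Lookups an ACL type can trigger while http_access is evaluated, as described
# in the thread: "dst" resolves the URL host forward, "dstdom_regex" may need a
# PTR lookup when the URL host is a raw IP the pattern does not match as-is.
LOOKUP_BY_ACL_TYPE = {
    "dst": "A/AAAA lookup of the URL host",
    "dstdom_regex": "potential PTR lookup of a raw-IP URL host",
}

# Constructed sample, condensed from the squid.conf quoted in the thread.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/24
acl to_localnet dst 192.168.0.0/24
acl CONNECT_allowexceptions dstdom_regex -i some_domain$
acl CONNECT method CONNECT
acl ext_list dstdom_regex -i "/etc/squid/file.list"
http_access allow manager localnet
http_access allow CONNECT CONNECT_allowexceptions
http_access deny to_localnet
http_access deny ext_list
http_access allow localnet
http_access deny all
"""


def dns_triggering_acls(conf_text):
    """Map each ACL name to the lookup its type can trigger (if any)."""
    acls = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl":
            lookup = LOOKUP_BY_ACL_TYPE.get(parts[2])
            if lookup:
                acls[parts[1]] = lookup
    return acls


def annotate_http_access(conf_text):
    """Return (http_access line, [lookups it can cause]) for every rule."""
    triggers = dns_triggering_acls(conf_text)
    result = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            # ACL names follow allow/deny; a leading "!" negates but still evaluates.
            names = [p.lstrip("!") for p in parts[2:]]
            result.append((line, [triggers[n] for n in names if n in triggers]))
    return result


if __name__ == "__main__":
    for rule, lookups in annotate_http_access(SAMPLE_CONF):
        print(rule, "-->", "; ".join(lookups) or "no DNS lookup")
```

Squid stops evaluating a rule at the first ACL that does not match, so a lookup reported for a later ACL on the same line is only potential, as in the thread's own annotations.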
