[squid-users] Reverse DNS Lookup for client IPs

Stefan Hölzle stefan at hoelzle.work
Fri Feb 12 10:29:00 UTC 2016 

Here's the requested "squid -v" output:

Squid Cache: Version 3.5.10
Service Name: squid
configure options:  '--host=x86_64-suse-linux-gnu'
'--build=x86_64-suse-linux-gnu' '--program-prefix=' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/lib' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--disable-dependency-tracking' '--disable-arch-native' '--prefix=/usr'
'--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
'--localstatedir=/var' '--libexecdir=/usr/sbin'
'--datadir=/usr/share/squid' '--libdir=/usr/lib' '--with-dl'
'--enable-storeio=aufs'
'--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads'
'--enable-removal-policies=heap,lru' '--enable-delay-pools'
'--enable-kill-parent-hack' '--with-large-files' '--enable-auth'
'--disable-auth-basic' '--disable-auth-negotiate' '--disable-auth-ntlm'
'--disable-htcp' '--enable-log-daemon-helpers=file'
'--with-default-user=squid' 'build_alias=x86_64-suse-linux-gnu'
'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF'
'LDFLAGS=-Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -O2
-Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

As I understand, all (potential) PTR lookups only lookup hostnames of
destination IPs.
I don't see any directive that triggers a PTR lookup for client (source)
IPs.
That's the problem I have: squid is doing PTR lookups for client
(source) IPs with the given configuration.


On 12.02.2016 04:40, Amos Jeffries wrote:
> On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
>> Maybe my squid.conf will help to solve this.
> Even more helpful would be your "squid -v" output.
>
>
>> I checked this configuration with "squid -k check".
>>
>> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
>> be corrected):
>>
>> #### AUTHENTICATION ####
>> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
>> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
>> auth_param digest program /opt/some_program digestauth
>> auth_param digest realm Hello
>> auth_param digest children 1 startup=1 idle=1 concurrency=500
>> auth_param digest nonce_garbage_interval 5 minutes
>> auth_param digest nonce_max_duration 30 minutes
>> auth_param digest nonce_max_count 5000
>> auth_param digest check_nonce_count off
>>
>>
>> #### ACL ####
>> acl localnet src 192.168.0.0/24
>> acl to_localnet dst 192.168.0.0/24
> Performs DNS A/AAAA resolve of the URL domain to find the set of
> possible dst-IP.
>
>> acl CONNECT_allowexceptions dstdom_regex -i some_domain$
> Performs PTR lookup of any raw-IP URL hostnames that fail to match the
> regex pattern as-is.
>
>> acl CONNECT_Safe_ports port 443
>> acl CONNECT method CONNECT
>>
>> acl snmppublic snmp_community public
>>
>> acl auth_passed proxy_auth REQUIRED
>> acl ext_name_c_passed external ext_name_c
>> acl ext_name_a_passed external ext_name_a
>>
>> # special exceptions
>> acl special_url url_regex some_regex
>> http_access deny special_url
>> deny_info 200:ERR_PAGE_NAME special_url
>>
>> # special rules
>> acl some_rule dstdom_regex -i some_regex
>> acl ext_list dstdom_regex -i "/etc/squid/file.list"
> Both perform PTR lookup of any raw-IP URL hostnames that fail to match
> the regex pattern as-is.
>
>> #### ACCESS ####
>> http_access allow manager localnet
>> http_access deny manager
>>
>> http_access allow CONNECT CONNECT_allowexceptions
>  --> Potential PTR lookup.
>
>> http_access deny CONNECT !CONNECT_Safe_ports
>> http_access deny to_localhost
>> http_access deny to_localnet
>  --> definite A/AAAA lookup.
>
>> http_access deny special_url
>> http_access deny ext_list
>  --> Potential PTR lookup.
>
>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access allow some_rule
> --> Potential PTR lookup.
>
>> # activate additional external acls
>> http_access allow ext_name_a_passed !all
>>
>> http_access deny !ext_name_c_passed
>>
>> http_access allow auth_passed
>>
>> http_access deny all
>>
>> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
>>
> <snip>
>
>> dns_v4_first on
>> client_db off
>>
>> #### IP PORT CONFIG ####
>> http_port 192.168.0.1:3456
>>
>> acl port80 localport 80
>> acl port443 localport 443
> Squid is not listening on port 443, nor do you have any "https_port
> ...intercept" that might receive that ports traffic.
>
>> http_port external_ip:80
>>
>> acl ext_ip localip external_ip
>>
>> tcp_outgoing_address external_ip ext_ip port80
>> tcp_outgoing_address external_ip ext_ip port443
>>
>> cache_mem 250 MB
>>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list