[squid-users] Reverse DNS Lookup for client IPs

Stefan Hölzle stefan at hoelzle.work
Fri Feb 12 21:15:24 UTC 2016


I have some new insight:
The following line triggers the unwanted client ip ptr lookup:

./src/client_side.cc:3590:
fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
Source package:
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.10.tar.gz

This line should only be called if Config.onoff.log_fqdn is 1.

Unfortunately Config.onoff.log_fqdn is set to 1:
squid-3.5.10 :) $ grep -rni Config.onoff.log_fqdn .
./src/format/Token.cc:507:        Config.onoff.log_fqdn = 1;
./src/client_side.cc:3081:        if (Config.onoff.log_fqdn)
./src/client_side.cc:3184:    if (Config.onoff.log_fqdn)
./src/client_side.cc:3589:    if (Config.onoff.log_fqdn)
./src/log/FormatSquidIcap.cc:34:        if (Config.onoff.log_fqdn)

Config.onoff.log_fqdn is only set to 1 if ">A" is contained in a
logformat. We only use default logformats.

There are only two configuration directives with a default logformat
%macro containing the string ">A":
url_rewrite_extras and store_id_extras

We don't use these directives.


On 2016-02-12 11:29, Stefan Hölzle wrote:
> Here's the requested "squid -v" output:
>
> Squid Cache: Version 3.5.10
> Service Name: squid
> configure options:  '--host=x86_64-suse-linux-gnu'
> '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/lib' '--sharedstatedir=/usr/com'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--disable-dependency-tracking' '--disable-arch-native' '--prefix=/usr'
> '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
> '--localstatedir=/var' '--libexecdir=/usr/sbin'
> '--datadir=/usr/share/squid' '--libdir=/usr/lib' '--with-dl'
> '--enable-storeio=aufs'
> '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads'
> '--enable-removal-policies=heap,lru' '--enable-delay-pools'
> '--enable-kill-parent-hack' '--with-large-files' '--enable-auth'
> '--disable-auth-basic' '--disable-auth-negotiate' '--disable-auth-ntlm'
> '--disable-htcp' '--enable-log-daemon-helpers=file'
> '--with-default-user=squid' 'build_alias=x86_64-suse-linux-gnu'
> 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -O2 -Wall
> -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
> -fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF'
> 'LDFLAGS=-Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -O2
> -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
> -fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF'
> 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>
> As I understand, all (potential) PTR lookups only look up hostnames of
> destination IPs.
> I don't see any directive that triggers a PTR lookup for client (source)
> IPs.
> That's the problem I have: squid is doing PTR lookups for client
> (source) IPs with the given configuration.
>
>
> On 12.02.2016 04:40, Amos Jeffries wrote:
>> On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
>>> Maybe my squid.conf will help to solve this.
>> Even more helpful would be your "squid -v" output.
>>
>>
>>> I checked this configuration with "squid -k check".
>>>
>>> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
>>> be corrected):
>>>
>>> #### AUTHENTICATION ####
>>> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
>>> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
>>> auth_param digest program /opt/some_program digestauth
>>> auth_param digest realm Hello
>>> auth_param digest children 1 startup=1 idle=1 concurrency=500
>>> auth_param digest nonce_garbage_interval 5 minutes
>>> auth_param digest nonce_max_duration 30 minutes
>>> auth_param digest nonce_max_count 5000
>>> auth_param digest check_nonce_count off
>>>
>>>
>>> #### ACL ####
>>> acl localnet src 192.168.0.0/24
>>> acl to_localnet dst 192.168.0.0/24
>> Performs DNS A/AAAA resolve of the URL domain to find the set of
>> possible dst-IP.
>>
>>> acl CONNECT_allowexceptions dstdom_regex -i some_domain$
>> Performs PTR lookup of any raw-IP URL hostnames that fail to match the
>> regex pattern as-is.
>>
>>> acl CONNECT_Safe_ports port 443
>>> acl CONNECT method CONNECT
>>>
>>> acl snmppublic snmp_community public
>>>
>>> acl auth_passed proxy_auth REQUIRED
>>> acl ext_name_c_passed external ext_name_c
>>> acl ext_name_a_passed external ext_name_a
>>>
>>> # special exceptions
>>> acl special_url url_regex some_regex
>>> http_access deny special_url
>>> deny_info 200:ERR_PAGE_NAME special_url
>>>
>>> # special rules
>>> acl some_rule dstdom_regex -i some_regex
>>> acl ext_list dstdom_regex -i "/etc/squid/file.list"
>> Both perform PTR lookup of any raw-IP URL hostnames that fail to match
>> the regex pattern as-is.
>>
>>> #### ACCESS ####
>>> http_access allow manager localnet
>>> http_access deny manager
>>>
>>> http_access allow CONNECT CONNECT_allowexceptions
>>  --> Potential PTR lookup.
>>
>>> http_access deny CONNECT !CONNECT_Safe_ports
>>> http_access deny to_localhost
>>> http_access deny to_localnet
>>  --> definite A/AAAA lookup.
>>
>>> http_access deny special_url
>>> http_access deny ext_list
>>  --> Potential PTR lookup.
>>
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> http_access allow some_rule
>> --> Potential PTR lookup.
>>
>>> # activate additional external acls
>>> http_access allow ext_name_a_passed !all
>>>
>>> http_access deny !ext_name_c_passed
>>>
>>> http_access allow auth_passed
>>>
>>> http_access deny all
>>>
>>> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
>>>
>> <snip>
>>
>>> dns_v4_first on
>>> client_db off
>>>
>>> #### IP PORT CONFIG ####
>>> http_port 192.168.0.1:3456
>>>
>>> acl port80 localport 80
>>> acl port443 localport 443
>> Squid is not listening on port 443, nor do you have any "https_port
>> ...intercept" that might receive that port's traffic.
>>
>>> http_port external_ip:80
>>>
>>> acl ext_ip localip external_ip
>>>
>>> tcp_outgoing_address external_ip ext_ip port80
>>> tcp_outgoing_address external_ip ext_ip port443
>>>
>>> cache_mem 250 MB
>>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
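A static check over squid.conf for the lookup-triggering directives identified in this thread, written here as an added example (it is not Squid code and not part of the thread); the sample configuration is constructed, the ACL-to-lookup mapping follows Amos's annotations above, and the %>A / log_fqdn relationship is the one Stefan traced in Token.cc:

```python
import re

# Constructed sample squid.conf fragment: the ACL lines from the thread plus a
# logformat and an explicit url_rewrite_extras carrying the %>A (client FQDN) token.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/24
acl to_localnet dst 192.168.0.0/24
acl CONNECT_allowexceptions dstdom_regex -i some_domain$
acl ext_list dstdom_regex -i "/etc/squid/file.list"
logformat fqdnlog %ts.%03tu %>A %Ss/%03>Hs %<st %rm %ru
url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
client_db off
"""

# ACL types and the lookup each causes, per Amos Jeffries' annotations in the thread.
ACL_LOOKUPS = {
    "dst": "A/AAAA lookup of the URL host to build the dst-IP set",
    "dstdom_regex": "PTR lookup of raw-IP URL hosts that do not match the pattern as-is",
}
# Directives whose format string may carry %>A; that token sets Config.onoff.log_fqdn,
# after which Squid PTR-resolves every client IP (the behaviour Stefan traced).
FORMAT_DIRECTIVES = {"logformat", "url_rewrite_extras", "store_id_extras"}
# %>A, possibly with flags/width between the % and the >A (e.g. %-30>A); %>a is different.
CLIENT_FQDN_TOKEN = re.compile(r"%[^%\s]*>A")
CLIENT_PTR_REASON = "%>A token sets log_fqdn: PTR lookup of every client IP"


def dns_lookup_findings(conf_text):
    """Return (line_no, directive, reason) for each line that can trigger a DNS lookup."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "acl" and len(parts) >= 3 and parts[2] in ACL_LOOKUPS:
            findings.append((n, f"acl {parts[1]} {parts[2]}", ACL_LOOKUPS[parts[2]]))
        elif directive in FORMAT_DIRECTIVES and CLIENT_FQDN_TOKEN.search(line):
            findings.append((n, directive, CLIENT_PTR_REASON))
    return findings


def client_ptr_lookups_enabled(conf_text):
    """True if any format directive would set log_fqdn (client-IP PTR lookups)."""
    return any(reason == CLIENT_PTR_REASON for _, _, reason in dns_lookup_findings(conf_text))


if __name__ == "__main__":
    for line_no, directive, reason in dns_lookup_findings(SAMPLE_CONF):
        print(f"line {line_no}: {directive}: {reason}")
```

The check only sees lines that are explicitly present in the file, so it cannot account for a %>A that Squid picks up from a built-in default format rather than from squid.conf.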