[squid-users] Squid 4.x: Intermediate certificates downloader

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 24 18:27:46 UTC 2017


On 01/24/2017 11:19 AM, Yuri Voinov wrote:

> It is downloads directly via proxy from localhost:

> As I understand, downloader also access via localhost, right? 

This is incorrect. Downloader does not have a concept of an HTTP client
which sends the request to Squid so "via localhost" or "via any client
source address" does not apply to Downloader transactions. In other
words, there is no client [source address] for Downloader requests.

Unfortunately, I do not know exactly what effect that lack of info has
on what ACLs (in part because there are too many of them and because
lack of info is often treated inconsistently by various ACLs). Thus, I
continue to recommend finding out which directive/ACL denied Downloader
access as the first step.

Alex.


> 25.01.2017 0:16, Alex Rousskov пишет:
>> On 01/24/2017 10:48 AM, Yuri Voinov wrote:
>>
>>> It seems 4.0.17 tries to download certs but gives deny somewhere.
>>> However, same URL with wget via same proxy works
>>> Why?
>> Most likely, your http_access or similar rules deny internal download
>> transactions but allow external ones. This is possible, for example, if
>> your access rules use client information. Internal transactions (ESI,
>> missing certificate fetching, Cache Digests, etc.) do not have an
>> associated client.
>>
>> The standard denial troubleshooting procedure applies here: Start with
>> finding out which directive/ACL denies access. I am _not_ implying that
>> this is easy to do.



More information about the squid-users mailing list