[squid-users] Squid blocking own OCSP/AIA requests

Alex Rousskov rousskov at measurement-factory.com
Tue Mar 21 14:51:04 UTC 2017


On 03/21/2017 04:35 AM, Markus Wernig wrote:
> 
> 2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -
> 2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
> 
> It appears that this is the OCSP URI for Letsencrypt certificates.
> 
> And in fact every time this is logged, a CONNECT to a https uri is
> logged that is using a Letsencrypt certificate (like e.g.
> https://letsencrypt.org).
> 
> Given that there is no client IP logged, I assume that squid is blocking
> its own outgoing OCSP request here

You are correct, but I would rephrase that to sound less masochistic:
Your http_access rules block Squid-generated requests, including
certificate download requests.


> The same seems to happen when there's no OCSP URI, but a regular AIA URI
> in the certificate:
> 
> 2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE - HIER_NONE/- text/html;charset=utf-8 -
> 2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT swisssign.net:443 - HIER_DIRECT/swisssign.net - -

I do not remember whether the new certificate downloader feature
supports both OCSP and AIA, but your triage implies that it does. Same
access rules apply to all downloader requests.


> I do have "http_access allow localhost" in squid.conf, but since there's
> no IP associated with the request, this does not seem to help.

Correct. Regular "src" ACLs and their equivalents do not match internal
requests because they have no client [IP addresses].


> Is there a way to allow these outgoing internal requests? I've looked
> through the FAQ and wiki, but couldn't find anything on the topic.

This has been discussed on squid-users, and Factory is working on a
long-term solution. Meanwhile, there is a short-term workaround that may
work for you. Search for generatedBySquid at the following URL but do
read the follow-up emails for possible problems you might face:

http://lists.squid-cache.org/pipermail/squid-users/2017-January/014224.html


HTH,

Alex.
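Added triage example, not code from this thread or from the Squid project: a small Python script that scans access-log lines shaped like the ones quoted above, flags denied requests whose client field is "-" (the Squid-generated downloader requests that no src ACL can match), pairs each with the CONNECT logged just after it, and lists the CA hostnames involved. The sample lines are constructed to match the quoted ones plus one ordinary client denial for contrast; the field order, the 2-second pairing window and the assumption that this logformat prints "-" for an absent client address are all assumptions of the example, not facts from the thread.

```python
"""Triage Squid access-log lines for requests Squid generated itself.

Added example; not code from the squid-users thread or the Squid project.
The sample lines are constructed to match the ones quoted in the thread
(plus one made-up client-originated denial) and the field order is assumed:
    date time tz duration client status bytes method url user hierarchy mime -
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log. The last line is an ordinary client denial
# (real client address present) that must NOT be reported as internal.
SAMPLE_LOG = """\
2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE - HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT swisssign.net:443 - HIER_DIRECT/swisssign.net - -
2017-03-21 10:40:00.000 +0100 000012 10.254.254.7 TCP_DENIED/403 3600 GET http://example.invalid/blocked - HIER_NONE/- text/html;charset=utf-8 -
"""


@dataclass
class Entry:
    when: datetime
    client: Optional[str]  # None when the client field is "-" (Squid-internal request)
    status: str            # e.g. "TCP_DENIED/403"
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None if it does not fit the assumed format."""
    f = line.split()
    if len(f) < 9:
        return None
    try:
        when = datetime.strptime(f"{f[0]} {f[1]} {f[2]}", "%Y-%m-%d %H:%M:%S.%f %z")
    except ValueError:
        return None
    return Entry(when=when, client=None if f[4] == "-" else f[4],
                 status=f[5], method=f[7], url=f[8])


def parse_log(text: str) -> List[Entry]:
    parsed = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in parsed if e is not None]


def is_internal(e: Entry) -> bool:
    """Squid-generated requests (the certificate downloader among them) carry
    no client address, which is why a src ACL such as 'allow localhost'
    never matches them. Assumes the logformat prints '-' for a missing client."""
    return e.client is None


def blocked_internal_fetches(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if is_internal(e) and e.status.startswith("TCP_DENIED/")]


def correlate(entries: List[Entry],
              window: timedelta = timedelta(seconds=2)) -> List[Tuple[str, Optional[str]]]:
    """Pair each blocked internal fetch with the first CONNECT logged within
    `window` after it: that is the client TLS session whose certificate chain
    triggered the OCSP/AIA download. The 2 s window is an assumption."""
    pairs: List[Tuple[str, Optional[str]]] = []
    for i, e in enumerate(entries):
        if not (is_internal(e) and e.status.startswith("TCP_DENIED/")):
            continue
        connect = next((c for c in entries[i + 1:]
                        if c.method == "CONNECT" and c.when - e.when <= window), None)
        pairs.append((e.url, connect.url if connect else None))
    return pairs


def allowlist_candidates(entries: List[Entry]) -> List[str]:
    """Hostnames of the CA URLs Squid was denied fetching: the set an admin
    would review before writing any allow rule for the downloader."""
    return sorted({urlsplit(e.url).hostname for e in blocked_internal_fetches(entries)})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for fetch, connect in correlate(log):
        print(f"blocked internal fetch {fetch} (triggered by CONNECT {connect})")
    print("CA hosts involved:", ", ".join(allowlist_candidates(log)))
```

This only triages the log; it does not change the access rules. Check your own logformat before trusting the "-" client test, since the script assumes the client address is the fifth field and is printed as "-" when absent, which is what the quoted lines show. The actual fix for the rules remains the generatedBySquid workaround Alex points to, with the caveats in that thread.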
