[squid-users] destination ip to splice

Alex Rousskov rousskov at measurement-factory.com
Tue May 16 01:51:50 UTC 2017


On 05/15/2017 06:40 PM, Eliezer  Croitoru wrote:
> I tried this with splice, but it just doesn't work; the requests are still being bumped.

Do you know exactly why they are being bumped? Check the debugging logs
if you do not.


> From the docs I understand that it should work on the URL destination hostname
> and not the ip of the destination hostname.

The dst ACL works on IPs (including, when necessary and allowed, on IPs
obtained from resolved domain names). In a forward-proxy configuration,
those IPs or domains are extracted from the URL. In an ssl_bump context,
that URL comes from the CONNECT request target.


> So my assumption is that it's not in the tcp socket level but the
> http hostname url-hostname level.

What is the exact CONNECT request URL when your dst ACL is being
evaluated in your ssl_bump test case? Does the ACL match? Attach the
corresponding debugging log snippet.

Alex.


> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
> Sent: Tuesday, May 16, 2017 3:31 AM
> To: Eliezer Croitoru <eliezer at ngtech.co.il>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] destination ip to splice
> 
> On 05/15/2017 06:11 PM, Eliezer  Croitoru wrote:
>> I want to [match] all localnet(10.0.0.0/8, 192.168.0.0/16...)
> 
> How about something like this, adapted from the existing localnet ACL
> definition in squid.conf.documented?
> 
>>   acl to_localnet dst 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
>>   acl to_localnet dst 10.0.0.0/8         # RFC 1918 local private network (LAN)
>>   acl to_localnet dst 100.64.0.0/10      # RFC 6598 shared address space (CGN)
>>   acl to_localnet dst 169.254.0.0/16     # RFC 3927 link-local (directly plugged)
>>   acl to_localnet dst 172.16.0.0/12      # RFC 1918 local private network (LAN)
>>   acl to_localnet dst 192.168.0.0/16     # RFC 1918 local private network (LAN)
>>   acl to_localnet dst fc00::/7           # RFC 4193 local private network range
>>   acl to_localnet dst fe80::/10          # RFC 4291 link-local (directly plugged) 
> 
> Alex.
> 

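The matching logic Alex describes above (a dst ACL evaluated against the CONNECT request target, with an IP literal used directly and a hostname resolved to its addresses first), modelled as an added Python example. This is not code from the thread or from Squid itself: the resolver table and the CONNECT request lines are constructed so it runs offline, and the policy it mirrors (`ssl_bump splice to_localnet` followed by `ssl_bump bump all`) is an assumption about what the asker's rules look like. The "match if any resolved address is in the range" behaviour is my reading of how Squid's dst ACL treats multi-address names, so treat it as an assumption too.

```python
import ipaddress
import re

# Ranges from the to_localnet ACL quoted in the thread. squid.conf writes the first one
# as 0.0.0.1-0.255.255.255; 0.0.0.0/8 covers it, and 0.0.0.0 itself is excluded below.
LOCALNET_RANGES = [
    ipaddress.ip_network("0.0.0.0/8"),        # RFC 1122 "this" network
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),    # RFC 6598 CGN
    ipaddress.ip_network("169.254.0.0/16"),   # RFC 3927 link-local
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("fc00::/7"),         # RFC 4193 ULA
    ipaddress.ip_network("fe80::/10"),        # RFC 4291 link-local
]

# Constructed stand-in for DNS (assumption: no real lookups are made here).
FAKE_DNS = {
    "intranet.example": ["10.1.2.3"],
    "www.example.com": ["93.184.216.34"],
    "dual.example": ["203.0.113.5", "192.168.1.10"],
}


def parse_connect_target(request_line):
    """Return (host, port) from a CONNECT request line in authority form.

    Handles bracketed IPv6 literals; the port defaults to 443 when absent.
    """
    m = re.match(r"^CONNECT\s+(\S+)\s+HTTP/\d\.\d$", request_line.strip())
    if not m:
        raise ValueError("not a CONNECT request line: %r" % request_line)
    authority = m.group(1)
    if authority.startswith("["):
        host, _, rest = authority[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else 443
    else:
        host, sep, port_s = authority.rpartition(":")
        if not sep:
            host, port = authority, 443
        else:
            port = int(port_s)
    return host, port


def dst_ips(host, resolver=FAKE_DNS):
    """Model what a dst ACL sees: an IP literal as-is, otherwise the resolved addresses.

    An unresolvable name yields no addresses and therefore can never match.
    """
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver.get(host, [])]


def matches_localnet(ip):
    """True if a single address falls inside one of the to_localnet ranges."""
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        return False  # the squid.conf range starts at 0.0.0.1
    return any(ip in net for net in LOCALNET_RANGES)


def to_localnet(request_line):
    """Evaluate the to_localnet dst ACL against a CONNECT request line.

    Assumption: the ACL matches if any of the destination's addresses matches.
    """
    host, _port = parse_connect_target(request_line)
    return any(matches_localnet(ip) for ip in dst_ips(host))


def ssl_bump_action(request_line):
    """Model the rule order assumed for the asker's config:
        ssl_bump splice to_localnet
        ssl_bump bump all
    Only the CONNECT target is available at this point, as Alex notes.
    """
    return "splice" if to_localnet(request_line) else "bump"


if __name__ == "__main__":
    for line in ("CONNECT 10.0.0.5:443 HTTP/1.1",
                 "CONNECT intranet.example:443 HTTP/1.1",
                 "CONNECT www.example.com:443 HTTP/1.1",
                 "CONNECT [fe80::1]:443 HTTP/1.1"):
        print("%-45s -> %s" % (line, ssl_bump_action(line)))
```

When a request is bumped that you expected to be spliced, the first thing to compare is the exact CONNECT target Squid logged against what this model would see for it: a public hostname, a name the proxy cannot resolve, or a target outside the listed ranges all fall through to `bump all`.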