[squid-users] squid 4.5, can't download certificate?

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 22 15:51:07 UTC 2019

On 1/21/19 10:52 PM, Dmitry Melekhov wrote:
> 21.01.2019 22:29, Alex Rousskov пишет:
>>>> Your Squid (or some helper) appears to be adding an
>>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>>> resulting in a 404 response from that server.

>>> Is there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>>> to redirector?

>> What Squid logformat %code or url_rewrite_extras %code does that address
>> come from?

> default on my case

>> Should the corresponding request have that address? For
>> example, internally-generated requests do not have HTTP client addresses.

>> Will the redirector work if that address is sent as a "-" instead of
>> "ff...fff"?

> rejik redirector developer thinks its better to use as squid
> address,

It sounds like you misunderstood my questions. I will detail them below.

I suspect that fff...fff comes from %>A (whether that %code comes from
the default url_rewrite_extras in your configuration is unimportant).

%>A is documented to to be a client FQDN. I am not sure, and this is not
documented, but perhaps when the client IP address does not point back
to a domain name, %>A should be a client IP address.

For intermediate certificate downloading transactions, Squid does not
have a client address because those transactions are not initiated by a
client connection to Squid. They are generated internally by Squid. In
such cases, Squid should be sending a dash (-), not, not
fff...fff, not localhost, and not anything else that might be
misinterpreted as a client IP address or domain name.

I have not investigated why Squid does not send a dash, or what it would
take to fix Squid, but it is likely that this will be eventually fixed
because lying about client address is a bug. To plan the deployment of
that future fix, it may be useful to know whether the redirector you use
handles a dash value for %>A correctly. You may be able to test that by
configuring url_rewrite_extras explicitly and replacing %>A with a dash.


More information about the squid-users mailing list