[squid-users] squid 4.5, can't download certificate?

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 22 15:51:07 UTC 2019


On 1/21/19 10:52 PM, Dmitry Melekhov wrote:
> 21.01.2019 22:29, Alex Rousskov writes:
>>>> Your Squid (or some helper) appears to be adding an
>>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>>> resulting in a 404 response from that server.

>>> Is there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>>> to redirector?

>> What Squid logformat %code or url_rewrite_extras %code does that address
>> come from?

> default on my case

>> Should the corresponding request have that address? For
>> example, internally-generated requests do not have HTTP client addresses.

>> Will the redirector work if that address is sent as a "-" instead of
>> "ff...fff"?


> rejik redirector developer thinks its better to use 127.0.0.1 as squid
> address,

It sounds like you misunderstood my questions. I will detail them below.

I suspect that fff...fff comes from %>A (whether that %code comes from
the default url_rewrite_extras in your configuration is unimportant).

%>A is documented to be a client FQDN. I am not sure, and this is not
documented, but perhaps when the client IP address does not point back
to a domain name, %>A should be a client IP address.

For intermediate certificate downloading transactions, Squid does not
have a client address because those transactions are not initiated by a
client connection to Squid. They are generated internally by Squid. In
such cases, Squid should be sending a dash (-), not 127.0.0.1, not
fff...fff, not localhost, and not anything else that might be
misinterpreted as a client IP address or domain name.

I have not investigated why Squid does not send a dash, or what it would
take to fix Squid, but it is likely that this will be eventually fixed
because lying about client address is a bug. To plan the deployment of
that future fix, it may be useful to know whether the redirector you use
handles a dash value for %>A correctly. You may be able to test that by
configuring url_rewrite_extras explicitly and replacing %>A with a dash.

Alex.
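As an added illustration (not code from this thread, from Squid, or from the rejik project), here is a minimal url_rewrite_program helper in Python that parses the line Squid hands it and treats a dash, an empty field, or the ffff placeholder seen above as "no client", so it never glues the extras onto the URL and never applies per-client policy to Squid's own internally generated fetches such as intermediate certificate downloads. It assumes the default url_rewrite_extras layout ("%>a/%>A %un %>rm myip=%la myport=%lp"); the blocked host and block page are constructed sample values.

```python
import sys
from urllib.parse import urlsplit

# Assumed layout of Squid's default url_rewrite_extras (verify in your squid.conf):
#   "%>a/%>A %un %>rm myip=%la myport=%lp"
# Helper input:  [channel-ID <SP>] URL [<SP> extras]
# Helper output: [channel-ID <SP>] OK|ERR|BH [<SP> key=value ...]
POSITIONAL = ("client", "user", "method")
UNKNOWN_CLIENT = {"", "-", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"}
BLOCKED_HOSTS = {"blocked.example"}          # constructed sample policy
BLOCK_PAGE = "http://block-page.example/"     # constructed sample target

def parse_helper_line(line):
    """Split one helper request line into fields; the URL is always the first
    non-channel token, so extras can never be appended to it by accident."""
    tokens = line.strip().split()
    if not tokens:
        return None
    rec = {"channel": None}
    if tokens[0].isdigit():                   # present when concurrency=N is configured
        rec["channel"] = tokens.pop(0)
    rec["url"] = tokens.pop(0)
    positional = [t for t in tokens if "=" not in t]
    rec.update(zip(POSITIONAL, positional))
    for t in tokens:
        if "=" in t:
            key, _, value = t.partition("=")
            rec[key] = value
    client = rec.get("client", "-")           # "%>a/%>A", e.g. "-/ffff:...:ffff"
    rec["client_ip"], _, rec["client_fqdn"] = client.partition("/")
    return rec

def has_client(rec):
    """True only when Squid supplied a usable client address or name."""
    return not (rec["client_ip"] in UNKNOWN_CLIENT
                and rec["client_fqdn"] in UNKNOWN_CLIENT)

def respond(line):
    """Build the reply line for one request line."""
    rec = parse_helper_line(line)
    if rec is None:
        return "BH"                           # malformed input: report helper error
    prefix = f"{rec['channel']} " if rec["channel"] else ""
    if not has_client(rec):                   # Squid-internal fetch: pass through untouched
        return prefix + "OK"
    host = (urlsplit(rec["url"]).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return f"{prefix}OK status=302 url={BLOCK_PAGE}"
    return prefix + "OK"

if __name__ == "__main__":
    for raw in sys.stdin:                     # Squid feeds one request per line
        print(respond(raw), flush=True)
```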
