[squid-users] HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

Alex Rousskov rousskov at measurement-factory.com
Fri Jan 25 15:16:52 UTC 2019


On 1/25/19 1:15 AM, Александр Александрович Березин wrote:

> 0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -

Looks like your http_access rules deny some (or all) CONNECT requests,
probably during SslBump step1. This is not related to your ssl_bump
rules. Examine those rules and adjust them to allow CONNECT requests you
want to allow (and deny all other CONNECT requests).


> acl test dstdomain partner.steam-api.com

I doubt this causes TCP_DENIED errors, but you may want to use an
ssl::server_name ACL instead of dstdomain.


HTH,

Alex.


> [Fri Jan 25 06:50:10 2019].516      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].530      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].537      0 192.168.50.10 TAG_NONE/403 3806
> GET https://partner.steam-api.com/ - HIER_NONE/- text/html
> [Fri Jan 25 06:50:10 2019].568      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].576      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].583      0 192.168.50.10 TAG_NONE/403 3806
> GET http://berezin:0/squid-internal-static/icons/SN.png - HIER_NONE/-
> text/html
>  
> In the browser I have an error:
>
> squid error the requested url could not be retrieved
> the following error was encountered while trying to retrieve the url
> https://208.64.202.87
>
> If I add 208.64.202.87 to acl test dstdomain,
> everything is good and I connect to partner.steam-api.com.
>
>
> But the address at the end of partner.steam-api.com can be dynamic and
> constantly changing, so I need a connection by name.
> Tell me, what is my mistake?
>  
> -- 
> With respect,
> Alexander Alexandrovich Berezin
>  
>  
> 
> 
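
A squid.conf example of the advice in the reply above, added here and not taken from either poster's configuration: http_access admits the step1 CONNECT, which in the quoted log carries only the destination IP, and the name-based decision moves to ssl_bump through an ssl::server_name ACL once the TLS ClientHello has been peeked. The "before" rules, the ACL names localnet, SSL_ports, CONNECT, step1 and allowed_sni, and the 192.168.50.0/24 range are assumptions.

```conf
# --- Before (assumed shape of the failing rules) ---------------------------
# The step1 CONNECT in the log is "CONNECT 208.64.202.87:443": there is no
# host name yet, so a dstdomain ACL holding only the name does not match and
# the request falls through to the final deny (TCP_DENIED).
#   acl test dstdomain partner.steam-api.com
#   http_access allow test
#   http_access deny all

# --- After: admit the CONNECT by source and port, decide by SNI ------------
acl localnet  src 192.168.50.0/24        # assumption: the client network
acl SSL_ports port 443
acl CONNECT   method CONNECT
acl step1     at_step SslBump1

# Matches the TLS SNI (or the CONNECT host name when the client sends one),
# so it keeps working when the server's IP address changes.
acl allowed_sni ssl::server_name partner.steam-api.com

# http_access no longer depends on the destination name.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Peek at the ClientHello to learn the SNI, tunnel the allowed name without
# decrypting it, and close every other TLS connection.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```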


