[squid-users] Squid 4.9 Client IP PTR lookup on connect

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 29 16:43:08 UTC 2019


On 30/11/19 4:49 am, Romanov Vonamor wrote:
> Hello.
>  
> I'm trying to configure Squid 4.9 in such a way that it does not perform
> a reverse IP lookup of the client at approximately every HTTP request.
> The PTR lookup happens immediately after the connection, before the HTTP
> request is even parsed.
> Any insight would be greatly appreciated.
>  

The PTR should only need to be looked up at all if something needs to
use the client FQDN. Usually that is logging. I suspect your build
auto-enabled ICAP features, which use the FQDN for icap_log.

If you do not need or plan to use ICAP features you can rebuild with
--disable-icap which should resolve this.


> Romanov
>  
> -------- 8< --------
> Log:
>  
> 2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New
> connection on FD 8
> 2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(312) acceptNext:
> connection on local=0.0.0.0:3130 remote=[::] FD 8 flags=9
> 2019/11/29 14:02:15.770 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 9
> HTTP Request
> 2019/11/29 14:02:15.770 kid1| 33,4| client_side.cc(2520) httpAccept:
> local=10.254.236.19:3130 remote=10.229.200.152:56040 FD 9 flags=1: accepted
> 2019/11/29 14:02:15.770 kid1| 35,4| fqdncache.cc(420)
> fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: Name '10.229.200.152'.
> 2019/11/29 14:02:15.771 kid1| 78,3| dns_internal.cc(1831) idnsPTRLookup:
> idnsPTRLookup: buf is 45 bytes for 10.229.200.152, id = 0x5eb3
>  
> -------- 8< --------
> [root@sls squid-4.9]# squid -v
> Squid Cache: Version 4.9
> Service Name: squid
> configure options: --enable-ltdl-convenience
>  
> -------- 8< --------
> [root@sls sls]# squid -u0 -f /etc/squid/sites/sls/sls.conf -k parse
> 2019/11/29 14:49:21| Startup: Initializing Authentication Schemes ...
> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'basic'
> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'digest'
> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'negotiate'
> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'ntlm'
> 2019/11/29 14:49:21| Startup: Initialized Authentication.
> 2019/11/29 14:49:21| aclIpParseIpData: IPv6 has not been enabled.
> 2019/11/29 14:49:21| aclIpParseIpData: IPv6 has not been enabled.
> 2019/11/29 14:49:21| Processing Configuration File:
> /etc/squid/sites/sls/sls.conf (depth 0)
> 2019/11/29 14:49:21| Processing: visible_hostname sls

> 2019/11/29 14:49:21| Processing: acl from-all src all

That is pretty pointless. "src all" is the definition of the built-in
"all" ACL. Might as well use that instead of these 'from-all' and make
it more clear that you have no restrictions on what clients can do with
your proxy.

> 2019/11/29 14:49:21| Processing: http_access deny !safe-ports
> 2019/11/29 14:49:21| Processing: http_access deny CONNECT !ssl-ports
> 2019/11/29 14:49:21| Processing: http_access allow from-all
> 2019/11/29 14:49:21| Processing: cache_log
> stdio:/proxy/logs/squid/sls/cache-sls.log


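The point made in the reply about `acl from-all src all` can be checked mechanically from `squid -k parse` output. The following Python script is an added example, not part of the original message or of Squid: it flags `http_access allow` rules that place no restriction on the client address. The sample lines are constructed, the function names are hypothetical, and only `src` ACLs are evaluated.

```python
import re

# Constructed sample of `squid -k parse` output, modelled on the quoted log.
SAMPLE = """\
2019/11/29 14:49:21| Processing: acl from-all src all
2019/11/29 14:49:21| Processing: http_access deny !safe-ports
2019/11/29 14:49:21| Processing: http_access deny CONNECT !ssl-ports
2019/11/29 14:49:21| Processing: http_access allow from-all
"""

# src values that match every client address ("all" is Squid's built-in ACL).
MATCH_ALL = {"all", "0.0.0.0/0", "::/0"}


def directives(parse_output):
    """Yield the tokens of each directive echoed after 'Processing:'."""
    for line in parse_output.splitlines():
        m = re.search(r"Processing: (\S.*)$", line)
        if m:
            yield m.group(1).split()


def unrestricted_allows(parse_output):
    """Return the http_access allow rules that any client address satisfies."""
    open_acls = {"all"}
    findings = []
    for tok in directives(parse_output):
        if tok[0] == "acl" and len(tok) >= 4 and tok[2] == "src":
            # values of one src ACL are ORed, so one match-all value is enough
            if MATCH_ALL.intersection(tok[3:]):
                open_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) >= 3:
            # ACLs on one rule are ANDed; "!name" never counts as match-all
            if all(name in open_acls for name in tok[2:]):
                if tok[1] == "allow":
                    findings.append(" ".join(tok))
                break  # first match wins: later rules are never reached
    return findings


if __name__ == "__main__":
    for rule in unrestricted_allows(SAMPLE):
        print("no client restriction:", rule)
```

Earlier `deny` rules such as `http_access deny !safe-ports` still apply before a flagged rule is reached; a finding means only that no client-address limit stands in front of the allow.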