[squid-users] Using tcp_outgoing_address with ACL

Andrey K ankor2023 at gmail.com
Thu Jun 22 08:59:44 UTC 2023 

Hello, Eliezer,

I reproduced the issue in the test environment.
I configured my squid with the debug_options: ALL,1 28,9
and ran the test curl from the same proxy host:
   curl -m 4 -k --tlsv1.2 --proxy-user 'user:pass' -s -o /dev/null -w
"%{http_code}"  --proxy localhost:3131 https://archive.org

The client got the 200-response and it works fine.

In the access.log the corresponding records are:
   2023-06-22 10:59:58|    747 127.0.0.1 NONE_NONE/200/- 0 CONNECT
archive.org:443 - HIER_DIRECT/archive.org - - - -
   2023-06-22 10:59:58|    201 127.0.0.1 TCP_MISS/200/200 3833 GET
https://archive.org/ - HIER_DIRECT/archive.org text/html - - -

The cache.log is available at the link:
https://drive.google.com/file/d/12xQch5nHAzijAh4PxZV4mZzjviYX7l7B/view?usp=sharing
There are three warnings there:
   grep WARN /tmp/acl.log
   2023/06/22 10:59:57.875 kid6| WARNING: domdst_SIProxy ACL is used in
context without an HTTP request. Assuming mismatch.
   2023/06/22 10:59:57.884 kid6| WARNING: domdst_SIProxy ACL is used in
context without an HTTP request. Assuming mismatch.
   2023/06/22 10:59:58.536 kid6| WARNING: domdst_SIProxy ACL is used in
context without an HTTP request. Assuming mismatch.

The domdst_SIProxy ACL is used only to change the outgoing address for
specific domains:
   acl domdst_SIProxy  dstdomain
"/data/squid.user/etc/squid/categories/domdst_SIProxy"
   tcp_outgoing_address 10.72.235.184 domdst_SIProxy
The test URL https://archive.org is not in the domdst_SIProxy list.

Squid is configured with an SSL-Bump feature, if it matters.

I think we could ignore these warnings as squid works perfectly, but maybe
there is a workaround to suppress logs flooding?

Kind regards,
       Ankor.










пн, 12 июн. 2023 г. в 10:54, <ngtech1ltd at gmail.com>:

> Hey Ankor,
>
> There is some missing context so I would be able to reproduce this issue.
> Is this some kind of CONNECT request?
>
> If you can describe in more technical details the setup and what client
> are you using,
> Maybe couple sanitized log lines it would help to understand better the
> scenario.
>
> Eliezer
>
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf
> Of Andrey K
> Sent: Friday, June 9, 2023 10:03
> To: Squid Users <squid-users at lists.squid-cache.org>; Amos Jeffries <
> squid3 at treenet.co.nz>
> Subject: [squid-users] Using tcp_outgoing_address with ACL
>
> Hello,
>
> We use the tcp_outgoing_address feature to access some hosts using a
> dedicated source IP address.
>
>    acl domdst_SIProxy  dstdomain
> "/data/squid.user/etc/squid/categories/domdst_SIProxy"
>    tcp_outgoing_address 10.72.235.129 domdst_SIProxy
>
> It works fine, but logs are flooded with warnings like this:
>    2023/06/09 08:30:07 kid2| WARNING: domdst_SIProxy ACL is used in
> context without an HTTP request. Assuming mismatch.
>
> I found a similar case:
> http://lists.squid-cache.org/pipermail/squid-users/2015-January/001629.html
> where Amos suggested using a patch as a solution.
> We have Squid Version 5.5. Is there a similar patch for our version, or
> can we just ignore these messages?
>
> Kind regards,
>        Ankor.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20230622/15868ae0/attachment-0001.htm>

More information about the squid-users mailing list