<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Maybe my squid.conf will help to solve this.<br>
I checked this configuration with "squid -k check".<br>
<br>
squid.conf (external_ip, /opt/some_program and /etc/squid/file.list
must be corrected):<br>
<br>
#### AUTHENTICATION ####<br>
external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg<br>
external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg<br>
auth_param digest program /opt/some_program digestauth<br>
auth_param digest realm Hello<br>
auth_param digest children 1 startup=1 idle=1 concurrency=500<br>
auth_param digest nonce_garbage_interval 5 minutes<br>
auth_param digest nonce_max_duration 30 minutes<br>
auth_param digest nonce_max_count 5000<br>
auth_param digest check_nonce_count off<br>
<br>
<br>
#### ACL ####<br>
acl localnet src 192.168.0.0/24<br>
acl to_localnet dst 192.168.0.0/24<br>
<br>
acl CONNECT_allowexceptions dstdom_regex -i some_domain$<br>
acl CONNECT_Safe_ports port 443<br>
acl CONNECT method CONNECT<br>
<br>
acl snmppublic snmp_community public<br>
<br>
acl auth_passed proxy_auth REQUIRED<br>
acl ext_name_c_passed external ext_name_c<br>
acl ext_name_a_passed external ext_name_a<br>
<br>
# special exceptions<br>
acl special_url url_regex some_regex<br>
http_access deny special_url<br>
deny_info 200:ERR_PAGE_NAME special_url<br>
<br>
# special rules<br>
acl some_rule dstdom_regex -i some_regex<br>
acl ext_list dstdom_regex -i "/etc/squid/file.list"<br>
<br>
<br>
#### ACCESS ####<br>
http_access allow manager localnet<br>
http_access deny manager<br>
<br>
http_access allow CONNECT CONNECT_allowexceptions<br>
http_access deny CONNECT !CONNECT_Safe_ports<br>
http_access deny to_localhost<br>
http_access deny to_localnet<br>
http_access deny special_url<br>
http_access deny ext_list<br>
<br>
http_access allow localnet<br>
http_access allow localhost<br>
<br>
http_access allow some_rule<br>
<br>
# activate additional external acls<br>
http_access allow ext_name_a_passed !all<br>
<br>
http_access deny !ext_name_c_passed<br>
<br>
http_access allow auth_passed<br>
<br>
http_access deny all<br>
<br>
deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed<br>
<br>
<br>
#### LOGS ####<br>
cache_log /var/log/squid/cache.log<br>
coredump_dir /var/log/squid<br>
strip_query_terms off<br>
error_log_languages off<br>
<br>
<br>
#### BANDWIDTH LIMITS ####<br>
delay_pools 2<br>
delay_class 1 4<br>
delay_class 2 4<br>
<br>
delay_parameters 1 -1/-1 -1/-1 -1/-1 102400/102400<br>
delay_access 1 allow !ext_name_a_passed<br>
delay_parameters 2 -1/-1 -1/-1 -1/-1 2097152/10500000<br>
delay_access 2 allow ext_name_a_passed<br>
<br>
<br>
#### CACHE ####<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern . 0 20% 4320<br>
<br>
<br>
#### ANONYMITY FILTER ####<br>
request_header_access Via deny all<br>
request_header_access X-Forwarded-For deny all<br>
<br>
#### VARIOUS ####<br>
ftp_user some_ftp_user<br>
<br>
request_header_max_size 128 KB<br>
reply_header_max_size 128 KB<br>
<br>
snmp_port 6789<br>
snmp_access allow snmppublic localnet<br>
snmp_access deny all<br>
<br>
shutdown_lifetime 2 seconds<br>
<br>
dns_v4_first on<br>
client_db off<br>
<br>
#### IP PORT CONFIG ####<br>
http_port 192.168.0.1:3456<br>
<br>
acl port80 localport 80<br>
acl port443 localport 443<br>
<br>
http_port external_ip:80<br>
<br>
acl ext_ip localip external_ip<br>
<br>
tcp_outgoing_address external_ip ext_ip port80<br>
tcp_outgoing_address external_ip ext_ip port443<br>
<br>
cache_mem 250 MB<br>
<br>
<br>
<div class="moz-cite-prefix">On 04.02.2016 16:27, Stefan Hölzle
wrote:<br>
</div>
<blockquote cite="mid:56B36DF4.3050003@hoelzle.work" type="cite">
Thanks for the hint.<br>
<br>
I switched client_db off. As expected, I don't get any report for
client_list in the cachemanager anymore.<br>
<br>
However squid still does PTR lookups.<br>
<br>
On 04.02.2016 16:09, Yuri Voinov wrote:<br>
<blockquote type="cite"># TAG: client_db on|off<br>
# If you want to disable collecting per-client statistics,<br>
# turn off client_db here.<br>
#Default:<br>
# client_db on<br>
<br>
Feel free to read squid.conf.documented before.<br>
<br>
04.02.16 21:06, Stefan Hölzle wrote:<br>
> On 04.02.2016 14:22, Amos Jeffries wrote:<br>
>> On 5/02/2016 12:41 a.m., Stefan Hölzle wrote:<br>
>>> Hello,<br>
>>><br>
>>> I'm using a squid configured as proxy.<br>
>>> According to the cache log, squid is doing a reverse dns lookup for<br>
>>> client ips:<br>
>>><br>
>>> 78,3| dns_internal.cc(1794) idnsPTRLookup: idnsPTRLookup: buf is 42<br>
>>> bytes for SOME_SOURCE_IP<br>
>>><br>
>>> I'm only using the following configuration parameters that might be<br>
>>> relevant for this issue.<br>
>>> external_acl_type<br>
>>> acl aclname src<br>
>>> acl aclname dst<br>
>>> acl aclname dstdom_regex<br>
>>> acl aclname port<br>
>>> acl aclname proxy_auth<br>
>>> acl aclname external<br>
>>> acl aclname url_regex<br>
>>><br>
>>> Any ideas why squid is doing PTR lookups anyway ?<br>
>> Because that list is incomplete.<br>
>><br>
>> The format parameters for external_acl_type, any *_extras rules for<br>
>> helper formats, and logformat rules also may make use of the client<br>
>> hostname (if any).<br>
>><br>
>> Also, anyone viewing the cachemanager clientdb report will trigger some<br>
>> as the report is generated.<br>
>><br>
>> Amos<br>
>><br>
<br>
>> _______________________________________________<br>
<br>
>> squid-users mailing list<br>
<br>
>> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<br>
>> <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
> Thanks for the quick reply Amos.<br>
<br>
> * Used formats for external_acl_type are: %LOGIN, %SRC<br>
> * There are no *_extras rules defined (store_id_extras
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="http://www.squid-cache.org/Doc/config/store_id_extras/"><http://www.squid-cache.org/Doc/config/store_id_extras/></a>,<br>
> url_rewrite_extras
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="http://www.squid-cache.org/Doc/config/url_rewrite_extras/"><http://www.squid-cache.org/Doc/config/url_rewrite_extras/></a>)<br>
> * logformat defaults are used (there should be nothing in there<br>
> responsible for a ptr lookup)<br>
<br>
> I guess it's the cachemanager then.<br>
> There are actually PTR results listed in the client_list of the<br>
> cachemanager.<br>
<br>
> I tried blocking access to the cachemanager by adding the following rule:<br>
> http_access deny manager<br>
<br>
> However, squid still does PTR lookups.<br>
> How can I prevent the clientdb reports to be generated ?<br>
<br>
</blockquote>
</blockquote>
<br>
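To check a squid.conf for the directives Amos lists as able to use the client hostname (external_acl_type formats, *_extras rules, logformat rules), the scan below is an added example, not code from this thread or from the Squid project.<br>
It assumes, from Squid's documentation rather than from this thread, that the logformat code %>A is the client FQDN and that srcdomain / srcdom_regex ACLs match on the client's name; the function name and the sample config are constructed for illustration.<br>

```python
import re

# Assumptions taken from Squid's documentation, not from this thread:
#  - srcdomain / srcdom_regex ACLs match the client's hostname (PTR lookup)
#  - the logformat code %>A (optionally with a width) is the client FQDN
CLIENT_NAME_ACL_TYPES = {"srcdomain", "srcdom_regex"}
CLIENT_FQDN_CODE = re.compile(r"%[-0-9.]*>A")
# Directives named in the thread as taking format codes.
FORMAT_DIRECTIVE = re.compile(r"^(external_acl_type|logformat|\w+_extras)$")

# Constructed sample: lines 2-4 mirror the posted config, lines 5-7 are
# hypothetical additions that would reference the client hostname.
SAMPLE_CONF = """\
# sample squid.conf fragment
external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
acl localnet src 192.168.0.0/24
acl ext_list dstdom_regex -i "/etc/squid/file.list"
acl office srcdomain .example.internal
logformat withname %>A %un %rm %ru
url_rewrite_extras "%>a %>A"
"""


def find_client_name_users(conf_text):
    """Return (line_no, directive, reason) for lines that need the client name."""
    hits = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        directive, args = tokens[0], tokens[1:]
        if directive == "acl" and len(args) >= 2 and args[1] in CLIENT_NAME_ACL_TYPES:
            hits.append((line_no, directive, args[1]))
        elif FORMAT_DIRECTIVE.match(directive):
            # Format strings may be quoted, so search inside each argument.
            if any(CLIENT_FQDN_CODE.search(arg) for arg in args):
                hits.append((line_no, directive, "%>A"))
    return hits


if __name__ == "__main__":
    for line_no, directive, reason in find_client_name_users(SAMPLE_CONF):
        print(f"line {line_no}: {directive} uses {reason}")
```

An empty result for a real config, as with the %LOGIN and %SRC formats posted above, only rules out these directives; it does not cover lookups triggered by the cachemanager clientdb report.<br>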
</body>
</html>