[squid-users] Reverse DNS Lookup for client IPs
Amos Jeffries
squid3 at treenet.co.nz
Fri Feb 12 03:40:46 UTC 2016
On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
> Maybe my squid.conf will help to solve this.
Even more helpful would be your "squid -v" output.
> I checked this configuration with "squid -k check".
>
> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
> be corrected):
>
> #### AUTHENTICATION ####
> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
> auth_param digest program /opt/some_program digestauth
> auth_param digest realm Hello
> auth_param digest children 1 startup=1 idle=1 concurrency=500
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 5000
> auth_param digest check_nonce_count off
>
>
> #### ACL ####
> acl localnet src 192.168.0.0/24
> acl to_localnet dst 192.168.0.0/24
Performs DNS A/AAAA resolve of the URL domain to find the set of
possible dst-IP.
>
> acl CONNECT_allowexceptions dstdom_regex -i some_domain$
Performs PTR lookup of any raw-IP URL hostnames that fail to match the
regex pattern as-is.
> acl CONNECT_Safe_ports port 443
> acl CONNECT method CONNECT
>
> acl snmppublic snmp_community public
>
> acl auth_passed proxy_auth REQUIRED
> acl ext_name_c_passed external ext_name_c
> acl ext_name_a_passed external ext_name_a
>
> # special exceptions
> acl special_url url_regex some_regex
> http_access deny special_url
> deny_info 200:ERR_PAGE_NAME special_url
>
> # special rules
> acl some_rule dstdom_regex -i some_regex
> acl ext_list dstdom_regex -i "/etc/squid/file.list"
Both perform PTR lookup of any raw-IP URL hostnames that fail to match
the regex pattern as-is.
>
> #### ACCESS ####
> http_access allow manager localnet
> http_access deny manager
>
> http_access allow CONNECT CONNECT_allowexceptions
--> Potential PTR lookup.
> http_access deny CONNECT !CONNECT_Safe_ports
> http_access deny to_localhost
> http_access deny to_localnet
--> Definite A/AAAA lookup.
> http_access deny special_url
> http_access deny ext_list
--> Potential PTR lookup.
>
> http_access allow localnet
> http_access allow localhost
>
> http_access allow some_rule
--> Potential PTR lookup.
>
> # activate additional external acls
> http_access allow ext_name_a_passed !all
>
> http_access deny !ext_name_c_passed
>
> http_access allow auth_passed
>
> http_access deny all
>
> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
>
<snip>
> dns_v4_first on
> client_db off
>
> #### IP PORT CONFIG ####
> http_port 192.168.0.1:3456
>
> acl port80 localport 80
> acl port443 localport 443
Squid is not listening on port 443, nor do you have any "https_port
...intercept" that might receive that port's traffic.
>
> http_port external_ip:80
>
> acl ext_ip localip external_ip
>
> tcp_outgoing_address external_ip ext_ip port80
> tcp_outgoing_address external_ip ext_ip port443
>
> cache_mem 250 MB
>
Amos
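The reasoning in this reply, that a `dst` ACL triggers an A/AAAA resolve of the URL host and a `dstdom_regex` ACL a PTR lookup for raw-IP URL hosts, can be turned into a quick static check over a squid.conf that flags which http_access lines can cause DNS traffic. This is an added example, not code from the thread or from the Squid project; the sample config and the two-entry type table are constructed from the reply above.

```python
# ACL types that make Squid resolve names while evaluating a request, as the
# reply above explains: "dst" resolves the URL host to A/AAAA records and
# "dstdom_regex" does a PTR lookup when the URL host is a raw IP address.
DNS_ACL_TYPES = {
    "dst": "definite A/AAAA lookup of the URL host",
    "dstdom_regex": "potential PTR lookup of raw-IP URL hosts",
}
# Constructed sample squid.conf, modelled on the one quoted in the thread.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/24
acl to_localnet dst 192.168.0.0/24
acl CONNECT_allowexceptions dstdom_regex -i some_domain$
acl CONNECT method CONNECT
acl ext_list dstdom_regex -i "/etc/squid/file.list"
http_access allow CONNECT CONNECT_allowexceptions
http_access deny to_localnet
http_access deny ext_list
http_access allow localnet
http_access deny all
"""

def parse_acls(conf):
    """Map each acl name to its type; other lines are skipped."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls[parts[1]] = parts[2]
    return acls

def dns_triggering_rules(conf):
    """Return (line_no, rule, [(acl, reason), ...]) per DNS-triggering rule."""
    acls = parse_acls(conf)
    findings = []
    for no, line in enumerate(conf.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        hits = []
        for token in parts[2:]:
            name = token.lstrip("!")  # a negated "!acl" still evaluates the acl
            kind = acls.get(name)
            if kind in DNS_ACL_TYPES:
                hits.append((name, DNS_ACL_TYPES[kind]))
        if hits:
            findings.append((no, line, hits))
    return findings

for no, rule, hits in dns_triggering_rules(SAMPLE_CONF):
    print(f"line {no}: {rule}  ->  " + "; ".join(f"{n}: {r}" for n, r in hits))
```

Point it at a real squid.conf by reading the file into `dns_triggering_rules`; rules listed after an earlier always-matching rule are still reported, since the check is static and does not model http_access short-circuiting.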