[squid-users] Squid blocking own OCSP/AIA requests
Markus Wernig
listener at wernig.net
Tue Mar 21 10:35:02 UTC 2017
Hi all
I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as
ecap_service. This works well.
One thing I've noticed though, are constant log entries like this in
access.log:
2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET
http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/-
text/html;charset=utf-8 -
2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT
letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
It appears that this is the OCSP URI for Letsencrypt certificates.
And in fact every time this is logged, a CONNECT to a https uri is
logged that is using a Letsencrypt certificate (like eg.
https://letsencrypt.org).
Given that there is no client IP logged, I assume that squid is blocking
its own outgoing OCSP request here (the browser is configured to NOT use
OCSP).
The same seems to happen when there's no OCSP URI, but a regular AIA URI
in the certificate:
2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET
http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE
- HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT
swisssign.net:443 - HIER_DIRECT/swisssign.net - -
I do have "http_access allow localhost" in squid.conf, but since there's
no IP associated with the request, this does not seem to help.
Is there a way to allow these outgoing internal requests? I've looked
through the FAQ and wiki, but couldn't find anything on the topic.
Thanks & best
/markus
More information about the squid-users
mailing list