[squid-users] HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip
Alex Rousskov
rousskov at measurement-factory.com
Fri Jan 25 15:16:52 UTC 2019
On 1/25/19 1:15 AM, Александр Александрович Березин wrote:

> 0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -

Looks like your http_access rules deny some (or all) CONNECT requests,
probably during SslBump step1. This is not related to your ssl_bump
rules. Examine those rules and adjust them to allow CONNECT requests you
want to allow (and deny all other CONNECT requests).

> acl test dstdomain partner.steam-api.com

I doubt this causes TCP_DENIED errors, but you may want to use an
ssl::server_name ACL instead of dstdomain.

HTH,

Alex.

> [Fri Jan 25 06:50:10 2019].516 0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].530 0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].537 0 192.168.50.10 TAG_NONE/403 3806
> GET https://partner.steam-api.com/ - HIER_NONE/- text/html
> [Fri Jan 25 06:50:10 2019].568 0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].576 0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].583 0 192.168.50.10 TAG_NONE/403 3806
> GET http://berezin:0/squid-internal-static/icons/SN.png - HIER_NONE/-
> text/html
>
> in the browser I have an error
>
> squid error the requested url could not be retrieved
> the following error was encountered while trying to retrieve the url
> https://208.64.202.87
>
> if I add 208.64.202.87 in acl test dstdomain
> everything is good and I connect to partner.steam-api.com
>
>
> but the address at the end partner.steam-api.com can be dynamic and
> constantly changing, so I need a connection by name
> tell me what is my mistake?
>
> --
> С Уважением,
> Александр Александрович Березин
>
> With respect,
> Alexander Alexandrovich Berezin
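
One way to combine the two suggestions in the reply above, shown as an added squid.conf sketch that is not taken from the thread or from the poster's configuration. Every ACL name except `test`, the 192.168.50.0/24 range, the commented-out "before" rules and the choice to splice rather than bump are assumptions.

```squidconf
# Added example; not the poster's configuration.

# --- Assumed "before": access keyed only on the host name ---
# acl test dstdomain partner.steam-api.com
# http_access allow test
# http_access deny all
# The access.log lines in the thread show the request checked at
# SslBump step1 as "CONNECT 208.64.202.87:443", an IP address, and it is
# logged TCP_DENIED until that IP is added to the ACL.

# --- Name-based alternative ---
acl localnet src 192.168.50.0/24     # assumed LAN of client 192.168.50.10
acl tls_ports port 443
acl connect_method method CONNECT
acl step1 at_step SslBump1

# Server name from the TLS handshake (SNI), known once step1 has peeked
acl partner_sni ssl::server_name partner.steam-api.com

# http_access: LAN clients may open CONNECT tunnels to port 443 only,
# whatever the destination IP; everything else stays denied.
http_access deny connect_method !tls_ports
http_access allow connect_method localnet
http_access deny all

# ssl_bump: read the ClientHello, then decide by name instead of by IP.
ssl_bump peek step1
ssl_bump splice partner_sni
ssl_bump terminate all
```

With this layout the destination IP can change without touching the configuration, because the allow/terminate decision is made on the name the client presents in the handshake.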