[squid-users] Squid 4.9 Client IP PTR lookup on connect
Alex Rousskov
rousskov at measurement-factory.com
Sat Nov 30 17:31:50 UTC 2019
On 11/29/19 11:43 AM, Amos Jeffries wrote:
> The PTR should only need to be looked up at all if something needs to
> use the client FQDN. Usually that is logging. I suspect your build
> auto-enabled ICAP features which uses the FQDN for icap_log.
... but icap_log is disabled by default, even in Squid builds that have
ICAP support enabled, right? If a disabled icap_log triggers DNS
lookups, there is a Squid bug we should fix.
FWIW, the easiest way to figure out what triggered the lookup could be
to start Squid in a debugger, and then, before starting the test
transaction, add a breakpoint for fqdncache_nbgethostbyaddr. Post a
stack trace from that function (when it is triggered after the
httpAccept line is logged as shown in your cache.log).
Alex.
>> -------- 8< --------
>> Log:
>>
>> 2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New
>> connection on FD 8
>> 2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(312) acceptNext:
>> connection on local=0.0.0.0:3130 remote=[::] FD 8 flags=9
>> 2019/11/29 14:02:15.770 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 9
>> HTTP Request
>> 2019/11/29 14:02:15.770 kid1| 33,4| client_side.cc(2520) httpAccept:
>> local=10.254.236.19:3130 remote=10.229.200.152:56040 FD 9 flags=1: accepted
>> 2019/11/29 14:02:15.770 kid1| 35,4| fqdncache.cc(420)
>> fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: Name '10.229.200.152'.
>> 2019/11/29 14:02:15.771 kid1| 78,3| dns_internal.cc(1831) idnsPTRLookup:
>> idnsPTRLookup: buf is 45 bytes for 10.229.200.152, id = 0x5eb3
>>
>> -------- 8< --------
>> [root at sls squid-4.9]# squid -v
>> Squid Cache: Version 4.9
>> Service Name: squid
>> configure options: --enable-ltdl-convenience
>>
>> -------- 8< --------
>> [root at sls sls]# squid -u0 -f /etc/squid/sites/sls/sls.conf -k parse
>> 2019/11/29 14:49:21| Startup: Initializing Authentication Schemes ...
>> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'basic'
>> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'digest'
>> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'negotiate'
>> 2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'ntlm'
>> 2019/11/29 14:49:21| Startup: Initialized Authentication.
>> 2019/11/29 14:49:21| aclIpParseIpData: IPv6 has not been enabled.
>> 2019/11/29 14:49:21| aclIpParseIpData: IPv6 has not been enabled.
>> 2019/11/29 14:49:21| Processing Configuration File:
>> /etc/squid/sites/sls/sls.conf (depth 0)
>> 2019/11/29 14:49:21| Processing: visible_hostname sls
>
>> 2019/11/29 14:49:21| Processing: acl from-all src all
>
> That is pretty pointless. "src all" is the definition of the built-in
> "all" ACL. Might as well use that instead of these 'from-all' and make
> it more clear that you have no restrictions on what clients can do with
> your proxy.
>
>> 2019/11/29 14:49:21| Processing: http_access deny !safe-ports
>> 2019/11/29 14:49:21| Processing: http_access deny CONNECT !ssl-ports
>> 2019/11/29 14:49:21| Processing: http_access allow from-all
>> 2019/11/29 14:49:21| Processing: cache_log
>> stdio:/proxy/logs/squid/sls/cache-sls.log
More information about the squid-users
mailing list