[squid-users] Unable to access internal resources via hostname
Alex Rousskov
rousskov at measurement-factory.com
Wed Aug 28 18:18:57 UTC 2024
On 2024-08-28 11:24, Piana, Josh wrote:
> Here's the log and (I think) relevant ACL's?
According to your access.log, Squid denies problematic CONNECT requests
with HTTP 407 error responses. Usually, that means those requests match
an "http_access deny" rule. Clearly, you expect an "allow" outcome
instead, but it is difficult (for me) to figure out where your
expectations mismatch reality; there are no rules that explicitly
mention hexcelssp domain, for example. Which "http_access allow" rule do
you expect those denied requests to match?
Also, does mgr:ipcache cache manager query confirm that Squid has read
your /etc/hosts file and cached the record you expect it to use?
Alex.
> -----------------------------------------------------------------------------------------------------------
> # /var/log/squid/access.log results for internal conflicts
>
> 28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
> 28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA at AD.<DOMAIN>.COM HIER_NONE/- -
> 28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
> 28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA at AD.<DOMAIN>.COM HIER_NONE/- -
> -----------------------------------------------------------------------------------------------------------
>
> # acl all src all
>
> acl src_self src 127.0.0.0/8
> acl src_self src 10.46.11.69
>
> acl dst_self dst 127.0.0.0/8
> acl dst_self dst 10.46.11.69
>
> acl from_arc src 10.46.0.0/15
>
> acl local_dst_addr dst 10.0.0.0/8
> acl local_dst_addr dst 172.0.0.0/8
> acl local_dst_addr dst bldg3.<domain>.com
> acl local_dst_addr dst bldg5.<domain>.com
>
> # these keep URLs of popular local servers from being forwarded
> acl local_dst_dom dstdomain arcgate
>
> # allow connects to local destinations without authentication
> # by domain name from URL
> http_access allow local_dst_dom
> http_reply_access allow local_dst_dom
>
> # by IP address name resolves to
> http_access allow local_dst_addr
> http_reply_access allow local_dst_addr
>
> # allow trusted hosts without authentication
> # these are just ip's on the 10.46.11.x network
> acl authless_src src "/etc/squid/authless_src"
> http_access allow authless_src
> http_reply_access allow authless_src
> -----------------------------------------------------------------------------------------------------------
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
> Sent: Wednesday, August 28, 2024 10:47 AM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Unable to access internal resources via hostname
>
> On 28.08.24 14:20, Piana, Josh wrote:
>> Hello Squid Support,
>
> This is a squid user forum, FYI
>
>> We are unable to get to internal resources via hostname but using the
>> IP address works fine. Immediately, I thought this was DNS but when I
>> checked the /etc/resolv.conf/ file it was pointing correctly to our
>> Windows DNS server and we can ping all devices using their hostname,
>> just not when browsing to it. This leads me to believe something may
>> be wrong with our squid config.
>
> hard to guess without seeing logs or ACL's.
>
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT wish to receive any advertising mail at this address.
> It's now safe to throw off your computer.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
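The question raised in the reply above (which "http_access allow" rule could match the denied CONNECT requests) can be checked offline. This is an added Python example, not code from the thread or from Squid: a simplified model that handles only single-ACL allow rules with `dstdomain` and `dst` ACLs. The function names and the resolved address 10.1.2.3 are constructed, and treating an unresolved name as a non-match for `dst` is an assumption of the model.

```python
import ipaddress

# ACL and rule lines taken from the squid.conf excerpt quoted in this thread
# (hostname-valued dst entries and the src-based rule are left out).
CONF = """\
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst 172.0.0.0/8
acl local_dst_dom dstdomain arcgate
http_access allow local_dst_dom
http_access allow local_dst_addr
"""
# Two lines from the quoted access.log.
LOG = """\
28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA at AD.<DOMAIN>.COM HIER_NONE/- -
"""

def denied_connect_hosts(log):
    """Hosts of CONNECT requests answered with TCP_DENIED/407."""
    hosts = set()
    for fields in (line.split() for line in log.splitlines()):
        if len(fields) > 6 and fields[3] == "TCP_DENIED/407" and fields[5] == "CONNECT":
            hosts.add(fields[6].rsplit(":", 1)[0])
    return hosts

def acl_matches(kind, value, host, resolved_ip):
    if kind == "dstdomain":
        host, value = host.lower(), value.lower()
        # A leading dot also matches subdomains; otherwise the name must be equal.
        return host == value.lstrip(".") or (value.startswith(".") and host.endswith(value))
    if kind == "dst":
        # Assumption: a name the proxy could not resolve never matches a dst ACL.
        return resolved_ip is not None and \
            ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(value)
    return False

def first_allow(conf, host, resolved_ip=None):
    """Name of the first single-ACL 'http_access allow' rule that matches, else None."""
    acls, rules = {}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], []).append((parts[2], parts[3]))
        elif parts[:2] == ["http_access", "allow"]:
            rules.append(parts[2])
    for name in rules:
        if any(acl_matches(k, v, host, resolved_ip) for k, v in acls.get(name, [])):
            return name
    return None

if __name__ == "__main__":
    for h in sorted(denied_connect_hosts(LOG)):
        print(h, "unresolved ->", first_allow(CONF, h))
        print(h, "resolved to 10.1.2.3 (constructed) ->", first_allow(CONF, h, "10.1.2.3"))
```

In this model the name-based rule never matches hexcelssp, so an unauthenticated allow depends entirely on the proxy resolving the name to an address inside one of the `dst` ranges, which is what the mgr:ipcache question is probing.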