[squid-users] Unable to access internal resources via hostname

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Aug 28 19:35:50 UTC 2024


>> We are unable to get to internal resources via hostname but using the
>> IP address works fine.  Immediately, I thought this was DNS but when I
>> checked the /etc/resolv.conf/ file it was pointing correctly to our
>> Windows DNS server and we can ping all devices using their hostname,
>> just not when browsing to it.  This leads me to believe something may
>> be wrong with our squid config.
>
>hard to guess without seeing logs or ACL's.

On 28.08.24 15:24, Piana, Josh wrote:
>Here's the log and (I think) relevant ACL's?
>-----------------------------------------------------------------------------------------------------------
># /var/log/squid/access.log results for internal conflicts
>
>28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
>28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA at AD.<DOMAIN>.COM HIER_NONE/- -
>28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
>28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA at AD.<DOMAIN>.COM HIER_NONE/- -
>-----------------------------------------------------------------------------------------------------------

[...]
>acl from_arc src 10.46.0.0/15
[...]
>acl local_dst_addr dst bldg3.<domain>.com
>acl local_dst_addr dst bldg5.<domain>.com

Are you aware that these get translated to IP addresses? 
If you want to use domain names as provided by client, use "dstdomain".

># these keep URLs of popular local servers from being forwarded
>acl local_dst_dom dstdomain arcgate

...just like this.

># allow connects to local destinations without authentication
># by domain name from URL
>http_access       allow local_dst_dom
>http_reply_access allow local_dst_dom

http_reply_access is usually not needed, unless you want to control what 
clients get only after the content is known to squid, which generally 
applies to e.g. mime types.

If you don't do that, better comment out "http_reply_access" lines.

># allow trusted hosts without authentication
># these are just ip's on the 10.46.11.x network
>acl authless_src src "/etc/squid/authless_src"
>http_access       allow authless_src
>http_reply_access allow authless_src

I don't see any http_access "deny" line.
Also, I don't see any "http_access allow from_arc"
or any other line that should allow CONNECT from 10.46.49.190 to "hexcelssp".


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors
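As an added example, not part of the thread, this is how the quoted ACL fragment looks once the points raised above are applied: `dstdomain` for the hostnames exactly as the client sends them, an explicit allow for `from_arc` clients, and a closing deny so the default is not left to chance. The hostnames, networks and file path are the ones quoted in the thread; the `proxy_auth REQUIRED` ACL assumes an `auth_param` section already exists, since the 407 responses in the log imply one.

```squid
# Match the hostname the client put in the request (for
# "CONNECT bldg3.<domain>.com:443" this is the string bldg3.<domain>.com).
# "dst" would instead resolve these names to IP addresses when the
# configuration is loaded and compare against the resolved address.
acl local_dst_dom dstdomain arcgate
acl local_dst_dom dstdomain bldg3.<domain>.com bldg5.<domain>.com

acl from_arc      src 10.46.0.0/15
acl authless_src  src "/etc/squid/authless_src"

# Assumption: an auth_param block for the Windows domain is defined earlier.
acl authenticated proxy_auth REQUIRED

# Local destinations and trusted hosts need no credentials.
http_access allow local_dst_dom
http_access allow authless_src

# Everything else from the ARC network must authenticate; this is the
# rule the quoted configuration did not have, so a request such as
# "CONNECT hexcelssp:443" from 10.46.49.190 had nothing to match.
http_access allow from_arc authenticated

# Closing rule. Without it Squid applies the opposite of the last
# http_access line to unmatched requests, which is easy to get wrong.
http_access deny all

# No http_reply_access lines: the default permits every reply, and
# reply ACLs are only useful for decisions that depend on the response.
```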