J Beris wrote:
> Hello list,
> I'm seeing a very odd thing with one website, something which I can't
> explain at all. It only happens with Squid, if I bypass Squid everything
> works as normal.
> We are trying to access a website: example.com.
> This domain name is resolvable both on the Internet and on our
> nationwide WAN. We have to go through our WAN, because only then can we
> use the web application hosted there. This is not available to the
> general public. So far, easy enough. Just route traffic the right way
> and things should be okay. Only thing is: we have done so, but Squid
> doesn't seem to understand. Let me clarify:
> Example.com resolves as 123.123.123.123 for our WAN. It resolves as
> 200.200.200.200 on the Internet. The Squid machine queries two DNS
> servers, both hosted internally. Both DNS servers have
> example.com/123.123.123.123 in their forward lookup zone. Doing an
> nslookup example.com on the Squid machine gives:
> Server: x.x.x.x (ip address of internal DNS)
> Address: x.x.x.x (same)
> Name: example.com
> Address: 123.123.123.123
> So far so good. The Squid machine knows the right address for
> example.com. Our firewall is configured to route all traffic to
> 123.123.123.123 to our WAN router instead of Internet router.
> If I do a traceroute on the Squid machine to example.com, I first see
> our firewall, then the next hop is the WAN router, so traffic gets
> routed the right way.
> If I bypass Squid and use Lynx on the Squid machine to go to
> example.com, it shows me the login page of the web application.
> But... if I use a client computer and connect through Squid to
> http://example.com, I see the following request line in
> /var/log/squid/access.log:
> 1195033488.299 179843 x.x.x.x TCP_MISS/504 1503 GET http://example.com/ <username> DIRECT/200.200.200.200 text/html
> As you can see, Squid tries to grab the page from the Internet address,
> not from the WAN address. This does not work, and results in a time-out.
> But my question is: where does Squid get the Internet IP address?
From the NS listed in /etc/resolv.conf, or squid.conf:dns_nameservers
> I have tried to purge all references to example.com using squidclient,
> but it just tells me 404, not found. Which is normal, since it can't
> connect to the site.
> I have restarted the NSCD daemon, which should purge the DNS cache.
> Any ideas where to look?
Which squid version?
tcp_outgoing_address - if one is set make sure the FW route for _that_
IPA to 123.123.123.123 is working correctly.
dns_nameservers - if set, the NS listed _ALL_ resolve the IPA to
123.123.123.123
- if not set, the /etc/resolv.conf NS _ALL_ do the same.
Any special routing for example.com or the WAN IP ranges in the
squid.conf file itself?
If present check it works. If not you may need to configure some (should
not if DNS is providing the right details).
To see what squid has you can check:
squidclient mgr:ipcache | grep "example.com"
squidclient mgr:fqdncache | grep "example.com"
Amos
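The access.log line in the question is the quickest evidence that Squid resolved example.com to the wrong address. The script below is an added example, not code from this thread or from the Squid project: it parses Squid's native access.log format, keeps only DIRECT connections (a PARENT or SIBLING peer is another proxy, not the origin), and flags any request where the origin IP Squid actually connected to is not one of the addresses internal DNS is expected to return for that host. The sample log lines, the client addresses, the username and the expected-address map are all constructed for the example; in practice the map would hold whatever your internal zones serve.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log format, one request per line (assumption: logformat
# is the default "squid" format, not a custom one):
# timestamp elapsed client code/status bytes method URL user hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: the first line mirrors the 504 from the question, the
# second is what a correct WAN-side fetch would look like, the third is a cache
# hit with no origin contact, the fourth is a CONNECT tunnel to the wrong IP.
SAMPLE_LOG = [
    "1195033488.299 179843 10.0.0.5 TCP_MISS/504 1503 GET http://example.com/ user1 DIRECT/200.200.200.200 text/html",
    "1195033500.120 45 10.0.0.5 TCP_MISS/200 8812 GET http://example.com/login user1 DIRECT/123.123.123.123 text/html",
    "1195033501.001 12 10.0.0.6 TCP_HIT/200 512 GET http://intranet.example/ user1 NONE/- text/html",
    "1195033502.447 300 10.0.0.7 TCP_MISS/200 2048 CONNECT example.com:443 user1 DIRECT/200.200.200.200 -",
]

# Constructed: host -> set of origin IPs the internal DNS servers should return.
EXPECTED = {"example.com": {"123.123.123.123"}}


def parse_line(line):
    """Split one native-format access.log line into its named fields, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Extract the origin hostname; CONNECT logs 'host:port' with no scheme."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def find_mismatches(lines, expected):
    """Return DIRECT requests whose origin IP is not an expected address for the host.

    Hosts absent from `expected` are ignored, as are cache hits (NONE/-) and
    requests forwarded to another proxy (PARENT/SIBLING), because in those cases
    the peer field does not tell us which address Squid resolved the host to.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["hier"] != "DIRECT" or rec["peer"] == "-":
            continue
        host = host_of(rec["url"])
        allowed = expected.get(host)
        if allowed is None or rec["peer"] in allowed:
            continue
        hits.append({
            "host": host,
            "peer": rec["peer"],
            "status": rec["status"],
            "client": rec["client"],
            "expected": sorted(allowed),
        })
    return hits


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG, EXPECTED):
        print(f"{hit['host']}: Squid went DIRECT to {hit['peer']} "
              f"(expected {', '.join(hit['expected'])}), status {hit['status']}, "
              f"client {hit['client']}")
```

Run it against a real log with `find_mismatches(open("/var/log/squid/access.log"), EXPECTED)`; any hit on a host you expect to reach via the WAN points at Squid's resolver configuration (dns_nameservers, /etc/resolv.conf, or the ipcache contents shown by `squidclient mgr:ipcache`) rather than at the firewall route.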