kevin band wrote:
Hi,
I'm hoping somebody can help me here, because I'm at a loss about what
to do next.
Basically we have squid running as a proxy server to restrict access
to just those sites which we've included in our ACLs.
I have noticed recently that it isn't handling HTTPS requests properly
if the URL contains an IP address instead of a domain name.
The reason this is a particular problem is that although the users can
connect to the page using the domain name, something within that
domain is then forwarding requests to the same web-server using its IP
address.
I'm sure I have my ACLs set up correctly because squid will forward
the request using either URL if I send the requests using HTTP. It
then times out on the web-server because it only allows https, but at
least the request is being forwarded to the web-server rather than
being denied in squid.
The remote web server(s) is rejecting the connections. Probably because
the SSL certificates require a domain name as part of their
authentication validation.
It's probably a broken client browser or maybe the website itself
sending funky page URLs with the raw-IP inside. If you care you need to
find out which and complain to whoever made the broken bits. Squid is
just an innocent middleman here.
Here's an extract from the logs that might explain it better :-
158.41.4.44 - - [04/Dec/2009:15:56:47 +0000] "GET http://stpaccess.marksandspencer.com/ HTTP/1.1" 504 1024 TCP_MISS:NONE
158.41.4.44 - - [04/Dec/2009:15:57:02 +0000] "CONNECT stpaccess.marksandspencer.com:443 HTTP/1.0" 200 7783 TCP_MISS:DIRECT
158.41.4.44 - - [04/Dec/2009:16:01:53 +0000] "GET http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1" 504 1064 TCP_MISS:NONE
158.41.4.44 - - [04/Dec/2009:16:03:13 +0000] "CONNECT 63.130.82.113:443 HTTP/1.0" 403 980 TCP_DENIED:NONE
And config extracts:
acl SSL_ports port 443 563 444
acl Safe_ports port 80 8002 23142 5481 5181 5281 5381 5481 5581 5400 5500 # http
acl Safe_ports port 23142 # OPEL project
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 444 563 # https, snew#s
acl CONNECT method CONNECT
acl regex_ms dstdom_regex -i "/home/security/regex_marksandspencer.txt"
acl urlregex_mands url_regex -i "/home/security/regex_marksandspencer_ip.txt"
acl mands_allowed_nets src "/home/security/mands_allowed_nets.txt"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow regex_ms mands_allowed_nets
http_access allow urlregex_mands mands_allowed_nets
http_access deny all
There are actually a lot more ACLs than this, but these are the only
ones I think are relevant.
Relevant extracts from files linked to ACLs:
regex_marksandspencer.txt
.*marksandspencer.*com
regex_marksandspencer_ip.txt
.*.63.130.82.113
Thanks for any help.
Kevin,
Kevin, meet dstdomain:
acl markandspencer dstdomain .marksandspencer.com 63.130.82.113
http_access allow markandspencer mands_allowed_nets
10x or more faster than regex. Matching marksandspencer.com, all
sub-domains and the raw-IP address form.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15
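The following is an added example, not part of the thread and not Squid's own code: a small Python model of how Squid walks the http_access list, run over the four requests from Kevin's access.log. It shows why the original url_regex ACL lets `http://63.130.82.113/...` through but not `CONNECT 63.130.82.113:443` (for CONNECT the URL Squid tests is just `host:port`, so the pattern `.*.63.130.82.113`, which needs at least one character before the IP, never matches), and that Amos's dstdomain ACL covers all four. Assumptions: the dstdomain semantics are simplified (a leading dot matches the domain and its sub-domains, anything else must match the host exactly), the manager rules are omitted because they do not apply, the client is taken to be inside mands_allowed_nets, and Python's `re` stands in for Squid's POSIX regex engine.

```python
import re

# Constructed from the four access.log lines quoted in the thread:
# (method, request URL as Squid sees it, destination host, destination port).
# For CONNECT the URL is only "host:port", and that is what url_regex is tested against.
REQUESTS = [
    ("GET", "http://stpaccess.marksandspencer.com/", "stpaccess.marksandspencer.com", 80),
    ("CONNECT", "stpaccess.marksandspencer.com:443", "stpaccess.marksandspencer.com", 443),
    ("GET", "http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp", "63.130.82.113", 80),
    ("CONNECT", "63.130.82.113:443", "63.130.82.113", 443),
]

SSL_PORTS = {443, 563, 444}
SAFE_PORTS = {80, 8002, 23142, 5481, 5181, 5281, 5381, 5581, 5400, 5500, 21, 443, 444, 563}

# Each ACL is a predicate over (method, url, host, port), mirroring one Squid acl type.
def dstdom_regex(patterns):
    comp = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda m, url, host, port: any(c.search(host) for c in comp)

def url_regex(patterns):
    comp = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda m, url, host, port: any(c.search(url) for c in comp)

def dstdomain(entries):
    # Simplified dstdomain (assumption): ".example.com" matches example.com and every
    # sub-domain; an entry without a leading dot, such as a raw IP, must match exactly.
    def match(m, url, host, port):
        h = host.lower()
        for e in (x.lower() for x in entries):
            if e.startswith(".") and (h == e[1:] or h.endswith(e)):
                return True
            if not e.startswith(".") and h == e:
                return True
        return False
    return match

def port_in(ports):
    return lambda m, url, host, port: port in ports

def method_is(name):
    return lambda m, url, host, port: m == name

def negate(acl):
    # The "!" prefix on an http_access line.
    return lambda *req: not acl(*req)

# mands_allowed_nets is a src ACL; assumed to match the client in the log (158.41.4.44).
ALLOWED_NET = lambda m, url, host, port: True
ALL = lambda m, url, host, port: True

# Kevin's posted http_access list (manager rules left out as they do not apply here).
ORIGINAL_RULES = [
    ("deny", [negate(port_in(SAFE_PORTS))]),
    ("deny", [method_is("CONNECT"), negate(port_in(SSL_PORTS))]),
    ("allow", [dstdom_regex([".*marksandspencer.*com"]), ALLOWED_NET]),
    ("allow", [url_regex([".*.63.130.82.113"]), ALLOWED_NET]),
    ("deny", [ALL]),
]

# The same list with Amos's dstdomain ACL in place of the two regex ACLs.
SUGGESTED_RULES = [
    ("deny", [negate(port_in(SAFE_PORTS))]),
    ("deny", [method_is("CONNECT"), negate(port_in(SSL_PORTS))]),
    ("allow", [dstdomain([".marksandspencer.com", "63.130.82.113"]), ALLOWED_NET]),
    ("deny", [ALL]),
]

def evaluate(rules, req):
    # Squid takes the first http_access line whose ACLs all match; the list ends in deny all.
    for verdict, acls in rules:
        if all(acl(*req) for acl in acls):
            return verdict
    return "deny"

def verdicts(rules):
    return [evaluate(rules, req) for req in REQUESTS]

def ip_regex_hits(url):
    # Kevin's url_regex pattern, applied to a single URL string.
    return bool(re.search(r".*.63.130.82.113", url, re.IGNORECASE))

if __name__ == "__main__":
    for (method, url, _, _), old, new in zip(REQUESTS, verdicts(ORIGINAL_RULES), verdicts(SUGGESTED_RULES)):
        print(f"{method:8} {url:60} regex: {old:5}  dstdomain: {new}")
```

Running the script prints one line per logged request; only the CONNECT to the raw IP differs between the two rule sets, matching the 403 TCP_DENIED in the log. The regex pattern could be repaired instead (for example by anchoring on the host part), but the dstdomain form is both the simpler fix and, as Amos notes, the faster one.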