On 10/08/2013 01:35 AM, Jury Bogdanov wrote:
> To isolate the IP's I need to know all of them. But I don't know all
> IP's. Some domains have a lot of IP's. Squid can't resolve the IP's?

Squid can (and does) perform a reverse DNS lookup when the request uses
an IP address and your ACL is using a domain name. Whether that reverse
DNS lookup is successful at all, or whether its result (the domain name)
matches your domain-based ACL value, is outside of Squid's control. The
former depends primarily on the authoritative DNS zone setup. The latter
depends on that zone and on your ACL.

You can try performing reverse lookups yourself using the logged IP
address and command-line tools like dig. Squid results may differ, but
often do not, especially if both Squid and your command-line tool are
configured to use the same DNS resolver.

Many popular sites use dozens of IP addresses, some of which cannot be
resolved back to the site name. The IP:domain mapping may also depend on
the physical location of the DNS client (i.e., Squid). I know some admins
that write complicated distributed scripts that try to maintain an
IP:domain map for some special cases of very popular sites and use that
in their bumping rules...

Good luck,

Alex.

> 2013/10/8 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> On 8/10/2013 8:07 a.m., Jury Bogdanov wrote:
>>>
>>> Yeah, you were right. When I replaced
>>> ssl_bump server-fist vk
>>>
>>> With
>>> ssl_bump server-first all
>>> it works. But I can't understand how to fix that. I don't want to bump
>>> all connections.
>>
>>
>> That change was just a test to verify Alex's theory was correct.
>>
>> For the final config you need to find some ACL condition or test that
>> matches the traffic you want to match. You can do so with multiple ssl_bump
>> lines and/or ACLs if necessary.
>>
>> The specifics are up to you, but it sounds like you need to isolate the IP's
>> for that domain and permit bumping for them as well as for its domain name.
>>
>> Amos
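As an added illustration of the check Alex describes (reverse-resolving the IP addresses Squid logged for CONNECT requests and asking whether the PTR name would satisfy a domain ACL), written for this thread and not code from the list or from Squid: the access.log lines and PTR answers below are constructed, and `matches_dstdomain` is my reading of Squid's dstdomain rule (a leading dot covers subdomains, no dot means exact match). To run it against real DNS, pass a resolver such as `lambda ip: socket.gethostbyaddr(ip)[0]` instead of `FAKE_PTR.get`.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed squid access.log lines (native format); not real traffic.
SAMPLE_LOG = """\
1381190100.123    412 192.0.2.10 TCP_MISS/200 3182 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1381190101.456    398 192.0.2.10 TCP_MISS/200 2891 CONNECT 198.51.100.8:443 - HIER_DIRECT/198.51.100.8 -
1381190102.789    377 192.0.2.11 TCP_MISS/200 4410 CONNECT example.test:443 - HIER_DIRECT/203.0.113.5 -
"""

# Constructed PTR answers standing in for the resolver; None = no PTR record.
FAKE_PTR: Dict[str, Optional[str]] = {
    "198.51.100.7": "edge1.example.test",
    "198.51.100.8": None,
}

CONNECT_RE = re.compile(r"\sCONNECT\s(\S+?):\d+\s")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def logged_ip_destinations(log_text: str) -> List[str]:
    """Distinct CONNECT destinations that are bare IPv4 addresses, in log order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and IPV4_RE.match(m.group(1)) and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def matches_dstdomain(name: str, acl_value: str) -> bool:
    """dstdomain-style match: a leading dot covers the domain and its subdomains,
    no leading dot means exact match only. Case and trailing dots are ignored."""
    name, acl_value = name.lower().rstrip("."), acl_value.lower().rstrip(".")
    if acl_value.startswith("."):
        return name == acl_value[1:] or name.endswith(acl_value)
    return name == acl_value

def check_acl_coverage(log_text: str, acl_value: str,
                       resolve: Callable[[str], Optional[str]]) -> Dict[str, Optional[str]]:
    """For each logged IP destination, the PTR name when it would satisfy the
    ACL, else None (no PTR at all, or a PTR naming some other domain)."""
    coverage: Dict[str, Optional[str]] = {}
    for ip in logged_ip_destinations(log_text):
        ptr = resolve(ip)
        coverage[ip] = ptr if ptr and matches_dstdomain(ptr, acl_value) else None
    return coverage
```

Entries left at None are the addresses a domain-name ACL cannot catch on its own, which is the set Amos suggests isolating into an IP-based ACL next to the domain one.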