Amos Jeffries wrote
> On 7/07/2015 11:45 p.m., S.Kirschner wrote:
>> I think the issue exists because the reverse lookup didn't get the answer
>> "sparkasse.de", but why does it not use the hostname from the DNS request
>> to the DNS server?
>
> Because Squid is not a DNS server.
>
> The HTTP message details including URL where dstdomain comes from are
> encrypted at the time you are trying to use the dstdomain ACL.

Yes, but in pfSense a DNS server is installed, so on this host a DNS server is running.
Also, I tried to use the Google DNS.

Here are the entries from the cache.log.

With sparkasse.de in /etc/hosts

#2015/06/19 14:03:03.907 kid1| DomainData.cc(108) match: aclMatchDomainList: checking '212.34.69.3'
#2015/06/19 14:03:03.907 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
#2015/06/19 14:03:03.908 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'sparkasse.de'
#2015/06/19 14:03:03.908 kid1| DomainData.cc(113) match: aclMatchDomainList: 'sparkasse.de' found
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: bypass = 1
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: (ssl_bump rules) = 1

Without sparkasse.de in /etc/hosts

#2015/06/19 14:05:19.842 kid1| DomainData.cc(108) match: aclMatchDomainList: checking '212.34.69.3'
#2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
#2015/06/19 14:05:19.842 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'rev-212.34.69.3.rev.izb.net'
#2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: 'rev-212.34.69.3.rev.izb.net' NOT found
#2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: bypass = 0
#2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: (ssl_bump rule) = 0

The SSL accept error in cache.log

#2015/06/19 14:05:19.825 kid1| Checklist.cc(61) markFinished: 0x8041b7798 answer ALLOWED for match
#2015/06/19 14:05:19.825 kid1| Checklist.cc(161) checkCallback: ACLChecklist::checkCallback: 0x8041b7798 answer=ALLOWED
#2015/06/19 14:05:19.825 kid1| client_side_request.cc(1527) sslBumpNeed: sslBump required: peek
#2015/06/19 14:05:19.825 kid1| client_side_request.cc(115) ~ClientRequestContext: 0x807468098 ClientRequestContext destructed
#2015/06/19 14:05:19.825 kid1| client_side_request.cc(1829) doCallouts: calling processRequest()
#2015/06/19 14:05:19.825 kid1| store.cc(780) storeCreatePureEntry: storeCreateEntry: '212.34.69.3:443'
#2015/06/19 14:05:19.825 kid1| MemObject.cc(97) MemObject: new MemObject 0x807567f40
#2015/06/19 14:05:19.825 kid1| store.cc(485) lock: storeCreateEntry locked key [null_store_key] e:=V/0x80755ada0*1
#2015/06/19 14:05:19.825 kid1| store_key_md5.cc(89) storeKeyPrivate: storeKeyPrivate: CONNECT 212.34.69.3:443
#2015/06/19 14:05:19.825 kid1| store.cc(449) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=IV/0x80755ada0*1 key '04808DEC55BF24579C431922F1A83DE0'
#2015/06/19 14:05:19.840 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
#2015/06/19 14:05:19.840 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/transparent-proxy-splice-using-dstdomain-issue-tp4672088p4672095.html
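
An added example, not part of the original post or of Squid: a small Python script that groups the aclMatchDomainList debug lines with the verdict logged for one ACL, so the names Squid actually tested are visible next to each result. The function names are hypothetical; the sample lines are taken from the cache.log excerpt in the post.

```python
import re

# Sample input: cache.log lines from the post (leading '#' kept as posted).
SAMPLE_LOG = """\
#2015/06/19 14:03:03.907 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
#2015/06/19 14:03:03.908 kid1| DomainData.cc(113) match: aclMatchDomainList: 'sparkasse.de' found
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: bypass = 1
#2015/06/19 14:03:03.908 kid1| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
#2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: '212.34.69.3' NOT found
#2015/06/19 14:05:19.842 kid1| DomainData.cc(113) match: aclMatchDomainList: 'rev-212.34.69.3.rev.izb.net' NOT found
#2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: bypass = 0
#2015/06/19 14:05:19.842 kid1| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
"""

RESULT = re.compile(r"aclMatchDomainList: '([^']+)' (NOT found|found)")
VERDICT = re.compile(r"matches: checked: (\S+) = ([01])\s*$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def acl_decisions(log_text, acl_name):
    """Group the candidates a domain-list ACL tested with that ACL's verdict."""
    decisions, tried = [], []
    for line in log_text.splitlines():
        m = RESULT.search(line)
        if m:
            tried.append((m.group(1), m.group(2) == "found"))
            continue
        m = VERDICT.search(line)
        if m and m.group(1) == acl_name:  # verdict lines of other rules are skipped
            decisions.append({"time": line.lstrip("#")[:23], "tried": tried,
                              "matched": m.group(2) == "1"})
            tried = []
    return decisions


def unmatched_names(decisions):
    """Hostnames (not bare IPs) tested in evaluations that ended in no match."""
    return sorted({name for d in decisions if not d["matched"]
                   for name, _ in d["tried"] if not IPV4.fullmatch(name)})


if __name__ == "__main__":
    found = acl_decisions(SAMPLE_LOG, "bypass")
    for d in found:
        print(d["time"], "match" if d["matched"] else "no match", d["tried"])
    print("names to compare with the ACL:", unmatched_names(found))
```
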