Here's the requested "squid -v" output:

Squid Cache: Version 3.5.10
Service Name: squid
configure options: '--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--disable-arch-native' '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--libdir=/usr/lib' '--with-dl' '--enable-storeio=aufs' '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads' '--enable-removal-policies=heap,lru' '--enable-delay-pools' '--enable-kill-parent-hack' '--with-large-files' '--enable-auth' '--disable-auth-basic' '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-htcp' '--enable-log-daemon-helpers=file' '--with-default-user=squid' 'build_alias=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'LDFLAGS=-Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

As I understand, all (potential) PTR lookups only lookup hostnames of destination IPs.
I don't see any directive that triggers a PTR lookup for client (source) IPs.
That's the problem I have: squid is doing PTR lookups for client (source) IPs with the given configuration.

On 12.02.2016 04:40, Amos Jeffries wrote:
> On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
>> Maybe my squid.conf will help to solve this.
> Even more helpful would be your "squid -v" output.
>
>
>> I checked this configuration with "squid -k check".
>>
>> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
>> be corrected):
>>
>> #### AUTHENTICATION ####
>> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
>> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
>> auth_param digest program /opt/some_program digestauth
>> auth_param digest realm Hello
>> auth_param digest children 1 startup=1 idle=1 concurrency=500
>> auth_param digest nonce_garbage_interval 5 minutes
>> auth_param digest nonce_max_duration 30 minutes
>> auth_param digest nonce_max_count 5000
>> auth_param digest check_nonce_count off
>>
>>
>> #### ACL ####
>> acl localnet src 192.168.0.0/24
>> acl to_localnet dst 192.168.0.0/24
> Performs DNS A/AAAA resolve of the URL domain to find the set of
> possible dst-IP.
>
>> acl CONNECT_allowexceptions dstdom_regex -i some_domain$
> Performs PTR lookup of any raw-IP URL hostnames that fail to match the
> regex pattern as-is.
>
>> acl CONNECT_Safe_ports port 443
>> acl CONNECT method CONNECT
>>
>> acl snmppublic snmp_community public
>>
>> acl auth_passed proxy_auth REQUIRED
>> acl ext_name_c_passed external ext_name_c
>> acl ext_name_a_passed external ext_name_a
>>
>> # special exceptions
>> acl special_url url_regex some_regex
>> http_access deny special_url
>> deny_info 200:ERR_PAGE_NAME special_url
>>
>> # special rules
>> acl some_rule dstdom_regex -i some_regex
>> acl ext_list dstdom_regex -i "/etc/squid/file.list"
> Both perform PTR lookup of any raw-IP URL hostnames that fail to match
> the regex pattern as-is.
>
>> #### ACCESS ####
>> http_access allow manager localnet
>> http_access deny manager
>>
>> http_access allow CONNECT CONNECT_allowexceptions
> --> Potential PTR lookup.
>
>> http_access deny CONNECT !CONNECT_Safe_ports
>> http_access deny to_localhost
>> http_access deny to_localnet
> --> definite A/AAAA lookup.
>
>> http_access deny special_url
>> http_access deny ext_list
> --> Potential PTR lookup.
>
>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access allow some_rule
> --> Potential PTR lookup.
>
>> # activate additional external acls
>> http_access allow ext_name_a_passed !all
>>
>> http_access deny !ext_name_c_passed
>>
>> http_access allow auth_passed
>>
>> http_access deny all
>>
>> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
>>
> <snip>
>
>> dns_v4_first on
>> client_db off
>>
>> #### IP PORT CONFIG ####
>> http_port 192.168.0.1:3456
>>
>> acl port80 localport 80
>> acl port443 localport 443
> Squid is not listening on port 443, nor do you have any "https_port
> ...intercept" that might receive that ports traffic.
>
>> http_port external_ip:80
>>
>> acl ext_ip localip external_ip
>>
>> tcp_outgoing_address external_ip ext_ip port80
>> tcp_outgoing_address external_ip ext_ip port443
>>
>> cache_mem 250 MB
>>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
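
The lookup annotations in the quoted reply, turned into a check over a squid.conf (an added example, not part of the original thread and not Squid's own code). The dst and dstdom_regex rows follow those annotations; the srcdomain and srcdom_regex rows are an assumption taken from Squid's acl documentation and are not mentioned in the thread, and SAMPLE_CONF is a constructed excerpt of the quoted configuration.

```python
# ACL type -> DNS lookup it can trigger when evaluated.
# "dst" and "dstdom_regex" follow the annotations in the thread; the src*
# rows are an assumption from Squid's acl documentation, not from the thread.
LOOKUPS = {
    "dst": "A/AAAA lookup of the URL host",
    "dstdom_regex": "PTR lookup of a raw-IP URL host",
    "srcdomain": "PTR lookup of the client IP",
    "srcdom_regex": "PTR lookup of the client IP",
}

# Constructed sample, cut down from the configuration quoted above.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/24
acl to_localnet dst 192.168.0.0/24
acl CONNECT_allowexceptions dstdom_regex -i some_domain$
acl CONNECT method CONNECT
acl ext_list dstdom_regex -i "/etc/squid/file.list"
http_access allow CONNECT CONNECT_allowexceptions
http_access deny to_localnet
http_access deny ext_list
http_access allow localnet
http_access deny all
"""

def dns_triggers(conf):
    """Return [(line_no, rule, [(acl_name, lookup), ...])] for every
    http_access rule that references an ACL whose type can cause a lookup."""
    acl_types, findings = {}, []
    for no, raw in enumerate(conf.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue                          # blank line or comment
        if fields[0] == "acl" and len(fields) >= 3:
            # ACLs are defined before use, so one top-down pass is enough.
            acl_types[fields[1]] = fields[2]
        elif fields[0] == "http_access" and len(fields) >= 3:
            hits = []
            for ref in fields[2:]:
                name = ref.lstrip("!")        # a negated ACL is still evaluated
                lookup = LOOKUPS.get(acl_types.get(name))
                if lookup:
                    hits.append((name, lookup))
            if hits:
                findings.append((no, " ".join(fields), hits))
    return findings

if __name__ == "__main__":
    for no, rule, hits in dns_triggers(SAMPLE_CONF):
        for name, lookup in hits:
            print(f"line {no}: {rule}\n    {name}: {lookup}")
```

On the constructed sample it reports the same three http_access rules that the reply marks with "-->"; a client-side PTR lookup would only show up here if a src* ACL type were present.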