I have some new insight:

The following line triggers the unwanted client IP PTR lookup:

./src/client_side.cc:3590: fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);

Source package: http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.10.tar.gz

This line should only be called if Config.onoff.log_fqdn is 1.
Unfortunately Config.onoff.log_fqdn is set to 1:

squid-3.5.10 :) $ grep -rni Config.onoff.log_fqdn .
./src/format/Token.cc:507: Config.onoff.log_fqdn = 1;
./src/client_side.cc:3081: if (Config.onoff.log_fqdn)
./src/client_side.cc:3184: if (Config.onoff.log_fqdn)
./src/client_side.cc:3589: if (Config.onoff.log_fqdn)
./src/log/FormatSquidIcap.cc:34: if (Config.onoff.log_fqdn)

Config.onoff.log_fqdn is only set to 1 if ">A" is contained in a logformat.
We only use default logformats.
There are only two configuration directives with a default logformat %macro containing the string ">A": url_rewrite_extras and store_id_extras.
We don't use these directives.

On 2016-02-12 11:29, Stefan Hölzle wrote:
> Here's the requested "squid -v" output:
>
> Squid Cache: Version 3.5.10
> Service Name: squid
> configure options: '--host=x86_64-suse-linux-gnu'
> '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/lib' '--sharedstatedir=/usr/com'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--disable-dependency-tracking' '--disable-arch-native' '--prefix=/usr'
> '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
> '--localstatedir=/var' '--libexecdir=/usr/sbin'
> '--datadir=/usr/share/squid' '--libdir=/usr/lib' '--with-dl'
> '--enable-storeio=aufs'
> '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads'
> '--enable-removal-policies=heap,lru' '--enable-delay-pools'
> '--enable-kill-parent-hack' '--with-large-files' '--enable-auth'
> '--disable-auth-basic' '--disable-auth-negotiate' '--disable-auth-ntlm'
> '--disable-htcp' '--enable-log-daemon-helpers=file'
> '--with-default-user=squid' 'build_alias=x86_64-suse-linux-gnu'
> 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -O2 -Wall
> -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
> -fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF'
> 'LDFLAGS=-Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -O2
> -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
> -fasynchronous-unwind-tables -fPIE -fPIC -DOPENSSL_LOAD_CONF'
> 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>
> As I understand, all (potential) PTR lookups only look up hostnames of
> destination IPs.
> I don't see any directive that triggers a PTR lookup for client (source)
> IPs.
> That's the problem I have: squid is doing PTR lookups for client
> (source) IPs with the given configuration.
>
>
> On 12.02.2016 04:40, Amos Jeffries wrote:
>> On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
>>> Maybe my squid.conf will help to solve this.
>> Even more helpful would be your "squid -v" output.
>>
>>
>>> I checked this configuration with "squid -k check".
>>>
>>> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
>>> be corrected):
>>>
>>> #### AUTHENTICATION ####
>>> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
>>> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
>>> auth_param digest program /opt/some_program digestauth
>>> auth_param digest realm Hello
>>> auth_param digest children 1 startup=1 idle=1 concurrency=500
>>> auth_param digest nonce_garbage_interval 5 minutes
>>> auth_param digest nonce_max_duration 30 minutes
>>> auth_param digest nonce_max_count 5000
>>> auth_param digest check_nonce_count off
>>>
>>>
>>> #### ACL ####
>>> acl localnet src 192.168.0.0/24
>>> acl to_localnet dst 192.168.0.0/24
>> Performs DNS A/AAAA resolve of the URL domain to find the set of
>> possible dst-IP.
>>
>>> acl CONNECT_allowexceptions dstdom_regex -i some_domain$
>> Performs PTR lookup of any raw-IP URL hostnames that fail to match the
>> regex pattern as-is.
>>
>>> acl CONNECT_Safe_ports port 443
>>> acl CONNECT method CONNECT
>>>
>>> acl snmppublic snmp_community public
>>>
>>> acl auth_passed proxy_auth REQUIRED
>>> acl ext_name_c_passed external ext_name_c
>>> acl ext_name_a_passed external ext_name_a
>>>
>>> # special exceptions
>>> acl special_url url_regex some_regex
>>> http_access deny special_url
>>> deny_info 200:ERR_PAGE_NAME special_url
>>>
>>> # special rules
>>> acl some_rule dstdom_regex -i some_regex
>>> acl ext_list dstdom_regex -i "/etc/squid/file.list"
>> Both perform PTR lookup of any raw-IP URL hostnames that fail to match
>> the regex pattern as-is.
>>
>>> #### ACCESS ####
>>> http_access allow manager localnet
>>> http_access deny manager
>>>
>>> http_access allow CONNECT CONNECT_allowexceptions
>> --> Potential PTR lookup.
>>
>>> http_access deny CONNECT !CONNECT_Safe_ports
>>> http_access deny to_localhost
>>> http_access deny to_localnet
>> --> definite A/AAAA lookup.
>>
>>> http_access deny special_url
>>> http_access deny ext_list
>> --> Potential PTR lookup.
>>
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> http_access allow some_rule
>> --> Potential PTR lookup.
>>
>>> # activate additional external acls
>>> http_access allow ext_name_a_passed !all
>>>
>>> http_access deny !ext_name_c_passed
>>>
>>> http_access allow auth_passed
>>>
>>> http_access deny all
>>>
>>> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
>>>
>> <snip>
>>
>>> dns_v4_first on
>>> client_db off
>>>
>>> #### IP PORT CONFIG ####
>>> http_port 192.168.0.1:3456
>>>
>>> acl port80 localport 80
>>> acl port443 localport 443
>> Squid is not listening on port 443, nor do you have any "https_port
>> ...intercept" that might receive that port's traffic.
>>
>>> http_port external_ip:80
>>>
>>> acl ext_ip localip external_ip
>>>
>>> tcp_outgoing_address external_ip ext_ip port80
>>> tcp_outgoing_address external_ip ext_ip port443
>>>
>>> cache_mem 250 MB
>>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
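As an added example (not part of this thread and not Squid's own code), the following Python script encodes the lookup rules stated above as a static audit of a squid.conf: it flags `dst` and `dstdom_regex` ACLs that `http_access` rules actually reference (the A/AAAA and potential PTR lookups of the destination that Amos annotates), and it flags any directive whose format string carries a `%>A` token, which per the Token.cc analysis at the top of the thread sets `Config.onoff.log_fqdn` and causes the PTR lookup of every client (source) IP. The sample configuration is condensed from the thread; the `unused_dst` ACL and the `logformat audit` line are constructed additions, and the exact `%>A` token regex is this example's assumption about Squid's `%[-][width][{arg}]code` token syntax.

```python
"""Static audit of a squid.conf for directives that cause DNS lookups.

Added example for the squid-users thread above; not part of Squid.
Rules encoded (all taken from the thread):
  * acl NAME dst ...          -> A/AAAA resolve of the URL domain (definite once used)
  * acl NAME dstdom_regex ... -> PTR lookup of raw-IP URL hostnames that do not
                                 match the regex as-is (potential once used)
  * any %>A format token      -> Config.onoff.log_fqdn = 1 -> PTR lookup of the
                                 *client* (source) IP on every request
"""
import re
from dataclasses import dataclass

# Squid format tokens look like %[-][width][{arg}]CODE; ">A" is the client-FQDN code.
# This regex is the example's assumption; the thread only says ">A" must be present.
CLIENT_FQDN_TOKEN = re.compile(r"%-?\d*(?:\{[^}]*\})?>A(?![A-Za-z])")

# ACL types that resolve the *destination*, with Amos's explanation of why.
ACL_TYPE_LOOKUP = {
    "dst": ("A/AAAA", "definite", "resolves the URL domain to compare against dst-IP"),
    "dstdom_regex": ("PTR", "potential",
                     "reverse-resolves raw-IP URL hostnames that miss the regex as-is"),
}


@dataclass
class Finding:
    line_no: int
    kind: str       # "A/AAAA" or "PTR"
    target: str     # "destination" or "client"
    certainty: str  # "definite" or "potential"
    detail: str


def _config_lines(conf_text):
    """Yield (line_no, line) for non-empty, non-comment lines, 1-based."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield no, line


def audit_squid_dns(conf_text):
    """Return Findings for every DNS lookup the configuration will cause."""
    acl_types = {}   # acl name -> (line_no, acl type)
    used = set()     # acl names referenced by http_access rules
    findings = []
    for no, line in _config_lines(conf_text):
        words = line.split()
        directive = words[0]
        if directive == "acl" and len(words) >= 3:
            acl_types[words[1]] = (no, words[2])
        elif directive == "http_access":
            used.update(w.lstrip("!") for w in words[2:])
        # A %>A token anywhere (logformat, url_rewrite_extras, store_id_extras, ...)
        # is enough to turn on log_fqdn and therefore the client-IP PTR lookup.
        if CLIENT_FQDN_TOKEN.search(line):
            findings.append(Finding(no, "PTR", "client", "definite",
                                    f"{directive} contains a %>A token: sets "
                                    "log_fqdn, PTR lookup of every client IP"))
    # Destination lookups only happen for ACLs that an http_access rule evaluates.
    for name, (no, acl_type) in acl_types.items():
        if acl_type in ACL_TYPE_LOOKUP and name in used:
            kind, certainty, why = ACL_TYPE_LOOKUP[acl_type]
            findings.append(Finding(no, kind, "destination", certainty,
                                    f"acl {name} ({acl_type}) {why}"))
    return sorted(findings, key=lambda f: f.line_no)


# Condensed from the thread's squid.conf; `unused_dst` is a constructed addition
# showing that an ACL nobody references produces no lookup.
SAMPLE_CONF = """\
#### ACL ####
acl localnet src 192.168.0.0/24
acl to_localnet dst 192.168.0.0/24
acl CONNECT_allowexceptions dstdom_regex -i some_domain$
acl CONNECT_Safe_ports port 443
acl CONNECT method CONNECT
acl special_url url_regex some_regex
acl some_rule dstdom_regex -i some_regex
acl ext_list dstdom_regex -i "/etc/squid/file.list"
acl unused_dst dst 10.0.0.0/8
#### ACCESS ####
http_access allow CONNECT CONNECT_allowexceptions
http_access deny CONNECT !CONNECT_Safe_ports
http_access deny to_localnet
http_access deny special_url
http_access deny ext_list
http_access allow localnet
http_access allow some_rule
http_access deny all
"""

# Constructed variant: one custom logformat carrying %>A is enough for log_fqdn.
SAMPLE_CONF_WITH_FQDN = SAMPLE_CONF + 'logformat audit %ts.%03tu %>a/%>A %un "%rm %ru"\n'

if __name__ == "__main__":
    for conf in (SAMPLE_CONF, SAMPLE_CONF_WITH_FQDN):
        for f in audit_squid_dns(conf):
            print(f"line {f.line_no:>3}: {f.certainty:9} {f.kind:6} lookup of "
                  f"{f.target:11} - {f.detail}")
        print("---")
```

Run against the thread's configuration the script reproduces Amos's annotations (one definite A/AAAA lookup for `to_localnet`, three potential PTR lookups for the `dstdom_regex` ACLs) and reports no client-side lookup, which is exactly the gap Stefan then closes by tracing `log_fqdn` in the source; the variant with a `%>A` token shows what the audit would have flagged had such a format been present.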