
More host header forgery pain with peek/splice

This one just seems to keep coming up and I'm wondering how other people are dealing with it:

When you peek and splice a transparently proxied connection, the SNI goes through the host validation phase. Squid does a DNS lookup for the SNI, and if it doesn't resolve to the IP address that the client is connecting to, Squid drops the connection.

When accessing one of the increasingly common websites that use DNS load balancing, since the DNS results change on each lookup, Squid and the client may not get the same DNS results, so Squid drops perfectly good connections.

Most of this problem goes away if you ensure all the clients use the same DNS server as squid, but not quite. Because the TTL on DNS records only has a resolution of 1 second, there is a period of up to 1 second when the DNS records Squid knows about don't match the ones that the client knows about. The client and squid may expire the records up to 1 second apart.

So what's the solution? (Notably the validation check can't be disabled without hacking the code).

--
 - Steve Hill
   Technical Director
   Opendium    Online Safety / Web Filtering    http://www.opendium.com

   Enquiries                 Support
   ---------                 -------
   sales@xxxxxxxxxxxx        support@xxxxxxxxxxxx
   +44-1792-824568           +44-1792-825748
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
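The failure mode the post describes, as an added, constructed model that is not Squid's code and not part of the original message: a proxy resolves the SNI and drops the connection unless the client's destination address appears in the answer. The round-robin name, the shared caching resolver, the whole-second TTL rounding, and the connection timings are all assumptions chosen to reproduce the two cases in the post (different DNS servers, and the same server with the two caches expiring out of step). The "lenient" variant, which re-resolves before dropping and accepts any address the proxy has seen for the name within the last second, is an illustration of a tolerant check added here; the page does not say Squid offers anything like it.

```python
"""Constructed model of the peek/splice host check: the proxy resolves the SNI
and drops the connection unless the client's destination is in the answer.
Everything here (pool, TTL, timings, the lenient variant) is an assumption
made for illustration; none of it is Squid's own code or configuration."""
import math
from dataclasses import dataclass

TTL = 2        # authoritative TTL in whole seconds (constructed)
STEP = 0.25    # interval between simulated client connections
GRACE = 1.0    # lenient check: accept addresses seen within the last second
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]


class RoundRobinAuthority:
    """DNS load balancer: every query returns a different pair from the pool."""
    def __init__(self, pool):
        self.pool, self.k = list(pool), 0

    def resolve(self, now):
        i = (2 * self.k) % len(self.pool)
        self.k += 1
        return frozenset(self.pool[i:i + 2]), TTL


@dataclass
class Cache:
    """Caching resolver. Keeps the answer until its TTL runs out and passes the
    remaining lifetime on as whole seconds (DNS TTLs are integers). Rounding
    that lifetime up is the modelling choice that lets a downstream cache keep
    a record for up to a second after this one has already refreshed it."""
    upstream: object
    addrs: frozenset = frozenset()
    expires: float = -math.inf

    def resolve(self, now, force=False):
        if force or now >= self.expires:
            self.addrs, ttl = self.upstream.resolve(now)
            self.expires = now + ttl
        return self.addrs, math.ceil(self.expires - now)


def simulate(client_lead=0.0, proxy_lead=0.0, shared_dns=True,
             lenient=False, seconds=6.0):
    """Drive one connection every STEP seconds and return how many the check
    drops. *_lead is how long before the first connection each side last
    resolved the name; that offset is what puts their cache expiries out of
    step. shared_dns=False models each side using its own resolver."""
    auth = RoundRobinAuthority(POOL)
    server = Cache(auth)                                    # the shared DNS server
    client = Cache(server) if shared_dns else Cache(auth)
    proxy = Cache(server) if shared_dns else Cache(auth)
    warm = [(client, client_lead), (proxy, proxy_lead)]
    for side, lead in sorted(warm, key=lambda w: -w[1]):    # earliest lookup first
        side.resolve(-lead)

    seen = {}          # addr -> last time the proxy saw it in an answer
    dropped = 0
    for step in range(int(seconds / STEP)):
        now = step * STEP
        addrs, _ = client.resolve(now)
        dst = min(addrs)                     # client connects to the first address
        answer, _ = proxy.resolve(now)
        seen.update(dict.fromkeys(answer, now))
        ok = dst in answer                   # the strict check from the post
        if not ok and lenient:
            # Added tolerant variant: re-resolve before dropping, then allow
            # any address the proxy has seen for this name within GRACE.
            answer, _ = proxy.resolve(now, force=True)
            seen.update(dict.fromkeys(answer, now))
            ok = dst in answer or now - seen.get(dst, -math.inf) <= GRACE
        dropped += not ok
    return dropped


if __name__ == "__main__":
    cases = [
        ("same DNS server, caches in step", dict(client_lead=0, proxy_lead=0)),
        ("same DNS server, client resolved 0.7 s earlier", dict(client_lead=0.7)),
        ("same DNS server, proxy resolved 0.7 s earlier", dict(proxy_lead=0.7)),
        ("different DNS servers", dict(client_lead=0.7, shared_dns=False)),
    ]
    for label, kw in cases:
        print(f"{label}: strict drops {simulate(**kw)}, "
              f"lenient drops {simulate(lenient=True, **kw)}")
```

With identical cache timing the strict check never fires; a 0.7 s offset between the two caches produces a burst of drops every TTL, on whichever side happens to hold the stale record; and with separate resolvers every connection fails, which is the "most of the problem goes away" case from the post. The lenient variant clears the shared-server cases entirely because a forced re-lookup or the one-second grace window covers the expiry skew, but it only reduces the separate-resolver case, since the two sides then see genuinely different rotations rather than a delayed copy of the same one.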
