Mmmmmm, hardly. It downloads directly via proxy from localhost:

root @ khorne /patch # http_proxy=localhost:3128 curl http://repository.certum.pl/ca.cer
[binary certificate data printed to the terminal]
root @ khorne /patch #
root @ khorne /patch # wget -S http://repository.certum.pl/ca.cer
--2017-01-24 23:59:54-- http://repository.certum.pl/ca.cer
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 784
  Last-Modified: Fri, 07 Mar 2014 10:05:14 GMT
  ETag: "34231-310-63d6aa80"
  X-Cached: MISS
  Server: NetDNA-cache/2.2
  X-Cache: HIT
  Accept-Ranges: bytes
  X-Origin-Date: Mon, 23 Jan 2017 06:12:38 GMT
  Date: Tue, 24 Jan 2017 17:59:54 GMT
  X-Cache-Age: 128836
  X-Cache: HIT from khorne
  X-Cache-Lookup: HIT from khorne:3128
  Connection: keep-alive
Length: 784 [text/plain]
Saving to: 'ca.cer'

ca.cer 100%[==================>] 784 --.-KB/s in 0s

2017-01-24 23:59:54 (86.2 MB/s) - 'ca.cer' saved [784/784]

As I understand, the downloader also accesses via localhost, right? So, it should work. Either from localnet, or from localhost the download occurs.

25.01.2017 0:16, Alex Rousskov wrote:
> On 01/24/2017 10:48 AM, Yuri Voinov wrote:
>
>> It seems 4.0.17 tries to download certs but gives deny somewhere.
>> However, same URL with wget via same proxy works
>> Why?
> Most likely, your http_access or similar rules deny internal download
> transactions but allow external ones. This is possible, for example, if
> your access rules use client information. Internal transactions (ESI,
> missing certificate fetching, Cache Digests, etc.) do not have an
> associated client.
>
> The standard denial troubleshooting procedure applies here: Start with
> finding out which directive/ACL denies access. I am _not_ implying that
> this is easy to do.
>
>
> HTH,
>
> Alex.
>
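The following is an added illustration, not Squid code and not written by anyone in this thread: a simplified first-match model of http_access evaluation that reports which rule decides, showing how the same URL can be allowed for a wget from localhost yet denied for an internal transaction. The ACL names localnet and cert_repo, the address range, and the premise that a src ACL cannot match when there is no client are assumptions of this example.

```python
import ipaddress

# Simplified model of first-match http_access evaluation (not Squid's code).
# Assumption: a "src" ACL cannot match a transaction that has no client.
ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["192.168.0.0/16"]),          # constructed range
    "cert_repo": ("dstdomain", ["repository.certum.pl"]),  # hypothetical ACL
}

def acl_matches(name, client_ip, host):
    """True if the named ACL matches this transaction."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        if client_ip is None:      # internal transaction: no client to test
            return False
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        # exact host, or any subdomain when the value starts with a dot
        return any(host == v or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError(f"unsupported ACL type: {kind}")

def evaluate(rules, client_ip, host):
    """Return (action, deciding_rule) for the first rule whose ACLs all match."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, host) for n in names):
            return action, f"http_access {action} {' '.join(names)}"
    raise ValueError("rule lists in this model must end with 'deny all'")

# Every allow rule depends on the client address.
CLIENT_ONLY = [("allow", ["localnet"]), ("allow", ["localhost"]),
               ("deny", ["all"])]
# A destination-based allow placed first does not need a client.
# Note: it also opens that one destination to every client.
WITH_DEST = [("allow", ["cert_repo"])] + CLIENT_ONLY

if __name__ == "__main__":
    host = "repository.certum.pl"
    for label, rules in (("client-only", CLIENT_ONLY), ("with-dest", WITH_DEST)):
        for who, ip in (("wget from localhost", "127.0.0.1"),
                        ("internal fetch", None)):
            print(label, "|", who, "->", evaluate(rules, ip, host))
```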
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users