Maybe this feature is mutually exclusive with the sslproxy_foreign_intermediate_certs option?

25.01.2017 0:19, Yuri Voinov wrote:
> Mmmmmm, hardly.
>
> It downloads directly via the proxy from localhost:
>
> root @ khorne /patch # http_proxy=localhost:3128 curl http://repository.certum.pl/ca.cer
> [binary certificate data omitted]
>
> root @ khorne /patch #
>
> root @ khorne /patch # wget -S http://repository.certum.pl/ca.cer
> --2017-01-24 23:59:54--  http://repository.certum.pl/ca.cer
> Connecting to 127.0.0.1:3128... connected.
> Proxy request sent, awaiting response...
>   HTTP/1.1 200 OK
>   Content-Type: text/plain; charset=UTF-8
>   Content-Length: 784
>   Last-Modified: Fri, 07 Mar 2014 10:05:14 GMT
>   ETag: "34231-310-63d6aa80"
>   X-Cached: MISS
>   Server: NetDNA-cache/2.2
>   X-Cache: HIT
>   Accept-Ranges: bytes
>   X-Origin-Date: Mon, 23 Jan 2017 06:12:38 GMT
>   Date: Tue, 24 Jan 2017 17:59:54 GMT
>   X-Cache-Age: 128836
>   X-Cache: HIT from khorne
>   X-Cache-Lookup: HIT from khorne:3128
>   Connection: keep-alive
> Length: 784 [text/plain]
> Saving to: 'ca.cer'
>
> ca.cer 100%[==================>] 784 --.-KB/s in 0s
>
> 2017-01-24 23:59:54 (86.2 MB/s) - 'ca.cer' saved [784/784]
>
> As I understand, the downloader also accesses via localhost, right? So, it
> should work.
>
> The download occurs either from localnet or from localhost.
>
>
> 25.01.2017 0:16, Alex Rousskov wrote:
>> On 01/24/2017 10:48 AM, Yuri Voinov wrote:
>>
>>> It seems 4.0.17 tries to download certs but gives deny somewhere.
>>> However, same URL with wget via same proxy works.
>>> Why?
>> Most likely, your http_access or similar rules deny internal download
>> transactions but allow external ones. This is possible, for example, if
>> your access rules use client information. Internal transactions (ESI,
>> missing certificate fetching, Cache Digests, etc.) do not have an
>> associated client.
>>
>> The standard denial troubleshooting procedure applies here: Start with
>> finding out which directive/ACL denies access. I am _not_ implying that
>> this is easy to do.
>>
>>
>> HTH,
>>
>> Alex.
>>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
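An added example, not taken from the thread or from either poster's configuration: a squid.conf fragment showing how client-address rules reject the client-less certificate fetch that Alex describes, with a corrected rule order beside it. It assumes a Squid release that provides the `transaction_initiator` ACL type (not confirmed for 4.0.17); the `localnet` range and the ACL name `fetched_certificate` are constructed for illustration.

```conf
# --- Troubleshooting: find which rule denies the transaction ---------
# Debug section 28 is Access Control; level 3 logs each ACL check and
# its match/mismatch result to cache.log. Remove after diagnosis.
debug_options ALL,1 28,3

# --- ACL definitions --------------------------------------------------
# Constructed example range; substitute the real client network.
acl localnet src 192.168.0.0/16

# Matches only transactions that Squid itself starts in order to fetch
# a missing intermediate certificate (ACL name is a constructed label).
acl fetched_certificate transaction_initiator certificate-fetching

# --- BEFORE: rules that rely only on client information ---------------
# An internal transaction has no associated client address, so it
# matches neither "localnet" nor "localhost" and reaches "deny all".
# A wget or curl request from 127.0.0.1 matches "localhost" and is
# allowed, which is why the same URL succeeds when tested by hand.
#
#   http_access allow localnet
#   http_access allow localhost
#   http_access deny all

# --- AFTER: admit the internal fetch explicitly -----------------------
# http_access is first-match, so the initiator rule must come before
# the final "deny all". It is scoped to certificate fetching only and
# does not open the proxy to any additional client.
http_access allow fetched_certificate
http_access allow localnet
http_access allow localhost
http_access deny all
```

With the debug line active, the denied internal request appears in cache.log with the list of ACLs it was checked against, which identifies the rule to adjust.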