Hi all,

I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as ecap_service. This works well. One thing I've noticed though, are constant log entries like this in access.log:

    2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -
    2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -

It appears that this is the OCSP URI for Letsencrypt certificates. And in fact every time this is logged, a CONNECT to an HTTPS URI is logged that is using a Letsencrypt certificate (like e.g. https://letsencrypt.org). Given that there is no client IP logged, I assume that squid is blocking its own outgoing OCSP request here (the browser is configured to NOT use OCSP).

The same seems to happen when there's no OCSP URI, but a regular AIA URI in the certificate:

    2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE - HIER_NONE/- text/html;charset=utf-8 -
    2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT swisssign.net:443 - HIER_DIRECT/swisssign.net - -

I do have "http_access allow localhost" in squid.conf, but since there's no IP associated with the request, this does not seem to help.

Is there a way to allow these outgoing internal requests? I've looked through the FAQ and wiki, but couldn't find anything on the topic.

Thanks & best
/markus

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
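An added squid.conf fragment (example configuration, not from the original post or any reply to it) showing one way to let Squid's own certificate-fetching transactions through http_access without widening access for everyone. It assumes Squid 4.x with ssl_bump enabled, and it assumes the IP-less GETs in the log are Squid fetching a missing intermediate certificate from the AIA "CA Issuers" URL of the bumped server's certificate; that is the kind of transaction the Squid 4 `transaction_initiator certificate-fetching` ACL matches. The built-in `localhost` ACL is a `src` ACL, so it cannot match a transaction that has no client address, which is why "http_access allow localhost" does not help here. The ACL names `squid_cert_fetch` and `cert_fetch_http` are made up for this example.

```conf
# Added example squid.conf fragment (not the poster's config).
# Assumption: the IP-less TCP_DENIED/403 GETs are Squid's own fetches of
# missing intermediate certificates during SSL-Bump.

# Transactions Squid started itself to fetch a certificate (Squid 4 ACL).
acl squid_cert_fetch transaction_initiator certificate-fetching

# Certificate downloads are plain HTTP; keep the allow rule that narrow.
acl cert_fetch_http proto HTTP

# Allow the internal fetches BEFORE the client rules. Rules that depend
# on a source address (localhost, localnet) can never match a transaction
# without a client IP. Deliberately not "http_access allow all".
http_access allow squid_cert_fetch cert_fetch_http

# Existing client rules follow unchanged.
http_access allow localhost
http_access allow localnet
http_access deny all
```

After `squid -k reconfigure`, the check is in access.log: the IP-less GET to the CA's download URL should no longer be logged as TCP_DENIED/403, while requests from clients remain governed by the rules below it. Restricting the allow rule to the `certificate-fetching` initiator and to HTTP keeps the proxy from becoming an open relay for anything else that happens to arrive without a client address.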