On 05/15/2017 06:40 PM, Eliezer Croitoru wrote:
> I tried this with splice but it just doesn't work the requests are still being bumped.

Do you know exactly why they are being bumped? Check the debugging logs
if you do not.

> From the docs I understand that it should work on the URL destination hostname
> and not the ip of the destination hostname.

The dst ACL works on IPs (including, when necessary and allowed, on IPs
obtained from resolved domain names). In a forward-proxy configuration,
those IPs or domains are extracted from the URL. In an ssl_bump context,
that URL comes from the CONNECT request target.

> So my assumption is that it's not in the tcp socket level but the
> http hostname url-hostname level.

What is the exact CONNECT request URL when your dst ACL is being
evaluated in your ssl_bump test case? Does the ACL match? Attach the
corresponding debugging log snippet.

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, May 16, 2017 3:31 AM
> To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: destination ip to splice
>
> On 05/15/2017 06:11 PM, Eliezer Croitoru wrote:
>> I want to [match] all localnet(10.0.0.0/8, 192.168.0.0/16...)
>
> How about something like this, adapted from the existing localnet ACL
> definition in squid.conf.documented?
>
>> acl to_localnet dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
>> acl to_localnet dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl to_localnet dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl to_localnet dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged)
>> acl to_localnet dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl to_localnet dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl to_localnet dst fc00::/7 # RFC 4193 local private network range
>> acl to_localnet dst fe80::/10 # RFC 4291 link-local (directly plugged)
>
> Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
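
The point made in the reply above, that a dst check compares destination IPs taken from the CONNECT request target, can be reproduced offline to see which targets the quoted to_localnet ranges would cover. This is an added example, not code from the thread or from Squid, and it only approximates the matching; the function names and the `resolved` map (a stand-in for DNS) are assumptions.

```python
import ipaddress

# Ranges copied from the to_localnet ACL quoted in the thread.
TO_LOCALNET = [
    "0.0.0.1-0.255.255.255",
    "10.0.0.0/8",
    "100.64.0.0/10",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "fc00::/7",
    "fe80::/10",
]

def _parse(entry):
    """Return (first, last) address objects for a CIDR or 'a-b' range entry."""
    if "-" in entry:
        lo, hi = entry.split("-")
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(entry)
    return net.network_address, net.broadcast_address

RANGES = [_parse(e) for e in TO_LOCALNET]

def split_target(target):
    """Split a CONNECT target 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)

def dst_matches(target, resolved=None):
    """Approximate a dst check: True if a destination IP is in to_localnet.

    resolved is a hypothetical host -> [ip, ...] map standing in for DNS.
    A host name with no resolved address cannot match: only IPs are compared.
    """
    host, _ = split_target(target)
    try:
        candidates = [ipaddress.ip_address(host)]  # target is an IP literal
    except ValueError:
        names = (resolved or {}).get(host, [])     # target is a domain name
        candidates = [ipaddress.ip_address(a) for a in names]
    return any(
        ip.version == lo.version and lo <= ip <= hi
        for ip in candidates
        for lo, hi in RANGES
    )
```

Feeding it the exact CONNECT target seen in the debugging log shows whether the address, or the addresses the name resolves to, falls inside the listed ranges.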