Search squid archive

Re: squid 4.5, can't download certificate?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 1/21/19 10:52 PM, Dmitry Melekhov wrote:
> 21.01.2019 22:29, Alex Rousskov пишет:
>>>> Your Squid (or some helper) appears to be adding an
>>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>>> resulting in a 404 response from that server.

>>> Is there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>>> to redirector?

>> What Squid logformat %code or url_rewrite_extras %code does that address
>> come from?

> default on my case

>> Should the corresponding request have that address? For
>> example, internally-generated requests do not have HTTP client addresses.

>> Will the redirector work if that address is sent as a "-" instead of
>> "ff...fff"?


> rejik redirector developer thinks its better to use 127.0.0.1 as squid
> address,

It sounds like you misunderstood my questions. I will detail them below.

I suspect that fff...fff comes from %>A (whether that %code comes from
the default url_rewrite_extras in your configuration is unimportant).

%>A is documented to to be a client FQDN. I am not sure, and this is not
documented, but perhaps when the client IP address does not point back
to a domain name, %>A should be a client IP address.

For intermediate certificate downloading transactions, Squid does not
have a client address because those transactions are not initiated by a
client connection to Squid. They are generated internally by Squid. In
such cases, Squid should be sending a dash (-), not 127.0.0.1, not
fff...fff, not localhost, and not anything else that might be
misinterpreted as a client IP address or domain name.

I have not investigated why Squid does not send a dash, or what it would
take to fix Squid, but it is likely that this will be eventually fixed
because lying about client address is a bug. To plan the deployment of
that future fix, it may be useful to know whether the redirector you use
handles a dash value for %>A correctly. You may be able to test that by
configuring url_rewrite_extras explicitly and replacing %>A with a dash.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux