Re: HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> · Fri, 25 Jan 2019 08:16:52 -0700

On 1/25/19 1:15 AM, Александр Александрович Березин wrote:

> 0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -

Looks like your http_access rules deny some (or all) CONNECT requests,
probably during SslBump step1. This is not related to your ssl_bump
rules. Examine those rules and adjust them to allow CONNECT requests you
want to allow (and deny all other CONNECT requests).

> acl test dstdomain partner.steam-api.com

I doubt this causes TCP_DENIED errors, but you may want to use an
ssl::server_name ACL instead of dstdomain.

HTH,

Alex.

> [Fri Jan 25 06:50:10 2019].516      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].530      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].537      0 192.168.50.10 TAG_NONE/403 3806
> GET https://partner.steam-api.com/ - HIER_NONE/- text/html
> [Fri Jan 25 06:50:10 2019].568      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].576      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].583      0 192.168.50.10 TAG_NONE/403 3806
> GET http://berezin:0/squid-internal-static/icons/SN.png - HIER_NONE/-
> text/html
>  
> in browser i have are error
>  
> squid error the requested url could not be retrieved
> the following error was encountered while trying to retrieve the url
> https://208.64.202.87 <https://208.64.202.87/>
>  
> if i add 208.64.202.87 <https://208.64.202.87/> in acl test dstdomain
> everything is good and I connect to partner.steam-api.com
>  
>  
> but the address at the end partner.steam-api.com  can be dynamic and
> constantly changing, so I need a connection by name
> tell me what is my mistake?
>  
> -- 
> С Уважением,
> Александр Александрович Березин
>  
> With respect,
> Alexander Alexandrovich Berezin
>  
>  
> 
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users