On 25/08/20 1:09 pm, Mathew Brown wrote:
> Thanks but even with the --no-check-certificate option and using a bump
> instead of splicing, it still fails as shown above unless I add the
> localnet rule. The question is: why does the same ACL line:
>
> http_access allow whitelist
>
> suddenly work when I add an unrelated ACL line after it (http_access
> allow localnet)? Why does it correctly determine the domain httpbin.org
> in the latter case as shown by cache.log?
>

The email from Alex you are replying to already answers both those
questions completely.

> *From:* Alex Rousskov
...
> > The rules above only allow CONNECT requests to .httpbin.org domains.
> >
> > During step1, when Squid intercepts a TLS connection to an IP address of
> > an .httpbin.org domain, Squid http_access rules are applied to a (fake)
> > CONNECT request to the destination IP address. There are no domain names
> > at that TCP-level bumping stage. Thus, you place your Squid at the mercy
> > of reverse DNS lookups.
> >
> > In my environment, reverse DNS does not work for httpbin.org the way you
> > may expect:
> >
> >> $ host 54.236.246.173
> >> 173.246.236.54.in-addr.arpa domain name pointer ec2-54-236-246-173.compute-1.amazonaws.com.
> >
> > The above AWS domain name does not match your whitelist ACLs, of course,
> > and, hence, the fake CONNECT request is denied.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
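Added illustration (editor's example, not part of this thread and not Squid's shipped configuration): a squid.conf fragment that applies Alex's explanation. The failing rule set is kept as a comment next to a version that defers the domain check to the point where a name exists. The ACL names, the 192.168.1.0/24 range, port 3130 and the CA file path are assumptions; the directive syntax (https_port with tls-cert=, at_step and ssl::server_name ACLs) is from the Squid 4 era and should be checked against your own version.

```conf
# Editor's added example, not from the thread. Assumed values: LAN range,
# port 3130, CA file path. Check directive syntax against your Squid version.

acl localnet src 192.168.1.0/24                    # assumed client LAN
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl whitelist     dstdomain        .httpbin.org    # bumped plain-HTTP requests
acl whitelist_sni ssl::server_name .httpbin.org    # TLS handshake, once SNI is known

https_port 3130 intercept ssl-bump tls-cert=/etc/squid/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Weak rule set (what fails): at step1 the fake CONNECT carries only the
# destination IP address, so dstdomain has to rely on reverse DNS. For an
# AWS address that returns something like ec2-...compute-1.amazonaws.com,
# which never matches .httpbin.org, so the client is denied before Squid
# has seen any SNI.
#   http_access allow whitelist
#   http_access deny all

# Corrected rule set: restrict by source first, let the step1 fake CONNECT
# through (no domain name is available yet) so Squid can peek at the
# ClientHello, then enforce the whitelist where a name actually exists:
# the SNI for the CONNECT re-check after peeking, and the Host/URL of the
# bumped requests.
http_access deny !localnet
http_access allow CONNECT step1
http_access allow CONNECT whitelist_sni
http_access allow whitelist
http_access deny all

ssl_bump peek step1
ssl_bump bump whitelist_sni
ssl_bump terminate all
```

Two caveats worth keeping in mind: "allow CONNECT step1" deliberately admits every intercepted TCP connection from the LAN as far as the peek, so the SNI and ssl_bump rules that follow are what actually enforce the whitelist; and bumping only works for clients that trust the CA in tls-cert=, which is why a wget without --no-check-certificate rejects the generated certificate.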