Re: Unable to access internal resources via hostname

On 2024-08-28 11:24, Piana, Josh wrote:

> Here's the log and (I think) relevant ACL's?

According to your access.log, Squid denies problematic CONNECT requests with HTTP 407 error responses. Usually, that means those requests match an "http_access deny" rule. Clearly, you expect an "allow" outcome instead, but it is difficult (for me) to figure out where your expectations mismatch reality; there are no rules that explicitly mention the hexcelssp domain, for example. Which "http_access allow" rule do you expect those denied requests to match?

Also, does mgr:ipcache cache manager query confirm that Squid has read your /etc/hosts file and cached the record you expect it to use?

Alex.


-----------------------------------------------------------------------------------------------------------
# /var/log/squid/access.log results for internal conflicts

28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
-----------------------------------------------------------------------------------------------------------

# acl all src all

acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69

acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69

acl from_arc src 10.46.0.0/15

acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst 172.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com

# these keep URLs of popular local servers from being forwarded
acl local_dst_dom dstdomain arcgate

# allow connects to local destinations without authentication
# by domain name from URL
http_access       allow local_dst_dom
http_reply_access allow local_dst_dom

# by IP address name resolves to
http_access       allow local_dst_addr
http_reply_access allow local_dst_addr

# allow trusted hosts without authentication
# these are just ip's on the 10.46.11.x network
acl authless_src src "/etc/squid/authless_src"
http_access       allow authless_src
http_reply_access allow authless_src
-----------------------------------------------------------------------------------------------------------

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, August 28, 2024 10:47 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Unable to access internal resources via hostname


On 28.08.24 14:20, Piana, Josh wrote:
> Hello Squid Support,

This squid user forum FYI

> We are unable to get to internal resources via hostname but using the
> IP address works fine.  Immediately, I thought this was DNS but when I
> checked the /etc/resolv.conf/ file it was pointing correctly to our
> Windows DNS server and we can ping all devices using their hostname,
> just not when browsing to it.  This leads me to believe something may
> be wrong with our squid config.

hard to guess without seeing logs or ACL's.


--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
It's now safe to throw off your computer.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
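
Added example, not part of any message in this thread: a small Python model of first-match http_access evaluation over the rules posted above, to show which "allow" rule a CONNECT to hexcelssp:443 could hit depending on whether the name resolves. Function names are hypothetical, the `ipcache` dict stands in for Squid's name resolution, the authless_src range is assumed from the "10.46.11.x" comment, and 10.46.11.50 is a constructed address.

```python
import ipaddress

# http_access rules in the order posted in the thread; later rules are not shown there.
RULES = [
    ("allow", "dstdomain", "local_dst_dom", ["arcgate"]),
    # bldg3/bldg5.<domain>.com dst entries omitted: their names are redacted
    ("allow", "dst", "local_dst_addr", ["10.0.0.0/8", "172.0.0.0/8"]),
    # ASSUMPTION: file contents are not shown; the comment says "10.46.11.x"
    ("allow", "src", "authless_src", ["10.46.11.0/24"]),
]

def _in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def _dst_addr(host, ipcache):
    """Return the address a dst ACL would be tested against, or None if unresolved."""
    try:
        return str(ipaddress.ip_address(host))  # request already names an IP literal
    except ValueError:
        return ipcache.get(host.lower())        # stand-in for Squid's ipcache/DNS

def _dstdomain(host, patterns):
    host = host.lower()
    for p in (p.lower() for p in patterns):
        # a leading dot also matches subdomains; without it only the exact name
        if host == p.lstrip(".") or (p.startswith(".") and host.endswith(p)):
            return True
    return False

def first_match(client_ip, host, ipcache):
    """Return (action, acl) of the first posted rule that matches, else None."""
    for action, kind, name, values in RULES:
        if kind == "dstdomain":
            hit = _dstdomain(host, values)
        elif kind == "dst":
            addr = _dst_addr(host, ipcache)
            hit = addr is not None and _in_nets(addr, values)
        else:  # src
            hit = _in_nets(client_ip, values)
        if hit:
            return action, name
    return None  # falls through to rules that are not shown in the thread

CLIENT = "10.46.49.190"                     # client address from the access.log lines
CONSTRUCTED = {"hexcelssp": "10.46.11.50"}  # constructed record, not from the thread
if __name__ == "__main__":
    for host, cache in [("hexcelssp", {}), ("hexcelssp", CONSTRUCTED), ("10.46.11.50", {})]:
        print(host, cache, "->", first_match(CLIENT, host, cache))
```

With an empty `ipcache` the hostname request matches none of the posted allow rules, while the same destination by IP literal matches local_dst_addr.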