Search squid archive

Re: Unable to access internal resources via hostname

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2024-08-28 14:18, Alex Rousskov wrote:
On 2024-08-28 11:24, Piana, Josh wrote:

Here's the log and (I think) relevant ACL's?

According to your access.log, Squid denies problematic CONNECT requests with HTTP 407 errors responses. Usually, that means those requests match an "http_access deny" rule. Clearly, you expect an "allow" outcome instead, but it is difficult (for me) to figure out where your expectations mismatch reality; there are no rules that explicitly mention hexcelssp domain, for example: Which "http_access allow" rule do you expect those denied requests to match?

Sorry, I probably misinterpreted those access.log records: It looks like the denied (TCP_DENIED/407) access is something you actually expect because you want that test request to be authenticated. The client supplies the necessary credentials in the second request, and then that second request fails with a (rather generic) HTTP 500 error code, without contacting the origin server.

I am guessing that you are concerned about that second request/transaction rather than the first one.

Squid generates HTTP 500 errors for a variety of different reasons. Are there any messages in cache.log (at default debugging level) that correspond to these failing test transactions? If there are none, please add %err_code/%err_detail to your access_log logformat so that Squid logs more information about the problem to access.log (see logformat and access_log directives in squid.conf.documented for details).


Thank you,

Alex.



Also, does mgr:ipcache cache manager query confirm that Squid has read your /etc/hosts file and cached the record you expect it to use?

Alex.


-----------------------------------------------------------------------------------------------------------
# /var/log/squid/access.log results for internal conflicts

28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html 28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- - 28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html 28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
-----------------------------------------------------------------------------------------------------------

# acl all src all

acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69

acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69

acl from_arc src 10.46.0.0/15

acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst 172.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com

# these keep URLs of popular local servers from being forwarded
acl local_dst_dom dstdomain arcgate

# allow connects to local destinations without authentication
# by domain name from URL
http_access       allow local_dst_dom
http_reply_access allow local_dst_dom

# by IP address name resolves to
http_access       allow local_dst_addr
http_reply_access allow local_dst_addr

# allow trusted hosts without authentication
# these are just ip's on the 10.46.11.x network
acl authless_src src "/etc/squid/authless_src"
http_access       allow authless_src
http_reply_access allow authless_src
-----------------------------------------------------------------------------------------------------------

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, August 28, 2024 10:47 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Unable to access internal resources via hostname

Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.


On 28.08.24 14:20, Piana, Josh wrote:
Hello Squid Support,

This squid user forum FYI

We are unable to get to internal resources via hostname but using the
IP address works fine.  Immediately, I thought this was DNS but when I
checked the /etc/resolv.conf/ file it was pointing correctly to our
Windows DNS server and we can ping all devices using their hostname,
just not when browsing to it.  This leads me to believe something may
be wrong with our squid config.

hard to guess without seeing logs or ACL's.


--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux