Re: Unable to access internal resources via hostname

[Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>]

On 2024-08-28 14:18, Alex Rousskov wrote:
> On 2024-08-28 11:24, Piana, Josh wrote:
>
> > Here's the log and (I think) relevant ACL's?
>
> According to your access.log, Squid denies problematic CONNECT requests 
> with HTTP 407 errors responses. Usually, that means those requests match 
> an "http_access deny" rule. Clearly, you expect an "allow" outcome 
> instead, but it is difficult (for me) to figure out where your 
> expectations mismatch reality; there are no rules that explicitly 
> mention hexcelssp domain, for example: Which "http_access allow" rule do 
> you expect those denied requests to match?

Sorry, I probably misinterpreted those access.log records: It looks like 
the denied (TCP_DENIED/407) access is something you actually expect 
because you want that test request to be authenticated. The client 
supplies the necessary credentials in the second request, and then that 
second request fails with a (rather generic) HTTP 500 error code, 
without contacting the origin server.

I am guessing that you are concerned about that second 
request/transaction rather than the first one.

Squid generates HTTP 500 errors for a variety of different reasons. Are 
there any messages in cache.log (at default debugging level) that 
correspond to these failing test transactions? If there are none, please 
add %err_code/%err_detail to your access_log logformat so that Squid 
logs more information about the problem to access.log (see logformat and 
access_log directives in squid.conf.documented for details).


Thank you,

Alex.



> Also, does mgr:ipcache cache manager query confirm that Squid has read 
> your /etc/hosts file and cached the record you expect it to use?
>
> Alex.
>
>
> > -----------------------------------------------------------------------------------------------------------
> > # /var/log/squid/access.log results for internal conflicts
> >
> > 28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 
> > CONNECT hexcelssp:443 - HIER_NONE/- text/html
> > 28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT 
> > hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
> > 28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 
> > CONNECT hexcelssp:443 - HIER_NONE/- text/html
> > 28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT 
> > hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
> > -----------------------------------------------------------------------------------------------------------
> >
> > # acl all src all
> >
> > acl src_self src 127.0.0.0/8
> > acl src_self src 10.46.11.69
> >
> > acl dst_self dst 127.0.0.0/8
> > acl dst_self dst 10.46.11.69
> >
> > acl from_arc src 10.46.0.0/15
> >
> > acl local_dst_addr dst 10.0.0.0/8
> > acl local_dst_addr dst 172.0.0.0/8
> > acl local_dst_addr dst bldg3.<domain>.com
> > acl local_dst_addr dst bldg5.<domain>.com
> >
> > # these keep URLs of popular local servers from being forwarded
> > acl local_dst_dom dstdomain arcgate
> >
> > # allow connects to local destinations without authentication
> > # by domain name from URL
> > http_access       allow local_dst_dom
> > http_reply_access allow local_dst_dom
> >
> > # by IP address name resolves to
> > http_access       allow local_dst_addr
> > http_reply_access allow local_dst_addr
> >
> > # allow trusted hosts without authentication
> > # these are just ip's on the 10.46.11.x network
> > acl authless_src src "/etc/squid/authless_src"
> > http_access       allow authless_src
> > http_reply_access allow authless_src
> > -----------------------------------------------------------------------------------------------------------
> >
> > -----Original Message-----
> > From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On 
> > Behalf Of Matus UHLAR - fantomas
> > Sent: Wednesday, August 28, 2024 10:47 AM
> > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re:  Unable to access internal resources via 
> > hostname
> >
> > Caution: This email originated from outside of Hexcel. Do not click 
> > links or open attachments unless you recognize the sender and know the 
> > content is safe.
> >
> >
> > On 28.08.24 14:20, Piana, Josh wrote:
> > > Hello Squid Support,
> >
> > This squid user forum FYI
> >
> > > We are unable to get to internal resources via hostname but using the
> > > IP address works fine.  Immediately, I thought this was DNS but when I
> > > checked the /etc/resolv.conf/ file it was pointing correctly to our
> > > Windows DNS server and we can ping all devices using their hostname,
> > > just not when browsing to it.  This leads me to believe something may
> > > be wrong with our squid config.
> >
> > hard to guess without seeing logs or ACL's.
> >
> >
> > --
> > Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > It's now safe to throw off your computer.
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.squid-cache.org/listinfo/squid-users
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users