On 2024-08-28 14:18, Alex Rousskov wrote:
On 2024-08-28 11:24, Piana, Josh wrote:
Here's the log and (I think) relevant ACL's?
According to your access.log, Squid denies problematic CONNECT requests
with HTTP 407 error responses. Usually, that means those requests match
an "http_access deny" rule. Clearly, you expect an "allow" outcome
instead, but it is difficult (for me) to figure out where your
expectations mismatch reality; there are no rules that explicitly
mention hexcelssp domain, for example: Which "http_access allow" rule do
you expect those denied requests to match?
Sorry, I probably misinterpreted those access.log records: It looks like
the denied (TCP_DENIED/407) access is something you actually expect
because you want that test request to be authenticated. The client
supplies the necessary credentials in the second request, and then that
second request fails with a (rather generic) HTTP 500 error code,
without contacting the origin server.
I am guessing that you are concerned about that second
request/transaction rather than the first one.
Squid generates HTTP 500 errors for a variety of different reasons. Are
there any messages in cache.log (at default debugging level) that
correspond to these failing test transactions? If there are none, please
add %err_code/%err_detail to your access_log logformat so that Squid
logs more information about the problem to access.log (see logformat and
access_log directives in squid.conf.documented for details).
Thank you,
Alex.
Also, does mgr:ipcache cache manager query confirm that Squid has read
your /etc/hosts file and cached the record you expect it to use?
Alex.
-----------------------------------------------------------------------------------------------------------
# /var/log/squid/access.log results for internal conflicts
28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
-----------------------------------------------------------------------------------------------------------
# acl all src all
acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69
acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69
acl from_arc src 10.46.0.0/15
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst 172.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com
# these keep URLs of popular local servers from being forwarded
acl local_dst_dom dstdomain arcgate
# allow connects to local destinations without authentication
# by domain name from URL
http_access allow local_dst_dom
http_reply_access allow local_dst_dom
# by IP address name resolves to
http_access allow local_dst_addr
http_reply_access allow local_dst_addr
# allow trusted hosts without authentication
# these are just ip's on the 10.46.11.x network
acl authless_src src "/etc/squid/authless_src"
http_access allow authless_src
http_reply_access allow authless_src
-----------------------------------------------------------------------------------------------------------
-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On
Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, August 28, 2024 10:47 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Unable to access internal resources via
hostname
On 28.08.24 14:20, Piana, Josh wrote:
Hello Squid Support,
This squid user forum FYI
We are unable to get to internal resources via hostname but using the
IP address works fine. Immediately, I thought this was DNS but when I
checked the /etc/resolv.conf/ file it was pointing correctly to our
Windows DNS server and we can ping all devices using their hostname,
just not when browsing to it. This leads me to believe something may
be wrong with our squid config.
hard to guess without seeing logs or ACL's.
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
It's now safe to throw off your computer.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
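Added example (not part of the original messages and not Squid project code): a small Python script that finds the pattern discussed in this thread, a 407 challenge followed by an authenticated request from the same client that ends in a 5xx with HIER_NONE, i.e. without Squid contacting any upstream server. It assumes the field layout of the access.log excerpt above; the sample lines, addresses and user names are constructed.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of the access.log excerpt in this thread
# (client addresses, host names and user names are placeholders).
SAMPLE_LOG = """\
28/Aug/2024:10:57:17 -0400.234 10.0.0.5 TCP_DENIED/407 4132 CONNECT intranet:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.253 10.0.0.5 NONE_NONE/500 0 CONNECT intranet:443 USER@EXAMPLE.COM HIER_NONE/- -
28/Aug/2024:10:57:18 -0400.101 10.0.0.6 TCP_DENIED/407 4132 CONNECT www.example.org:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:18 -0400.140 10.0.0.6 TCP_TUNNEL/200 5120 CONNECT www.example.org:443 USER2@EXAMPLE.COM HIER_DIRECT/192.0.2.10 -
"""

Record = namedtuple("Record", "time client result status size method url user hier peer mime")

LINE_RE = re.compile(
    r"(?P<time>\S+ \S+) (?P<client>\S+) (?P<result>\w+)/(?P<status>\d{3}) "
    r"(?P<size>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>\S+) "
    r"(?P<hier>\w+)/(?P<peer>\S+) (?P<mime>\S+)$"
)

def parse(log_text):
    """Parse each well-formed line into a Record; skip anything else."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Record(**m.groupdict()))
    return records

def failed_after_auth(records):
    """Return authenticated requests that got a 5xx with no upstream contact
    (HIER_NONE), preceded by a 407 challenge from the same client for the
    same method and target."""
    challenged = set()
    findings = []
    for r in records:
        key = (r.client, r.method, r.url)
        if r.status == "407" and r.user == "-":
            challenged.add(key)          # unauthenticated request was challenged
        elif key in challenged:
            challenged.discard(key)      # this is the follow-up to the challenge
            if r.status.startswith("5") and r.hier == "HIER_NONE" and r.user != "-":
                findings.append(r)
    return findings

if __name__ == "__main__":
    for r in failed_after_auth(parse(SAMPLE_LOG)):
        print(f"{r.time} {r.client} {r.url} user={r.user} -> {r.result}/{r.status}")
```

The records it returns are the transactions to look up in cache.log, or to re-log with %err_code/%err_detail added to the logformat, as suggested in the thread.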