We are unable to get to internal resources via hostname but using the
IP address works fine. Immediately, I thought this was DNS but when I
checked the /etc/resolv.conf/ file it was pointing correctly to our
Windows DNS server and we can ping all devices using their hostname,
just not when browsing to it. This leads me to believe something may
be wrong with our squid config.

Hard to guess without seeing logs or ACLs.

On 28.08.24 15:24, Piana, Josh wrote:
Here's the log and (I think) relevant ACLs?
-----------------------------------------------------------------------------------------------------------
# /var/log/squid/access.log results for internal conflicts
28/Aug/2024:10:57:17 -0400.234 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.253 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
28/Aug/2024:10:57:17 -0400.380 10.46.49.190 TCP_DENIED/407 4132 CONNECT hexcelssp:443 - HIER_NONE/- text/html
28/Aug/2024:10:57:17 -0400.399 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443 JPIANA@AD.<DOMAIN>.COM HIER_NONE/- -
-----------------------------------------------------------------------------------------------------------
[...]
acl from_arc src 10.46.0.0/15
[...]
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com

Are you aware that these get translated to IP addresses?
If you want to use domain names as provided by client, use "dstdomain".

# these keep URLs of popular local servers from being forwarded
acl local_dst_dom dstdomain arcgate

...just like this.

# allow connects to local destinations without authentication
# by domain name from URL
http_access allow local_dst_dom
http_reply_access allow local_dst_dom

http_reply_access is usually not needed, unless you want to control what
clients get only after the content is known to squid, which generally
applies to e.g. mime types.
If you don't do that, better comment out "http_reply_access" lines.

# allow trusted hosts without authentication
# these are just ip's on the 10.46.11.x network
acl authless_src src "/etc/squid/authless_src"
http_access allow authless_src
http_reply_access allow authless_src

I don't see any http_access "deny" line.
Also, I don't see any "http_access allow from_arc"
or any other line that should allow CONNECT from 10.46.49.190 to "hexcelssp"
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
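
An added example, not from the thread or from the Squid project: a simplified Python model of first-match http_access evaluation over only the ACL lines visible in the message above, showing why CONNECT from 10.46.49.190 to hexcelssp matches no allow rule. The /24 standing in for the authless_src file and the patched ACL are assumptions; the elided ("[...]") config, authentication and `dst` (which needs DNS) are not modelled.

```python
import ipaddress

# ACLs visible in the thread. The authless_src file contents are not shown;
# 10.46.11.0/24 is an assumption based on the "10.46.11.x" comment.
ACLS = {
    "from_arc": ("src", ["10.46.0.0/15"]),
    "local_dst_dom": ("dstdomain", ["arcgate"]),
    "authless_src": ("src", ["10.46.11.0/24"]),
}
# http_access lines in the order posted; note from_arc is never referenced.
HTTP_ACCESS = [("allow", ["local_dst_dom"]), ("allow", ["authless_src"])]
# Constructed from the access.log lines: CONNECT hexcelssp:443
REQ = {"src": "10.46.49.190", "host": "hexcelssp"}

def dstdomain_match(host, pattern):
    """dstdomain compares the name from the request, with no DNS lookup.
    A leading dot also matches subdomains; without it the match is exact."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_match(name, req, acls):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(req["host"], v) for v in values)
    raise ValueError(f"ACL type not modelled: {kind}")

def http_access(req, rules, acls):
    """First rule whose ACLs all match wins (ACLs on one line are ANDed)."""
    for action, names in rules:
        if all(acl_match(n, req, acls) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def demo():
    before = http_access(REQ, HTTP_ACCESS, ACLS)
    # Hypothetical change for illustration: list the short name in dstdomain.
    patched = dict(ACLS, local_dst_dom=("dstdomain", ["arcgate", "hexcelssp"]))
    return before, http_access(REQ, HTTP_ACCESS, patched)

if __name__ == "__main__":
    print(demo())
```

The client is inside from_arc, but because no http_access line names that ACL, membership in it has no effect on the decision.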