RE: [SQU] Squid behind firewall - DNS Problem

From: Magnus Ullberg <[email protected]>
Date: Fri, 15 Dec 2000 13:29:27 -0600

Looks like -D just disables the initial dns tests that squid runs at
startup. I ended up adding a new acl called "dstdomain_norev".. I'd really
like some feedback on the possible problems that this code can cause..

Here is the code that does the actual acl-checking..

case ACL_DST_DOMAIN_NOREV:
        /* new ACL: match the literal host, no reverse lookup at all */
        return aclMatchDomainList(&ae->data, r->host);
        /* NOTREACHED */
case ACL_DST_DOMAIN:
        if ((ia = ipcacheCheckNumeric(r->host)) == NULL)
            return aclMatchDomainList(&ae->data, r->host);
        /* host is an IP literal: consult the reverse (PTR) cache */
        fqdn = fqdncache_gethostbyaddr(ia->in_addrs[0], FQDN_LOOKUP_IF_MISS);
        if (fqdn)
            return aclMatchDomainList(&ae->data, fqdn);
        if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NONE) {
            /* no answer cached yet: defer and wait for the lookup */
            debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
                ae->name, inet_ntoa(ia->in_addrs[0]));
            checklist->state[ACL_DST_DOMAIN] = ACL_LOOKUP_NEEDED;
            return 0;
        }
        /* lookup already attempted and failed: match the name "none" */
        return aclMatchDomainList(&ae->data, "none");
        /* NOTREACHED */

acl intranet dstdomain_norev .abc.net

Magnus Ullberg
Network Coordinator

Area Bancshares Corporation
Networking Department
230 Frederica St.
Owensboro, KY 42301
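As an added example (not Squid's code and not the patch above), a small C model of the two code paths being compared: the stock dstdomain check with its deferred reverse lookup, and the proposed dstdomain_norev. The reverse cache is a constructed stand-in for fqdncache, the domain matching is a simplified aclMatchDomainList, and the function names, the 10.x addresses and intranet1.abc.net are assumptions.

```c
#include <string.h>
enum { ACL_LOOKUP_NONE = 0, ACL_LOOKUP_NEEDED = 1 };
int dst_state = ACL_LOOKUP_NONE;  /* plays checklist->state[ACL_DST_DOMAIN] */

/* Constructed stand-in for fqdncache_gethostbyaddr(): only 10.1.2.3 has a cached
 * PTR answer; NULL means the reverse lookup is still pending or has failed. */
static const char *fqdncache_lookup(const char *ip)
{
    return strcmp(ip, "10.1.2.3") == 0 ? "intranet1.abc.net" : NULL;
}
/* Stand-in for ipcacheCheckNumeric(): digits and dots only count as an IP. */
static int is_numeric_host(const char *host)
{
    return host[0] != '\0' && strspn(host, "0123456789.") == strlen(host);
}

/* Simplified aclMatchDomainList(): ".abc.net" matches abc.net and any host
 * below it; a pattern with no leading dot must match exactly. */
int match_domain(const char *pattern, const char *host)
{
    size_t pl = strlen(pattern), hl = strlen(host);
    if (pattern[0] != '.')
        return strcmp(pattern, host) == 0;
    return (hl == pl - 1 && strcmp(pattern + 1, host) == 0)
        || (hl > pl && strcmp(host + hl - pl, pattern) == 0);
}

/* dstdomain as in Squid 2.3: an IP-literal host is reverse-resolved; with no
 * cached answer the check is deferred once (state -> NEEDED, returns 0), and
 * the name "none" is matched after that. Returns 1 on match, else 0. */
int match_dstdomain(const char *pattern, const char *host, int *state)
{
    const char *fqdn;
    if (!is_numeric_host(host))
        return match_domain(pattern, host);
    if ((fqdn = fqdncache_lookup(host)) != NULL)
        return match_domain(pattern, fqdn);
    if (*state == ACL_LOOKUP_NONE) {
        *state = ACL_LOOKUP_NEEDED;       /* caller waits for the PTR lookup */
        return 0;
    }
    return match_domain(pattern, "none");
}

/* The proposed dstdomain_norev: match the literal host and never resolve, so
 * 10.1.2.3, an intranet host reached by IP, no longer counts as .abc.net. */
int match_dstdomain_norev(const char *pattern, const char *host)
{
    return match_domain(pattern, host);
}
```

The last function is the trade-off to weigh before switching the intranet ACL: with no reverse lookup, an intranet server addressed by IP falls out of the always_direct rule and is sent to the parent proxies instead.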

        -----Original Message-----
        From: Stolle, Martin [SMTP:MStolle@KIV.DE]
        Sent: Friday, December 15, 2000 9:41 AM
        To: 'Magnus Ullberg'
        Subject: AW: [SQU] Squid behind firewall - DNS Problem
        Importance: High

        Try to start squid with

        /usr/sbin/squid -sYD

        which will prevent the reverse name lookup.

        This is the reason why this problem didn't happen with my squid.

        When I removed -sYD, the reverse name lookup also happened on my squid.

        Yours,

        Martin Stolle
        Administrator
        KIV in Hessen

        -----Original Message-----
        From: Magnus Ullberg [mailto:UllbergM@abcbank.com]
        Sent: Friday, 15 December 2000 16:29
        To: 'Stolle, Martin'
        Cc: 'squid-users@ircache.net'
        Subject: RE: [SQU] Squid behind firewall - DNS Problem

        I'm using Squid2.3STABLE4
        So do I have to modify the code to have it not do a lookup?

        Thanks,
        Magnus Ullberg
        Network Coordinator

        Area Bancshares Corporation
        Networking Department
        230 Frederica St.
        Owensboro, KY 42301

         -----Original Message-----
        From: Stolle, Martin [mailto:MStolle@KIV.DE]
        Sent: Friday, December 15, 2000 8:59 AM
        To: 'Magnus Ullberg'
        Cc: 'squid-users@ircache.net'
        Subject: AW: [SQU] Squid behind firewall - DNS Problem

        I use SQUID 2.2

        In my original squid.conf, there is the following comment:
        # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
        # based URL is used. The name "none" is used if the reverse lookup
        # fails.
        #
        This is the reason.
        However, on my squid behind a firewall this problem does not happen.

        I tried
        never_direct deny test.abc.de
        never_direct allow all

        always_direct allow test.abc.de
        always_direct allow all

        I tried Squid 2.2stable5

        Yours,

        Martin Stolle

        -----Original Message-----
        From: Magnus Ullberg [mailto:UllbergM@abcbank.com]
        Sent: Friday, 15 December 2000 15:24
        To: 'Stolle, Martin'
        Cc: 'squid-users@ircache.net'
        Subject: RE: [SQU] Squid behind firewall - DNS Problem

        Yes..
        I forgot to include my configuration in my last email.. this is what I
        have.. I believe that the dstdomain acl may be the problem.. to me it looks
        like maybe it's trying to resolve the IP addresses to hostnames to see if they
        are in the .abc.net domain..

        acl intranet dstdomain .abc.net
        never_direct deny intranet
        never_direct allow all

        always_direct allow intranet
        always_direct deny all

        The internal proxy has the ICP port for both parent caches set.

        Magnus Ullberg
        Network Coordinator

        Area Bancshares Corporation
        Networking Department
        230 Frederica St.
        Owensboro, KY 42301

         -----Original Message-----
        From: Stolle, Martin [mailto:MStolle@KIV.DE]
        Sent: Friday, December 15, 2000 7:58 AM
        To: 'Magnus Ullberg'
        Cc: 'squid-users@ircache.net'
        Subject: AW: [SQU] Squid behind firewall - DNS Problem

        Did you use the statement "never_direct allow all" in your squid.conf?
        This will prevent the client cache from asking the internet directly.

        Another possibility: Did you allow UDP port 3130 (for ICP requests) through
        your firewall and configure your client to use it,
        e.g.

        cache_peer 195.27.54.3 parent 3128 3130

        for an internet proxy on IP address 195.27.54.3, proxy port 3128 and
        ICP port 3130?

        Otherwise, your client will time out.

        Greetings,

        Martin Stolle

        -----Original Message-----
        From: Magnus Ullberg [mailto:UllbergM@abcbank.com]
        Sent: Friday, 15 December 2000 15:00
        To: squid-users@ircache.net
        Subject: [SQU] Squid behind firewall - DNS Problem

        I've got a problem. This is my setup:

            Proxy1      Proxy2
               |          |
               \__________/
                     |
                  IntProxy

        Proxy 1 & 2 are on the internet while IntProxy is only on the internal
        network. Everything works fine except when you try to access a website using
        their IP address.
        It hangs for a couple of minutes before showing the page. I think I've
        narrowed it down to what is happening. It looks like it does a reverse DNS
        lookup on the IP address and it has to wait for that to time out.

        Any suggestions for me?

        Thanks,
        Magnus Ullberg
        Network Coordinator

        Area Bancshares Corporation
        Networking Department
        230 Frederica St.
        Owensboro, KY 42301

        --
        To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Fri Dec 15 2000 - 12:32:27 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:59 MST