Looks like -D just disables the initial dns tests that squid runs at
startup. I ended up adding a new acl called "dstdomain_norev".. I'd really
like some feedback on the possible problems that this code can cause..
Here is the code that does the actual acl-checking..
    case ACL_DST_DOMAIN_NOREV:
        /* New ACL type: compare the host exactly as given, no DNS lookup */
        return aclMatchDomainList(&ae->data, r->host);
        /* NOTREACHED */
    case ACL_DST_DOMAIN:
        /* Host is not a numeric IP address: match the name directly */
        if ((ia = ipcacheCheckNumeric(r->host)) == NULL)
            return aclMatchDomainList(&ae->data, r->host);
        /* Numeric host: reverse-resolve it and match the resulting name */
        fqdn = fqdncache_gethostbyaddr(ia->in_addrs[0], FQDN_LOOKUP_IF_MISS);
        if (fqdn)
            return aclMatchDomainList(&ae->data, fqdn);
        if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NONE) {
            debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
                ae->name, inet_ntoa(ia->in_addrs[0]));
            checklist->state[ACL_DST_DOMAIN] = ACL_LOOKUP_NEEDED;
            return 0;
        }
        /* Reverse lookup failed: match against the literal name "none" */
        return aclMatchDomainList(&ae->data, "none");
        /* NOTREACHED */
acl intranet dstdomain_norev .abc.net
Magnus Ullberg
Network Coordinator
Area Bancshares Corporation
Networking Department
230 Frederica St.
Owensboro, KY 42301
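Added example (not part of the original thread and not Squid source code): a simplified C model of how dstdomain and the proposed dstdomain_norev treat an IP-literal host. The helper names and the PTR table are constructed for illustration. It shows that with dstdomain_norev an IP-literal URL for an intranet host no longer matches the .abc.net ACL, so rules built on that ACL stop applying to it.

```c
/* Simplified model of the two ACL types; not Squid source code. */
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed PTR data standing in for the resolver / fqdncache. */
static const char *ptr_table[][2] = {
    { "10.1.2.3", "www.abc.net" },
};

static const char *reverse_lookup(const char *ip)
{
    for (size_t i = 0; i < sizeof ptr_table / sizeof ptr_table[0]; i++)
        if (strcmp(ptr_table[i][0], ip) == 0)
            return ptr_table[i][1];
    return NULL;               /* no PTR record, or resolver unreachable */
}

static int is_numeric_host(const char *host)
{
    struct in_addr a;
    return inet_pton(AF_INET, host, &a) == 1;
}

/* ".abc.net" matches abc.net and every host below it. */
static int domain_match(const char *pattern, const char *host)
{
    size_t pl = strlen(pattern), hl = strlen(host);
    if (pattern[0] != '.')
        return strcasecmp(pattern, host) == 0;
    if (strcasecmp(pattern + 1, host) == 0)
        return 1;
    return hl > pl && strcasecmp(host + hl - pl, pattern) == 0;
}

/* dstdomain: IP-literal hosts are reverse-resolved; "none" on failure. */
int match_dstdomain(const char *pattern, const char *host)
{
    if (!is_numeric_host(host))
        return domain_match(pattern, host);
    const char *fqdn = reverse_lookup(host);
    return domain_match(pattern, fqdn ? fqdn : "none");
}

/* dstdomain_norev: the host string is compared as written, no DNS. */
int match_dstdomain_norev(const char *pattern, const char *host)
{
    return domain_match(pattern, host);
}
```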
-----Original Message-----
From: Stolle, Martin [SMTP:MStolle@KIV.DE]
Sent: Friday, December 15, 2000 9:41 AM
To: 'Magnus Ullberg'
Subject: AW: [SQU] Squid behind firewall - DNS Problem
Importance: High
Try to start squid with
    /usr/sbin/squid -sYD
which will prevent the reverse name lookup.
This is the reason why this problem didn't happen with my squid.
When I removed -sYD, the reverse name lookup also happened on my squid.
Yours,
Martin Stolle
Administrator
KIV in Hessen
-----Original Message-----
From: Magnus Ullberg [mailto:UllbergM@abcbank.com]
Sent: Friday, December 15, 2000 16:29
To: 'Stolle, Martin'
Cc: 'squid-users@ircache.net'
Subject: RE: [SQU] Squid behind firewall - DNS Problem
I'm using Squid2.3STABLE4
So do I have to modify the code to have it not do a lookup?
Thanks,
Magnus Ullberg
Network Coordinator
Area Bancshares Corporation
Networking Department
230 Frederica St.
Owensboro, KY 42301
-----Original Message-----
From: Stolle, Martin [mailto:MStolle@KIV.DE]
Sent: Friday, December 15, 2000 8:59 AM
To: 'Magnus Ullberg'
Cc: 'squid-users@ircache.net'
Subject: AW: [SQU] Squid behind firewall - DNS Problem
I use SQUID 2.2
In my original squid.conf, there is the following comment:
# For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# based URL is used. The name "none" is used if the reverse lookup
# fails.
This is the reason.
However, on my squid behind a firewall this problem does not happen.
I tried
never_direct deny test.abc.de
never_direct allow all
always_direct allow test.abc.de
always_direct allow all
I tried Squid 2.2stable5
Yours,
Martin Stolle
-----Original Message-----
From: Magnus Ullberg [mailto:UllbergM@abcbank.com]
Sent: Friday, December 15, 2000 15:24
To: 'Stolle, Martin'
Cc: 'squid-users@ircache.net'
Subject: RE: [SQU] Squid behind firewall - DNS Problem
Yes..
I forgot to include my configuration in my last email.. this is what I
have.. I believe that the dstdomain acl may be the problem.. to me it looks
like maybe it's trying to resolve the IP addresses to hostnames to see if
they are in the .abc.net domain..
acl intranet dstdomain .abc.net
never_direct deny intranet
never_direct allow all
always_direct allow intranet
always_direct deny all
The internal proxy has the ICP port for both parent caches set.
Magnus Ullberg
Network Coordinator
Area Bancshares Corporation
Networking Department
230 Frederica St.
Owensboro, KY 42301
-----Original Message-----
From: Stolle, Martin [mailto:MStolle@KIV.DE]
Sent: Friday, December 15, 2000 7:58 AM
To: 'Magnus Ullberg'
Cc: 'squid-users@ircache.net'
Subject: AW: [SQU] Squid behind firewall - DNS Problem
Did you use the statement "never_direct allow all" in your squid.conf?
This will prevent the client cache from asking the internet directly.
Another possibility: Did you allow UDP port 3130 (for ICP requests) through
your firewall and configure your client to use it?
e.g.
    cache_peer 195.27.54.3 parent 3128 3130
for an internet proxy on IP address 195.27.54.3, proxy port 3128 and
ICP port 3130.
Otherwise, your client will time out.
Greetings,
Martin Stolle
-----Original Message-----
From: Magnus Ullberg [mailto:UllbergM@abcbank.com]
Sent: Friday, December 15, 2000 15:00
To: squid-users@ircache.net
Subject: [SQU] Squid behind firewall - DNS Problem
I've got a problem. This is my setup:
    Proxy1          Proxy2
      |               |
      \_______________/
              |
          IntProxy
Proxy 1 & 2 are on the internet while IntProxy is only on the internal
network. Everything works fine except when you try to access a website using
their IP address.
It hangs for a couple of minutes before showing the page. I think I've
narrowed it down to what is happening. It looks like it does a reverse DNS
lookup on the IP address and it has to wait for that to time out.
Any suggestions for me?
Thanks,
Magnus Ullberg
Network Coordinator
Area Bancshares Corporation
Networking Department
230 Frederica St.
Owensboro, KY 42301
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Fri Dec 15 2000 - 12:32:27 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:59 MST