Re: [squid-users] Squid ACL problem I think.....

From: Waitman C. Gobble, II <[email protected]>
Date: Sun, 4 Aug 2002 10:22:34 -0700

Hello There,

I am not sure if this will be helpful, but at my first glance it appears to
be a DNS issue. Just a couple of Lincoln heads of my opinion for you....

Note that when a client going through squid makes a request for a web site,
it sends the host request to the server, where name resolution takes place.
Name resolution is not performed on the client. I would suggest performing
some queries for the domains you mention below - from the server running
squid - and see if the resolved addresses make sense.

As an example, let's say I have a client on a network (192.168.168.0/24)
behind a firewall, with squid on a completely different network at a
different location. If I open my browser on the client and request
"192.168.168.5", perhaps some webserver on my local intranet, squid will
look for 192.168.168.5 on ITS network, not the network of the client
machine.

Of course, you can set your browser to avoid the cache request on internal
addresses, or particular blocks, etc.

However - I really hadn't thought much about it previously, but this could
actually be some sort of security concern? Someone outside can easily map to
internal addresses...

I suppose I need to re-evaluate my own squid configuration file....

Take care,

Waitman Gobble
EMK Design
Buena Park California
+1.7145222528
http://emkdesign.com

----- Original Message -----
From: "1.The NetSys Company" <admin@netsys.hn>
To: "Squid Help" <squid-users@squid-cache.org>
Sent: Sunday, August 04, 2002 6:11 AM
Subject: [squid-users] Squid ACL problem I think.....

> -- [ From: 1.The NetSys Company * EMC.Ver #2.5.02 ] --
>
> Hello from Honduras
>
> We are a national ISP and have several hundred dedicated networks under our
> IP blocks ... we pass all http traffic thru Squid however our clients are
> unable to see any web domains of my dedicated clients...
>
> In other words, our clients, whether dedicated or dialup cannot see the
> websites of any of our true domain clients..... for instance ... no
> netsys.hn client can see www.banpais.hn or mayanet.hn..... they can see ALL
> other websites ... no problem ... just the webservers under our IP blocks
> cannot be seen by any NetSys clients...
>
> Any help in this would be greatly appreciated...
>
> --
>
> Quin Taylor
> Operations Manager
>
> The NetSys Company of Honduras
> Email: admin@netsys.hn
> WWWeb site: http://www.netsys.hn
>
> Hotline HelpDesk: 566-1055
> Tel: 504-566-1055
> Fax: 504-566-3183
>
>
Received on Sun Aug 04 2002 - 11:23:31 MDT
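
Added example, not part of the original message and not Squid's own code: a small Python model of how Squid walks `http_access` lines, used to check whether a given client address would be allowed to reach an internal destination through the proxy. It handles only `src`/`dst` ACLs with IPv4 CIDR values; the two configuration fragments, the ACL names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for illustration, and 192.168.168.0/24 is the internal network from the message's example.

```python
import ipaddress

# Constructed squid.conf fragments (not from the thread). 203.0.113.0/24 is a
# stand-in for the proxy's legitimate client range.
OPEN_CONF = """
acl anyone src 0.0.0.0/0
http_access allow anyone
"""
HARDENED_CONF = """
acl clients src 203.0.113.0/24
acl internal dst 192.168.168.0/24 10.0.0.0/8 127.0.0.0/8
http_access deny internal
http_access allow clients
http_access deny all
"""

def parse(conf):
    """Return (acls, rules) from 'acl NAME src|dst NET...' and 'http_access' lines."""
    # "all" is predefined here, as it is built in to current Squid releases.
    acls = {"all": ("src", [ipaddress.ip_network("0.0.0.0/0")])}
    rules = []
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] in ("src", "dst"):
            nets = [ipaddress.ip_network(w) for w in words[3:]]
            kind, old = acls.get(words[1], (words[2], []))
            acls[words[1]] = (kind, old + nets)
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def matches(acls, name, src, dst):
    # A leading "!" negates the ACL, as in squid.conf.
    negate, name = name.startswith("!"), name.lstrip("!")
    kind, nets = acls[name]
    addr = ipaddress.ip_address(src if kind == "src" else dst)
    return any(addr in n for n in nets) != negate

def decide(conf, src, dst):
    """First http_access line whose ACLs all match wins. dst is the address
    the proxy host (not the client) resolved for the requested name."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls, n, src, dst) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line (deny if none).
    if rules and rules[-1][0] == "deny":
        return "allow"
    return "deny"
```

Ordering matters in the hardened fragment: the `deny internal` line sits before `allow clients`, so even a legitimate client cannot use the proxy to reach the proxy host's own internal ranges.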

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:30 MST