RE: [squid-users] Squid2.4 & /etc/hosts

From: Jay Turner <[email protected]>
Date: Wed, 5 Feb 2003 16:04:12 +0800

I will have to double check. The server is offsite, so I will need to go and
run some more tests. We have bypassed the issue by allowing users to connect
directly to this address via the BorderManager child.

I am just pursuing this now in order to determine if this is actually a bug
that needs fixing so it won't affect others in the future.

If http://webmail.company.com shows the IP as being the internal IP, would
this suggest there is a bug with the https:// code?

If http://webmail.company.com also shows the external IP, then the problem
is elsewhere?

We are using squidGuard, but it is not actually blocking anything, just
passing all traffic through unrestricted (Admin users).

-----Original Message-----
From: hno@marasystems.com [mailto:hno@marasystems.com]On Behalf Of
Henrik Nordstrom
Sent: Wednesday, 5 February 2003 3:05 PM
To: jturner@bsis.com.au
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid2.4 & /etc/hosts

What do you get in Squid access.log on a request for
http://webmail.company.com/?

Are you using any redirectors?

Regards
Henrik

Jay Turner wrote:
>
> Hi Robert,
>
> Thanks for your reply. Checking the log file the CONNECT method is provided
> to squid with the hostname webmail.company.com however the IP address that
> is shown is the world address rather than the address specified in the
> /etc/hosts file.
>
> ie
> /etc/hosts entry: 10.14.12.122 webmail.company.com
> Browser Request: https://webmail.company.com
> Log Shows: 10.14.12.123 TCP_MISS/503 0 CONNECT webmail.company.com:443 - DIRECT/203.123.xxx.xxx -
>
> So you are saying this should work and is probably a bug?
>
> -----Original Message-----
> From: Robert Collins [mailto:robertc@squid-cache.org]
> Sent: Wednesday, 5 February 2003 9:14 AM
> To: jturner@bsis.com.au
> Cc: Henrik Nordstrom; squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid2.4 & /etc/hosts
>
> On Wed, 2003-02-05 at 12:02, Jay Turner wrote:
> > But it is maintained by Red Hat who backport any security patches to the
> > 2.4 version they ship with 7.3.
> >
> > If you could please re-read my post you will note that I have recompiled
> > with --disable-internal-dns and it successfully references /etc/hosts for
> > http:// pages. My question relates to https:// pages and having squid do a
> > local lookup from somewhere for the IP address rather than fetching it from
> > the DNS (as it does with /etc/hosts for http:// requests).
>
> Which you probably can't do.
> If the CONNECT verb is provided to squid with an ip address rather than
> a hostname, no proxy can do what you are asking.
> If a hostname is provided, then the same host->ip lookup path is
> followed as for http:// requests.
>
> Check access.log. If you see CONNECT ipaddress:443 then you need to look
> at using a redirector to alter the requested IP address.
> If you see CONNECT hostname:443, then please log a bug in bugzilla.
>
> Rob
> --
> GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.
Received on Wed Feb 05 2003 - 00:58:41 MST
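
The access.log check discussed in this thread, as an added example that is not part of the original messages: it classifies each CONNECT line by whether the target was a hostname or an IP literal, and whether the address Squid connected to matches the /etc/hosts entry. The function names and verdict labels are hypothetical, the sample log lines are constructed, and 203.0.113.7 is a documentation-range stand-in for the external address.

```python
import ipaddress

# Constructed sample data modelled on the thread; not real log output.
HOSTS = "127.0.0.1 localhost\n10.14.12.122 webmail.company.com  # internal\n"
LOG = """\
1044432000.123 310 10.14.12.123 TCP_MISS/503 0 CONNECT webmail.company.com:443 - DIRECT/203.0.113.7 -
1044432001.456 120 10.14.12.123 TCP_MISS/200 1840 CONNECT webmail.company.com:443 - DIRECT/10.14.12.122 -
10.14.12.123 TCP_MISS/200 912 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1044432003.000 80 10.14.12.123 TCP_MISS/200 5120 GET http://webmail.company.com/ - DIRECT/10.14.12.122 text/html
"""

def parse_hosts(text):
    """Map each lower-cased name and alias in hosts-file text to its IP."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def is_ip(value):
    """True when the CONNECT target is an address literal, not a name."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def classify(line, hosts):
    """Return (target_host, peer_ip, verdict) for a CONNECT line, else None."""
    fields = line.split()
    if "CONNECT" not in fields:
        return None
    i = fields.index("CONNECT")  # works with or without leading timestamp fields
    if len(fields) < i + 4:
        return None  # truncated line
    host = fields[i + 1].rpartition(":")[0].lower()
    peer = fields[i + 3].partition("/")[2]  # hierarchy field, e.g. DIRECT/<ip>
    if is_ip(host):
        verdict = "ip-literal"      # no name was sent, so /etc/hosts cannot apply
    elif host not in hosts:
        verdict = "not-in-hosts"
    elif peer == hosts[host]:
        verdict = "hosts-honoured"
    else:
        verdict = "hosts-bypassed"  # hostname sent, yet a different IP was used
    return host, peer, verdict

def audit(log_text, hosts_text):
    """Classify every CONNECT line in log_text against hosts_text."""
    hosts = parse_hosts(hosts_text)
    return [r for r in (classify(l, hosts) for l in log_text.splitlines()) if r]
```

A "hosts-bypassed" row corresponds to the log line Jay quotes, where a hostname was sent but the connection went to the external address.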
