kevin band wrote:
> Hi,
>
> I'm hoping somebody can help me here, because I'm at a loss about what
> to do next.
>
> Basically we have squid running as a proxy server to restrict access
> to just those sites which we've included in our ACL's
> I have noticed recently that it isn't handling HTTPS reqests properly
> if the URL contains an IP address instead of a domain name.
>
> The reason this is a particular problem is that although the users can
> connect to the page using the domain name, something within that
> domain is then forwarding requests to the same web-server using its IP
> address.
> I'm sure I have my ACL's setup correctly because squid will forward
> the request using either URL if I send the requests using HTTP. It
> then times out on the web-server because it only allows https, but at
> least the request is being forwarded to the web-server rather than
> being denied in squid
The remote web server(s) is rejecting the connections. Probably because
the SSL certificates require a domain name as part of their
authentication validation.
It's probably a broken client browser or maybe the website itself
sending funky page URLs with the raw-IP inside. If you care you need to
find out which and complain to whoever made the broken bits. Squid is
just an innocent middleman here.
>
> Here's an extract from the logs that might explain it better :-
>
> 158.41.4.44 - - [04/Dec/2009:15:56:47 +0000] "GET
> http://stpaccess.marksandspencer.com/ HTTP/1.1" 504 1024 TCP_MISS:NONE
> 158.41.4.44 - - [04/Dec/2009:15:57:02 +0000] "CONNECT
> stpaccess.marksandspencer.com:443 HTTP/1.0" 200 7783 TCP_MISS:DIRECT
> 158.41.4.44 - - [04/Dec/2009:16:01:53 +0000] "GET
> http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1"
> 504 1064 TCP_MISS:NONE
> 158.41.4.44 - - [04/Dec/2009:16:03:13 +0000] "CONNECT
> 63.130.82.113:443 HTTP/1.0" 403 980 TCP_DENIED:NONE
>
>
> And config extracts:
>
> acl SSL_ports port 443 563 444
> acl Safe_ports port 80 8002 23142 5481 5181 5281 5381 5481 5581
> 5400 5500 # http
> acl Safe_ports port 23142 # OPEL project
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 444 563 # https, snew#s
>
> acl CONNECT method CONNECT
>
> acl regex_ms dstdom_regex -i "/home/security/regex_marksandspencer.txt"
> acl urlregex_mands url_regex -i
> "/home/security/regex_marksandspencer_ip.txt"
> acl mands_allowed_nets src "/home/security/mands_allowed_nets.txt"
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow regex_ms mands_allowed_nets
> http_access allow urlregex_mands mands_allowed_nets
> http_access deny all
>
> There are actually a lot more ACL's than this, but these are the only
> ones I think are relevant
>
> relevant extracts from files linked to ACLs:
> regex_marksandspencer.txt
> .*marksandspencer.*com
>
> regex_marksandspencer_ip.txt
> .*.63.130.82.113
>
>
> Thanks for any help.
>
> Kevin,
Kevin, meet dstdomain:
acl markandspencer dstdomain .marksandspencer.com 63.130.82.113
http_access allow markandspencer mands_allowed_nets
10x or more faster than regex. Matching marksandspencer.com, all
sub-domains and the raw-IP address form.
Amos
-- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20 Current Beta Squid 3.1.0.15Received on Mon Dec 07 2009 - 09:54:55 MST
This archive was generated by hypermail 2.2.0 : Mon Dec 07 2009 - 12:00:01 MST