[squid-users] https from different Subnet not working

From: Jarosch, Ralph <Ralph.Jarosch_at_justiz.niedersachsen.de>
Date: Tue, 14 Jul 2009 10:14:53 +0200

Hello everyone,

Once again I have a small problem with my Squid servers. The setup is as follows.

We have different network segments spread across the individual sites, 10.37.*.*, 10.39.*.*, 10.55.*.* .... /24. All of them reach the Internet via VPN through the proxy at headquarters. The proxy system consists of a front proxy and four parent proxies behind it that serve as cache systems.

In addition there is a Squidguard running on the same machine as the front proxy. From all networks I can access http pages on the intranet and the Internet without problems. But if I call up https pages they only work from the 10.37 networks. From all the others the request gets mangled, e.g. https://www.bank.de becomes --> http.bank.de.

I am now at my wits' end. Maybe one of you can find my mistake. I am really grateful for any tip.

Here is my config from the front proxy

Hi @all,

I have a little problem with my Squid proxies.

We have different class C subnets at our branch offices (10.37.*.* 10.39.*.* ....)
All of them connect to our main location by VPN.
The Squid proxy is located in our main location.
If I connect from a branch office with the subnet 10.37.34.*/24 to an https website I have no problems.
If I do the same from another location with a subnet like 10.39.85.*/24 I get the following error message.

The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http.yyy.xxx:443
The following error was encountered:
Unable to determine IP address from host name for
The dnsserver returned:
Name Error: The domain name does not exist.
This means that:
 The cache was not able to resolve the hostname presented in the URL.
 Check if the address is correct.
Your cache administrator is webmaster.
--------------------------------------------------------------------------------
Generated Tue, 14 Jul 2009 08:10:39 GMT by xxxxxxx (squid/2.5.STABLE12)

The requested URL was https://www.ebay.com

My squid.conf:

acl all src 0.0.0.0/0.0.0.0
acl netze src 10.39.0.0/16, 10.38.0.0/16, 10.37.0.0/16, 10.40.0.0/16, 10.41.0.0/16, 10.55.0.0/16, 10.59.0.0/16, 10.61.0.0/16, 10.66.0.0/16, 10.68.0.0/16
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8080 3443 8443 4443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost netze
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow netze
http_access allow localhost
http_access deny all
icp_access allow all
follow_x_forwarded_for allow netze
http_port 3128
cache_peer 10.37.132.5 parent 3128 7 no-query proxy-only no-digest sourcehash
cache_peer 10.37.132.6 parent 3128 7 no-query proxy-only no-digest sourcehash
cache_peer 10.37.132.7 parent 3128 7 no-query proxy-only no-digest sourcehash
cache_peer 10.37.132.8 parent 3128 7 no-query proxy-only no-digest sourcehash
hierarchy_stoplist cgi-bin ?
access_log /data/log/access.log squid
debug_options ALL,9
url_rewrite_program /usr/local/bin/squidGuard
redirector_bypass off
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname proxy.yyy.xxx.de
acl local-server dst 10.39.0.0/16, 10.38.0.0/16, 10.37.0.0/16, 10.40.0.0/16, 10.41.0.0/16, 10.55.0.0/16, 10.59.0.0/16, 10.61.0.0/16, 10.66.0.0/16, 10.68.0.0/16
acl local-webserver dstdomain *.yyy.xxx.de
always_direct allow local-server
always_direct allow local-webserver
never_direct allow all
append_domain .yyy.xxx.de
forwarded_for on
coredump_dir /var/spool/squid

thanks for help

Ralph Jarosch
ZIB
Zentraler IT-Betrieb Niedersächsische Justiz

- Technisches Betriebszentrum -
Ralph Jarosch
Schlossplatz 2
29221 Celle
Tel.:         +49 (5141) 206-145
Mobil:       +49 (162) 9069470
E-Mail:    ralph.jarosch_at_justiz.niedersachsen.de
Intranet: http://intra.zib.niedersachsen.de
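A throwaway stand-in for the url_rewrite_program, added here as an example and not part of the original post or of squidGuard: it speaks the Squid 2.x redirector protocol (one line per request, `URL client_ip/fqdn ident method`; answer with an empty line for "unchanged" or with a replacement URL) and passes CONNECT requests through untouched. Swapping it in for squidGuard on the front proxy is one way to check whether the rewriter stage is where `https://www.bank.de` turns into `http.bank.de:443`; the client IPs in the sample lines and the block page URL are constructed placeholders.

```python
#!/usr/bin/env python3
"""Pass-through url_rewrite_program for Squid 2.x (added example, not squidGuard)."""
import sys
from urllib.parse import urlsplit

# Placeholder block page; assumption, not from the original post.
BLOCK_PAGE = "http://blocked.example.invalid/"

# Constructed sample input, one line per request as Squid hands it to the helper.
SAMPLE_REQUESTS = [
    "www.ebay.com:443 10.37.34.10/- - CONNECT",   # https from the working subnet
    "www.ebay.com:443 10.39.85.10/- - CONNECT",   # https from a failing subnet
    "http://www.bank.de/ 10.39.85.10/- - GET",    # plain http, works everywhere
]


def parse_request(line):
    """Parse one redirector line: 'URL client_ip/fqdn ident method'.

    For CONNECT the first field is 'host:port' with no scheme, so a rewriter
    that assumes every input looks like 'scheme://host/...' can mangle it.
    """
    parts = line.strip().split()
    if len(parts) < 4:
        raise ValueError(f"malformed rewriter input: {line!r}")
    url, client, ident, method = parts[:4]
    return {"url": url, "client_ip": client.split("/", 1)[0],
            "ident": ident, "method": method}


def rewrite(line, blocked_hosts=frozenset()):
    """Return what Squid expects back: '' to leave the request alone,
    otherwise the replacement URL."""
    req = parse_request(line)
    if req["method"] == "CONNECT":
        return ""                     # tunnel setup: never touch host:port
    host = urlsplit(req["url"]).hostname or ""
    return BLOCK_PAGE if host in blocked_hosts else ""


def run_samples(lines=SAMPLE_REQUESTS):
    """Map (client_ip, url) -> helper answer, to compare subnets side by side."""
    return {(parse_request(l)["client_ip"], parse_request(l)["url"]): rewrite(l)
            for l in lines}


if __name__ == "__main__":
    # Squid keeps this helper running; answer exactly one line per input line.
    for request in sys.stdin:
        sys.stdout.write(rewrite(request) + "\n")
        sys.stdout.flush()
```

Running it with `url_rewrite_program` pointed at this script and `debug_options ALL,9` still on shows in cache.log whether the CONNECT host reaches the parent peers unchanged from both subnets.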
Received on Tue Jul 14 2009 - 08:15:21 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 14 2009 - 12:00:03 MDT