Re: [squid-users] https from different Subnet not working

From: Jarosch, Ralph <Ralph.Jarosch_at_justiz.niedersachsen.de>
Date: Tue, 14 Jul 2009 11:11:40 +0200

This is the latest supported squid-2 version for RHEL5.3

And I want to use the dnsserver

-----Original Message-----
From: adrian.chadd_at_gmail.com [mailto:adrian.chadd_at_gmail.com] On behalf of Adrian Chadd
Sent: Tuesday, 14 July 2009 10:38
To: Jarosch, Ralph
Subject: Re: [squid-users] https from different Subnet not working

The first thing you should do is upgrade to the latest Squid-2 or
Squid-3, depending upon your environment needs.

Secondly, you should evaluate whether you truly want to use
dnsserver, or whether you can use the internal DNS redirector.

HTH,

Adrian

2009/7/14 Jarosch, Ralph <Ralph.Jarosch_at_justiz.niedersachsen.de>:
> Hello everyone,
>
> I once again have a small problem with my Squid servers. The setup is as follows.
>
> We have various network segments distributed over the individual sites: 10.37.*.* 10.39.*.* 10.55.*.* .... /24. All of them reach the Internet via VPN through the proxy at headquarters. The proxy system consists of a front proxy and four parent proxies behind it that serve as cache systems.
>
> In addition there is a squidGuard running on the same machine as the front proxy. From all networks I can access http pages on the intranet and the Internet without problems. But if I open https pages, they only work from the 10.37 networks. From all other networks the request gets mangled, e.g. https://www.bank.de becomes http.bank.de.
>
> I am now at my wits' end. Maybe one of you can spot my mistake. I am really grateful for any tip.
>
> Here is my config from the front proxy
>
>
> Hi @all,
>
> I have a little problem with my Squid proxies.
>
> We have different class C subnets at our branch offices (10.37.*.* 10.39.*.* ....)
> All of them connect to our main location by VPN.
> The Squid proxy is located in our main location.
> If I connect from a branch office with the subnet 10.37.34.*/24 to an https website I have no problems.
> If I do the same from another location with a subnet like 10.39.85.*/24 I get the following error message.
>
>
>
> The requested URL could not be retrieved
> --------------------------------------------------------------------------------
> While trying to retrieve the URL: http.yyy.xxx:443
> The following error was encountered:
> Unable to determine IP address from host name for
> The dnsserver returned:
> Name Error: The domain name does not exist.
> This means that:
>  The cache was not able to resolve the hostname presented in the URL.
>  Check if the address is correct.
> Your cache administrator is webmaster.
> --------------------------------------------------------------------------------
> Generated Tue, 14 Jul 2009 08:10:39 GMT by xxxxxxx (squid/2.5.STABLE12)
>
>
> The requested URL was https://www.ebay.com
>
> My squid.conf:
>
> acl all src 0.0.0.0/0.0.0.0
> acl netze src 10.39.0.0/16, 10.38.0.0/16, 10.37.0.0/16, 10.40.0.0/16, 10.41.0.0/16, 10.55.0.0/16, 10.59.0.0/16, 10.61.0.0/16, 10.66.0.0/16, 10.68.0.0/16
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 8080 3443 8443 4443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost netze
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow netze
> http_access allow localhost
> http_access deny all
> icp_access allow all
> follow_x_forwarded_for allow netze
> http_port 3128
> cache_peer 10.37.132.5 parent 3128 7 no-query proxy-only no-digest sourcehash
> cache_peer 10.37.132.6 parent 3128 7 no-query proxy-only no-digest sourcehash
> cache_peer 10.37.132.7 parent 3128 7 no-query proxy-only no-digest sourcehash
> cache_peer 10.37.132.8 parent 3128 7 no-query proxy-only no-digest sourcehash
> hierarchy_stoplist cgi-bin ?
> access_log /data/log/access.log squid
> debug_options ALL,9
> url_rewrite_program /usr/local/bin/squidGuard
> redirector_bypass off
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> visible_hostname proxy.yyy.xxx.de
> acl local-server dst 10.39.0.0/16, 10.38.0.0/16, 10.37.0.0/16, 10.40.0.0/16, 10.41.0.0/16, 10.55.0.0/16, 10.59.0.0/16, 10.61.0.0/16, 10.66.0.0/16, 10.68.0.0/16
> acl local-webserver dstdomain *.yyy.xxx.de
> always_direct allow local-server
> always_direct allow local-webserver
> never_direct allow all
> append_domain .yyy.xxx.de
> forwarded_for on
> coredump_dir /var/spool/squid
>
>
>
> Thanks for your help
>
> Ralph Jarosch
> ZIB
> Zentraler IT-Betrieb Niedersächsische Justiz
>
> - Technisches Betriebszentrum -
> Ralph Jarosch
> Schlossplatz 2
> 29221 Celle
> Tel.:         +49 (5141) 206-145
> Mobil:       +49 (162) 9069470
> E-Mail:    ralph.jarosch_at_justiz.niedersachsen.de
> Intranet: http://intra.zib.niedersachsen.de
>
>
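As an added illustration that is not part of this thread, here is a small Python model of how Squid 2.x parses a CONNECT request URL and applies append_domain after the url_rewrite_program has replied, together with the line format Squid 2.5 feeds that program, so the same request can be replayed against it from different source addresses. It assumes, which the thread does not establish, that a redirector reply carrying a scheme (such as http://www.bank.de for a CONNECT request) is what yields a host like http.yyy.xxx:443 in the error page; the append_domain value is the one from the posted config.

```python
"""Constructed model (not Squid or squidGuard code) of Squid 2.x's handling of a
CONNECT URL after the url_rewrite_program has replied."""
import re

APPEND_DOMAIN = ".yyy.xxx.de"   # append_domain from the posted squid.conf
CONNECT_PORT = 443              # Squid's default port when a CONNECT URL has none


def redirector_input_line(url, client_ip, method="CONNECT", fqdn="-", ident="-"):
    """Line Squid 2.5 writes to the rewrite program for one request:
    'URL client_ip/fqdn ident method'. Pipe it into the program on stdin to
    replay the same request as seen from different source subnets."""
    return f"{url} {client_ip}/{fqdn} {ident} {method}\n"


def parse_connect_url(url, append_domain=APPEND_DOMAIN):
    """Mimic Squid 2.x urlParse() for METHOD_CONNECT, which scans the URL with
    sscanf("%[^:]:%d", host, &port): host is everything before the first ':',
    the port only changes if an integer follows the ':', and a host containing
    no dot then gets append_domain attached. Returns None when no host parses."""
    m = re.match(r"([^:]+)(?::(\d+))?", url)
    if not m:
        return None
    host = m.group(1)
    port = int(m.group(2)) if m.group(2) else CONNECT_PORT
    if append_domain and "." not in host:
        host += append_domain
    return host, port


def apply_redirector_reply(original_url, reply):
    """Squid keeps the original URL when the program answers with an empty line
    and otherwise uses the replacement; either way it re-parses it as CONNECT."""
    replacement = reply.strip()
    return parse_connect_url(replacement or original_url)


if __name__ == "__main__":
    # Constructed replies for the same CONNECT request from two subnets: the
    # second one answers with a scheme-prefixed URL, which a CONNECT parse
    # reduces to the host "http" before append_domain is attached.
    cases = [("10.37.34.10", "\n"), ("10.39.85.10", "http://www.bank.de\n")]
    for client_ip, reply in cases:
        print("to redirector:", redirector_input_line("www.bank.de:443", client_ip).rstrip())
        print("   squid uses:", apply_redirector_reply("www.bank.de:443", reply))
```

Feeding the same input line to the real url_rewrite_program on stdin, once per source address, shows whether its replies differ by subnet.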
Received on Tue Jul 14 2009 - 09:12:01 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 14 2009 - 12:00:03 MDT