Re[4]: [squid-users] reverse DNS by squid when using parent proxy

From: Cliff <cliff@dont-contact.us>
Date: Sun, 17 Feb 2002 13:18:27 -0900

Hi Henrik.

Sunday, February 17, 2002, 9:43:36 AM, you wrote:

SSHN> If you want to deny proxying then this has to be done outside Squid
SSHN> (usually in the browser configuration). Squid has no control of what
SSHN> reaches Squid, only how Squid will forward the request once it has
SSHN> been accepted by Squid.

SSHN> But I am not sure I understand your setup fully. What DNS servers are
SSHN> you using

resolv.conf:
nameserver 192.168.1.222
search milkyway.hom
search antares.hom

eth1 DSL in/out
eth0 192.168.1.222 bigdipper.milkyway.hom
eth2 192.168.2.222 bigdipper.antares.hom
The local webserver resides at .222 on both networks
Squid successfully proxies at .222:3128 for both networks
DNS resides at .222 on both networks.
Gateway for both networks is .222

I can get on the 192.168.1.x network and set the browser
to go to 192.168.2.222:3128 for proxy and it works fine.

I can get on the 192.168.2.x network and set the browser
to go to 192.168.1.222:3128 for proxy and it works fine.

Meaning that....
From both networks I can set the browser to proxy from
.222 on the *other* network and it works fine.
Or I can just point the browser at .222 on its own network
and squid works just fine.

Squid seems to be 100% transparent whether I use the direct
ip addy or my 2 fake internal domain names.

But when I enable cache_peer, I lose the ability to hit the
local webserver at 192.168.1.222 (bigdipper.milkyway.hom)
and 192.168.2.222 (bigdipper.antares.hom) directly by ip addy.
Yet the canonical name still proxies just fine from both networks.

Disable cache_peer and restart squid - everything is fine again.

I have not enabled always_direct.
I have not enabled never_direct.

SSHN> and how do the relevant parts of your squid.conf look
SSHN> like?

# TAG: http_port
# http_port 3128

# TAG: icp_port
icp_port 3130
# enabled this for parent cache

# TAG: htcp_port
#htcp_port 4827

# TAG: mcast_groups
#mcast_groups 239.128.16.128

# TAG: tcp_outgoing_address
#tcp_outgoing_address 0.0.0.0
#udp_incoming_address 0.0.0.0
#udp_outgoing_address 0.0.0.0

# TAG: cache_peer
#
#cache_peer hostname type 3128 3130
cache_peer sd.us.ircache.net parent 3128 3130 login=yasure@u-huh.net:dsfgdsfgdfsgfdsg
cache_peer sv.us.ircache.net parent 3128 3130 login=yasure@u-huh.net:sdfgdfgsdfgdfsg

# TAG: cache_peer_domain

# TAG: neighbor_type_domain
#EXAMPLE:
# cache_peer parent cache.foo.org 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de

# TAG: icp_query_timeout (msec)
#icp_query_timeout 0

# TAG: maximum_icp_query_timeout (msec)
#maximum_icp_query_timeout 2000

# TAG: mcast_icp_query_timeout (msec)
#mcast_icp_query_timeout 2000

# TAG: dead_peer_timeout (seconds)
#dead_peer_timeout 10 seconds

# TAG: hierarchy_stoplist
#hierarchy_stoplist cgi-bin ?

# TAG: no_cache
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY

# TAG: log_fqdn on|off
log_fqdn on

#dns_nameservers none
#dns_nameservers 192.168.1.222

# TAG: acl

# # acl snmppublic snmp_community public
acl snmppublic snmp_community public

#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#
#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

# TAG: http_access
#Default configuration:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# i added this
http_access allow all
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
http_access deny all
http_access allow all

# TAG: icp_access
icp_access allow all

# TAG: miss_access
miss_access allow all

# TAG: cache_peer_access
#proxy_auth_realm Squid proxy-caching web server

# TAG: ident_lookup_access
#ident_lookup_access deny all

# TAG: announce_period
#announce_period 1 day

# TAG: announce_host
# TAG: announce_file
# TAG: announce_port
#announce_host tracker.ircache.net
#announce_port 3131

# HTTPD-ACCELERATOR OPTIONS
#httpd_accel_host hostname
#httpd_accel_port port

# TAG: httpd_accel_with_proxy on|off
#httpd_accel_with_proxy off

# TAG: httpd_accel_uses_host_header on|off
#httpd_accel_uses_host_header off

# TAG: append_domain
#append_domain .yourdomain.com
append_domain .milkyway.hom

# TAG: forwarded_for on|off
#forwarded_for on

# TAG: log_icp_queries on|off
#log_icp_queries on
log_icp_queries on

# TAG: always_direct
# acl local-external dstdomain external.foo.net
# acl local-servers dstdomain foo.net
# always_direct deny local-external
# always_direct allow local-servers
#
# This option replaces some v1.1 options such as local_domain
# and local_ip.

# TAG: never_direct
# servers. For example, to force the use of a proxy for all
# requests, except those in your local domain use something like:
#
# acl local-servers dstdomain foo.net
# acl all src 0.0.0.0/0.0.0.0
# never_direct deny local-servers
# never_direct allow all
#
# or if squid is inside a firewall and there is local intranet
# servers inside the firewall then use something like:
#
# acl local-intranet dstdomain foo.net
# acl local-external dstdomain external.foo.net
# always_direct deny local-external
# always_direct allow local-intranet
# never_direct allow all
#

# TAG: snmp_port
snmp_port 3401

# TAG: snmp_access

#Example:
snmp_access allow snmppublic localhost
#snmp_access deny all
snmp_access allow all

# TAG: snmp_incoming_address
# TAG: snmp_outgoing_address
#snmp_incoming_address 0.0.0.0
#snmp_outgoing_address 0.0.0.0


SSHN> Regards
SSHN> Henrik

SSHN> On Sunday 17 February 2002 06.41, Cliff wrote:

>> I'm seeing exactly this...I think.
>> Squid gets slow and there's reverse lookups happening
>> for my internal networks, which shouldn't leak out
>> to the internet. Am I understanding the
>> implications correctly?
>>
>> I don't want squid to proxy for both my internal networks
>> only when the destination is the web server running on
>> the same box.
>>
>> So how do I deny proxying for:
>>
>> eth1 DSL out to the wild
>> eth0 192.168.1.x milkyway.hom
>> eth2 192.168.2.x antares.hom
>>
>> when the requests are going to the same box?
>> The local webserver is at .222 on both networks
>> and solarwinds swears up and down that everything
>> is fully forward/reversible - no errors on a DNS audit.
>> 192.168.1.222 and 192.168.2.222 are the gateways on the same box.
>> So there shouldn't be any need for squid to look outside for
>> a name lookup even if I turn on FQDN logging, right?
>>
>> Happen to have an example of 2 or more networks ACL?
>> I'm lost and confused!
>>
>> Thanks.

-- 
Best regards,
 Cliff                            mailto:cliff@acsalaska.net
Received on Sun Feb 17 2002 - 15:18:32 MST
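One way to keep requests for the two internal networks off the parent caches, as an added example that is not part of the original thread: it follows the always_direct pattern shown in the commented squid.conf above and assumes the internal hosts live in 192.168.1.0/24 (milkyway.hom) and 192.168.2.0/24 (antares.hom).

```conf
# Added example (not from the original post).  Squid 2.x syntax, matching
# the squid.conf quoted above.  Assumed: internal hosts are in
# 192.168.1.0/24 (milkyway.hom) and 192.168.2.0/24 (antares.hom).

# Internal destinations, matched both by address (browser uses the raw IP)
# and by name (browser uses bigdipper.milkyway.hom / bigdipper.antares.hom).
acl internal_dst dst 192.168.1.0/24 192.168.2.0/24
acl internal_domains dstdomain .milkyway.hom .antares.hom

# Fetch these straight from the origin; never hand them to a cache_peer.
always_direct allow internal_dst
always_direct allow internal_domains

# Everything else may still use the parents listed under cache_peer.
# Uncomment the next line only if all external traffic MUST go via a parent.
# never_direct allow all
```

Squid evaluates always_direct before peer selection, so a matching request goes to the local web server and neither the request nor the internal name/address is sent to sd.us.ircache.net or sv.us.ircache.net. Reload with `squid -k reconfigure` and confirm in access.log that internal hits show DIRECT rather than a parent hierarchy code.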
