Joseph Jenkins wrote:
> http_port 172.24.245.7:3128
> 
> hierarchy_stoplist cgi-bin ?
> 
> acl QUERY urlpath_regex cgi-bin \?
> 
> cache deny QUERY
> 
> access_log /opt/csw/var/logs/access.log squid
> 
> logfile_rotate 10
> 
> refresh_pattern ^ftp:           1440    20%     10080
> 
> refresh_pattern ^gopher:        1440    0%      1440
> 
> refresh_pattern .               0       20%     4320
> 
> acl apache rep_header Server ^Apache
> 
> broken_vary_encoding allow apache
> 
> acl all src 0.0.0.0/0.0.0.0
> 
> acl manager proto cache_object
> 
> acl localhost src 127.0.0.1/255.255.255.255
> 
> acl to_localhost dst 127.0.0.0/8
> 
> acl SSL_ports port 443
> 
> acl CONNECT method CONNECT
> 
> http_access allow manager localhost
> 
> http_access deny manager
> 
> http_access deny !Safe_ports
> 
> acl our_networks src 172.24.160.0/255.255.255.0 172.24.161.0/255.255.255.0 10.52.1.0/255.255.255.0 10.52.5.0/255.255.255.0
> 
> http_access allow our_networks
> 
> http_access deny all
> 
> icp_access deny all
> 
> htcp_access deny all
> 
> cache_mgr joseph.jenkins@xxx.xxx
> 
> cache_effective_user latsquid
> 
> cache_effective_group bin
> 
> visible_hostname lauxproxy01.xxx.com
> 
> snmp_port 0
> 
> icp_port 0
> 
> coredump_dir /opt/csw/var/cache
> 
Well, nothing out of the ordinary there.
It should be doing its own resolution from the servers in /etc/resolv.conf.
It sounds like behaviour others have spoken of recently as 'working' in 
squid 2.5, but has been stopped as a security problem in 2.6.
If it's not that, then I'm stumped on this one.
Amos
> On Nov 16, 2007, at 2:45 PM, Amos Jeffries wrote:
> 
>> Joseph Jenkins wrote:
>>> I verified that the squid cache is not using its own dns resolution 
>>> for the clients browsing, instead it is relying on the client's dns 
>>> resolution.  I verified that the squid cache is able to do dns 
>>> resolution.  Is there an option that I need to enable in the 
>>> squid.conf so that the cache will do dns resolution?  Is there 
>>> something else I need to install for this?
>>
>> Should not be.
>> What is in your squid.conf (without comments) please.
>>
>> Amos
>>
>>
>>> TIA
>>> On Nov 15, 2007, at 7:15 PM, Amos Jeffries wrote:
>>>>> How do I verify that the cache is doing the dns resolution and it
>>>>> isn't relying on the client's dns resolution?  So the "it" referred
>>>>> to setting up the cache to do dns resolution and not to use the client's
>>>>> dns resolution.
>>>>> On Nov 15, 2007, at 1:54 PM, Amos Jeffries wrote:
>>>>>
>>>>>>> Maybe I am missing this, but I have not been able to find it.  How
>>>>>>> do I have the squid cache do the dns lookup and use that rather than
>>>>>>> trusting the address that the client looks up?
>>>>>>>
>>>>>>
>>>>>> 'it' referring to what?
>>>>>> When using a proxy clients rarely ever do DNS lookups themselves.
>>>>>>
>>>>>> Amos
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> Oh. You can:
>>>>
>>>> enable the DNS section of debug logging in cache.log and watch the DNS
>>>> lookups in progress.
>>>>
>>>> tcpdump/wireshark the data stream and see who is doing lookup for 
>>>> domains.
>>>>
>>>> log on the local network's DNS server to see who is looking up what when.
>>>>
>>>> (in recent squid) look in squid's access.log to see where it's requesting
>>>> traffic from for any given request.
>>>>
>>>> use 'squidclient mgr:ipcache' to see what squid has resolved each 
>>>> domain to.
>>>>
>>>> Amos
>>>>
>>>>
>>
> 
Received on Fri Nov 16 2007 - 16:42:15 MST
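
An added example, not part of the original thread: one way to run the access.log check from the list of verification steps quoted above. It assumes Squid's native log format (the `squid` format named on the `access_log` line), where the ninth field is the hierarchy code and the peer address. The sample lines, the verdict names and the helper names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1195252935.123    210 172.24.160.15 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1195252936.456     12 172.24.160.15 TCP_HIT/200 880 GET http://www.example.com/logo.png - NONE/- image/png
1195252940.789    340 172.24.161.20 TCP_MISS/200 3980 CONNECT secure.example.net:443 - DIRECT/198.51.100.7 -
1195252950.001     95 10.52.1.8 TCP_MISS/200 1400 GET http://203.0.113.5/index.html - DIRECT/203.0.113.5 text/html
"""

def is_ip(text):
    """True if text is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def request_host(method, url):
    """Host the client asked for; CONNECT logs host:port instead of a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]")
    return urlsplit(url).hostname or ""

def classify(log_text):
    """Return (client, requested_host, peer, verdict) for each log line."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # not a native-format line
        client, method, url, hier = fields[2], fields[5], fields[6], fields[8]
        code, _, peer = hier.partition("/")
        host = request_host(method, url)
        if code == "NONE" or peer == "-":
            verdict = "no-fetch"        # answered from cache, nothing contacted
        elif is_ip(host):
            verdict = "ip-literal"      # client sent an address, no lookup needed
        elif is_ip(peer):
            verdict = "squid-resolved"  # name requested, Squid connected to an IP
        else:
            verdict = "unknown"         # peer logged as a name, log is inconclusive
        results.append((client, host, peer, verdict))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print("%-15s %-22s %-15s %s" % row)
```

Lines marked `squid-resolved` show a hostname in the request next to the address Squid connected to, which can be compared with the `squidclient mgr:ipcache` output for the same name.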