Re: [squid-users] Services on squid host being blocked -- by name only

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Jun 2011 13:23:56 +1200

On 18/06/11 09:43, David Dyer-Bennet wrote:
> My first squid setup. It's very very simple -- I defined acl
> "our_networks" in the default config with the Centos package to recognize
> our networks, and that's about it.
>
> I manually configured my desktop firefox to use the squid proxy I set up
> (the proxy is not on my desktop; it's on lnx01, we'll call it (the real
> name is longer and hard to type)).
>
> lnx01 also runs Apache, and some local websites (nagios, mrtg, a foswiki,
> that kind of thing).
>
> From my desktop, using the proxy, I can access external sites, and I can
> access other inside sites -- except for the ones hosted on lnx01, the same
> system that squid runs on.
>
> Then I found something even weirder -- if I use the IP address instead of
> the DNS name for lnx01, I can get to the sites it hosts through the proxy.
> So, http://lnx01/mrtg fails (gets "the requested url could not be
> retrieved" and "access denied"; the error page has a squid signature at
> the bottom). But http://192.168.1.22/mrtg succeeds. (There's an FQDN for
> lnx01 that I'm glossing over; the full and short names behave the same.)

"access denied" is a bit weird. Unless you have "deny to_localhost"
matching those requests. (not part of the default config from upstream)

>
> Other internal people, not using the proxy, can access the sites hosted on
> lnx01 as before, no problem, no change.
>
> Haven't been able to find discussion of anything like this googling around
> or scanning the FAQ. I'm sure it's something I've got wrong in my config,
> but I looked pretty carefully to see which ACLs would apply to this
> request, and which http_access statements involved those ACLs, and I can't
> find anything that would be denying access by name. In fact I don't know
> how I'd do it deliberately if I wanted to. But then, I first looked at
> the squid docs today (well, I did run it for a while over a decade ago in
> a different job, but I don't remember much, and I imagine it's changed
> since then).
>
> I've currently got the firewall on lnx01 off, so it's not some interaction
> with the firewall.
>
> The access.log file shows the access, and the denial, but nothing that
> tells me anything. The squid.out log shows nothing since creating the
> swap directories when I first ran it.
>
> Any thoughts?
>

With the default config it all comes down to DNS resolution showing
Squid an IP it can contact. Log into a shell on lnx01 box and type
"host lnx01". See what IP Squid is told to relay to.

If it is too difficult to fix DNS, you can work around DNS issues by
adding a cache_peer entry for each of the local apps.
   BUT "access denied" is an explicit block somewhere in http_access
which this does not fix.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
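To make the name-versus-IP behaviour in this thread concrete, here is an added squid.conf fragment (written for this archive page, not taken from the thread or from the Squid project's shipped config) showing how a hostname that resolves to loopback trips the dst-based `to_localhost` ACL while the LAN address does not, alongside the DNS fix and the cache_peer workaround from the reply. The ACL names `lnx01_sites` and `lnx01_web`, the FQDN lnx01.example.com and the 192.168.1.0/24 range are assumptions; 192.168.1.22 is the address from the original post.

```conf
# Added example; not the poster's config and not the package default.
# Assumed symptom: on lnx01, the name resolves to 127.0.0.1 (DNS or /etc/hosts),
# so a request for http://lnx01/mrtg matches to_localhost, while
# http://192.168.1.22/mrtg does not. Stock ACL definitions:
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl our_networks src 192.168.1.0/24        # poster's ACL; range assumed

# A deny here blocks by name only: any name resolving to loopback is refused
# with "access denied", exactly the symptom described above.
http_access deny to_localhost
http_access allow our_networks
http_access deny all

# Fix 1 (preferred): make lnx01 resolve to its LAN address for Squid, e.g. in
# /etc/hosts on lnx01:
#   192.168.1.22   lnx01.example.com lnx01
# Keep "deny to_localhost": it stops proxy clients from reaching services bound
# only to 127.0.0.1 on the proxy host.

# Fix 2 (workaround from the reply): route the local apps to an origin peer by
# address regardless of what the name resolves to. The http_access deny above
# still fires while the name resolves to loopback, so this alone does not
# clear "access denied"; it only removes the DNS dependency for relaying.
acl lnx01_sites dstdomain lnx01 lnx01.example.com
cache_peer 192.168.1.22 parent 80 0 no-query originserver name=lnx01_web
cache_peer_access lnx01_web allow lnx01_sites
cache_peer_access lnx01_web deny all
never_direct allow lnx01_sites
```

After changing either path, `squid -k reconfigure` and re-test http://lnx01/mrtg; access.log should then show the request relayed rather than TCP_DENIED.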
Received on Sat Jun 18 2011 - 01:24:03 MDT