On 05/15/2017 06:40 PM, Eliezer Croitoru wrote:
> I tried this with splice but it just doesn't work; the requests are still
> being bumped.

Do you know exactly why they are being bumped? Check the debugging logs
if you do not.


> From the docs I understand that it should work on the URL destination hostname
> and not the IP of the destination hostname.

The dst ACL works on IPs (including, when necessary and allowed, on IPs
obtained from resolved domain names). In a forward-proxy configuration,
those IPs or domains are extracted from the URL. In an ssl_bump context,
that URL comes from the CONNECT request target.


> So my assumption is that it's not in the TCP socket level but the
> HTTP hostname url-hostname level.

What is the exact CONNECT request URL when your dst ACL is being
evaluated in your ssl_bump test case? Does the ACL match? Attach the
corresponding debugging log snippet.

Alex.


> -----Original Message-----
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Tuesday, May 16, 2017 3:31 AM
> To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] destination ip to splice
> 
> On 05/15/2017 06:11 PM, Eliezer Croitoru wrote:
>> I want to [match] all localnet(10.0.0.0/8, 192.168.0.0/16...)
> 
> How about something like this, adapted from the existing localnet ACL
> definition in squid.conf.documented?
> 
>>   acl to_localnet dst 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
>>   acl to_localnet dst 10.0.0.0/8         # RFC 1918 local private network (LAN)
>>   acl to_localnet dst 100.64.0.0/10      # RFC 6598 shared address space (CGN)
>>   acl to_localnet dst 169.254.0.0/16     # RFC 3927 link-local (directly plugged)
>>   acl to_localnet dst 172.16.0.0/12      # RFC 1918 local private network (LAN)
>>   acl to_localnet dst 192.168.0.0/16     # RFC 1918 local private network (LAN)
>>   acl to_localnet dst fc00::/7           # RFC 4193 local private network range
>>   acl to_localnet dst fe80::/10          # RFC 4291 link-local (directly plugged)
> 
> Alex.
> 

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
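
Added example, not part of the original thread and not Squid code: a simplified Python model of the check Alex describes, where the host is taken from the CONNECT request target and its IP (literal or resolved) is compared against the to_localnet ranges quoted above. The resolve callback and the FAKE_DNS table are hypothetical stand-ins for the proxy's DNS lookup, and the sample targets are constructed.

```python
import ipaddress

# The to_localnet ranges quoted in the thread, as written in the message.
TO_LOCALNET = [
    "0.0.0.1-0.255.255.255", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10",
]

def _networks(spec):
    """Turn one ACL value (CIDR or first-last range) into ip_network objects."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec)]

NETS = [n for spec in TO_LOCALNET for n in _networks(spec)]

def connect_host(target):
    """Extract the host part of a CONNECT request target ("host:port")."""
    if target.startswith("["):            # bracketed IPv6 literal
        return target[1:target.index("]")]
    return target.rsplit(":", 1)[0]

def matches_to_localnet(target, resolve):
    """Return (matched, addresses_checked) for a CONNECT target.

    resolve is a caller-supplied function name -> list of IP strings
    (hypothetical); it is used only when the host is not an IP literal.
    """
    host = connect_host(target)
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    hit = any(a in n for a in addrs for n in NETS if a.version == n.version)
    return hit, [str(a) for a in addrs]

# Constructed sample data: a fake resolver table and CONNECT targets.
FAKE_DNS = {"intranet.example": ["10.1.2.3"], "www.example.com": ["93.184.216.34"]}

if __name__ == "__main__":
    for t in ["10.0.0.5:443", "intranet.example:443", "www.example.com:443",
              "[fe80::1]:8443", "0.0.0.0:443"]:
        print(t, matches_to_localnet(t, lambda h: FAKE_DNS.get(h, [])))
```

Comparing the addresses this reports with the CONNECT target and ACL result in the debugging log shows whether the decision was made on the IP you expected.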