W dniu pt., 10.08.2018 o 20:28 Alex Rousskov < rouss...@measurement-factory.com> napisał(a):
> On 08/10/2018 12:05 PM, pius wrote: > > I am getting IP address of the client instead of the domain name I > requested. > > I suspect you are getting your Squid https_port address > (10.222.17.106:3130) rather than the client IP address (10.222.25.60). > Logging Squid IP instead of the intended server IP feels wrong to me, > but that is not why things do not otherwise "work" in your test. > > Your test request is probably not getting through because your > http_access rules (or equivalent) deny the (fake) CONNECT request to > 216.58.212.100 (or whatever one of the www.google.com server IPs is in > your environment). Check your access control rules while keeping in mind > that the initial (i.e. step1) fake CONNECT request on an intercepting > https_port has nothing but TCP/IP-level information. > > > HTH, > > Alex. > > > > I am trying curl -iv https://www.google.com from a client machine > > (10.222.17.106). I am not getting google.com in the access log and > getting > > TCP_DENIED. Looks like traffic is blocked before checking the > certificate( I > > am not sure ). And HTTP works fine (curl -iv http://www.google.com). I > have > > included LOG for from both requests. Please help. > > > > ############## > > HTTPS REQUEST > > 1533917193.498 0 10.222.25.60 TCP_DENIED/200 0 CONNECT > > 10.222.17.106:3130 - HIER_NONE/- - > > ############## > > HTTP REQUEST > > 1533917208.934 35 10.222.25.60 TCP_MISS/200 11561 GET > > http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html > > ############## > > > > > > > > > > > ################################################################################ > > Here is my squid.conf > > ############### > > http_port 3128 > > > > http_port 0.0.0.0:3129 ssl-bump \ > > cert=/etc/squid/ssl_cert/cert.pem \ > > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB > > > > https_port 0.0.0.0:3130 ssl-bump intercept \ > > cert=/etc/squid/ssl_cert/cert.pem \ > > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB > > > > acl step1 at_step SslBump1 > > acl step2 at_step SslBump2 > > acl ssl_exclude_domains ssl::server_name > "/etc/squid/exclude_domains.conf" > > > > ssl_bump splice localhost > > ssl_bump peek step1 all > > ssl_bump splice ssl_exclude_domains > > ssl_bump stare step2 all > > ssl_bump bump all > > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users >
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
