

igoryonya 11-06-2014 07:30 PM

squid drops connections to ip addresses, but allows connections to domain names
 
When a program tries to connect to an address by IP instead of by domain name, I get this in the log file:

Code:

1414709903.045      0 192.168.0.82 TCP_MISS/500 4429 GET http://213.59.3.178/xmlzone/release/1000/windows/versions.xml - HIER_NONE/- text/html "-"
1414709927.237      0 192.168.0.144 TCP_MISS/500 4565 GET http://192.168.24.1:2869/upnphost/udhisapi.dll? - HIER_NONE/- text/html "-"

When it connects by domain name, everything works fine. When I get HIER_NONE, Squid doesn't even try to download anything; it just drops the request. How can I solve this problem?

ember1205 11-06-2014 09:41 PM

The "MISS" entry seems to imply that Squid sees that the content is not in the cache and that it should be retrieved. Are you using a secondary filter like squidGuard? Or do you have ACLs that are specifically designed to block URLs composed with an IP Address instead of a host name?

Post your Squid config file.

igoryonya 11-06-2014 10:23 PM

Exactly, the miss should start downloading it from the internet, but instead, it says HIER_NONE.
No, I don't have any external filters and no IP blocking in the squid conf, unless I am missing something.
I disabled direct access and everything goes through parent proxies.

squid.conf
Code:

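acl all_IPs dst 195.239.111.0/24        #I've tried to explicitly enable access to certain ip addresses, when I noticed the problem, but it didn't help
                                        # NOTE(review): http_access is not where IP-URL requests fail (the LAN
                                        # ranges are already allowed below); this rule also admits any source that
                                        # can reach an http_port, not just the LAN ranges. Candidate for removal
                                        # once the cache_peer_access fix below is confirmed.

# Domain ACLs used by cache_peer_access. cache_peer_access is evaluated as a
# non-blocking ("fast") check: when the requested URL host is a numeric IP, a
# plain dstdomain ACL would need a reverse DNS lookup to decide, the check cannot
# complete, and the peer is treated as not usable. With "never_direct allow all"
# both parents fall out and the request ends as TCP_MISS/500 HIER_NONE -- most
# likely the symptom in the access.log excerpt above. The -n flag makes the ACL
# declare a mismatch instead of looking up, so an IP-URL request falls through to
# the src-based rules and reaches a parent. -n requires Squid 3.2 or later; on an
# older build it is a parse error -- check `squid -v` before reloading.
acl Reroute_filtered_sites dstdomain -n .adesk.com .download.virtualbox.org .ubuntuforums.org .rusnoc.ru
acl Slow_sites dstdomain -n .mail.ru .imgsmail.ru
acl Slow_sites_problem dstdomain -n .dnevnik.ru
acl Load_ballance_sites dstdomain -n .chukotnet.ru
# url_regex needs no DNS lookup, so this ACL is safe in fast checks as well.
acl Deny_sites url_regex -i \bblob\.core\.windows\.net\b|\bmc\.yandex\.ru(/(metrika|clmap|watch|webvisor)|\:443)\b|bar-navig\.yandex\.ru\:443|ocsp\.comodoca\.com|(autoupdate|sitecheck)\.opera\.com

# Client networks (one http_port per network is bound below).
acl LAN src 192.168.0.0/24
acl LAN_servers src 192.168.254.0/24
acl LAN_3_214 src 192.168.24.0/24
acl LAN_1_203 src 192.168.23.0/24
acl LAN_1_205 src 192.168.25.0/24
acl LAN_1_303 src 192.168.33.0/24

# Destinations inside the local /24 are fetched directly (see always_direct /
# never_direct). The other 192.168.x.0/24 networks are NOT covered, so e.g. the
# 192.168.24.1:2869 request in the log is routed through the parents.
acl dLAN dst 192.168.0.0/24

acl SSL_ports port 443
acl SSL_ports port 8443        # acquiring.platbox.com - card payments
acl SSL_ports port 2096        # cPanel webmail
acl SSL_ports port 6665        # IRC channel
acl SSL_ports port 6667        # IRC channel
acl SSL_ports port 7000        # IRC channel
acl SSL_ports port 7779        # rusfinance.ru
acl SSL_ports port 8001        # IRC channel

acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http

acl CONNECT method CONNECT

# arp ACLs match the client's MAC address. They only see the real MAC for clients
# on the same L2 segment as the proxy (routed subnets arrive with the router's
# MAC), and a MAC address is set by the client, so treat U_vip as a routing
# preference, not as an authorization control.
acl U_vip arp 20:cf:30:b4:90:62 bc:5f:f4:3a:8b:a7 10:78:D2:DA:71:BF 10:78:D2:DA:71:1A 00:15:58:8c:56:80 00:25:22:c7:7d:fb bc:5f:f4:53:ab:68
acl U_vip arp 10:78:d2:da:71:35        # Paksyutkina

# Access rules: first match wins, so the deny rules must stay ahead of the
# per-network allows.
http_access deny Deny_sites
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow LAN
http_access allow LAN_servers
http_access allow LAN_3_214
http_access allow LAN_1_203
http_access allow LAN_1_205
http_access allow LAN_1_303
http_access allow localhost
http_access allow all_IPs
# (The former "http_access allow all_IPs CONNECT" line was unreachable: anything
# it could match is already allowed by the line above.)
http_access deny all

icp_access allow LAN_servers
icp_access allow localhost
icp_access deny all

http_port 192.168.0.237:8080
http_port 192.168.23.254:8080
http_port 192.168.24.254:8080
http_port 192.168.25.254:8080
http_port 192.168.33.254:8080
http_port 192.168.254.253:8080

# NOTE(review): the parent credential below is stored in clear text and has been
# posted publicly together with this file; rotate it on 192.168.0.15 and keep
# squid.conf readable only by root and the proxy user. Value left unchanged here.
cache_peer 192.168.0.15 parent 8080 0 login=admin:obslujivanie no-query round-robin
cache_peer 192.168.254.254 parent 3128 3130 round-robin

# Peer selection for 192.168.0.15: first match wins; the dstdomain rules come
# first so that the site-based routing overrides the per-network allows. With
# the -n flag above, an IP-URL request skips the four dstdomain rules and is
# decided by U_vip / the src rules.
cache_peer_access 192.168.0.15 deny Reroute_filtered_sites
cache_peer_access 192.168.0.15 deny Slow_sites
cache_peer_access 192.168.0.15 allow Slow_sites_problem
cache_peer_access 192.168.0.15 allow Load_ballance_sites
cache_peer_access 192.168.0.15 deny U_vip
cache_peer_access 192.168.0.15 allow LAN_servers
cache_peer_access 192.168.0.15 allow LAN
cache_peer_access 192.168.0.15 allow LAN_3_214
cache_peer_access 192.168.0.15 allow LAN_1_203
cache_peer_access 192.168.0.15 allow LAN_1_205
cache_peer_access 192.168.0.15 allow LAN_1_303
cache_peer_access 192.168.0.15 deny all

# Peer selection for 192.168.254.254: the mirror image of the list above.
cache_peer_access 192.168.254.254 allow Reroute_filtered_sites
cache_peer_access 192.168.254.254 allow Slow_sites
cache_peer_access 192.168.254.254 allow Slow_sites_problem
cache_peer_access 192.168.254.254 allow Load_ballance_sites
cache_peer_access 192.168.254.254 allow U_vip
cache_peer_access 192.168.254.254 allow LAN_servers
cache_peer_access 192.168.254.254 deny LAN
cache_peer_access 192.168.254.254 deny LAN_3_214
cache_peer_access 192.168.254.254 deny LAN_1_203
cache_peer_access 192.168.254.254 deny LAN_1_205
cache_peer_access 192.168.254.254 deny LAN_1_303
cache_peer_access 192.168.254.254 deny all

# Everything except dLAN must go through a parent; a request that no parent
# accepts therefore cannot be forwarded at all (HIER_NONE).
never_direct deny dLAN
never_direct allow all

cache_dir ufs /var/spool/squid3 40000 16 256
logformat squid-referrer        %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{Referer}>h"
access_log daemon:/var/log/squid3/access.log squid-referrer
coredump_dir /var/spool/squid3

refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern (Release|Packages(.gz)*)$      0      20%    2880
refresh_pattern .                0        20%        4320

icp_port 3130
log_icp_queries off

always_direct allow dLAN
always_direct deny all

dns_v4_first on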


ember1205 11-07-2014 09:52 AM

Have you checked the logs on the peers to see if it is being handed off but blocked there?

igoryonya 11-07-2014 05:10 PM

As far as I remember, I did check for traversal, but since I've tried so many things, I don't remember for sure. I've been trying to figure this problem out for over a month now. I will test to make sure and post a follow-up.

