Re: [squid-users] Squid2.4 & /etc/hosts

2003-01-29 Thread Henrik Nordstrom
Jay Turner wrote:
> 
> Hi All,
> 
> I am after some clarification regarding Squid-2.4.STABLE6-6.7.3 and the use
> of /etc/hosts.

Squid-2.4 does not read /etc/hosts when using the internal DNS client.
This feature is only available in Squid-2.5 and later.

To have Squid-2.4 use /etc/hosts it must be built with
--disable-internal-dns, but upgrading to Squid-2.5+patches is strongly
recommended.

Regards
Henrik



RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Jay Turner
Hi All,

I have resolved this issue I posted about last week by simply rebuilding the
RedHat src RPM with --disable-internal-dns.

I have now added the internal IP address of the web server to the proxy
server's /etc/hosts file and all is well. The proxy connects to the internal
address of the proxy and not the outside real world address as provided by a
regular DNS lookup.

The webserver is also listening on port 443 for a webmail connection. When a
user requests https://webmail.company.com the DNS server returns the outside
world IP address. Again squid needs to point to the internal IP address of
this server for these requests.

I tried adding webmail.company.com to /etc/hosts but this only resolves when
you enter http://webmail.company.com but it sends the request to port 80 and
thus the standard webserver returns the results not the webmail listening on
443. When entering https://webmail.company.com it continues to use the
address provided by the DNS server.

Is there a way I can get this to work as required?

Adding the webmail address to the company internal DNS server has been ruled
out by the company's tech staff.

Thanks
Jay

-Original Message-
From: Jay Turner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 29 January 2003 11:58 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid2.4 & /etc/hosts


Hi All,

I am after some clarification regarding Squid-2.4.STABLE6-6.7.3 and the use
of /etc/hosts.

One of our proxies needs to access a webserver via its internal address
rather than its world DNS address.
I have added the required information to /etc/hosts, confirmed nsswitch.conf
is checking files before DNS and restarted squid but it does not seem to be
taking.

I have a Squid 2.5 box that uses the host_file attribute in squid.conf and
it works no worries and I am able to see the listing via cachemgr under FQDN
Cache Statistics.

This information is not present in the 2.4STABLE6 version.

Trawling the archives I found this post from Henrik:

"Squid-2.3 defaults to use an internal DNS client implementation, talking
directly to your DNS server.

Squid-2.4 too defaults to using an internal DNS client, but reads
/etc/hosts on startup (I think, or maybe this is only in Squid-2.5?).

--
Henrik Nordstrom"

Is this actually the case? It appears not in my testing. Is there a way I
can add something to the Internal DNS that squid 2.4 uses?

I realise that I can recompile Squid2.4 with --disable-internal-dns, but
this is a production machine so re-compiling and upgrading to 2.5 are not an
option at this point. The network configuration in which the server sits
uses an unusual setup whereby adding an entry to the local DNS server in the
network is not an option. I really require a solution that can be
implemented on the Squid server.

All advice appreciated

Regards
Jay







RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Henrik Nordstrom
I would recommend upgrading to Squid-2.5. Squid-2.4 is no longer
maintained or bugfixed by the Squid developers, and Squid-2.5 supports
/etc/hosts (Squid-2.4 does not unless compiled with
--disable-internal-dns).

Regards
Henrik


-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Jay Turner
But it is maintained by Red Hat who backport any security patches to the 2.4
version they ship with 7.3.

If you could please re-read my post you will note that I have recompiled
with --disable-internal-dns and it successfully references /etc/hosts for
http:// pages. My question relates to https:// pages and having squid do a
local lookup from somewhere for the IP address rather than fetching it from
the DNS (as it does with /etc/hosts for http:// requests).

Regards
Jay






RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Robert Collins
On Wed, 2003-02-05 at 12:02, Jay Turner wrote:
> But it is maintained by Red Hat who backport any security patches to the 2.4
> version they ship with 7.3.
> 
> If you could please re-read my post you will note that I have recompiled
> with --disable-internal-dns and it successfully references /etc/hosts for
> http:// pages. My question relates to https:// pages and having squid do a
> local lookup from somewhere for the IP address rather than fetching it from
> the DNS (as it does with /etc/hosts for http:// requests).

Which you probably can't do.
If the CONNECT verb is provided to squid with an ip address rather than
a hostname, no proxy can do what you are asking.
If a hostname is provided, then the same host->ip lookup path is
followed as for http:// requests.

Check access.log. If you see CONNECT ipaddress:443 then you need to look
at using a redirector to alter the requested IP address.
If you see CONNECT hostname:443, then please log a bug in bugzilla.

Rob
-- 
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.





RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Jay Turner
Hi Robert,

Thanks for your reply. Checking the log file the CONNECT method is provided
to squid with the hostname webmail.company.com however the IP address that
is shown is the world address rather than the address specified in the
/etc/hosts file.

i.e.
/etc/hosts entry: 10.14.12.122 webmail.company.com
Browser Request: https://webmail.company.com
Log Shows: 10.14.12.123 TCP_MISS/503 0 CONNECT webmail.company.com:443 - DIRECT/203.123.xxx.xxx -

So you are saying this should work and is probably a bug?

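Rob's check above (is the CONNECT target an IP literal or a hostname, and what did Squid actually connect to?) and Jay's log line, as an added diagnostic that is not part of this thread or of Squid itself: a small Python script that parses Squid native-format access.log lines, works out which host Squid had to resolve (the host of the absolute URI for GET, the host:port authority for CONNECT), and compares the DIRECT peer address with what /etc/hosts says the name should map to. The log lines, the hosts-file content and the 203.0.113.10 external address are constructed for the example, modelled on the sample in the thread; the first log line reproduces Jay's case, a CONNECT carrying the hostname but going DIRECT to the external address.

```python
"""Audit Squid native access.log lines against an /etc/hosts table.

Added example, not Squid's own code.  Sample data below is constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed /etc/hosts content: the thread's entry plus a comment and an alias.
HOSTS_TEXT = """\
127.0.0.1     localhost
# internal address the proxy must use for the webmail host
10.14.12.122  webmail.company.com  webmail
"""

# Constructed Squid native-format access.log lines.  Field order:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LOG_TEXT = """\
1044345611.123    120 10.14.12.123 TCP_MISS/503 0 CONNECT webmail.company.com:443 - DIRECT/203.0.113.10 -
1044345612.456     80 10.14.12.123 TCP_MISS/200 1532 GET http://webmail.company.com/ - DIRECT/10.14.12.122 text/html
1044345613.789     90 10.14.12.123 TCP_MISS/200 0 CONNECT 203.0.113.10:443 - DIRECT/203.0.113.10 -
1044345614.000     15 10.14.12.123 TCP_HIT/200 812 GET http://www.example.org/index.html - NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its address (first entry wins, as libc does)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def is_ip_literal(host):
    """True when the client already resolved the name and sent an address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def request_host(method, url):
    """Return the host Squid has to resolve, lower-cased and without the port.

    CONNECT carries a bare host:port authority; every other method carries an
    absolute URI whose authority is the netloc.  IPv6 literals are bracketed.
    """
    authority = url if method.upper() == "CONNECT" else urlsplit(url).netloc
    if authority.startswith("["):
        return authority[1:authority.index("]")].lower()
    if ":" in authority:
        authority = authority.rsplit(":", 1)[0]
    return authority.lower()


def check_line(line, hosts):
    """Classify one log line; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    host = request_host(f["method"], f["url"])
    verdict = {"method": f["method"], "host": host, "peer": f["peer"], "status": "ok"}
    if is_ip_literal(host):
        # Squid never saw a name, so no hosts file or DNS can change the target;
        # only a redirector rewriting the request could.
        verdict["status"] = "ip-literal"
    elif f["hier"] != "DIRECT":
        # Cache hit or parent peer: Squid did no lookup for this request.
        verdict["status"] = "not-direct"
    elif host not in hosts:
        verdict["status"] = "no-hosts-entry"
    elif hosts[host] != f["peer"]:
        # Name was present, but Squid connected somewhere else: the hosts
        # entry was bypassed (Jay's CONNECT case).
        verdict["status"] = "hosts-bypassed"
        verdict["expected"] = hosts[host]
    return verdict


def audit(log_text, hosts_text):
    """Run check_line over every line; returns the list of verdicts."""
    hosts = parse_hosts(hosts_text)
    return [v for v in (check_line(l, hosts) for l in log_text.splitlines()) if v]


if __name__ == "__main__":
    for verdict in audit(LOG_TEXT, HOSTS_TEXT):
        print(verdict)
```

Run against a real access.log the script separates the three situations the thread argues about: a CONNECT with an IP literal (nothing on the proxy can redirect it short of a redirector), a request that never went DIRECT (no lookup happened), and a hostname that went DIRECT to an address other than the hosts-file one, which is the condition Rob says to report if the request carried a hostname.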





Re: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Henrik Nordstrom
Jay Turner wrote:
> 
> But it is maintained by Red Hat who backport any security patches to the 2.4
> version they ship with 7.3.

Sure.. you get the most blatant security fixes, but nearly no other bug
fixes.

If you have any issue with Squid-2.4 and ask here on Squid-users the
first response will unconditionally be upgrade to the current STABLE
release.

> If you could please re-read my post you will note that I have recompiled
> with --disable-internal-dns and it successfully references /etc/hosts for
> http:// pages. My question relates to https:// pages and having squid do a
> local lookup from somewhere for the IP address rather than fetching it from
> the DNS (as it does with /etc/hosts for http:// requests).

Squid does not make any difference between hostnames in a GET or a
CONNECT request.

What does access.log show for these "https://" requests? (By the way,
Squid-2.4 technically does not support https://, only proxy tunnelling of
SSL via CONNECT.)

Regards
Henrik



Re: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Henrik Nordstrom
What do you get in Squid access.log on a request for
http://webmail.company.com/?

Are you using any redirectors?

Regards
Henrik




RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-04 Thread Jay Turner
I will have to double check. The server is offsite, so I will need to go and
run some more tests. We have bypassed the issue by allowing users to connect
directly to this address via the BorderManager child.

I am just pursuing this now in order to determine if this is actually a bug
that needs fixing so it won't affect others in the future.

If http://webmail.company.com shows the IP as being the internal IP, would
this suggest there is a bug with the https:// code?

If http://webmail.company.com also shows the external IP, then the problem
is elsewhere?


We are using squidGuard, but it is not actually blocking anything, just
passing all traffic through unrestricted (Admin users).







RE: [squid-users] Squid2.4 & /etc/hosts

2003-02-05 Thread Jay Turner
Jay Turner wrote:
>> But it is maintained by Red Hat who backport any security patches to the 2.4
>> version they ship with 7.3.

> Sure.. you get the most blatant security fixes, but nearly no other bug
> fixes.
>
> If you have any issue with Squid-2.4 and ask here on Squid-users the
> first response will unconditionally be upgrade to the current STABLE
> release.

Understood, I am looking to move everything to 2.5. It was just convenient
to stick with the Red Hat release as the errata can be downloaded and
installed automatically via Ximian RCD rather than me manually downloading
the SRC RPM, compiling it and deploying it.

Thanks for all your help regardless.

Jay