This is the latest supported squid-2 version for RHEL5.3

And I want to use the dnsserver

-----Original Message-----
From: adrian.ch...@gmail.com [mailto:adrian.ch...@gmail.com] On Behalf Of Adrian Chadd
Sent: Tuesday, 14 July 2009 10:38
To: Jarosch, Ralph
Subject: Re: [squid-users] https from different Subnet not working

The first thing you should do is upgrade to the latest Squid-2 or
Squid-3, depending upon your environment needs.

Secondly, you should evaluate whether you truly want to use
dnsserver, or whether you can use the internal DNS redirector.

HTH,


Adrian


2009/7/14 Jarosch, Ralph <ralph.jaro...@justiz.niedersachsen.de>:
> Hello everyone,
>
> I once again have a small problem with my Squid servers. The setup is as
> follows.
>
> We have various network segments that are distributed across the individual
> sites 10.37.*.* 10.39.*.* 10.55.*.* .... /24. All of them access the Internet
> via VPN through the proxy at headquarters. The proxy system consists of a
> front proxy and 4 parent proxies behind it that serve as cache systems.
>
> In addition, there is a Squidguard running on the same machine as the front
> proxy. From all networks I can access http sites on the intranet and the
> Internet without problems. However, when I open https sites, they only work
> from the 10.37 networks. From all others the request is mangled, e.g.
> https://www.bank.de becomes http.bank.de.
>
> I am now at my wits' end. Maybe one of you can find my mistake. I am really
> grateful for any tip.
>
> Here is my config from the front proxy
>
>
> Hi @all,
>
> I have a little problem with my Squid proxies.
>
> We have different class C subnets at our branch offices (10.37.*.* 10.39.*.* 
> ....)
> All of them connect to our main location by vpn.
> The Squidproxy is located in our main location.
> If I connect from a branch office with the subnet 10.37.34.*/24 to an https
> website I have no problems.
> If I do the same from another location with a subnet like 10.39.85.*/24 I
> get the following error message.
>
>
>
> The requested URL could not be retrieved
> --------------------------------------------------------------------------------
> While trying to retrieve the URL: http.yyy.xxx:443
> The following error was encountered:
> Unable to determine IP address from host name for
> The dnsserver returned:
> Name Error: The domain name does not exist.
> This means that:
>  The cache was not able to resolve the hostname presented in the URL.
>  Check if the address is correct.
> Your cache administrator is webmaster.
> --------------------------------------------------------------------------------
> Generated Tue, 14 Jul 2009 08:10:39 GMT by xxxxxxx (squid/2.5.STABLE12)
>
>
> The requested URL was https://www.ebay.com
>
> My squid.conf:
>
> acl all src 0.0.0.0/0.0.0.0
> acl netze src 10.39.0.0/16, 10.38.0.0/16, 10.37.0.0/16, 10.40.0.0/16, 10.41.0.0/16, 10.55.0.0/16, 10.59.0.0/16, 10.61.0.0/16, 10.66.0.0/16, 10.68.0.0/16
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 8080 3443 8443 4443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost netze
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow netze
> http_access allow localhost
> http_access deny all
> icp_access allow all
>  follow_x_forwarded_for allow netze
> http_port 3128
> cache_peer 10.37.132.5 parent 3128 7 no-query proxy-only no-digest sourcehash
> cache_peer 10.37.132.6 parent 3128 7 no-query proxy-only no-digest sourcehash
> cache_peer 10.37.132.7 parent 3128 7 no-query proxy-only no-digest sourcehash
> cache_peer 10.37.132.8 parent 3128 7 no-query proxy-only no-digest sourcehash
> hierarchy_stoplist cgi-bin ?
> access_log /data/log/access.log squid
> debug_options ALL,9
> url_rewrite_program /usr/local/bin/squidGuard
>  redirector_bypass off
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> visible_hostname proxy.yyy.xxx.de
> acl local-server dst 10.39.0.0/16, 10.38.0.0/16, 10.37.0.0/16, 10.40.0.0/16, 10.41.0.0/16, 10.55.0.0/16, 10.59.0.0/16, 10.61.0.0/16, 10.66.0.0/16, 10.68.0.0/16
> acl local-webserver dstdomain *.yyy.xxx.de
> always_direct allow local-server
> always_direct allow local-webserver
> never_direct allow all
> append_domain .yyy.xxx.de
> forwarded_for on
> coredump_dir /var/spool/squid
>
>
>
> thanks for help
>
> Ralph Jarosch
> ZIB
> Zentraler IT-Betrieb Niedersächsische Justiz
>
> - Technisches Betriebszentrum -
> Ralph Jarosch
> Schlossplatz 2
> 29221 Celle
> Tel.:         +49 (5141) 206-145
> Mobile:      +49 (162) 9069470
> E-Mail:    ralph.jaro...@justiz.niedersachsen.de
> Intranet: http://intra.zib.niedersachsen.de
>
>
