Squid 4.9 Client IP PTR lookup on connect


Squid 4.9 Client IP PTR lookup on connect

Romanov Vonamor
Hello.
 
I'm trying to configure Squid 4.9 in such a way that it does not perform a reverse IP lookup of the client at approximately every HTTP request.
The PTR lookup happens immediately after the connection, before the HTTP request is even parsed.
Any insight would be greatly appreciated.
 
Romanov
 
-------- 8< --------
Log:
 
2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New connection on FD 8
2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(312) acceptNext: connection on local=0.0.0.0:3130 remote=[::] FD 8 flags=9
2019/11/29 14:02:15.770 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 9 HTTP Request
2019/11/29 14:02:15.770 kid1| 33,4| client_side.cc(2520) httpAccept: local=10.254.236.19:3130 remote=10.229.200.152:56040 FD 9 flags=1: accepted
2019/11/29 14:02:15.770 kid1| 35,4| fqdncache.cc(420) fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: Name '10.229.200.152'.
2019/11/29 14:02:15.771 kid1| 78,3| dns_internal.cc(1831) idnsPTRLookup: idnsPTRLookup: buf is 45 bytes for 10.229.200.152, id = 0x5eb3
 
-------- 8< --------
[root@sls squid-4.9]# squid -v
Squid Cache: Version 4.9
Service Name: squid
configure options: --enable-ltdl-convenience
 
-------- 8< --------
[root@sls sls]# squid -u0 -f /etc/squid/sites/sls/sls.conf -k parse
2019/11/29 14:49:21| Startup: Initializing Authentication Schemes ...
2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'basic'
2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'digest'
2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'negotiate'
2019/11/29 14:49:21| Startup: Initialized Authentication Scheme 'ntlm'
2019/11/29 14:49:21| Startup: Initialized Authentication.
2019/11/29 14:49:21| aclIpParseIpData: IPv6 has not been enabled.
2019/11/29 14:49:21| aclIpParseIpData: IPv6 has not been enabled.
2019/11/29 14:49:21| Processing Configuration File: /etc/squid/sites/sls/sls.conf (depth 0)
2019/11/29 14:49:21| Processing: visible_hostname sls
2019/11/29 14:49:21| Processing: http_port 3130
2019/11/29 14:49:21| Processing: coredump_dir /var/crash/squid
2019/11/29 14:49:21| Processing: pid_filename /proxy/logs/squid/sls/sls.pid
2019/11/29 14:49:21| Processing: cache_effective_user sls
2019/11/29 14:49:21| Processing: cache_effective_group squid
2019/11/29 14:49:21| Processing: strip_query_terms off
2019/11/29 14:49:21| Processing: request_timeout 360 seconds
2019/11/29 14:49:21| Processing: client_db off
2019/11/29 14:49:21| Processing: dns_multicast_local off
2019/11/29 14:49:21| Processing: eui_lookup off
2019/11/29 14:49:21| Processing: debug_options ALL,4
2019/11/29 14:49:21| Processing: acl from-all src all
2019/11/29 14:49:21| Processing: acl CONNECT method CONNECT
2019/11/29 14:49:21| Processing: acl ssl-ports port 443 16000-16900
2019/11/29 14:49:21| Processing: acl safe-ports port 80 # http
2019/11/29 14:49:21| Processing: acl safe-ports port 81-98 # http
2019/11/29 14:49:21| Processing: acl safe-ports port 443 # https
2019/11/29 14:49:21| Processing: acl safe-ports port 1025-65535 # unregistered ports
2019/11/29 14:49:21| Processing: http_access deny !safe-ports
2019/11/29 14:49:21| Processing: http_access deny CONNECT !ssl-ports
2019/11/29 14:49:21| Processing: http_access allow from-all
2019/11/29 14:49:21| Processing: cache_log stdio:/proxy/logs/squid/sls/cache-sls.log
 
 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
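The post above shows the sequence a practitioner has to reason about: an `httpAccept` line for a client address, then an `fqdncache_nbgethostbyaddr` call and an `idnsPTRLookup` query for the same address within a millisecond. The script below is an added example, not code from this thread or from the Squid project. It parses cache.log lines in the format shown (assuming `debug_options ALL,4`, or at least sections 33 and 35 at level 4), pairs each reverse lookup with the most recent accept from the same client, and reports how many milliseconds after accept the lookup fired, so you can tell "fires on connect, before any request is parsed" apart from "fires at logging time". The 50 ms on-connect threshold is an assumption; the first four sample lines are copied from the post, the remaining sample lines are constructed.

```python
"""Correlate Squid cache.log accept events with client reverse-DNS lookups.

Added example, not code from the squid-users thread or the Squid project.
Assumes cache.log was written with `debug_options ALL,4` in the layout
shown in the original post. The 50 ms "on connect" threshold is an assumption.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout: "<date> <time.ms> kidN| <section>,<level>| <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) kid\d+\| "
    r"(?P<section>\d+),(?P<level>\d+)\| (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"httpAccept: local=\S+ remote=(?P<remote>\S+) FD (?P<fd>\d+)")
FQDN_RE = re.compile(r"fqdncache_nbgethostbyaddr: Name '(?P<addr>[^']+)'")
PTR_RE = re.compile(r"idnsPTRLookup: buf is \d+ bytes for (?P<addr>\S+), id = (?P<qid>0x[0-9a-fA-F]+)")

# First four lines copied from the original post. The remaining lines are
# constructed: a client whose lookup fires ~2 s after accept (i.e. not on
# connect) and a client that gets no lookup at all.
SAMPLE_LOG = """\
2019/11/29 14:02:15.765 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New connection on FD 8
2019/11/29 14:02:15.770 kid1| 33,4| client_side.cc(2520) httpAccept: local=10.254.236.19:3130 remote=10.229.200.152:56040 FD 9 flags=1: accepted
2019/11/29 14:02:15.770 kid1| 35,4| fqdncache.cc(420) fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: Name '10.229.200.152'.
2019/11/29 14:02:15.771 kid1| 78,3| dns_internal.cc(1831) idnsPTRLookup: idnsPTRLookup: buf is 45 bytes for 10.229.200.152, id = 0x5eb3
2019/11/29 14:02:16.100 kid1| 33,4| client_side.cc(2520) httpAccept: local=10.254.236.19:3130 remote=10.229.200.77:41002 FD 10 flags=1: accepted
2019/11/29 14:02:18.300 kid1| 35,4| fqdncache.cc(420) fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: Name '10.229.200.77'.
2019/11/29 14:02:18.301 kid1| 78,3| dns_internal.cc(1831) idnsPTRLookup: idnsPTRLookup: buf is 44 bytes for 10.229.200.77, id = 0x5eb4
2019/11/29 14:02:19.000 kid1| 33,4| client_side.cc(2520) httpAccept: local=10.254.236.19:3130 remote=10.229.200.9:50000 FD 11 flags=1: accepted
"""


def strip_port(endpoint):
    """'10.229.200.152:56040' -> '10.229.200.152'; '[::1]:3128' -> '::1'."""
    if endpoint.endswith("]"):                      # bracketed IPv6, no port
        return endpoint.strip("[]")
    host, sep, _port = endpoint.rpartition(":")
    if not sep or (":" in host and not host.startswith("[")):
        return endpoint                             # no port present
    return host.strip("[]")


def parse_log(text):
    """Return accept / fqdn_lookup / ptr_query events in log order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        msg = m["msg"]
        a, f, p = ACCEPT_RE.search(msg), FQDN_RE.search(msg), PTR_RE.search(msg)
        if a:
            events.append({"ts": ts, "kind": "accept", "client": strip_port(a["remote"]),
                           "fd": int(a["fd"]), "raw": raw})
        elif f:
            events.append({"ts": ts, "kind": "fqdn_lookup", "client": f["addr"], "raw": raw})
        elif p:
            events.append({"ts": ts, "kind": "ptr_query", "client": p["addr"],
                           "qid": p["qid"], "raw": raw})
    return events


def correlate(events, early_ms=50):
    """Attribute each FQDN lookup to the latest accept from the same client."""
    last_accept = {}
    findings = []
    for ev in events:
        if ev["kind"] == "accept":
            last_accept[ev["client"]] = ev
        elif ev["kind"] == "fqdn_lookup":
            acc = last_accept.get(ev["client"])
            delta_ms = None if acc is None else (ev["ts"] - acc["ts"]) // timedelta(milliseconds=1)
            findings.append({
                "client": ev["client"],
                "fd": acc["fd"] if acc else None,
                "delta_ms": delta_ms,
                # lookup fired so soon after accept that no request can have been parsed
                "on_connect": delta_ms is not None and delta_ms <= early_ms,
            })
    return findings


def lookups_per_client(events):
    """client -> (accepts, fqdn lookups); a 1:1 ratio means 'a lookup per connection'."""
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        if ev["kind"] == "accept":
            counts[ev["client"]][0] += 1
        elif ev["kind"] == "fqdn_lookup":
            counts[ev["client"]][1] += 1
    return {c: tuple(v) for c, v in counts.items()}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_log(text)
    for f in correlate(evs):
        tag = "ON-CONNECT" if f["on_connect"] else "later"
        print(f"{f['client']:>16} FD {f['fd']}: PTR lookup {f['delta_ms']} ms after accept [{tag}]")
    for client, (accepts, lookups) in lookups_per_client(evs).items():
        print(f"{client:>16}: {accepts} accept(s), {lookups} lookup(s)")
```

Run it without arguments to see the sample, or pass a real cache.log path. A lookup tagged ON-CONNECT for every accept is the symptom in this thread; a lookup that only appears seconds later, after the transaction finishes, points at logging (a `logformat` or `icap_log` field that needs the client FQDN) rather than the accept path.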

Re: Squid 4.9 Client IP PTR lookup on connect

Amos Jeffries
Administrator
On 30/11/19 4:49 am, Romanov Vonamor wrote:
> Hello.
>  
> I'm trying to configure Squid 4.9 in such a way that it does not perform
> a reverse IP lookup of the client at approximately every HTTP request.
> The PTR lookup happens immediately after the connection, before the HTTP
> request is even parsed.
> Any insight would be greatly appreciated.
>  

The PTR should only need to be looked up at all if something needs to
use the client FQDN. Usually that is logging. I suspect your build
auto-enabled ICAP features which uses the FQDN for icap_log.

If you do not need or plan to use ICAP features you can rebuild with
--disable-icap which should resolve this.


> 2019/11/29 14:49:21| Processing: acl from-all src all

That is pretty pointless. "src all" is the definition of the built-in
"all" ACL. Might as well use that instead of these 'from-all' and make
it more clear that you have no restrictions on what clients can do with
your proxy.

> 2019/11/29 14:49:21| Processing: http_access deny !safe-ports
> 2019/11/29 14:49:21| Processing: http_access deny CONNECT !ssl-ports
> 2019/11/29 14:49:21| Processing: http_access allow from-all
> 2019/11/29 14:49:21| Processing: cache_log stdio:/proxy/logs/squid/sls/cache-sls.log

Re: Squid 4.9 Client IP PTR lookup on connect

Amos Jeffries
Administrator
On 30/11/19 5:43 am, Amos Jeffries wrote:

> On 30/11/19 4:49 am, Romanov Vonamor wrote:
>> Hello.
>>  
>> I'm trying to configure Squid 4.9 in such a way that it does not perform
>> a reverse IP lookup of the client at approximately every HTTP request.
>> The PTR lookup happens immediately after the connection, before the HTTP
>> request is even parsed.
>> Any insight would be greatly appreciated.
>>  
>
> The PTR should only need to be looked up at all if something needs to
> use the client FQDN. Usually that is logging. I suspect your build
> auto-enabled ICAP features which uses the FQDN for icap_log.
>
> If you do not need or plan to use ICAP features you can rebuild with
> --disable-icap which should resolve this.

Sorry that should have been --disable-icap-client

Amos

Re: Squid 4.9 Client IP PTR lookup on connect

Alex Rousskov
In reply to this post by Amos Jeffries
On 11/29/19 11:43 AM, Amos Jeffries wrote:

> The PTR should only need to be looked up at all if something needs to
> use the client FQDN. Usually that is logging. I suspect your build
> auto-enabled ICAP features which uses the FQDN for icap_log.

... but icap_log is disabled by default, even in Squid builds that have
ICAP support enabled, right? If a disabled icap_log triggers DNS
lookups, there is a Squid bug we should fix.

FWIW, the easiest way to figure out what triggered the lookup could be
to start Squid in a debugger, and then, before starting the test
transaction, add a breakpoint for fqdncache_nbgethostbyaddr. Post a
stack trace from that function (when it is triggered after the
httpAccept line is logged as shown in your cache.log).

Alex.


Re: Squid 4.9 Client IP PTR lookup on connect

Amos Jeffries
Administrator
On 1/12/19 6:31 am, Alex Rousskov wrote:
> On 11/29/19 11:43 AM, Amos Jeffries wrote:
>
>> The PTR should only need to be looked up at all if something needs to
>> use the client FQDN. Usually that is logging. I suspect your build
>> auto-enabled ICAP features which uses the FQDN for icap_log.
>
> ... but icap_log is disabled by default, even in Squid builds that have
> ICAP support enabled, right? If a disabled icap_log triggers DNS
> lookups, there is a Squid bug we should fix.

I thought so. But something is turning on log_fqdn, there are no ACLs or
logformat lines in that config. Which leaves us the default settings, of
which only icap_log format uses %<A these days.

>
> FWIW, the easiest way to figure out what triggered the lookup could be
> to start Squid in a debugger, and then, before starting the test
> transaction, add a breakpoint for fqdncache_nbgethostbyaddr. Post a
> stack trace from that function (when it is triggered after the
> httpAccept line is logged as shown in your cache.log).

Seconded.

Amos