2.0 KiB
【K18】部分网站intercept失效
| ID | Creation Date | Assignee | Status |
|---|---|---|---|
| OMPUB-389 | 2022-02-28T15:29:31.000+0800 | 陆秋文 | 已关闭 |
客户反馈,使用有线或移动网络,配置DNS为8.8.8.8时,访问 avg.com studylib.ru 网站证书未能成功替换。
me.me网站可以正常替换证书。luqiuwen commented on 2022-02-28T17:45:07.270+0800:
因K现场全网已下发拦截avg.com的规则,可以在现场维护人员[~jiaojianzhi] 的笔记本上测试。通过指定host的方法,令域名解析到指定的IP地址。当域名到23.61.224.112,无拦截效果,当域名解析到185.189.92.41是,有拦截效果,证书可以被替换。为此,考虑tera侧没有完整地拦截所有去往avg.com的流量。已建议业主排查tera侧的回流规则,等待业主的回复。
Hi, Alibek @Alibek The problem which is about the website "www.avg.com" cannot be intercepted, here is all information I know:
- the test point is a mobile phone.
- the website cannot be intercepted when the DNS is not 8.8.8.8
we found that www.avg.com is using akamai's CDN service, which means this website may have several server IP addresses. I think some IP addresses may be missed from Tera's steering rules.
we have done some access tests on Jiojio's laptop. the website can be intercepted when the server's IP is 185.189.92.41, however, the intercept is failed when the server's IP is 23.61.224.112. The two server IPs are resolved from different DNS nameservers.
Here's my question and suggestion about this problem:
- Could you help us to check the steering rules again? How do you steer all the traffic which access avg.com?
- If there's no problem with Tera's steering rules, I think we can check the session record again in NP to verify all traffic is steering to our system.
luqiuwen commented on 2022-03-10T09:46:45.288+0800:
业主反馈Tera侧故障导致该问题,关闭该Issue。