Quick Recap (see my earlier posting below): This squid (2.4.STABLE6) is
set up as a reverse accelerator for our webserver and some application
servers. I have only recently upgraded to the latest version. This squid
should not act as a proxy server at the same time. Sometimes the squid
denies access to objects for no apparent reason.
I have some more information on this. First, I have found that the old
version of squid that we were using also denied access to some requests
in the same manner - it just didn't report this to cache.log.
This is really weird, the same client can get certain objects, and is
denied other objects. There are no restrictive acl's whatsoever. There
is nothing that would differentiate these objects (same real server,
same virtual host, etc). For example, here are two log entries by the
same client. The first one gets served OK, the second is being denied. I
just can't think of a reason why this is so. (For better readability I
have broken the log into lines). Whenever I tried (from LAN, ISP, Shell
Account) to fetch the denied object myself I had no problems getting it.
If you need more info please let me know. If this is documented
somewhere I'd appreciate pointers. I have searched the whole squid site
for information on this but without success.
OK
-------------------------------------------------------------------------
217.232.143.XXX - - [27/Mar/2002:20:12:51 +0100] "GET http://www.server.de/common/db/jscripts/lib_neu.js HTTP/1.0" 200 6729 TCP_MEM_HIT:NONE
Accept: */*
Referer: http://www.server.de/cgi-perl/rental/or?tset=common/db&language=de&AGIA=579112&land=DE&pickup_kst=175&pickup_date=200204190900&return_kst=175&return_date=200204210900
Accept-Language: de
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: www.e-sixt.de
HTTP/1.1 200 OK
Date: Wed, 27 Mar 2002 17:31:13 GMT
Server: Microsoft-IIS/4.0
Last-Modified: Wed, 08 Aug 2001 08:11:01 GMT
ETag: "1a7329-1911-3b70f415"
Accept-Ranges: bytes\r\nContent-Length: 6417
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-javascript
DENIED
-------------------------------------------------------------------------
217.232.143.XXX - - [27/Mar/2002:20:12:52 +0100] "GET http://www.server.de/common/db/jscripts/bigger2001.js HTTP/1.0" 403 1070 TCP_DENIED:NONE
Accept: */*
Referer: http://www.server.de/cgi-perl/rental/or?tset=common/db&language=de&AGIA=579112&land=DE&pickup_kst=175&pickup_date=200204190900&return_kst=175&return_date=200204210900
Accept-Language: de
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: www.e-sixt.de
HTTP/1.0 403 Forbidden
Server: Squid/2.4.STABLE6
Mime-Version: 1.0
Date: Wed, 27 Mar 2002 19:12:52 GMT
Content-Type: text/html
Content-Length: 774
Expires: Wed, 27 Mar 2002 19:12:52 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
> Date: Tue, 26 Mar 2002 19:25:24 +0100
> From: Hans Juergen von Lengerke <lengerkeh@SIXT.DE>
> Subject: [squid-users] proxy request denied in accel_only mode
>
> I just upgraded an accelerator squid to 2.4.STABLE6 with:
>
> ./configure --prefix=/home/www/squid
> --enable-removal-policies=heap,lru --enable-storeio=ufs,aufs
> --disable-ident-lookups --disable-wccp --disable-snmp --enable-poll
> --disable-internal-dns --enable-async-io
>
> The cache.log frequently reports:
>
> 2002/03/26 18:51:20| clientAccessCheck: proxy request denied in
> accel_only mode
>
> which it never did before (before we were using a 2.3 Version).
>
> I do understand that if I wanted the squid to act as a normal proxy
> too I have to set httpd_accel_with_proxy. But thats not what I want!
> This thing should only accelerate.
>
> The problem I have with the error, is that clients seem to be
> getting this error when trying to get objects from the accelerated
> site. Here is an example access.log entry (with emulate_httpd_log
> and log_mime_hdrs set):
>
> __client_ip_adress__ - - [26/Mar/2002:18:39:28 +0100] "GET
> http://__my_accelerated_host__/gfx/auswahl_f.gif HTTP/1.0" 403 1040
> TCP_DENIED:NONE [Accept: */*\r\nReferer:
>
http://__my_accelerated_host__/cgi-perl/rental/or?language=de&tset=de&land=DE&prl=WX1&action=cars\r\nAccept-Language:
> de\r\nProxy-Connection: Keep-Alive\r\nUser-Agent: Mozilla/4.0
> (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nHost:
> __my_accelerated_host__\r\n] [HTTP/1.0 403 Forbidden\r\nServer:
> Squid/2.4.STABLE6\r\nMime-Version: 1.0\r\nDate: Tue, 26 Mar 2002
> 17:39:28 GMT\r\nContent-Type: text/html\r\nContent-Length:
> 744\r\nExpires: Tue, 26 Mar 2002 17:39:28 GMT\r\nX-Squid-Error:
> ERR_ACCESS_DENIED 0\r\n\r]
>
> Hmm. This shouldn't be, or should it? What am I doing wrong?
Received on Thu Mar 28 2002 - 05:59:46 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:10 MST