[squid-users] me.com TCP_MISS/503

From: nickcx <ncairncross_at_condenast.co.uk>
Date: Tue, 22 Feb 2011 07:37:27 -0800 (PST)

Hi List,

I'm trying to get access to me.com working on my test proxy, but I keep
getting a timeout in my browsers: (110) Connection timed out. Access log
shows TCP_MISS/503. I have tried disabling various things to see if I can
get it working: authentication, send direct – even allow all at the top but
no joy.

On 3stable20 I've had this working ok..

Any help/pointers gratefully received,

Thanks
===

Squid 3.1.8 conf:

# Listener, proxy-authentication helpers (Negotiate, NTLM, Basic) and cache sizing.
http_port 8080
# Negotiate (Kerberos) scheme.
# NOTE(review): `-r` presumably makes the helper strip the Kerberos realm from the
# user name it returns to Squid - confirm that the bare name is what the ICAP
# policy and the access logs are expected to key on.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 120 startup=70 idle=10
auth_param negotiate keep_alive on

# NTLM scheme via Samba's ntlm_auth.
# NOTE(review): the `--helper-protocol=...` argument below appears to have been
# wrapped onto its own line by the mail archive; in squid.conf it has to sit on
# the same line as `auth_param ntlm program` for the helper to receive it.
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60 startup=20 idle=5
auth_param ntlm keep_alive on

# Basic scheme, validated by the same ntlm_auth binary.
# NOTE(review): Basic carries the password base64-encoded, not encrypted, in
# Proxy-Authorization on every request to this plain-HTTP listener. If ntlm_auth
# checks against the Windows domain these are domain passwords; offer Basic only
# if some clients cannot do Negotiate or NTLM.
# NOTE(review): same mail-wrap caveat applies to the `--helper-protocol` line here.
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
# NOTE(review): `idle =2` has a space before `=`, unlike the other children lines
# (`idle=10`, `idle=5`) - likely a typo or archive artifact; check how it parses.
auth_param basic children 20 startup=10 idle =2
auth_param basic realm Squid proxy-caching web server
# A validated user:password pair is trusted for 2 hours without re-asking the
# helper, so a changed password or disabled account may keep working that long.
auth_param basic credentialsttl 2 hours

authenticate_ttl 1 hour
cache_mem 1024 MB
fqdncache_size 2048
ipcache_size 2048
ipcache_low 90
ipcache_high 95
maximum_object_size_in_memory 100 KB
max_filedesc 8072

# Upstream parent proxy, cache manager contact/password, connection reuse and logs.
# Parent on port 8080, ICP port 0 with no-query/no-digest, proxy-only, marked as
# the default parent. Host redacted by the poster.
cache_peer [omitted] parent 8080 0 no-query proxy-only no-digest default

cache_mgr [omitted]
# One password covering all cache manager actions (value redacted by the poster).
# NOTE(review): the directive stores the password literally in squid.conf, so the
# file's permissions protect it; keep redacting it when posting configs.
cachemgr_passwd [omitted] all
client_persistent_connections on
#server_persistent_connections on
persistent_connection_after_error on

## LOG LOCATIONS
access_log /var/log/squid/access.log squid
cache_store_log none squid
cache_log /var/log/squid/cache.log squid

# ACL definitions only; nothing here allows or denies until an http_access,
# adaptation_access or always_direct rule refers to it.

## USER-AGENT (Browser-type) ACLs
# NOTE(review): `browser` ACLs match the User-Agent request header, which the
# client chooses. They identify software by self-declaration only, so they are
# weak as the sole condition for skipping authentication or content inspection.
acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt"
acl MSNMessenger browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt"

## USER AUTHENTICATION ACLs
acl AuthenticatedUsers proxy_auth REQUIRED

## URL DESTINATION ACLs
# NOTE(review): the quoted file path on the next line appears wrapped by the
# mail archive; it belongs on the same line as the acl it follows. The same
# applies to the two SENDDIRECT acls further down.
# NOTE(review): dstdom_regex entries are regular expressions; the list file is
# not shown, so check that its patterns are anchored (e.g. end with `$`) and
# cannot match unintended domains, since matches here skip authentication.
acl URL_ALLOWDstDomains dstdom_regex
"/etc/squid/ACL/URL/URL_ALLOWDstDomains.txt"

## URL Regex
acl URL_AllowRegex url_regex -i "/etc/squid/ACL/URL/URL_ALLOWRegex.txt"

## IP ACLS ##
acl CLIENTIP src "/etc/squid/ACL/IPADDRESSES/IP_CLIENTIP.txt"

## Windows Update ACLS
acl WSUS_IP src 172.16.10.127

# LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/16
# Two lines with the same name add both ranges to one ACL. SERVERSUBNETS is not
# referenced by any rule visible in this config.
acl SERVERSUBNETS src 172.16.10.0/24
acl SERVERSUBNETS src 172.16.100.0/24

# Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
# NOTE(review): the pattern is anchored at the start of the URL only and
# describes an IPv4 dotted quad. Plain http:// URLs begin with the scheme and
# will not match; other address notations are not covered by this expression.
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# MSN Messenger Allow IP ACL
acl IP_MSNMessenger src "/etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt"

# SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdom_regex
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
acl SENDDIRECT_IPAddresses src
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"

# CONNECT Method Direct IP ACLs
acl IP_CONNECTALLOW src "/etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt"

## LOCALHOST ACLs
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8

## CACHEMGR ACL
acl manager proto cache_object

## PORTS ACLs
acl SSL_ports port 443
# NOTE(review): Safe_ports includes 1025-65535, i.e. every unprivileged port.
# In this config it is the only port limit applied to CONNECT requests from
# 172SUBNETS, because the CONNECT/SSL_ports deny rule exempts that subnet.
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
# (port 70 is listed twice; the duplicate is harmless)
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP

# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST

######### ICAP SERVER #########
# Request-side (reqmod_precache) adaptation through a local ICAP service, plus
# the list of traffic that is exempted from it.

## ICAP-specific ACLs - required to be placed before ICAP settings
acl ICAP_BYPASS dstdom_regex "/etc/squid/ACL/ICAP/ICAP_BYPASS_URL.txt"

## ICAP Settings
icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
# The authenticated user name is passed to the ICAP service in the
# X-Authenticated-User header, base64-encoded. That is an encoding, not
# protection; here the service is on localhost so it stays on this host.
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
# NOTE(review): the `0` looks like the old-style bypass flag, presumably meaning
# "do not bypass", so requests would fail rather than go out unchecked when the
# ICAP service is unavailable - confirm against the 3.1 icap_service syntax.
icap_service ss reqmod_precache 0 icap://localhost:1344/ssreqmod
icap_service_revival_delay 60
adaptation_service_set c1 ss
# Rules are evaluated top to bottom; every `deny` below means "do not send this
# request to the ICAP service", i.e. the request is not inspected by it.
adaptation_access c1 deny ICAP_BYPASS
# We don't check for auth for these either, so no point sending them to ICAP
# NOTE(review): this exempts every POST, whatever the destination, from the
# request-side check - confirm that is intended for what the service enforces.
adaptation_access c1 deny POST
#adaptation_access c1 deny CONNECT
adaptation_access c1 deny URL_ALLOWDstDomains
adaptation_access c1 deny URL_AllowRegex
adaptation_access c1 deny CLIENTIP
adaptation_access c1 deny WSUS_IP
# NOTE(review): iTunes and Java_jvm are User-Agent matches, so the exemption
# applies to any request carrying a matching User-Agent string.
adaptation_access c1 deny iTunes
adaptation_access c1 deny Java_jvm
# Check everything else
adaptation_access c1 allow all

# Access policy. http_access rules are checked in order and the first match
# decides; all ACL names on one line must match together (logical AND).

## CACHEMGR ALLOW
# NOTE(review): as the first rule, this accepts cache manager requests from any
# host in 172.16.0.0/16 before any other check, and no `http_access deny manager`
# follows it, so manager requests from other sources fall through to the general
# rules below. Consider limiting the source to admin hosts and adding the deny.
http_access allow manager 172SUBNETS

## GLOBAL DENY RULES
http_access deny !Safe_ports
http_access deny to_localhost
# NOTE(review): because of `!172SUBNETS`, the next two rules only restrict
# clients outside 172.16.0.0/16. Clients inside it may CONNECT (and POST) to any
# port in Safe_ports, which includes 1025-65535. The stock form is
# `http_access deny CONNECT !SSL_ports` with no source exemption.
# NOTE(review): names here are written SSL_Ports, IP_MSNMESSENGER and (below)
# URL_ALLOWRegex, while the acl lines define SSL_ports, IP_MSNMessenger and
# URL_AllowRegex - confirm this Squid version matches ACL names
# case-insensitively, otherwise these rules reference undefined ACLs.
http_access deny !SSL_Ports !172SUBNETS CONNECT
http_access deny !SSL_Ports !RTMP_ports !172SUBNETS POST
http_access deny 172SUBNETS !IP_MSNMESSENGER MSNMessenger
http_access deny !IP_CONNECTALLOW StopDirectIP
http_access deny !172SUBNETS iTunes
http_access deny !172SUBNETS Java_jvm

# USER AGENTS ALLOW #
# NOTE(review): these allow rules come before the authentication rule and depend
# only on source subnet plus User-Agent, a client-supplied header. Any LAN
# request with a matching User-Agent is allowed without authentication (and is
# also exempt from ICAP). Pairing them with a destination ACL would narrow this.
http_access allow 172SUBNETS iTunes
http_access allow 172SUBNETS Java_jvm

# URL and IP DESTINATIONS NOT REQUIRING AUTHENTICATION
http_access allow URL_ALLOWDstDomains
http_access allow URL_ALLOWRegex
http_access allow CLIENTIP
http_access allow WSUS_IP

#Auth
http_access allow AuthenticatedUsers

## SEND DIRECT ALLOW
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses

## LOCAL HOST ALLOW ##
http_access allow localhost

###### CATCH ALL DENY ######
# Anything not matched by always_direct above must go through the cache_peer
# parent; Squid will not fall back to a direct connection.
# NOTE(review): for the reported TCP_MISS/503, the hierarchy field of the
# access.log entry shows whether the failed fetch went to the parent or direct,
# which tells you on which path the connection timeout occurred.
never_direct allow all
snmp_access deny all
#cache deny all
http_access deny all

Received on Tue Feb 22 2011 - 15:37:28 MST
