Re: icp_hit_stale can couse denied error for FTP: a fix

From: Duane Wessels <>
Date: Wed, 06 Aug 97 12:32:23 -0700 writes:

>I'm running V1.1.11 with icp_hit_stale on.
>When the siblings don't have miss-access "FTP-requests" can result in an
>Access-Denied error. (Very annoying for the users because another proxy
>outside their domain denies them access)
>Tests showed that only FTP produces this behavior (Gopher not tested). When
>"FTP-files" are stale a TCP_MISS is produced (apparently) and this is denied
>for the siblings.
>A work-around can be allowing MISS-ACCESS to siblings but this might not be
>desirable (as in our case where I have a sibling without any relation to our
>agency except for my personal one but also a few under my control)
>I decided to patch the source to produce only a UDP_HIT on a stale file is
>PROT_HTTP. This seems to work. Denied errors are gone and HTTP still gets
>UDP_HITS on stale files without any errors.
>static int icpCheckUdpHit(StoreEntry * e, request_t * request)
> if (e == NULL)
> return 0;
> if (!storeEntryValidToSend(e))
> return 0;
> /* if (Config.Options.icp_hit_stale)
> * only icp_hit_stale for http
> * Marc van Selm <>
> */
> if (Config.Options.icp_hit_stale && request->protocol== PROTO_HTTP)
> return 1;
> if (refreshCheck(e, request, 30))
> return 0;
> return 1;
>It might be useful to be able to enable icp_hit_stale per sibling_host. This
>way I can only grant this service to proxies in the domain under my control
>and grant other siblings only access to fresh files.

You really should not be using 'icp_hit_stale on' if you also
have 'miss_access' restrictions. The two are very incompatible.
I'll clarify the config file comments to make that more clear.

Duane W.

--                           Think Globally, Cache Locally.
Received on Wed Aug 06 1997 - 12:34:33 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:57 MST