Re: icp_hit_stale can cause denied error for FTP: a fix

From: Duane Wessels <wessels@dont-contact.us>
Date: Wed, 06 Aug 97 12:32:23 -0700

marc.van.selm@nc3a.nato.int writes:

>I'm running V1.1.11 with icp_hit_stale on.
>
>When the siblings don't have miss-access, "FTP-requests" can result in an
>Access-Denied error. (Very annoying for the users because another proxy
>outside their domain denies them access)
>
>Tests showed that only FTP produces this behavior (Gopher not tested). When
>"FTP-files" are stale a TCP_MISS is produced (apparently) and this is denied
>for the siblings.
>
>A work-around can be allowing MISS-ACCESS to siblings but this might not be
>desirable (as in our case where I have a sibling without any relation to our
>agency except for my personal one but also a few under my control).
>
>I decided to patch the source to produce only a UDP_HIT on a stale file if
>PROT_HTTP. This seems to work. Denied errors are gone and HTTP still gets
>UDP_HITS on stale files without any errors.
>
>icp.c:
>static int icpCheckUdpHit(StoreEntry * e, request_t * request)
>{
> if (e == NULL)
> return 0;
> if (!storeEntryValidToSend(e))
> return 0;
> /* if (Config.Options.icp_hit_stale)
> * only icp_hit_stale for http
> * Marc van Selm <selm@nc3a.nato.int>
> */
> if (Config.Options.icp_hit_stale && request->protocol== PROTO_HTTP)
> return 1;
> if (refreshCheck(e, request, 30))
> return 0;
> return 1;
>}
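
Review bot: the new condition 'Config.Options.icp_hit_stale && request->protocol== PROTO_HTTP' hard-codes the protocol, so with the option on, every non-HTTP request now silently falls through to refreshCheck(e, request, 30) while the option name still reads as global; say so in the option's config comment, or make the protocol set configurable. The function checks 'e == NULL' but dereferences 'request' in that condition without a check, so confirm no caller passes a NULL request or add the guard next to the existing one. The old condition kept inside the comment and the author attribution belong in the change log rather than in the source, and '==' needs a space before it.
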
>
>It might be useful to be able to enable icp_hit_stale per sibling_host. This
>way I can only grant this service to proxies in the domain under my control
>and grant other siblings only access to fresh files.

You really should not be using 'icp_hit_stale on' if you also
have 'miss_access' restrictions. The two are very incompatible.
I'll clarify the config file comments to make that more clear.

Duane W.

--
wessels@nlanr.net                           Think Globally, Cache Locally.
Received on Wed Aug 06 1997 - 12:34:33 MDT