Re: [SQU] TCP_DENIED/407 on all requests

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 30 Jan 2001 22:57:55 +0100

Probably the password fails to validate.

Can you (as the user Squid runs as, not root) run
/usr/sbin/squid_pam_auth and successfully validate the password?

The problem discussed was another one, not involving authentication.

--
Henrik Nordstrom
Squid hacker

Dustin Butler wrote:
> 
> I can't seem to find why I'm getting TCP_DENIED/407 messages in access.log.
> Whenever I comment out the http_access allow all line in the following
> squid.conf file I will get all TCP_DENIED on every request.  The
> squid_pam_auth program is working as I can authenticate properly from the
> shell using it.  I found one thread talking about this problem and that a
> solution was not found (included), I'm wondering if there is any more
> information on this. I'm running squid-2.2.STABLE4-8
> 
> squid.conf
> ----------
> store_avg_object_size 6 KB
> authenticate_program /usr/sbin/squid_pam_auth
> authenticate_children 2
> authenticate_ttl 30
> positive_dns_ttl 120 seconds
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl localnet src 192.108.0.0/255.255.0.0
> acl password proxy_auth REQUIRED
> acl SSL_ports port 443 563
> acl Safe_ports port 80 88 89 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
> 
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> #http_access allow all
> http_access allow localnet password
> 
> http_access deny all
> icp_access deny all
> miss_access allow all
> proxy_auth_realm web proxy-cache
> logfile_rotate 10
> 
> access.log
> ----------
> 980881595.764    937 192.108.0.221 TCP_DENIED/407 1411 GET
> http://my.yahoo.com/ fcupersmith NONE/- -
> 980881603.103   1009 192.108.0.221 TCP_DENIED/407 1516 GET
> http://dezigns4u.com/forums/LOCKER_ROOM/posts/1493.html fcupersmith NONE/- -
> 980881603.984    876 192.108.0.221 TCP_DENIED/407 1516 GET
> http://dezigns4u.com/forums/LOCKER_ROOM/posts/1493.html fcupersmith NONE/- -
> 980881652.043   1280 192.108.0.221 TCP_DENIED/407 1411 GET
> http://my.yahoo.com/ fcupersmith NONE/- -
> 
> Nate Cull wrote:
> >
> > Running a virgin Red Hat 7.0 server as a Squid proxy box
> > (squid-2.3STABLE4-1 rpm) with an ACL inclusion list (ie,
> > it will only allow connections to a specified list of sites)
> > we're getting an odd intermittent problem.  At random times
> > during the day (this seems to happen every couple of weeks),
> > squid will suddenly fall into a state where it rejects EVERY
> > http request sent to it (not just ones sent to unauthorised
> > sites). We can see this in the logs; suddenly every line becomes
> > a TCP_DENIED inst
> 
> Seen it in Squid-2.2.STABLE5-hno from time to time, but have not been
> able to isolate the cause. For me some src type ACLs ceased to
> function from time to time.
> 
> acl localhost src 127.0.0.1/32
> 
> I cannot remember seeing any changes in Squid which have smelled like
> possibly fixing this issue, so I guess the problem is still there
> somewhere.
> 
> --
> Henrik Nordstrom
> Squid hacker
> 
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Tue Jan 30 2001 - 15:04:52 MST
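
An added triage example, not part of the original thread or of Squid itself: it separates the two kinds of TCP_DENIED/407 in a native-format access.log. It assumes that the field after the URL carries the proxy-auth username when the client sent credentials and "-" when it did not, so a 407 logged with a username means the credentials were presented and then rejected, which is the case in the log quoted above. The sample lines are constructed (the first two mirror the thread with the mail line wrap undone), and the function names are hypothetical.

```python
import re
from collections import Counter

# Native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample input. Lines 1-2 mirror the thread; lines 3-4 are made up.
SAMPLE = """\
980881595.764    937 192.108.0.221 TCP_DENIED/407 1411 GET http://my.yahoo.com/ fcupersmith NONE/- -
980881603.103   1009 192.108.0.221 TCP_DENIED/407 1516 GET http://dezigns4u.com/forums/LOCKER_ROOM/posts/1493.html fcupersmith NONE/- -
980881700.000     12 192.108.0.50 TCP_DENIED/407 1411 GET http://example.com/ - NONE/- -
980881701.000    230 192.108.0.50 TCP_MISS/200 5120 GET http://example.com/ jdoe DIRECT/example.com text/html
"""


def classify(line):
    """Return (kind, client, user) for one log line, or None if unparseable.

    kind is 'challenge' (407 with no username: the normal first round trip),
    'rejected' (407 with a username: credentials were sent but not accepted),
    or 'other' for every non-407 entry.
    """
    m = LINE.match(line.strip())
    if m is None:
        return None
    if m["status"] != "407":
        return ("other", m["client"], m["user"])
    kind = "challenge" if m["user"] == "-" else "rejected"
    return (kind, m["client"], m["user"])


def rejected_by_user(text):
    """Count 407 responses per username whose credentials were rejected."""
    counts = Counter()
    for line in text.splitlines():
        result = classify(line)
        if result and result[0] == "rejected":
            counts[result[2]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in rejected_by_user(SAMPLE).items():
        print(f"{user}: {n} rejected 407 responses; test the auth helper as the Squid user")
```
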

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:39 MST