Re: [squid-users] TCP_MISS/403

From: Hegedus, Ervin <airween@dont-contact.us>
Date: Mon, 25 Mar 2002 12:02:57 +0100

hello,

here are the answers to your questions:

> In order for us to better understand your problem, could you provide
> more information on:
> 1) what authorization scheme you are using in the original http server?
nothing.

> 2) what's exactly the 403 error message you are receiving from squid?
1017052785.357 2 10.0.4.99 TCP_HIT/403 1061 GET http://index.hu/ - NONE/- text/html
1017052840.047 71 10.0.4.99 TCP_REFRESH_HIT/403 1072 GET http://www.ahrt.hu/ - DIRECT/212.92.0.130 text/html

but here is the other part of log:

1017052874.838 15 10.1.1.30 TCP_HIT/200 848 GET http://www.any.domain.com/ - NONE/- text/html
1017052875.382 382 10.1.1.30 TCP_HIT/200 9218 GET http://www.any.domain.com/ - NONE/- image/jpeg
.
.

> 3) list the acl setting part of your squid.conf
(sorry for the long lines and this long mail:)

acl QUERY urlpath_regex cgi-bin \? php
acl all src 10.1.0.0/255.255.0.0
acl any src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl girls url_regex -i aaaaa adult adserv ashole ...
acl music url_regex \.mp3 \.mpeg \.mpg \.mov \.avi \.asf
acl nimda url_regex -i readme.eml
acl valid_url url_regex gsm\.hu index\.hu origo\.hu cisco\.com tele-satellite\.com satcodx\.com
acl max_user_conn maxconn 5
acl all src 10.0.0.0/255.255.0.0
acl petzval srcdomain "/etc/squid/list/HOSTS"
acl feherj src "/etc/squid/list/feherj"
acl fenyig src "/etc/squid/list/fenyig"
acl galfalvygy src "/etc/squid/list/galfalvygy"
acl szeydl src "/etc/squid/list/szeydl"
acl szollosim src "/etc/squid/list/szollosim"
acl verest src "/etc/squid/list/verest"
acl vip src 10.1.16.0/255.255.255.0
acl ras src 10.1.20.0/255.255.255.0
acl lehet1 time 16:00-24:00
acl lehet2 time 00:00-09:00
acl lehet3 time A 00:00-24:00
acl lehet4 time S 00:00-24:00

and here is the list of http_access's:

http_access deny manager # this for just manager...
http_access deny nimda # this for just nimda...
http_access allow vip
http_access deny ras # this for just RAS users...
http_access allow feherj
http_access allow fenyig
http_access allow galfalvygy
http_access allow szeydl
http_access allow szollosim
http_access allow verest
http_access allow valid_url
http_access deny CONNECT !SSL_ports
http_access allow all
http_access allow any

Please, HELP ME!!!

A.

> >Hello,
> >
> >sorry for this post, i know, there are more mail in list
> >archive, but i didn't find for me the answer.
> >
> >sorry for the long mail.
> >
> >i have a FreeBSD 4.4, Squid 2.5 PRE5, in our Intranet.
> >Squid ip's is 10.0.100.251.
> >
> >Here are two networks, what squid works for: 10.1.0.0/16 and
> >10.0.0.0/16, but second network fragmented more little networks.
> >(for example: 10.0.4.0/24, 10.0.5.0/24...)
> >
> >every ip connection works correctly, from everywhere. (icmp,
> >ssh, etc...)
> >
> >HTTP connect works correctly from 10.1.0.0/16, but does not
> >work for any hosts, here is sample log:
> >
> >1016920321.721 1216 10.0.4.60 TCP_MISS/403 ... http://www....
> >
> >in squid.conf _is_not_ any deny acl. (nothing deny, all acl
> >are allow!)
> >
> >the difference between two networks (example: 10.0.4.0 &
> >10.1.0.0) is routing, but here are two traceroute output:
> >
> >proxy:~# traceroute 10.1.1.30
> >traceroute to 10.1.1.30 (10.1.1.30), 30 hops max, 38 byte packets
> >1 10.0.100.249 (10.0.100.249) 1.235 ms 2.031 ms 1.167 ms
> >2 10.0.100.254 (10.0.100.254) 8.940 ms 6.652 ms 2.234 ms
> >3 10.0.100.10 (10.0.100.10) 18.052 ms 10.0.100.5 (10.0.100.5) 47.025 ms 40.766 ms
> >4 10.1.1.30 (10.1.1.30) 48.802 ms 32.628 ms 48.742 ms
> >(this works correctly)
> >
> >proxy:~# traceroute 10.0.4.60
> >traceroute to 10.0.4.60 (10.0.4.60), 30 hops max, 38 byte packets
> >1 10.0.100.249 (10.0.100.249) 0.859 ms 0.816 ms 0.966 ms
> >2 10.0.4.60 (10.0.4.60) 0.610 ms 0.655 ms 0.487 ms
> >
> >or:
> >
> >proxy:~# traceroute 10.0.13.11
> >traceroute to 10.0.13.11 (10.0.13.11), 30 hops max, 38 byte packets
> >1 10.0.100.249 (10.0.100.249) 0.820 ms 1.850 ms 1.617 ms
> >2 10.0.100.41 (10.0.100.41) 16.440 ms 16.250 ms 16.223 ms
> >3 10.0.13.11 (10.0.13.11) 19.553 ms 17.611 ms 17.794 ms
> >
> >in first case is a redirect, there is an other router.
> >
> >
> >
> >what is the problem?
> >
> >please help me, it is very hard problem.
> >
> >thank you:
> >
> >a.
> >
> >
> >
>
>

-- 
The source of all trouble is the 1/x function.
Received on Mon Mar 25 2002 - 04:02:59 MST
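
Added example, not part of the original message: a small parser for the native access.log lines quoted above that groups the 403 responses by client network and by where the logged codes say the reply came from. It relies on Squid logging requests refused by http_access as TCP_DENIED; the function names and labels are hypothetical, and the sample lines are copied from the message.

```python
import ipaddress
from collections import Counter

# Log lines copied from the message above; the third is the truncated one.
SAMPLE_LOG = """\
1017052785.357 2 10.0.4.99 TCP_HIT/403 1061 GET http://index.hu/ - NONE/- text/html
1017052840.047 71 10.0.4.99 TCP_REFRESH_HIT/403 1072 GET http://www.ahrt.hu/ - DIRECT/212.92.0.130 text/html
1016920321.721 1216 10.0.4.60 TCP_MISS/403 ... http://www....
1017052874.838 15 10.1.1.30 TCP_HIT/200 848 GET http://www.any.domain.com/ - NONE/- text/html
1017052875.382 382 10.1.1.30 TCP_HIT/200 9218 GET http://www.any.domain.com/ - NONE/- image/jpeg
"""
# The two client networks named in the message.
NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "10.1.0.0/16")]

def parse_line(line):
    """Return a dict for one native-format access.log line, or None if malformed."""
    f = line.split()
    if len(f) < 10 or f[3].count("/") != 1 or "/" not in f[8]:
        return None
    result, status = f[3].split("/")
    try:
        client = ipaddress.ip_address(f[2])
        status = int(status)
    except ValueError:
        return None
    net = next((str(n) for n in NETWORKS if client in n), "other")
    return {"client": str(client), "net": net, "result": result, "status": status,
            "url": f[6], "hierarchy": f[8].split("/", 1)[0]}

def source_of_403(rec):
    """Label where a 403 was produced, using only the logged codes."""
    if rec["result"] == "TCP_DENIED":
        return "http_access"        # Squid's own access controls refused the request
    if rec["hierarchy"] == "NONE":
        return "no_server_contact"  # answered without going to a server (e.g. cache hit)
    return "server_contacted"       # Squid talked to an origin or peer for this reply

def summarize(text):
    """Count 403s per (client network, source label); also count unparsable lines."""
    counts, skipped = Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["status"] == 403:
            counts[(rec["net"], source_of_403(rec))] += 1
    return counts, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the quoted lines, no 403 is labelled http_access, and the truncated TCP_MISS line is counted as skipped rather than guessed at.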
