Re: [squid-users] Wrong IP number inserted into Forwarded-For header

From: Richard Barrett <R.Barrett@dont-contact.us>
Date: Wed, 01 May 2002 18:21:23 +0100

I am embarrassed to say that I've discovered the cause of my problem and it
looks to be a mainly non-Squid problem.

I've been running an Apache module (derived from mod_extract_forwarded
http://web.systhug.com/mod_extract_forwarded/) which uses the Forwarded-For
information to spoof the rest of the Apache modules into believing the
origin of an incoming request was the IP number in the Forwarded-For header
rather than the IP number of the Squid proxy (but only as long as that
header was written by a 'trusted' proxy server). This allows a degree of
low grade domain based security as part of an overall authentication scheme
even though the Apache server is behind a Squid proxy.

This spoofing is done by the Apache module concerned modifying the
connection record associated with a request to change its remote-ip field.

Guess what seems to happen if the Squid-Apache connections are persistent?

You guessed right! The changes to the connection record as successive
requests arrive from Squid down the same connection interfere with each
other leading to faulty attribution of IP numbers to each request.

Setting the server_persistent_connections to off in squid.conf clears the
problem.

I've got a couple of test scripts which when run on a couple of different
machines make request via the Squid proxy server and reliably demonstrate
the problem with server_persistent_connections on and show it stops when
server_persistent_connections are off.

But in one respect I'm not entirely sure that Squid's hands are clean in
this matter. In some instances, the requests pushed down the same
connection by Squid seem to be incompatible. In particular, some requests
containing no user authentication and others that do seem to be made down a
common connection by Squid. I do not believe Squid should do this. If I
understand correctly, some of the information associated with
authentication is lodged in the Apache connection record rather than the
request record and I presume that connection sharing by Squid might thus
lead to problems similar to those I have experienced. I've not tried to
prove this. I'm just hypothesising.

Thanks for the help offered to me in resolving this problem.

At 22:10 30/04/2002 +0200, Squid Support (Henrik Nordstrom) wrote:
> From what it looks in the source this can happen if the original
>client aborted the request and Squid continues to make the request to
>the origin server.
>
>What is your quick_abort_* settings?
>
>Regards
>Henrik
>
>On Tuesday 30 April 2002 20:49, Richard Barrett wrote:
>
> > I have what appears to be clear evidence from collating Squid and
> > Apache access log entries that, at times, Squid is putting an
> > incorrect IP number in the Forwarded-For header it includes in the
> > HTTP requests it makes to the Apache server. At times, Squid is
> > logging the IP number of the incoming connections but inserting a
> > different IP number in the Forwarded-For header.
Received on Wed May 01 2002 - 11:21:34 MDT
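Added example (not code from the thread, Squid, Apache or mod_extract_forwarded): a small model of the failure Richard describes, beside the per-request approach that avoids it. The connection object stands in for Apache's per-connection record, which is shared by every request arriving on one keep-alive connection; the request object stands in for the per-request record. The trusted proxy address 10.0.0.5 and the client addresses are constructed, and the header is spelled X-Forwarded-For, the name Squid actually sends (the thread abbreviates it to Forwarded-For). The per-request version also walks the header chain right to left, so an address a browser put into its own X-Forwarded-For cannot be taken as the client address; that generalises slightly beyond the single-hop case in the thread.

```python
"""Constructed model of per-connection vs per-request client attribution
behind a proxy that adds X-Forwarded-For. Not Apache or Squid code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed address of the Squid box that Apache sees as its TCP peer.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


@dataclass
class Connection:
    """Stands in for Apache's conn_rec: one object shared by every request
    sent down a persistent connection."""
    remote_ip: str


@dataclass
class Request:
    """Stands in for request_rec: one object per HTTP request."""
    headers: Dict[str, str]


def is_trusted(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in TRUSTED_PROXIES
    except ValueError:
        return False


def buggy_attribute(conn: Connection, requests: List[Request]) -> List[str]:
    """Model of the failure described in the thread: the module rewrites the
    connection's remote_ip in place, so the rewrite survives into the next
    request on the same keep-alive connection. After the first rewrite the
    peer no longer looks trusted, so later headers are ignored as well."""
    seen = []
    for req in requests:
        xff = req.headers.get("X-Forwarded-For")
        if xff and is_trusted(conn.remote_ip):
            conn.remote_ip = xff.split(",")[-1].strip()
        seen.append(conn.remote_ip)
    return seen


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Per-request attribution. peer_ip is the real TCP peer and is never
    modified. The header is honoured only when the peer is a trusted proxy,
    and the chain is walked right to left, dropping trusted hops, so the
    result is the address the last trusted proxy itself observed."""
    if not xff or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and is_trusted(hops[-1]):
        hops.pop()
    if not hops:
        return peer_ip
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip  # malformed header: fall back to the proxy's address
    return candidate


def fixed_attribute(conn: Connection, requests: List[Request]) -> List[str]:
    """Same traffic, but the client address is derived per request and the
    connection record is left untouched."""
    return [client_ip(conn.remote_ip, r.headers.get("X-Forwarded-For"))
            for r in requests]


# Constructed traffic: three requests multiplexed by the proxy on one
# persistent connection, from two different browsers plus one that carries
# no header at all.
KEEPALIVE_REQUESTS = [
    Request({"X-Forwarded-For": "192.0.2.10"}),
    Request({"X-Forwarded-For": "198.51.100.7"}),
    Request({}),
]


def demo() -> Tuple[List[str], List[str]]:
    # A fresh Connection each time, as Apache would have for a new TCP session.
    buggy = buggy_attribute(Connection("10.0.0.5"), KEEPALIVE_REQUESTS)
    fixed = fixed_attribute(Connection("10.0.0.5"), KEEPALIVE_REQUESTS)
    return buggy, fixed


if __name__ == "__main__":
    b, f = demo()
    print("connection-record rewrite:", b)
    print("per-request computation: ", f)
```

With persistent connections the first version attributes all three requests to the first browser, which is the faulty attribution seen when collating the Squid and Apache logs; turning server_persistent_connections off hides it only because each request then arrives on a fresh connection record. The second version gives the same answer whether or not the connection is reused, and a request that reaches Apache without the header is attributed to the proxy rather than to whichever client happened to come before it.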