Re: [squid-users] Apache ProxyPass -> Squid -> Zope but TCP_DENIED/403

Peter Bengtsson wrote:

> This is getting frustrating. I've set up Apache with ProxyPass to
> redirect all requests of mobile.peterbe.com -> Squid (with squidGuard)
> -> Zope.
> The requests seem to reach Zope if I look at the log file but they are
> all HTTP 1.1 403 and the users who go to mobile.peterbe.com see a
> squid error message page where it says Access Denied.
>
> I don't care to use Squid for proxying outbound access. Only as a http
> accelerator to speed up cachable web pages.
>
> Before, when I was proxypassing from Apache into Zope everything was
> working fine. Now I want to add Squid to improve performance.
>
> Apache runs on 80
> Squid runs on 3128
> Zope runs on 9080
>
> The /var/log/squid/access.log spits out stuff like this:
> 1150291833.853 0 127.0.0.1 TCP_DENIED/403 1572 GET
> http://80.68.212.7:3128/VirtualHostBase/http/mobile.peterbe.com:80/www/VirtualHostRoot/plog/better-select-boxes
>
> - NONE/- text/html
>
>
> My apache2 stanza looks like this:
> <VirtualHost 80.68.212.7>
> ServerAdmin mail@peterbe.com
> ServerName mobile.peterbe.com
>
> ProxyPass /
> http://localhost:3128/VirtualHostBase/http/mobile.peterbe.com:80/$
> ProxyPassReverse /
> http://localhost:3128/VirtualHostBase/http/mobile.peterbe.$
> ProxyPass /misc_ http://localhost:3128/misc_
> ProxyPass /p_ http://localhost:3128/p_
> ErrorLog /var/log/apache2/mobile.peterbe.error_log
> CustomLog /var/log/apache2/mobile.peterbe.access_log combined
> </VirtualHost>
>
> My squid.conf looks like this (strippped down and sorted):

Stripped down and sorted? Order is of paramount importance.

SNIP

>
> httpd_accel_host virtual
> httpd_accel_port 0

I'm a bit confused here. All of this is hosted on a single server. Why
are you using httpd_accel_host virtual and a redirector? That seems to
me to be adding unneeded complexity. Values of...

httpd_accel_host moble.peterbe.com # or perhaps localhost
http_accel_port 9080
httpd_accel_single_host on

...seem like they would be a better fit.

> icp_access allow all
> no_cache deny QUERY
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> refresh_pattern . 0 20% 4320
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> visible_hostname www.peterbe.com
>
>
> My squidGuard.conf looks like this:
> acl {
> default {
> redirect http://localhost:9080/%p
> }
> }
>
> I can give more info but I don't know what matters to anybody who can
> help me.

As for the source of the 403 errors... That's a good question. Given
the order of the http_access lines given, I don't see anything that
would cause problems. You might peruse the FAQ section on ACLs
(http://www.squid-cache.org/Doc/FAQ/FAQ-10.html) and see if you find
solace there (the subsection on debugging ACLs might give some clue).

Chris
Received on Wed Jun 14 2006 - 15:26:42 MDT