[squid-users] Pseudo-random 403 Forbidden...

From: John Doe <jdmls_at_yahoo.com>
Date: Wed, 2 Jul 2008 07:09:07 -0700 (PDT)

> > Looks like a false positive.
> >
> > Maybe you need to enable retry_on_error. Shouldn't be needed, but I
> > haven't verified this in quite a while..
>
> It only changed the "403 Forbidden" to constant "200 No headers, assuming
> HTTP/0.9"
>
> > > The "latest" from a CentOS 5.2: squid-2.6.STABLE6-5.el5_1.2
> > > I guess I will have to manually compile a STABLE20... Or is 2.7STABLE3 better
> > > and as stable?
> >
> > I would recommend 2.7.
> >
> > If you recompile 2.6 then make sure to get 2.6.STABLE21, or you'll miss
> > some annoying bugfixes..
>
> I compiled 2.7STABLE3 and no more problems...
> Now I will just have to parse my confs for 2.6->2.7 changes.

Hum, I rejoiced too quickly...
Same problem with 2.7STABLE3

Stop squids, rm -Rf <cache_dirs>, start squids and get objects on random squid:

Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/index.html = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/spain.gif = 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/greece.gif = 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/france.gif = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/denmark.gif = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/sweden.gif = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/finland.gif = 403 Forbidden
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/japan.gif = 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/usa.gif = 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/russia.gif = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/brasil.gif = 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/portugal.gif = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/polska.gif = 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/netherlands.gif = 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/taiwan.gif = 403 Forbidden
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/china.gif = 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/italia.gif = 403 Bad Request
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/turkey.gif = 200 OK

Always the same objects, failing on any of the 3 squids...
And, from time to time, "403 Forbidden" becomes "403 Bad Request" (most of the time if I put "retry_on_error on").

For example, when squid1 is asked for http://127.0.0.1/img/finland.gif (nobody has finland.gif since I deleted the cache).

squid1:
1215006500.805 0 192.168.17.11 TCP_DENIED/403 1297 GET http://127.0.0.1/img/finland.gif - NONE/- text/html
1215006500.805 1 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
1215006500.806 3 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
1215006500.806 4 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
1215006500.806 5 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
.. . .

squid2:
1215006500.805 0 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
1215006500.805 2 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
1215006500.806 3 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
1215006500.806 5 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
.. . .

squid3:
Nothing

Same if I ask squid2 (but the TCP_DENIED is by squid2).

But if I ask squid3:

squid3:
1215006804.230 609 192.168.17.13 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html

squid1:
1215006803.990 0 192.168.17.11 TCP_DENIED/403 1297 GET http://127.0.0.1/img/finland.gif - NONE/- text/html
1215006803.990 1 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
1215006803.991 3 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
1215006803.991 4 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
1215006803.992 6 192.168.17.11 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid2 text/html
.. . .

squid2:
1215006803.990 1 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
1215006803.990 2 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
1215006803.991 3 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
1215006803.991 5 192.168.17.12 TCP_MISS/403 1297 GET http://127.0.0.1/img/finland.gif - CD_SIBLING_HIT/squid1 text/html
.. . .

I also get apache2 error logs like (mainly with "retry_on_error on"):
[Wed Jul 02 15:34:24 2008] [error] [client 127.0.0.1] request failed: error reading the headers
[Wed Jul 02 15:34:25 2008] [error] [client 127.0.0.1] request failed: error reading the headers
[Wed Jul 02 15:34:26 2008] [error] [client 127.0.0.1] request failed: error reading the headers

Any idea?
JD

      
Received on Wed Jul 02 2008 - 14:09:17 MDT
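
An added example, not part of the original post: a Python script that parses native-format Squid access.log lines like those quoted above and reports URLs for which two proxies each logged a CD_SIBLING_HIT naming the other, plus which proxy answered with TCP_DENIED. The function names are illustrative; the log lines are copied from the two captures in the post.

```python
from collections import defaultdict

URL = "http://127.0.0.1/img/finland.gif"
# Log lines copied from the captures in the post, keyed by the proxy that wrote them.
LOGS = {
    "squid1": [
        f"1215006500.805 0 192.168.17.11 TCP_DENIED/403 1297 GET {URL} - NONE/- text/html",
        f"1215006500.805 1 192.168.17.11 TCP_MISS/403 1297 GET {URL} - CD_SIBLING_HIT/squid2 text/html",
    ],
    "squid2": [
        f"1215006500.805 0 192.168.17.12 TCP_MISS/403 1297 GET {URL} - CD_SIBLING_HIT/squid1 text/html",
        f"1215006500.805 2 192.168.17.12 TCP_MISS/403 1297 GET {URL} - CD_SIBLING_HIT/squid1 text/html",
    ],
    "squid3": [
        f"1215006804.230 609 192.168.17.13 TCP_MISS/403 1297 GET {URL} - CD_SIBLING_HIT/squid1 text/html",
    ],
}

def parse_line(line):
    """Split one native-format access.log line into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or non-native line
    action, _, status = f[3].partition("/")   # e.g. TCP_MISS/403
    hier, _, peer = f[8].partition("/")       # e.g. CD_SIBLING_HIT/squid2
    return {"action": action, "status": int(status or 0), "url": f[6], "hier": hier, "peer": peer}

def sibling_edges(logs):
    """Map URL -> set of (proxy, peer) pairs forwarded on a cache-digest sibling hit."""
    edges = defaultdict(set)
    for proxy, lines in logs.items():
        for rec in filter(None, map(parse_line, lines)):
            if rec["hier"] == "CD_SIBLING_HIT":
                edges[rec["url"]].add((proxy, rec["peer"]))
    return edges

def mutual_sibling_hits(logs):
    """Return {url: [(a, b), ...]} where a and b each forwarded the URL to the other."""
    out = {}
    for url, pairs in sibling_edges(logs).items():
        mutual = sorted({tuple(sorted(p)) for p in pairs if (p[1], p[0]) in pairs})
        if mutual:
            out[url] = mutual
    return out

def locally_denied(logs):
    """Return (proxy, url, status) for every request a proxy answered with TCP_DENIED."""
    recs = ((p, parse_line(l)) for p, lines in logs.items() for l in lines)
    return [(p, r["url"], r["status"]) for p, r in recs if r and r["action"] == "TCP_DENIED"]

if __name__ == "__main__":
    print(mutual_sibling_hits(LOGS), locally_denied(LOGS))
```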