RE: [squid-users] Squid Maxing Out - Help required

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Jul 2008 16:10:14 +1200 (NZST)

> Further to the Page Cannot be Displayed errors I am getting
>
> From the cache.log
> 2008/07/23 10:47:50| The request POST
> http://webmail.controlpanel.com.au/ is ALLOWED, because it matched
> 'PowerProxy'
> 2008/07/23 10:47:50| The reply for POST
> http://webmail.controlpanel.com.au/ is ALLOWED, because it matched 'all'
> 2008/07/23 10:47:50| The request GET
> http://webmail.controlpanel.com.au/vopmail.css is DENIED, because it
> matched 'PowerProxy'
> 2008/07/23 10:47:50| The request GET
> http://webmail.controlpanel.com.au/vopmail.css is DENIED, because it
> matched 'PowerProxy'
> 2008/07/23 10:47:50| The request GET
> http://webmail.controlpanel.com.au/vopmail.css is ALLOWED, because it
> matched 'PowerProxy'
> 2008/07/23 10:47:56| The request POST
> http://webmail.controlpanel.com.au/ is ALLOWED, because it matched
> 'PowerProxy'
> 2008/07/23 10:47:56| The reply for POST
> http://webmail.controlpanel.com.au/ is ALLOWED, because it matched 'all'
> 2008/07/23 10:48:08| The request GET
> http://webmail.controlpanel.com.au/?AutoLogon=no is ALLOWED, because it
> matched 'PowerProxy'
> 2008/07/23 10:48:09| The reply for GET
> http://webmail.controlpanel.com.au/?AutoLogon=no is ALLOWED, because it
> matched 'all'
> 2008/07/23 10:48:10| The request POST
> http://webmail.controlpanel.com.au/ is DENIED, because it matched
> 'PowerProxy'
> 2008/07/23 10:48:10| The request POST
> http://webmail.controlpanel.com.au/ is DENIED, because it matched
> 'PowerProxy'
> 2008/07/23 10:48:10| The request POST
> http://webmail.controlpanel.com.au/ is ALLOWED, because it matched
> 'PowerProxy'
> 2008/07/23 10:48:11| The reply for POST
> http://webmail.controlpanel.com.au/ is ALLOWED, because it matched 'all'
>
>
> Why am I seeing DENIED, should I be concerned?

Looks like two clients accessing a system with slightly broken
authentication failover.

 - User 1, has (NTLM?) login working and gets through.
 - User 2, has no (NTLM?) login and gets redirected to a backup login
(form?).

Then things go all funky on User2.

Going only by the URL; the 'AutoLogin=no' POST request (login form
submission?) is denied because the (NTLM?) fails.
BUT, that failure may be why the POST exists in the first place.

**** Please verify manually yourself, if my theory above is correct about
the two login methods before trying to fix. ****

If my analysis is right, you need to whitelist POST requests to the backup
login form handler. Maybe get the system POST'ing to a different URL (i.e.
*/login?AutoLogin=no) which can be specially whitelisted by itself.

Amos

>
> Here is part of the squid.conf
>
> acl Proxy external nt_group ProxyUsers
> acl PowerProxy external nt_group ProxyPowerUsers
> acl White url_regex "/etc/squid/white.list"
> acl Denied url_regex -i "/etc/squid/denied.list"
> acl Refuse url_regex -i "/etc/squid/refuse.list"
> acl ATO dstdomain eci.ato.gov.au pki.ato.gov.au
> no_cache deny QUERY
> always_direct allow FTP
> always_direct allow localhost
> always_direct allow ATO
>
> # ACL List of Allow or Deny and the order they flow
> http_access allow White
> http_access deny Denied
> http_access allow PowerProxy
> http_access deny Refuse
> http_access allow Proxy
> http_access allow ATO
> http_access allow manager
> http_access deny all
>
> Any suggestions would be most welcome
>
> Cheers,
> Scott
>
> -----Original Message-----
> From: Thompson, Scott (WA) [mailto:Scott.Thompson_at_affoods.com.au]
> Sent: Wednesday, 23 July 2008 9:07 AM
> To: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Squid Maxing Out - Help required
>
> Thx Henrik
> Nothing I can see that is obvious
> tail messages
> Jul 23 08:15:26 pelpx01 squid[29720]: Squid Parent: child process 12961
> started
> Jul 23 08:34:01 pelpx01 squid[29720]: Squid Parent: child process 12961
> exited due to signal 6
> Jul 23 08:34:04 pelpx01 squid[29720]: Squid Parent: child process 17905
> started
> Jul 23 08:34:34 pelpx01 squid[29720]: Squid Parent: child process 17905
> exited due to signal 6
> Jul 23 08:34:37 pelpx01 squid[29720]: Squid Parent: child process 18211
> started
> Jul 23 08:34:54 pelpx01 squid[29720]: Squid Parent: child process 18211
> exited due to signal 6
> Jul 23 08:34:57 pelpx01 squid[29720]: Squid Parent: child process 18433
> started
> Jul 23 08:38:06 pelpx01 squid[29720]: Squid Parent: child process 18433
> exited due to signal 6
> Jul 23 08:38:09 pelpx01 squid[29720]: Squid Parent: child process 19855
> started
> Jul 23 08:39:55 pelpx01 sshd(pam_unix)[20645]: session opened for user
> root by root(uid=0)
>
> Cache log just seems to have the usual requests etc
> Plenty of Gets and Allowed. It happened whilst I was checking the cache
> log so I had a site to reference and there was nothing unusual!
>
> Any other suggestions would be appreciated
>
> Scott
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Wednesday, 23 July 2008 4:03 AM
> To: Thompson, Scott (WA)
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid Maxing Out - Help required
>
> On tis, 2008-07-22 at 15:44 +0800, Thompson, Scott (WA) wrote:
>> Hi all
>> We are seeing some weird behaviour with our Squid server
>> Thru out the day Internet Explorer will come back with Internet Explorer
>> cannot display the page
>> No errors from Squid as such, it appears that IE simply cannot contact
>> the squid server, that's what it looks like to me!
>
> Anything in cache.log?
>
> Anything in /var/log/messages?
>
> Regards
> Henrik
>
Received on Wed Jul 23 2008 - 04:10:22 MDT
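
As an added example (not part of the thread and not Squid's own tooling), here is a small Python script for the manual verification step suggested in the reply. It pairs each run of DENIED request verdicts in cache.log with a following ALLOWED for the same method and URL, so that denials never followed by an allow stand out; the function names and the `window` parameter are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: verdict lines from the quoted cache.log, re-joined to
# one line each (the mail wrapped them); the earlier ALLOWED POSTs are omitted.
SAMPLE_LOG = """\
2008/07/23 10:47:50| The request GET http://webmail.controlpanel.com.au/vopmail.css is DENIED, because it matched 'PowerProxy'
2008/07/23 10:47:50| The request GET http://webmail.controlpanel.com.au/vopmail.css is DENIED, because it matched 'PowerProxy'
2008/07/23 10:47:50| The request GET http://webmail.controlpanel.com.au/vopmail.css is ALLOWED, because it matched 'PowerProxy'
2008/07/23 10:48:08| The request GET http://webmail.controlpanel.com.au/?AutoLogon=no is ALLOWED, because it matched 'PowerProxy'
2008/07/23 10:48:09| The reply for GET http://webmail.controlpanel.com.au/?AutoLogon=no is ALLOWED, because it matched 'all'
2008/07/23 10:48:10| The request POST http://webmail.controlpanel.com.au/ is DENIED, because it matched 'PowerProxy'
2008/07/23 10:48:10| The request POST http://webmail.controlpanel.com.au/ is DENIED, because it matched 'PowerProxy'
2008/07/23 10:48:10| The request POST http://webmail.controlpanel.com.au/ is ALLOWED, because it matched 'PowerProxy'
2008/07/23 10:48:11| The reply for POST http://webmail.controlpanel.com.au/ is ALLOWED, because it matched 'all'
"""

# Only "The request ..." verdicts are matched; "The reply for ..." lines are skipped.
REQUEST = re.compile(
    r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| The request ([A-Z]+) (\S+) "
    r"is (ALLOWED|DENIED), because it matched '([^']+)'")

def parse(text):
    """Return (time, method, url, verdict, acl) for each request verdict line."""
    out = []
    for m in map(REQUEST.match, text.splitlines()):
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            out.append((ts,) + m.groups()[1:])
    return out

def denied_then_allowed(events, window=2):
    """Split DENIED runs per (method, url) into those followed by ALLOWED within
    `window` seconds of the last DENIED (resolved) and the rest (unresolved)."""
    pending, resolved = {}, []
    for ts, method, url, verdict, acl in events:
        key = (method, url)
        if verdict == "DENIED":  # remember time of last denial and run length
            pending[key] = (ts, pending.get(key, (ts, 0))[1] + 1)
        elif key in pending and (ts - pending[key][0]).total_seconds() <= window:
            resolved.append((method, url, pending.pop(key)[1], acl))
    return resolved, pending

if __name__ == "__main__":
    resolved, unresolved = denied_then_allowed(parse(SAMPLE_LOG))
    for method, url, n, acl in resolved:
        print(f"{method} {url}: {n} DENIED, then ALLOWED via '{acl}'")
    print("never allowed:", sorted(unresolved))
```

Run against the full cache.log, the entries left in the unresolved set are the requests worth checking against the http_access order in squid.conf.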