[squid-users] reverse proxy - sporadic TCP_MISS/403

From: Michael Grimm <michigrimm_at_gmx.de>
Date: Wed, 30 Sep 2009 12:18:47 +0200

Hi everyone,

I have a problem with my reverse proxy running Squid 3.0.STABLE19 in the following scenario:

I give customers access to one of our internal web applications running Tomcat on port 8080 (unencrypted).
The customer accesses the reverse proxy on port 443 (certificates are in place).

When a customer accesses the reverse proxy for the first time he receives:

        Forwarding Denied
        This cache will not forward your request because it is trying to enforce a sibling relationship. Perhaps the client at xyz.xyz.xyz.xyz (THE CUSTOMER'S IP!) is a cache which has been misconfigured.

The access.log of the server contains the following message:
        1254302414.527 1 xyz.xyz.xyz.xyz TCP_MISS/403 2347 GET https://customer.mycompany.com/ - NONE/- text/html

When the customer does a browser refresh, the login page appears and he can work without any further error messages.

My squid.conf contains the following entries:
        cache_mgr info_at_mycompany.com
        access_log /var/log/squid/access.log squid
        
        acl manager proto cache_object
        acl localhost src 127.0.0.1/32
        acl to_localhost dst 127.0.0.0/8
        
        acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
        acl externalnet src all
        
        acl SSL_ports port 443
        acl Safe_ports port 443
        acl CONNECT method CONNECT
        
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports
        
        http_access allow externalnet
        
        http_access deny all
        icp_access deny all
        htcp_access deny all
        
        https_port 443 cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert key=/etc/ssl/reverse_proxy/customer.mycompany.com.key defaultsite=customer.mycompany.com options=NO_SSLv2 accel
        cache_peer 192.168.1.50 parent 8080 0 no-query originserver name=tomcatapplication # 192.168.1.50 is the internal IP of the tomcat web application
        acl reverse_tomcatapplication dst customer.mycompany.com
        http_access allow reverse_tomcatapplication
        cache_peer_access tomcatapplication allow reverse_tomcatapplication
        cache_peer_access tomcatapplication deny all
        http_access allow all
        miss_access allow reverse_tomcatapplication
        miss_access deny all
        http_access deny all

This error has existed ever since I first installed the reverse proxy. It was no problem while few customers accessed the system; since that number will increase a lot in the near future, I have to fix this.

Thanks in advance for your help

Michael

Received on Wed Sep 30 2009 - 10:19:01 MDT
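Added example (not from the post or from the Squid project): a small parser for Squid's native access.log format that flags the symptom described above, a TCP_MISS/403 whose hierarchy field is NONE/- (Squid refused the request itself, without contacting the cache_peer) followed by a successful forward of the same URL for the same client. The sample log lines are constructed; the client addresses, timestamps and peer name in them are made up.

```python
from collections import defaultdict

# Constructed sample in Squid's native log format (IPs and timestamps made up):
# client A is refused locally on the first hit and served on refresh,
# client B is served straight away.
SAMPLE_LOG = """\
1254302414.527 1 203.0.113.10 TCP_MISS/403 2347 GET https://customer.mycompany.com/ - NONE/- text/html
1254302420.101 35 203.0.113.10 TCP_MISS/200 5120 GET https://customer.mycompany.com/ - FIRST_UP_PARENT/tomcatapplication text/html
1254302431.888 22 198.51.100.7 TCP_MISS/200 5120 GET https://customer.mycompany.com/ - FIRST_UP_PARENT/tomcatapplication text/html
"""

def parse_native_line(line):
    """Split one native-format line: time elapsed client result/status bytes
    method URL ident hierarchy/peer content-type."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a squid native log line: %r" % line)
    result, status = f[3].split("/")
    hier_code, hier_host = f[8].split("/", 1)
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "url": f[6],
            "hier_code": hier_code, "hier_host": hier_host}

def is_local_denial(entry):
    """Squid answered 403 itself: hierarchy NONE/- means no peer or origin
    was contacted, which is what 'Forwarding Denied' produces."""
    return entry["status"] == 403 and entry["hier_code"] == "NONE"

def first_request_denials(log_text):
    """Clients whose first request was refused locally but whose later request
    for the same URL was forwarded to a parent (the 'works after refresh' symptom)."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_native_line(line)
            by_client[e["client"]].append(e)
    flagged = []
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        first, rest = entries[0], entries[1:]
        if is_local_denial(first) and any(
                e["url"] == first["url"] and e["hier_code"] != "NONE" and e["status"] < 400
                for e in rest):
            flagged.append(client)
    return flagged

if __name__ == "__main__":
    print(first_request_denials(SAMPLE_LOG))  # ['203.0.113.10']
```

Run it over a real access.log (in the `squid` log format configured above) to see how many distinct customers hit the denial on their first request and whether the count tracks the number of new clients rather than load.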
