Re: [squid-users] Brief Flash of CACHE_ACCESS_DENIED on 302 (yahoo.com)‏

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 23 Nov 2009 10:51:55 +1300

On Sun, 22 Nov 2009 21:07:52 +0000, Jenny Lee <bodycare_5_at_live.com> wrote:
> Hello Squid Users,
>
> Here is my problem: For our proxy_auth users, yahoo.com briefly flashes
a
> CACHE_ACCESS_DENIED error before showing the page. Is there something I
am
> not understanding about 302 Redirects? I am an old time squid users, I
did
> not face this issue with older squids.

I suspect something to do with the browser. All squid does is send back a
4xx auth challenge. Same as always.

>
> I tried all variations of http_access and can't get rid of
> CACHE_ACCESS_DENIED flashes on yahoo.com with authenticated users.
>
> Squid: 3.1.0.14
> RHEL 5.4 x86_64
> IE7
> proxy_auth NCSA_AUTH basic
>
> NOTE: All acl's related to local ips / localhost, etc are removed for
the
> sake of simplicity in testing.
>
> Thanks in advance for your help!
>
> Jen
>
>
> ./squidclient -h 127.0.0.1 -u TEST -w TEST -p 3128 http://www.yahoo.com
> HTTP/1.0 302 Moved Temporarily
> Date: Sun, 22 Nov 2009 20:05:51 GMT
> Location: http://m.www.yahoo.com/
>
> The document has moved here.
>
> 2009/11/23 00:07:47.587| Ready to serve requests.
> 2009/11/23 00:07:48.176| storeLateRelease: released 0 objects
> 2009/11/23 00:07:55.334| The request GET http://www.yahoo.com is DENIED,
> because it matched 'WANUSERS'
> 2009/11/23 00:07:55.336| errorpage.cc(1038) BuildContent: No existing
> error page language negotiated for ERR_CACHE_ACCESS_DENIED. Using
default
> error file.
> 2009/11/23 00:07:55.340| The reply for GET http://www.yahoo.com is
> ALLOWED, because it matched 'all'
> 2009/11/23 00:07:55.344| ConnStateData::swanSong: FD 6
> 2009/11/23 00:08:33.132| authenticateAuthUserAddIp: user 'TEST' has been
> seen at a new IP address (127.0.0.1:5199)
> 2009/11/23 00:08:33.132| The request GET http://www.yahoo.com is
ALLOWED,
> because it matched 'WANUSERS'
> 2009/11/23 00:08:33.172| The reply for GET http://www.yahoo.com/ is
> ALLOWED, because it matched 'all'
>
>
> ./squidclient -h 127.0.0.1 -u TEST -w TEST -p 3128 http://www.google.com
> HTTP/1.0 200 OK
> Date: Sun, 22 Nov 2009 20:09:22 GMT
>
>
> 2009/11/23 00:10:03.829| The request GET http://www.google.com is
ALLOWED,
> because it matched 'WANUSERS'
> 2009/11/23 00:10:03.875| The reply for GET http://www.google.com/ is
> ALLOWED, because it matched 'all'
>
>
>
> acl WANUSERS proxy_auth REQUIRED
> acl BADGUYS proxy_auth "/squid/BADGUYS"
> acl ERR_BADGUYS src 0.0.0.0/0.0.0.0

acl ERR_BADGUYS src all

or if you are trying to match just the IPv4 clients:
  acl ERR_BADGUYS src !ipv6

>
> http_access allow WANUSERS !BADGUYS all

same as:
 http_access allow WANUSERS !0.0.0.0/0 all

... so only IPv6 users who are logged in can use Squid.

> http_access deny BADGUYS ERR_BADGUYS
> http_access deny !WANUSERS all
>
> deny_info ERR_BADGUYS ERR_BADGUYS

Amos
Received on Sun Nov 22 2009 - 21:51:59 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 23 2009 - 12:00:04 MST