RE: [squid-users] Brief Flash of CACHE_ACCESS_DENIED on 302 (yahoo.com)

From: Jenny Lee <bodycare_5_at_live.com>
Date: Mon, 23 Nov 2009 04:43:12 +0000

> Um, sounds like you might have a few legacy setting issues.
> Mail me a copy of your config if you would like a free audit.

Amos, thank you so much for your help and offer, my config is working as expected now. It is not necessary to waste more of your time. That 'all' made _ALL_ the difference!
 
I put a reminder to myself; I will donate within the next few months. I have been using squid for close to 15 years now! Henrik and I grew old on squid :) (Bless him, he helped way too much back in the day). Even though I always wanted to contribute, I never got around to it. This was a good opportunity.
 
I spent a week debugging 3.1 configs. I especially had serious problems with proxy_auth accesses, returning proper error pages, cache_peer selections and always_direct. Nothing worked the way it should have. 'all' instead of '0.0.0.0/0' fixed it all for me. I also realized that I had '0.0.0.0/0.0.0.0' with some acls, and '0.0.0.0/0' with some others.
 
 
>>
>> What exactly has changed from '0.0.0.0/0.0.0.0' or older '0.0.0.0/0',
>> '0/0' to 'all'?
>>
>> Thank you!
>>
>> Jen
>>
>>
>> PS: I have ipv6 stack removed from RedHat kernel and squid built with no
>> ipv6.
>
> Strangely the only difference between them is when squid is built with
> IPv6 support.
>
> '0.0.0.0/0.0.0.0' becomes a weird 'odd' bitmask of ::ffff:0:0 in IPv6.
> Which maps non-reversibly to a /0 CIDR (aka the bitmask of ::)
>
> '0.0.0.0/0' maps to ::/0, which is at least usable. But is noisy on
> startup warnings because the /0 removes the four ::ffff* bits of the
> 0.0.0.0 IP's v4-mapping bitmask.
>
> 'all' is hard-coded to match /0 (always true).
>
> '0/0' causes a DNS lookup to find the hostname '0' (zero).
> That may result in a routable IP address if 0.example.com has rDNS.
> Before the /0 arrives and saves the day by wiping the address bitmask away.
> *** Unfortunately that only saves the day in IPv4. In IPv6 it wipes the
> bitmask down to a /96 CIDR and leaves the first 96 bits of the old IP being
> used to match (or mostly fail rather) and many of the default squid
> settings suddenly become 'allow' in IPv6.
>
> Thanks for making me think about this. It's reminded me I have to add
> extra checking and warnings for those values in 3.1.
>
> Amos

 
Thank you for the thorough explanation. I have squid compiled with:
 
--enable-delay-pools \
--enable-poll \
--enable-auth=basic \
--enable-basic-auth-helpers=NCSA \
--disable-carp \
--disable-wccp \
--disable-wccp2 \
--disable-snmp \
--disable-htcp \
--disable-ident-lookups \
--disable-unlinkd \
--disable-translation \
--disable-auto-locale \
--disable-loadable-modules \
--disable-ipv6
 
 
It mentioned 'no ipv6 support found' and complained about leftover ::1 in /etc/hosts upon start. Definitely no ipv6 in this machine.
 
I have 2 questions though. I currently have 'cache deny all' in my setup, using proxy-only. What is the proper way to do ONLY ON-MEMORY caching, say with 4GB memory? Is using no cache/store directory directives sufficient?
 
I also remember a light squid project -- all caching code stripped from squid for proxy-only use. I couldn't find it on the net. Does anyone know which project it is? Or whether there would be any advantage to it where one does no caching?
 
Thank you!
 
 
Jen
 
 

                                                
Received on Mon Nov 23 2009 - 04:43:20 MST
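
A config check for the legacy "match everything" spellings discussed in this message, as an added example that is not part of the original post and is not Squid's own code. It flags ACLs defined with those values and lists the access rules that depend on them; the function name lint, the choice to check only src and dst ACLs, and the sample config are assumptions made for the example.

```python
# Legacy "match everything" ACL values named in the thread, with the reason given there.
LEGACY = {
    "0.0.0.0/0.0.0.0": "becomes an odd ::ffff:0:0 bitmask in IPv6 builds",
    "0.0.0.0/0": "maps to ::/0 but is noisy with startup warnings",
    "0/0": "'0' is looked up as a hostname before the /0 mask applies",
}
ADDR_ACL_TYPES = {"src", "dst"}  # assumption: only these address ACL types are checked

# Constructed sample, not a config from the thread.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl everyone src 0.0.0.0/0
acl anywhere dst 0/0
acl lan src 192.168.0.0/16
http_access allow lan
http_access deny everyone
always_direct allow anywhere
cache deny all
"""

def lint(conf_text):
    """Return (findings, uses): legacy ACL definitions and the rules that reference them."""
    findings, uses, flagged = [], [], set()
    # Drop comments, then tokenize each line on whitespace.
    lines = [l.split("#", 1)[0].split() for l in conf_text.splitlines()]
    for no, tok in enumerate(lines, 1):
        # acl <name> <type> <value> [<value> ...]
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] in ADDR_ACL_TYPES:
            for value in tok[3:]:
                if value in LEGACY:
                    findings.append((no, tok[1], value, LEGACY[value]))
                    flagged.add(tok[1])
    for no, tok in enumerate(lines, 1):
        # Any non-acl directive naming a flagged ACL, including negated (!name) uses.
        if tok and tok[0] != "acl":
            hit = sorted({t.lstrip("!") for t in tok[1:]} & flagged)
            if hit:
                uses.append((no, tok[0], hit))
    return findings, uses

if __name__ == "__main__":
    found, used = lint(SAMPLE)
    for no, name, value, why in found:
        print(f"line {no}: acl {name} uses {value!r}: {why}; use the built-in 'all'")
    for no, directive, names in used:
        print(f"line {no}: {directive} depends on {', '.join(names)}")
```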
