[squid-users] squid failing with downstream proxy, yet Apache works

From: Bill DeGan <bdegan2_at_gmail.com>
Date: Tue, 15 Mar 2011 11:53:24 -0500

We have been using squid in a reverse proxy mode for several weeks now
and it's been working well.

Lately we have remote users that have a transparent proxy and users
are getting hung when trying to access a particular page.

Going through cache.log, all I see for every connection is "ALLOWED",
but I do see lines like this:

2011/03/15 09:47:20| clientReadBody: start fd=48 body_size=97 in.offset=0 cb=0x450740 req=0x1cf9dd40
2011/03/15 09:47:20| clientProcessBody: start fd=48 body_size=97 in.offset=0 cb=0x450740 req=0x1cf9dd40
2011/03/15 09:47:20| clientProcessBody: start fd=48 body_size=97 in.offset=97 cb=0x450740 req=0x1cf9dd40
2011/03/15 09:47:20| clientProcessBody: end fd=48 size=97 body_size=0 in.offset=0 cb=0x450740 req=0x1cf9dd40
2011/03/15 09:47:20| The reply for POST http://IP_ADDRESS/services/forward/jcore_security_check is ALLOWED, because it matched 'all'

Not sure if clientProcessBody is a problem or not?

Another group wants to replace the squid with Apache reverse proxy and
tried it out this morning and it didn't have any problems with the
remote user and the downstream proxy server.

Here are my squid_conf settings:

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic realm Ericsson. For support email performance_at_ericsson.com . A login
auth_param basic credentialsttl 1 hours
authenticate_ttl 1 hour
authenticate_ip_ttl 1 hour
external_acl_type mysession ttl=10 children=5 negative_ttl=0 %LOGIN %PATH /usr/local/bin/ckuser.pl
acl mysession external mysession %LOGIN %PATH
acl strt1 url_regex [-i] ^http://www.ericssonperformance.com$
acl strt2 url_regex [-i] ^http://129.192.172.19$
acl good_src url_regex -i \.php 129.192.172.19\/$ www.ericssonperformance.com\/$
acl all src all
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl ncsa_users proxy_auth REQUIRED
acl CONNECT method CONNECT
deny_info ERR_ACCESS_DENIED Safe_ports
http_access deny !Safe_ports
deny_info ERR_ACCESS_DENIED ncsa_users
http_access allow mysession ncsa_users
http_access deny all
http_reply_access allow all
icp_access allow localnet
icp_access deny all
reply_body_max_size 0 allow all
acl_uses_indirect_client on
http_port 10.102.16.101:80 accel defaultsite=129.192.172.19 vhost
forwarded_for on
cache_peer 10.202.16.117 parent 80 0 no-query originserver name=ADMIN
cache_peer_access ADMIN allow all
cache_peer 10.202.16.37 parent 80 0 no-query originserver name=WPP1
cache_peer_access WPP1 allow all
cache_peer 10.202.16.40 parent 80 0 no-query originserver name=WPP2
cache_peer_access WPP2 allow all
hierarchy_stoplist cgi-bin ?
cache_dir null /tmp
access_log /var/log/squid/access.log squid
debug_options ALL,1 33,2
log_fqdn off
url_rewrite_program /usr/local/bin/rewrite.pl
url_rewrite_children 20
url_rewrite_concurrency 0
url_rewrite_host_header on
redirector_bypass off
location_rewrite_program /usr/local/bin/rewrite.pl
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
negative_ttl 0 minutes
positive_dns_ttl 1 minutes
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
via on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
refresh_stale_hit 0 seconds
header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Disposition allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Location allow all
header_access Content-Range allow all
header_access Content-Type allow all
header_access Cookie allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Location allow all
header_access Range allow all
header_access Referer allow all
header_access Set-Cookie allow all
header_access WWW-Authenticate allow all
header_access All deny all
client_persistent_connections off
always_direct allow all
check_hostnames off
forwarded_for on
coredump_dir /var/spool/squid

Any help would be appreciated.

thanks
Received on Tue Mar 15 2011 - 16:53:31 MDT
