Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

From: 巍俊葛 <weijunge_at_gmail.com>
Date: Wed, 11 Jan 2012 21:28:01 +0800

Hi Amos,

Really appreciate your help.

I made the changes you suggested.

Some debug logs are here:

2012/01/11 13:21:58.167| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:21:58.168| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:21:58.168| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:21:58.170| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.171| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.171| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.177| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.177| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.177| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.183| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.184| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.184| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.190| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.191| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.191| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.197| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.197| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.197| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.203| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.204| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.204| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.210| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.210| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.210| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.216| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.216| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.217| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.222| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.223| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.223| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.229| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.229| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.229| Detected DEAD Parent: main

2012/01/11 13:21:58.229| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.235| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.236| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.236| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 dead

2012/01/11 13:21:58.236| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.238| The reply for GET
http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'

2012/01/11 13:21:58.240| ConnStateData::swanSong: FD 9

2012/01/11 13:22:07.406| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:07.406| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:22:07.406| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:07.407| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:22:07.408| Failed to select source for
'http://ids-ams.elabs.eds.com/'

2012/01/11 13:22:07.408| always_direct = 0

2012/01/11 13:22:07.408| never_direct = 0

2012/01/11 13:22:07.408| timedout = 0

2012/01/11 13:22:07.410| The reply for GET
http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'

2012/01/11 13:22:07.410| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 dead

2012/01/11 13:22:07.412| ConnStateData::swanSong: FD 9

2012/01/11 13:22:09.381| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:09.381| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:22:09.381| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:09.383| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:22:09.384| Failed to select source for
'http://ids-ams.elabs.eds.com/'

2012/01/11 13:22:09.384| always_direct = 0

2012/01/11 13:22:09.384| never_direct = 0

2012/01/11 13:22:09.384| timedout = 0

2012/01/11 13:22:09.386| The reply for GET
http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'

2012/01/11 13:22:09.386| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 dead

2012/01/11 13:22:09.387| ConnStateData::swanSong: FD 9

My squid environment information:
RHEL6.0 64bit.
squid v 3.1.4

Thanks,
~Kimi

On 11/01/2012, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 11/01/2012 8:46 p.m., kimi ge(巍俊葛) wrote:
>> Thanks Amos.
>>
>> I did the lynx test on back-end web site on squid system like this:
>> sudo lynx http://wtestsm1.asiapacific.hpqcorp.net
>>
>> First, it shows the message:
>> Alert!: Invalid header 'WWW-Authenticate: NTLM'
>>
>> Then it shows the following message.
>> Show the 401 message body? (y/n)
>
> Aha. NTLM authentication. Very probably that login=PASS then.
>
>>
>> For the domain auth, I mean the back-end web site needs a corp domain
>> user to be accessed.
>> To put it this way: if I log on with my corp domain on my laptop,
>> then I can access IIS SharePoint without any credentials window popping
>> up. If not, I have to enter my domain account in the credentials window to
>> access the SharePoint site.
>>
>>
>> The following is my squid configuration for this case, in which I omit
>> some default sections.
>> #added by kimi
>> acl hpnet src 16.0.0.0/8 # RFC1918 possible internal network
>> #added by kimi
>> acl origin_servers dstdomain ids-ams.elabs.eds.com
>> http_access allow origin_servers
>> http_access allow hpnet
>>
>> http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com
>> connection-auth=on
>>
>> forwarded_for on
>>
>> request_header_access WWW-Authenticate allow all
>
> This is not needed. The Squid default is to relay www-auth headers
> through. www-authenticate is a reply header anyway, to inform the client
> agent what types of auth it can use.
>
>>
>> cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query
>> no-digest originserver name=main connection-auth=on login=PASS
>
> "connection-auth=on" should be enough. Try without login=PASS.
>
>>
>> cache_peer_domain main .elabs.eds.com
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> cache_dir aufs /data/squid/cache 12000 64 256
>> cache_mem 1024 MB
>> maximum_object_size_in_memory 1024 KB
>> maximum_object_size 51200 KB
>>
>> visible_hostname ids-ams.elabs.eds.com
>> debug_options ALL,5
>> http_access deny all
>>
>> With squid running, I test like this:
>> http://ids-ams.elabs.eds.com
>>
>> The 404 error page is shown.
>
> Okay. Which error page? Squid sends three different ones with that
> status code. Invalid request or Invalid URL or something else?
>
>> That's why I am wondering whether squid can be a reverse proxy with IIS
>> SharePoint as back-end?
>
> It can be. There is normally no trouble. But the newer features MS have
> been adding for IPv6 and cloud support recently are not widely tested yet.
>
> Amos
>
Received on Wed Jan 11 2012 - 13:28:09 MST
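
An added example, not part of the original thread or of Squid itself: a small Python summarizer for `debug_options ALL,5` output in the mail-wrapped form posted above, which rejoins the wrapped lines and counts peer connect failures, dead-parent marks and requests with no usable source. The sample input is constructed from the line formats in the post; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a few cache.log lines in the wrapped form seen in the post above.
SAMPLE = """\
2012/01/11 13:21:58.223| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.229| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.229| Detected DEAD Parent: main

2012/01/11 13:22:07.408| Failed to select source for
'http://ids-ams.elabs.eds.com/'
"""

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\| ")
CONNECT = re.compile(r"TCP connection to (\S+) (failed|dead)$")
DEAD = re.compile(r"Detected DEAD Parent: (\S+)$")
NO_SOURCE = re.compile(r"Failed to select source for '([^']*)'$")

def unwrap(text):
    """Rejoin entries that the mail client wrapped onto a second line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)      # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def summarize(text):
    """Count peer connect failures, dead-parent marks and unroutable requests."""
    failed, dead_peers, unroutable = Counter(), [], []
    for entry in unwrap(text):
        msg = STAMP.sub("", entry)
        if m := CONNECT.search(msg):
            if m.group(2) == "failed":
                failed[m.group(1)] += 1
        elif m := DEAD.search(msg):
            dead_peers.append(m.group(1))
        elif m := NO_SOURCE.search(msg):
            unroutable.append(m.group(1))
    return {"failed": dict(failed), "dead_peers": dead_peers, "unroutable": unroutable}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```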
