Re: [squid-users] Re: Unable to forward this request at this time.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 26 Jan 2012 13:50:13 +1300

On 26.01.2012 13:21, Henrik Nordström wrote:
> On Wed 2012-01-25 at 08:50 -0800, Luc Igert wrote:
>> Hi Amos, and thanks a lot for your answer. I forgot to say I’m running as a
>> Reverse Proxy with multiple backends, Squid 3.1
>>
>> What’s confusing for me is the fact that www.xxx.ch is working, while
>> backup.xxx.ch or wbbltest.xxx.ch aren’t.
>
> So what cache_peer and cache_peer_access/cache_peer_domain rules do you
> have?

Three properly configured cache_peer, with unique cache_peer_domain and
a vhost port.

>> http_access allow manager localhost
>> http_access allow manager localnet
>> http_access allow localnet
>> http_access allow localhost
>> http_access allow manager
>> http_access deny !Safe_ports

This might be part of the problem. Reverse-proxy traffic does not work
well behind forward-proxy security limitations.

...

>> http_port 80 accel defaultsite=backup.XXX.ch vhost

>> cache_peer 172.17.2.30 parent 80 0 no-query no-digest originserver name=mysite1
>> cache_peer 172.17.2.32 parent 80 0 no-query no-digest originserver name=mysite2
>> cache_peer 172.17.2.116 parent 80 0 no-query no-digest originserver name=mysite3
>>
>> cache_peer_domain mysite1 www.XXX.ch
>> cache_peer_domain mysite2 wbbltest.XXX.ch
>> cache_peer_domain mysite3 backup.XXX.ch
>>
>> acl my_site1 dstdomain www.XXX.ch
>> acl my_site2 dstdomain wbbltest.XXX.ch
>> acl my_site3 dstdomain backup.XXX.ch
>> acl myaccelport port 80
>> acl myaccelport2 port 8080
>>
>> http_access allow my_site1 myaccelport
>> http_access allow my_site2 myaccelport
>> http_access allow my_site3 myaccelport2

This last rule might be the issue with backup.*. Expecting traffic on
port 80 to be received with port value 8080. To pass that ACL requires
the sending client to violate HTTP specifications, sending "Host:
backup.XXX.ch:8080" when the host authority is actually
"backup.XXX.ch:80".

It could also be a dead peer (or firewall) issue since wbbltest.* is
breaking too. Or broken origin server configuration.

Amos
Received on Thu Jan 26 2012 - 00:50:19 MST
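
The http_access walk described in the reply above, as an added Python illustration that is not part of the original message and not Squid's own code: it evaluates the quoted rules first-match for constructed requests. Assumptions: Safe_ports is the stock squid.conf list, only the rules visible in the post are modelled (the elided lines may change the real outcome), and the port ACL is taken from the Host header as the reply describes.

```python
# Added illustration, not Squid code: first-match http_access evaluation
# over the rules quoted in the thread.

# Assumption: Safe_ports as in the stock squid.conf (not shown in the post).
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777} | set(range(1025, 65536))

ACLS = {
    "Safe_ports":   lambda r: r["port"] in SAFE_PORTS,
    "my_site1":     lambda r: r["host"] == "www.xxx.ch",
    "my_site2":     lambda r: r["host"] == "wbbltest.xxx.ch",
    "my_site3":     lambda r: r["host"] == "backup.xxx.ch",
    "myaccelport":  lambda r: r["port"] == 80,
    "myaccelport2": lambda r: r["port"] == 8080,
}

# Order as posted. The localhost/localnet/manager rules are left out because
# the constructed client below is an external one making ordinary requests.
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("allow", ["my_site1", "myaccelport"]),
    ("allow", ["my_site2", "myaccelport"]),
    ("allow", ["my_site3", "myaccelport2"]),
]

def parse_host(header):
    """Split a Host header into (lowercased host, port); no port means 80."""
    host, sep, port = header.rpartition(":")
    return (host.lower(), int(port)) if sep else (header.lower(), 80)

def term_matches(term, req):
    """One ACL name on a rule line; a leading '!' negates it."""
    result = ACLS[term.lstrip("!")](req)
    return not result if term.startswith("!") else result

def evaluate(host_header):
    """Return (action, rule) for the first rule whose ACLs all match."""
    host, port = parse_host(host_header)
    req = {"host": host, "port": port}
    for action, terms in RULES:
        if all(term_matches(t, req) for t in terms):
            return action, "http_access %s %s" % (action, " ".join(terms))
    # Nothing matched: Squid applies the opposite of the last rule's action.
    fallback = "deny" if RULES[-1][0] == "allow" else "allow"
    return fallback, "implicit default"

if __name__ == "__main__":
    for h in ("www.XXX.ch", "wbbltest.XXX.ch", "backup.XXX.ch", "backup.XXX.ch:8080"):
        print(h, "->", *evaluate(h))
```

In this model wbbltest passes the access rules on port 80, so its failure would have to come from elsewhere, such as the peer or origin issues the reply lists.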