browser (and access.log) says access denied but cache.log says it's ok?!?


Anton Melser
Hi,
I have searched high and low for this, and can't get anywhere!!! I am
using 2.6.STABLE5 (standard debian etch package).
I am trying to get squid to accelerate both a local apache and a
distant apache (I only want accelerating, nothing else).
If I set squid up on 3128 (with both local and distant apache on 80),
then everything works fine. However, when I set up squid on 80 and
local apache on either 81 (or whatever) or 127.0.0.1:80 then for the
local site I get an access denied.

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://lesite.org/

The following error was encountered:

   * Access Denied.

     Access control configuration prevents your request from being
allowed at this time. Please contact your service provider if you feel
this is incorrect.

Your cache administrator is webmaster.
Generated Wed, 16 May 2007 17:59:44 GMT by lesite.org (squid/2.6.STABLE5)

In the access.log I get :

1179338384.598      0 ip_address_of_machine TCP_DENIED/403 1568 GET
http://lesite.org/ - NONE/- text/html
1179338384.598      9 firwall_ip TCP_MISS/403 1766 GET
http://lesite.org/ - DIRECT/172.16.116.1 text/html

But putting debug_options ALL,1 33,2
In cache.log I get
2007/05/16 19:59:44| The request GET http://lesite.org/ is ALLOWED,
because it matched 'sites_server_2'
2007/05/16 19:59:44| The request GET http://lesite.org/ is ALLOWED,
because it matched 'sites_server_2'
2007/05/16 19:59:44| WARNING: Forwarding loop detected for:
Client: anip http_port: an_ip.1:80
GET http://lesite.org/ HTTP/1.0
Host: lesite.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3)
Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,fr;q=0.8,fr-fr;q=0.5,en-us;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: LangCookie=fr; Wysistat=0.9261449444734621_1179321228414%uFFFD6%uFFFD1179321268023%uFFFD2%uFFFD1179317769%uFFFD0.5886263648254288_1179223653760; PHPSESSID=b0319d53833d11da790f5868f56c32e1; TestCookie=OK
Pragma: no-cache
Via: 1.1 lesite.org:80 (squid/2.6.STABLE5)
X-Forwarded-For: unip
Cache-Control: no-cache, max-age=259200
Connection: keep-alive

2007/05/16 19:59:44| The reply for GET http://lesite.org/ is ALLOWED,
because it matched 'QUERY'
2007/05/16 19:59:44| The reply for GET http://lesite.org/ is ALLOWED,
because it matched 'all'
2007/05/16 19:59:52| Preparing for shutdown after 2 requests

Can someone tell me what is going on here? I have tried pretty much
everything I can think of with no luck, and the boss is getting mighty
impatient!
Cheers
Anton

Re: browser (and access.log) says access denied but cache.log says it's ok?!?

Chris Robertson-2
Anton Melser wrote:
> Hi,
> I have searched high and low for this, and can't get anywhere!!! I am
> using 2.6.STABLE5 (standard debian etch package).
> I am trying to get squid to accelerate both a local apache and a
> distant apache (I only want accelerating, nothing else).
> If I set squid up on 3128 (with both local and distant apache on 80),
> then everything works fine. However, when I set up squid on 80 and
> local apache on either 81 (or whatever) or 127.0.0.1:80 then for the
> local site I get an access denied.

When you change what port Apache is listening on, did you just change
the http_port, or did you specify an IP as well in the squid.conf?  Did
you change the cache_peer line in Squid? Just asking because...

> 2007/05/16 19:59:44| WARNING: Forwarding loop detected for:
> Client: anip http_port: an_ip.1:80

...this looks like it could be caused by one (or both) of those.

>
> Can someone tell me what is going on here? I have tried pretty much
> everything I can think of with no luck, and the boss is getting mighty
> impatient!
> Cheers
> Anton

Have a peek at the FAQ entries on accelerator setups, if you haven't
already. http://wiki.squid-cache.org/SquidFaq/ReverseProxy/

Chris

Re: browser (and access.log) says access denied but cache.log says it's ok?!?

Anton Melser
On 16/05/07, Chris Robertson <[hidden email]> wrote:

> Anton Melser wrote:
> > Hi,
> > I have searched high and low for this, and can't get anywhere!!! I am
> > using 2.6.STABLE5 (standard debian etch package).
> > I am trying to get squid to accelerate both a local apache and a
> > distant apache (I only want accelerating, nothing else).
> > If I set squid up on 3128 (with both local and distant apache on 80),
> > then everything works fine. However, when I set up squid on 80 and
> > local apache on either 81 (or whatever) or 127.0.0.1:80 then for the
> > local site I get an access denied.
>
> When you change what port Apache is listening on, did you just change
> the http_port, or did you specify an IP as well in the squid.conf?  Did
> you change the cache_peer line in Squid? Just asking because...
>
> > 2007/05/16 19:59:44| WARNING: Forwarding loop detected for:
> > Client: anip http_port: an_ip.1:80
>
> ...this looks like it could be caused by one (or both) of those.
>
> >
> > Can someone tell me what is going on here? I have tried pretty much
> > everything I can think of with no luck, and the boss is getting mighty
> > impatient!
> > Cheers
> > Anton
>
> Have a peek at the FAQ entries on accelerator setups, if you haven't
> already. http://wiki.squid-cache.org/SquidFaq/ReverseProxy/
>
> Chris

Thanks Chris, I definitely changed the port (the live sites, which I
put in my hosts file so as not to cause too much trouble...), and could
access with no problems the non localhost sites. I tried both setting
a hostname and an IP with the ports - no luck, and had apache2
listening on 127.0.0.7:80 and *.81.
I had a very long look at the article mentioned (and you need the
right keywords to get to it!) but doing both local and distant reverse
proxying wasn't mentioned.
I followed the instructions on that page for one of my attempts (with
both squid and apache listening on 80 but one localhost and one
external) but alas exactly the same results.
I have seen in various places about compiling without internal dns but
the vast bulk of the literature is on <=2.5, and 2.6 seems pretty
different (particularly for http acceleration), and I didn't know
whether this was desirable or necessary. Anyway, I will try a couple
of things with /etc/hosts, and a few things, but I think it may be due
to some resolution issues.
Thanks for your input,
Anton

Re: browser (and access.log) says access denied but cache.log says it's ok?!?

Chris Robertson-2
Anton Melser wrote:
>
> Thanks Chris, I definitely changed the port (the live sites, which I
> put in my hosts file so as not to cause too much trouble...), and could
> access with no problems the non localhost sites. I tried both setting
> a hostname and an IP with the ports

Using an IP will be more explicit, and therefore is what I would
recommend.  Use the hostname for the defaultsite argument to http_port.

> - no luck, and had apache2
> listening on 127.0.0.7:80 and *.81.
> I had a very long look at the article mentioned (and you need the
> right keywords to get to it!) but doing both local and distant reverse
> proxying wasn't mentioned.

But should just be a matter of putting two of the FAQs ((5 and 6) or (9
and 6)*) together.

Assuming:
* The external IP of the Squid server is 4.5.6.
* Local apache is listening on 127.0.0.7:80 (and possibly *:81) and is
hosting local.my.domain
* The remote host's IP is 1.2.3.4 and is hosting remote.my.domain
the following should do what you want...

# Define the HTTP port
http_port 4.5.6.7:80 accel defaultsite=local.my.domain
# Specify the local and remote peers
cache_peer 127.0.0.7 parent 80 0 no-query originserver name=local
cache_peer 1.2.3.4 parent 80 0 no-query originserver name=remote
#Define ACLs to direct traffic to the correct servers
# Local
acl sites_local dstdomain local.my.domain
cache_peer_access local allow sites_local
# Remote
acl sites_remote dstdomain remote.my.domain
cache_peer_access remote allow sites_remote
# Make sure that access to your accelerated sites is allowed
acl mysites dstdomain .my.domain
http_access allow mysites
# Deny everything else
http_access deny all

> I followed the instructions on that page for one of my attempts (with
> both squid and apache listening on 80 but one localhost and one
> external) but alas exactly the same results.

A forwarding loop?  That would indicate to me that your cache_peer line
was not adjusted to reflect the originserver listening on localhost.  No
forwarding loop, but an access denied?  Check your ACLs in Apache, and
make sure that localhost can access pages.  Otherwise verify you have
not uncommented the http_access deny to_localhost line in your
squid.conf.  It's present and commented by default.

> I have seen in various places about compiling without internal dns but
> the vast bulk of the literature is on <=2.5, and 2.6 seems pretty
> different (particularly for http acceleration), and I didn't know
> whether this was desirable or necessary.

In a forwarding setup, where you are setting your cache_peers by IP, it
should be mostly* irrelevant.  In a normal proxy setup, you probably
don't want to disable the internal DNS.

> Anyway, I will try a couple
> of things with /etc/hosts, and a few things, but I think it may be due
> to some resolution issues.

Again, given the setup above (all peers are designated using IP
addresses) DNS has a negligible effect on an acceleration setup.

> Thanks for your input,
> Anton

Chris

* If someone surfs to your site by IP, a dstdomain ACL will try a
reverse DNS lookup.

Re: browser (and access.log) says access denied but cache.log says it's ok?!?

Henrik Nordström
In reply to this post by Anton Melser
On Wed 2007-05-16 at 19:45 +0200, Anton Melser wrote:

> In the access.log I get :
>
> 1179338384.598      0 ip_address_of_machine TCP_DENIED/403 1568 GET
> http://lesite.org/ - NONE/- text/html
> 1179338384.598      9 firwall_ip TCP_MISS/403 1766 GET
> http://lesite.org/ - DIRECT/172.16.116.1 text/html

Your Squid is not using the cache_peer.

If you use that Squid as proxy then make sure to use never_direct for
your accelerated sites.

Regards
Henrik
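
The diagnosis above is read off the hierarchy field of access.log (DIRECT/... instead of a cache_peer). As an added example that is not part of the original thread: a small audit that flags requests for accelerated domains that bypassed the cache_peer, plus the same-timestamp TCP_DENIED that accompanies the forwarding loop here. The function names are hypothetical, the third log line is constructed, and the loop check is a heuristic based only on the pattern shown in this thread.

```python
import re

# Squid native access.log: time elapsed client code/status bytes method URL ident hier/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# The first two lines are the ones from the thread (mail line-wrap undone);
# the third is constructed to show a request that did go through a cache_peer.
SAMPLE_LOG = """\
1179338384.598      0 ip_address_of_machine TCP_DENIED/403 1568 GET http://lesite.org/ - NONE/- text/html
1179338384.598      9 firwall_ip TCP_MISS/403 1766 GET http://lesite.org/ - DIRECT/172.16.116.1 text/html
1179338500.120     12 firwall_ip TCP_MISS/200 5120 GET http://remote.my.domain/ - FIRST_UP_PARENT/1.2.3.4 text/html
"""

def host_of(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def is_accelerated(host, domains):
    # dstdomain-style match: ".my.domain" covers the domain and its subdomains
    for d in domains:
        d = d.lower()
        if host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)):
            return True
    return False

def audit(log_text, accel_domains):
    entries = [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]
    findings = []
    for e in entries:
        if not is_accelerated(host_of(e["url"]), accel_domains):
            continue
        if e["hier"] == "DIRECT":
            # Squid resolved the hostname itself instead of using a cache_peer
            findings.append(("bypassed_peer", e["url"], e["peer"]))
            # Heuristic: a denial for the same URL and timestamp with no upstream
            # means the DIRECT fetch came back to Squid's own listener.
            if any(o["code"] == "TCP_DENIED" and o["hier"] == "NONE"
                   and o["url"] == e["url"] and o["ts"] == e["ts"] for o in entries):
                findings.append(("loop_suspected", e["url"], e["peer"]))
    return findings

if __name__ == "__main__":
    for kind, url, peer in audit(SAMPLE_LOG, ["lesite.org", ".my.domain"]):
        print(f"{kind}: {url} went to {peer}")
```

A DIRECT target that is the proxy's own address, as with 172.16.116.1 here, points at name resolution on the Squid host (DNS or /etc/hosts) rather than at the ACLs.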


Re: browser (and access.log) says access denied but cache.log says it's ok?!?

Anton Melser
On 17/05/07, Henrik Nordstrom <[hidden email]> wrote:

> On Wed 2007-05-16 at 19:45 +0200, Anton Melser wrote:
>
> > In the access.log I get :
> >
> > 1179338384.598      0 ip_address_of_machine TCP_DENIED/403 1568 GET
> > http://lesite.org/ - NONE/- text/html
> > 1179338384.598      9 firwall_ip TCP_MISS/403 1766 GET
> > http://lesite.org/ - DIRECT/172.16.116.1 text/html
>
> Your Squid is not using the cache_peer.
>
> If you use that Squid as proxy then make sure to use never_direct for
> your accelerated sites.

Anton make big stupid booboo! I had put the external IP + domainname
in /etc/hosts... and I guess this is the reason it was borking.
Putting 127.0.0.1 solved everything.
Thanks for your help!
Cheers
Anton