Occasional redirector failure - gives a DENIED in the logs

From: Armistead, Jason <[email protected]>
Date: Sun, 08 Mar 1998 17:46:00 -0500

Hi

Scenario is Squid 1.1.11 (yes it's old I know, but it works), with
Proxy-Auth patch installed. Solaris 2.5.1 with GNU C 2.7.2.1. 600Mb
cache size and 256Mb RAM. No other applications running on the box,
just a bit of NFS from time to time and a VERY lightly loaded Apache
server (< 100 hits / day).

We're running 5 redirectors, written in Perl, as follows:

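#!/usr/local/bin/perl
# Squid redirector: rewrite known local IP addresses to host names.
$|=1;    # unbuffered output, so Squid sees each reply immediately
while (<>) {
    # Dots are escaped and every pattern is anchored to the start of
    # the line, so only the host of the request URL itself is rewritten
    # (153.14.7.5 no longer also matches 153.14.7.50).
    s@^http://153\.14\.7\.127(?=[/:\s])@http://alpha@;
    s@^http://153\.14\.7\.5(?=[/:\s])@http://ozm05@;
    s@^http://153\.14\.79\.13/@http://netra/@;
    s@^http://153\.14\.79\.129/@http://netra/@;
    print;
}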

As most readers will figure out, we're just changing certain IP
addresses to their well-known host names. This means that we can simply
use a local_domain rather than a local_ip entry in the configuration
file (the local domain suffix xxx.yyy.zzz gets added on OK as the
"default" domain). Use of non-local-domain hosts requires that the user
enter a username and password (proxy-auth patch running).

From time to time, users browsing from links on other INTRAnet sites
will occasionally click on a link back to our local servers which has
the IP address. So, the redirector SHOULD then convert it to a host
name (which is logged in the access.log file), and thus avoid needing a
username & password (or so the theory goes).

Most of the time it works brilliantly, but occasionally, it still pops
up the username/password box, as if the proxy wants authentication (the
dialog box does NOT ask for authentication at the server specified in
the requested URL - that is certain).

I looked at the redirector stats

                       stats/redirector: OZM06:8080
    
   dated Thu Mar 5 11:32:31 1998

Redirector Statistics:
requests: 169307
replies: 169306
queue length: 0
avg service time: 1 msec
number of redirectors: 5
use histogram:
    redirector #1: 159079 (159079 rewrites)
    redirector #2: 7794 (7794 rewrites)
    redirector #3: 1760 (1760 rewrites)
    redirector #4: 506 (506 rewrites)
    redirector #5: 168 (168 rewrites)

Which looks OK to me. I'm not sure why there's a discrepancy of one
between the requests and the replies (presumably this is because the
cachemgr "cache_object" query is still in progress and thus not fully
replied to - anyone comment / is this a minor bug that could be fixed ?)

Since redirector 5 is getting a bit of a work out, should I increase the
numbers a bit, so that there are always a few "spare" redirectors for
when there are more than 5 concurrent requests needing redirectors to
respond. Is there a FAQ / rule of thumb on how to "size" the number of
redirect_children in squid.conf ? Anyone want to share their
experiences with me ?

Is it necessary for the redirector to return just the URL, or the URL
plus the rest of the information that is passed to it (i.e. the full 4
parameters of URL ip/fqdn ident method) ?

Can I enable just redirector debugging ?

Are the access rules checked BEFORE or AFTER the redirection (common
sense would presume AFTER, so that the check is on the rewritten URL)

Regards

Jason
Received on Sun Mar 08 1998 - 14:50:20 MST
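
The following is an added example, not part of the original post or of Squid: a redirector that compares the URL's host as a whole string against the IP-to-name table from the post, so the local-name rewrite (and with it the no-password path) applies only to those exact addresses. It goes beyond the posted substitutions by also rewriting when a port is present, passes the remaining fields through unchanged as the posted script does, and its `--selftest` input lines (client address, ident, paths) are constructed.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. IP-to-name table copied from the post.
use strict;
use warnings;

my %HOST_FOR_IP = (
    '153.14.7.127'  => 'alpha',
    '153.14.7.5'    => 'ozm05',
    '153.14.79.13'  => 'netra',
    '153.14.79.129' => 'netra',
);

# Rewrite one redirector input line: "URL ip/fqdn ident method\n".
# The host is cut out of the URL and compared as a whole string, so
# 153.14.7.5 cannot match 153.14.7.50, "." is never a wildcard, and an
# address inside the path or query string is left alone.
sub rewrite_line {
    my ($line) = @_;
    if ($line =~ m{^(http://)([^/:\s]+)(.*)$}is) {
        my ($scheme, $host, $tail) = ($1, $2, $3);
        return $scheme . $HOST_FOR_IP{$host} . $tail
            if exists $HOST_FOR_IP{$host};
    }
    return $line;    # anything else passes through untouched
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    # Constructed input lines: [ input, expected output ].
    my @cases = (
        [ "http://153.14.7.5/a.html 10.0.0.1/- - GET\n",
          "http://ozm05/a.html 10.0.0.1/- - GET\n" ],
        [ "http://153.14.7.50/a.html 10.0.0.1/- - GET\n",      # different host
          "http://153.14.7.50/a.html 10.0.0.1/- - GET\n" ],
        [ "http://153.14.79.13:8080/x 10.0.0.1/- - GET\n",     # port is kept
          "http://netra:8080/x 10.0.0.1/- - GET\n" ],
        [ "http://www.example.com/?u=http://153.14.7.5/ 10.0.0.1/- - GET\n",
          "http://www.example.com/?u=http://153.14.7.5/ 10.0.0.1/- - GET\n" ],
    );
    for my $c (@cases) {
        my $got = rewrite_line($c->[0]);
        die "FAIL: $c->[0]" unless $got eq $c->[1];
        print "ok   $got";
    }
    exit 0;
}

$| = 1;    # unbuffered, as in the posted script
print rewrite_line($_) while <STDIN>;
```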
