Re: [squid-users] Squid denying certain URL's?

From: Marius Etsebeth <[email protected]>
Date: 24 Apr 2002 11:50:11 +0200

Joe, Hendrik,

It's been two weeks since we last corresponded.

Thanks for the advice. It was correct. The problem
was of course that it handled the POST operations
incorrectly and although I had the "cache_peer" set
up correctly, squid.conf required the following lines:

acl INSIDE dstdomain mydomain.com
never_direct deny INSIDE

This of course presented another nasty, in the sense that
we have servers both internally and externally
from our firewall on the same domain!

However, I overcame this problem with a proxy script.

Thanks again!

Marius Etsebeth

On Wed, 2002-04-10 at 08:34, Joe Cooper wrote:
> Marius Etsebeth wrote:
> > Well Joe,
> >
> > What makes me think it's SQUID?
> >
> > If I bypass SQUID but still use the firewall, everything
> > is fine. Also, like I said before, I was unable to access
> > .cgi files, but when I removed the line I mentioned
> > before from the squid.conf file, it suddenly worked.
> > I.e. the line is there, I cannot access .cgi files;
> > the line's not there, I can access .cgi files...
>
> That's fine, but Squid isn't /denying/ your request. Squid is telling
> you it can't fetch the object you're requesting because it can't connect
> to the server. A denied request will say 'Access Denied'. I'm not
> saying that Squid configuration problems aren't keeping you from
> accessing the internet. A subtle distinction perhaps, but one that
> makes a difference in how it can be solved.
>
> > That in itself proves that SQUID was denying at least
> > the .cgi files.
>
> Mildly faulty logic or a misuse of terms. ;-)
>
> > Lastly, if I visit plain .html / .htm (and now .cgi :) sites,
> > SQUID works like a charm behind the firewall. It just seems to
> > have a hassle with the .pl extension...
> >
> > I have read the firewall section, and that's why SQUID works OK
> > through it, EXCEPT for instances like the above. Perhaps you could
> > be more specific on what part I misunderstood / missed in the
> > FW section.
> >
> > I'm asking, I do not know the answers ...........
>
> It sounds like, from your problem and your solution, that you have a
> proxy running on the firewall, and this is how Squid reaches the
> internet. I also assume you have configured the firewall proxy as the
> parent proxy of Squid.
>
> So, configuring 'hierarchy_stoplist' to not bypass the 'hierarchy' for
> some requests fixes your problem... Which means that Squid can't reach
> the internet any other way. That is as it should be.
>
> So what you want is to configure Squid to /always/ use the proxy on the
> firewall for its net access, no matter what. For that you can use
> never_direct (if you haven't already configured it). I haven't spent
> much time lately on configuring parent proxies and such, so I might be
> forgetting something. But it sounds like you've basically got it
> working, and just need to adjust it so that Squid knows it always needs
> to hit that other proxy.
>
> > Joe Cooper wrote:
> >
> >>Marius Etsebeth wrote:
> >>
> >>>Hi people,
> >>>
> >>>I tried to download evaluation software from a site
> >>>and got the error below. (I'm using squid version 2.4 stable 6
> >>>on Mandrake 7.2.)
> >>>
> >>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>>While trying to retrieve the URL:
> >>>http://www.ipswitch.com/cgi/download_eval.pl
> >>>
> >>>The following error was encountered:
> >>>
> >>> Connection Failed
> >>>
> >>>The system returned:
> >>>
> >>> (113) No route to host
> >>>
> >>>The remote host or network may be down. Please try the request again.
> >>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>>
> >>>I had similar problems when I tried to access sites
> >>>where the files were CGI files with ".cgi" extensions.
> >>>However, when I removed the "hierarchy_stoplist cgi-bin ?"
> >>>entry from the squid.conf file, I could access these particular
> >>>sites.
> >>
> >>What makes you think Squid is denying your request? The error you've
> >>shown says it can't connect. Have you read the FAQ entry on running
> >>Squid behind a firewall?
> >>
> >>
> >>>I suspect if I tried to access .php sites, I may get the same error.
> >>>
> >>>Any reason for this and how do I fix it?
> >>
> >>Probably read the Squid through a firewall section of the FAQ.
> >>
> >>
> >>>A second question.
> >>>
> >>>Is it possible to set up squid inside a firewall
> >>>so that firstly squid does the authentication and then,
> >>>secondly, the firewall as well?
> >>
> >>No.
> >>
> >>
> >>>I suspect not. As far as I can figure out, HTTP is not happy
> >>>with dual authentication methods.....
> >>
> >>You suspect right.
> >>--
> >>Joe Cooper <joe@swelltech.com>
> >>http://www.swelltech.com
> >>Web Caching Appliances and Support
> >
> >
> >
>
>
>
> --
> Joe Cooper <joe@swelltech.com>
> http://www.swelltech.com
> Web Caching Appliances and Support
Received on Wed Apr 24 2002 - 03:52:32 MDT
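
The setup discussed in this thread, written out as a squid.conf fragment in Squid 2.x syntax. This is an added example, not configuration posted by anyone in the thread. The peer name fwproxy.mydomain.com, port 8080, the ACL name INSIDE_NET and the 192.168.0.0/16 range are assumptions; selecting internal servers by address is one alternative for the split-domain case, not the proxy script mentioned above.

```conf
# Added example: Squid behind a firewall whose proxy is the only way out.
# Host names, port and address range are hypothetical placeholders.

# The firewall proxy is the parent. ICP port 0 plus no-query means the
# parent is never probed with ICP; "default" makes it the last-resort peer.
cache_peer fwproxy.mydomain.com parent 8080 0 no-query default

# Stock setting: URLs containing these strings are treated as
# non-hierarchical (as are POST requests), so without the never_direct
# rule below Squid tries the origin server itself. Behind a firewall that
# blocks direct connections this produces the "Connection Failed /
# (113) No route to host" page quoted in the thread, not "Access Denied".
hierarchy_stoplist cgi-bin ?

# Normally already present in the default squid.conf.
acl all src 0.0.0.0/0.0.0.0

# Internal servers selected by destination address instead of dstdomain,
# because a dstdomain ACL cannot separate hosts when the same domain has
# servers on both sides of the firewall. A dst ACL needs Squid to resolve
# the host name, so Squid must be able to look up internal names.
acl INSIDE_NET dst 192.168.0.0/255.255.0.0

# Fetch internal servers directly; they are not reachable via the parent.
always_direct allow INSIDE_NET

# Everything else must go through the parent, including the requests
# that hierarchy_stoplist and POST would otherwise send direct.
never_direct allow all
```

After a reload, the hierarchy field in access.log should show DIRECT only for the internal range and a parent code such as DEFAULT_PARENT followed by the peer name for every other request.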
