Hi everyone,

I have a problem with my reverse proxy running Squid 3.0.STABLE19 in the 
following scenario:

I give customers access to one of our internal web applications running Tomcat 
on port 8080 (unencrypted).
The customer accesses the reverse proxy on port 443 (certificates are in place).

When a customer accesses the reverse proxy for the first time he receives:

        Forwarding Denied
        This cache will not forward your request because it is trying to enforce a sibling relationship.  Perhaps the client at xyz.xyz.xyz.xyz (THE CUSTOMER'S IP!) is a cache which has been misconfigured.

The access.log of the server contains the following message:
        1254302414.527      1 xyz.xyz.xyz.xyz TCP_MISS/403 2347 GET https://customer.mycompany.com/ - NONE/- text/html

When the customer does a browser refresh, the login page appears and he can 
work without any further error messages.

My squid.conf contains the following entries:
        cache_mgr [email protected]
        access_log /var/log/squid/access.log squid
        
        acl manager proto cache_object
        acl localhost src 127.0.0.1/32
        acl to_localhost dst 127.0.0.0/8
        
        acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
        acl externalnet src all
        
        acl SSL_ports port 443
        acl Safe_ports port 443
        acl CONNECT method CONNECT
        
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports
        
        http_access allow externalnet
        
        http_access deny all
        icp_access deny all
        htcp_access deny all
        
        https_port 443 cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert key=/etc/ssl/reverse_proxy/customer.mycompany.com.key defaultsite=customer.mycompany.com options=NO_SSLv2 accel
        cache_peer 192.168.1.50 parent 8080 0 no-query originserver name=tomcatapplication # 192.168.1.50 is the internal IP of the tomcat web application
        acl reverse_tomcatapplication dst customer.mycompany.com
        http_access allow reverse_tomcatapplication
        cache_peer_access tomcatapplication allow reverse_tomcatapplication
        cache_peer_access tomcatapplication deny all
        http_access allow all
        miss_access allow reverse_tomcatapplication
        miss_access deny all
        http_access deny all

This error has existed ever since I first installed the reverse proxy. It was 
no problem when few customers accessed the system. Since this number will 
increase a lot in the near future, I have to fix this.

Thanks in advance for your help

Michael

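Added example, not part of the original post: a Python sketch that scans Squid's native-format access.log for the symptom described above, that is, clients whose first logged request was answered with 403 and hierarchy `NONE/-` (refused without contacting any peer), and reports whether a later request from the same client succeeded. The sample lines, client addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format; the client
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
1254302414.527      1 203.0.113.10 TCP_MISS/403 2347 GET https://customer.mycompany.com/ - NONE/- text/html
1254302419.102     85 203.0.113.10 TCP_MISS/200 5120 GET https://customer.mycompany.com/ - FIRST_UP_PARENT/192.168.1.50 text/html
1254302500.000     60 198.51.100.7 TCP_MISS/200 5120 GET https://customer.mycompany.com/ - FIRST_UP_PARENT/192.168.1.50 text/html
1254302600.250      1 198.51.100.99 TCP_MISS/403 2347 GET https://customer.mycompany.com/ - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into the fields used below, or return None."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3] or "/" not in parts[8]:
        return None
    code, status = parts[3].split("/", 1)
    hierarchy, peer = parts[8].split("/", 1)
    try:
        ts, status = float(parts[0]), int(status)
    except ValueError:
        return None
    return {"ts": ts, "client": parts[2], "code": code, "status": status,
            "url": parts[6], "hierarchy": hierarchy, "peer": peer}

def denied_before_forwarding(entry):
    """403 with hierarchy NONE/-: the proxy refused without contacting a peer."""
    return (entry["status"] == 403 and entry["hierarchy"] == "NONE"
            and entry["peer"] == "-")

def first_request_denials(log_text):
    """Map client -> True/False for clients whose first request was refused.

    The value is True when a later request from that client got a 2xx/3xx."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            by_client[entry["client"]].append(entry)
    result = {}
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        if denied_before_forwarding(entries[0]):
            result[client] = any(200 <= e["status"] < 400 for e in entries[1:])
    return result

if __name__ == "__main__":
    for client, recovered in first_request_denials(SAMPLE_LOG).items():
        print(client, "recovered on retry" if recovered else "no successful retry logged")
```

To run it against a real log, pass the file's contents to `first_request_denials()` instead of `SAMPLE_LOG`.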