Re: [squid-users] Apache ProxyPass -> Squid -> Zope but TCP_DENIED/403

Wed, 14 Jun 2006 14:26:47 -0700 

Peter Bengtsson wrote:


This is getting frustrating. I've set up Apache with ProxyPass to
redirect all requests of mobile.peterbe.com -> Squid (with squidGuard)
-> Zope.
The requests seem to reach Zope if I look at the log file but they are
all HTTP 1.1 403 and the users who go to mobile.peterbe.com see a
squid error message page where it says Access Denied.

I don't care to use Squid for proxying outbound access. Only as a http
accelerator to speed up cachable web pages.

Before, when I was proxypassing from Apache into Zope everything was
working fine. Now I want to add Squid to improve performance.

Apache runs on 80
Squid  runs on 3128
Zope   runs on 9080

The /var/log/squid/access.log spits out stuff like this:
1150291833.853      0 127.0.0.1 TCP_DENIED/403 1572 GET
http://80.68.212.7:3128/VirtualHostBase/http/mobile.peterbe.com:80/www/VirtualHostRoot/plog/better-select-boxes 
- NONE/- text/html


My apache2 stanza looks like this:
<VirtualHost 80.68.212.7>
 ServerAdmin [EMAIL PROTECTED]
 ServerName mobile.peterbe.com
ProxyPass / http://localhost:3128/VirtualHostBase/http/mobile.peterbe.com:80/$ ProxyPassReverse / http://localhost:3128/VirtualHostBase/http/mobile.peterbe.$ 
 ProxyPass /misc_ http://localhost:3128/misc_
 ProxyPass /p_ http://localhost:3128/p_
 ErrorLog /var/log/apache2/mobile.peterbe.error_log
 CustomLog /var/log/apache2/mobile.peterbe.access_log combined
</VirtualHost>

My squid.conf looks like this (strippped down and sorted):


Stripped down and sorted?  Order is of paramount importance.

SNIP



httpd_accel_host virtual
httpd_accel_port 0
I'm a bit confused here. All of this is hosted on a single server. Why are you using httpd_accel_host virtual and a redirector? That seems to me to be adding unneeded complexity. Values of... 

httpd_accel_host moble.peterbe.com # or perhaps localhost
http_accel_port 9080
httpd_accel_single_host on

...seem like they would be a better fit.


icp_access allow all
no_cache deny QUERY
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
refresh_pattern .               0       20%     4320
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
visible_hostname www.peterbe.com


My squidGuard.conf looks like this:
acl {
       default {
               redirect http://localhost:9080/%p
       }
}
I can give more info but I don't know what matters to anybody who can help me.
As for the source of the 403 errors... That's a good question. Given the order of the http_access lines given, I don't see anything that would cause problems. You might peruse the FAQ section on ACLs (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html) and see if you find solace there (the subsection on debugging ACLs might give some clue). 

Chris

Reply via email to