Joe, Hendrik,
It's been two weeks since we last corresponded.
Thanks for the advice. It was correct. The problem
was of course that it handled the POST operations
incorrectly and although I had the "cache_peer" set
up correctly, squid.conf required the following lines:

    acl INSIDE dstdomain mydomain.com
    never_direct deny INSIDE

This of course presented another nasty, in the sense that
we have servers both internally and externally
from our firewall on the same domain!
However, I overcame this problem with a proxy script.
Thanks again!
Marius Etsebeth
On Wed, 2002-04-10 at 08:34, Joe Cooper wrote:
> Marius Etsebeth wrote:
> > Well Joe,
> >
> > What makes me think it's SQUID?
> >
> > If I bypass SQUID but still use the firewall, everything
> > is fine. Also, like I said before, I was unable to access
> > .cgi files, but when I removed the line I mentioned
> > before from the squid.conf file, it suddenly worked.
> > I.e. the line is there, I cannot access .cgi files ;
> > the line's not there, I can access .cgi files...
>
> That's fine, but Squid isn't /denying/ your request. Squid is telling
> you it can't fetch the object you're requesting because it can't connect
> to the server. A denied request will say 'Access Denied'. I'm not
> saying that Squid configuration problems aren't keeping you from
> accessing the internet. A subtle distinction perhaps, but one that
> makes a difference in how it can be solved.
>
> > That in itself proves that SQUID was denying at least
> > the .cgi files.
>
> Mildly faulty logic or a misuse of terms. ;-)
>
> > Lastly, if I visit plain .html / .htm (and now .cgi :) sites,
> > SQUID works like a charm behind the firewall. It just seems to
> > have a hassle with the .pl extension...
> >
> > I have read the firewall section, and that's why SQUID works OK
> > through it, EXCEPT for instances like the above. Perhaps you could
> > be more specific on what part I misunderstood / missed in the
> > FW section.
> >
> > I'm asking, I do not know the answers ...........
>
> It sounds like, from your problem and your solution, that you have a
> proxy running on the firewall, and this is how Squid reaches the
> internet. I also assume you have configured the firewall proxy as the
> parent proxy of Squid.
>
> So, configuring 'hierarchy_stoplist' to not bypass the 'hierarchy' for
> some requests fixes your problem...Which means that Squid can't reach
> the internet any other way. That is as it should be.
>
> So what you want is to configure Squid to /always/ use the proxy on the
> firewall for its net access, no matter what. For that you can use
> never_direct (if you haven't already configured it). I haven't spent
> much time lately on configuring parent proxies and such, so I might be
> forgetting something. But it sounds like you've basically got it
> working, and just need to adjust it so that Squid knows it always needs
> to hit that other proxy.
>
> > Joe Cooper wrote:
> >
> >>Marius Etsebeth wrote:
> >>
> >>>Hi people,
> >>>
> >>>I tried to download evaluation software from a site
> >>>and got the error below. (I'm using squid version 2.4 stable 6
> >>>on Mandrake 7.2.)
> >>>
> >>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>>While trying to retrieve the URL:
> >>>http://www.ipswitch.com/cgi/download_eval.pl
> >>>
> >>>The following error was encountered:
> >>>
> >>> Connection Failed
> >>>
> >>>The system returned:
> >>>
> >>> (113) No route to host
> >>>
> >>>The remote host or network may be down. Please try the request again.
> >>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>>
> >>>I had similar problems when I tried to access sites
> >>>where the files were CGI files with ".cgi" extensions.
> >>>However, when I removed the "hierarchy_stoplist cgi-bin ?"
> >>>entry from the squid.conf file, I could access these particular
> >>>sites.
> >>
> >>What makes you think Squid is denying your request? The error you've
> >>shown says it can't connect. Have you read the FAQ entry on running
> >>Squid behind a firewall?
> >>
> >>
> >>>I suspect if I tried to access .php sites, I may get the same error.
> >>>
> >>>Any reason for this and how do I fix it?
> >>
> >>Probably read the Squid through a firewall section of the FAQ.
> >>
> >>
> >>>A second question.
> >>>
> >>>Is it possible to set up squid inside a firewall
> >>>so that firstly squid does the authentication and then,
> >>>secondly, the firewall as well?
> >>
> >>No.
> >>
> >>
> >>>I suspect not. As far as I can figure out, HTTP is not happy
> >>>with dual authentication methods.....
> >>
> >>You suspect right.
> >>--
> >>Joe Cooper <joe@swelltech.com>
> >>http://www.swelltech.com
> >>Web Caching Appliances and Support
> >
> >
> >
>
>
>
> --
> Joe Cooper <joe@swelltech.com>
> http://www.swelltech.com
> Web Caching Appliances and Support
Received on Wed Apr 24 2002 - 03:52:32 MDT
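
The following squid.conf fragment is an added example, not taken from the posts above. It puts the thread's pieces together: a parent proxy on the firewall, the hierarchy_stoplist behaviour that produced "(113) No route to host", and never_direct rules that keep all external traffic on the firewall path. The peer hostname, port and internal server names are placeholders and assumptions.

```conf
# --- Parent proxy on the firewall (hostname and port are placeholders) ---
# "no-query" disables ICP queries to the peer, "default" makes it the
# fallback parent when no other peer is selected.
cache_peer fw-proxy.example.internal parent 3128 0 no-query default

# --- Why some requests failed with "(113) No route to host" ---
# Squid treats URLs matching hierarchy_stoplist, and non-GET requests such
# as POST, as non-hierarchical and tries to fetch them directly from the
# origin server. Behind a firewall that only lets the parent proxy out,
# the direct attempt fails with "Connection Failed" instead of using
# the parent.
hierarchy_stoplist cgi-bin ?

# --- Internal servers that Squid can reach without the firewall ---
# The thread notes that internal and external servers share one domain,
# so the internal hosts are listed by name here (names are assumptions)
# rather than matching the whole domain.
acl INSIDE dstdomain intranet.mydomain.com build.mydomain.com

# Internal hosts are always fetched directly and never sent to the parent.
always_direct allow INSIDE

# Everything else must go through the parent, including POST requests
# and URLs that match hierarchy_stoplist. The final "allow all" states
# the intended default explicitly instead of leaving it implied by the
# last rule.
never_direct deny INSIDE
never_direct allow all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` reloads it; access.log should then show external requests, POSTs included, going to the parent rather than DIRECT.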