[squid-users] Brief Flash of CACHE_ACCESS_DENIED on 302 (yahoo.com)

From: Jenny Lee <bodycare_5_at_live.com>
Date: Sun, 22 Nov 2009 21:07:52 +0000

Hello Squid Users,

Here is my problem: For our proxy_auth users, yahoo.com briefly flashes a CACHE_ACCESS_DENIED error before showing the page. Is there something I am not understanding about 302 Redirects? I am an old time squid users, I did not face this issue with older squids.

I tried all variations of http_access and can't get rid of CACHE_ACCESS_DENIED flashes on yahoo.com with authenticated users.

Squid: 3.1.0.14
RHEL 5.4 x86_64
IE7
proxy_auth NCSA_AUTH basic

NOTE: All acl's related to local ips / localhost, etc are removed for the sake of simplicity in testing.

Thanks in advance for your help!

Jen

./squidclient -h 127.0.0.1 -u TEST -w TEST -p 3128 http://www.yahoo.com
HTTP/1.0 302 Moved Temporarily
Date: Sun, 22 Nov 2009 20:05:51 GMT
Location: http://m.www.yahoo.com/

The document has moved here.

2009/11/23 00:07:47.587| Ready to serve requests.
2009/11/23 00:07:48.176| storeLateRelease: released 0 objects
2009/11/23 00:07:55.334| The request GET http://www.yahoo.com is DENIED, because it matched 'WANUSERS'
2009/11/23 00:07:55.336| errorpage.cc(1038) BuildContent: No existing error page language negotiated for ERR_CACHE_ACCESS_DENIED. Using default error file.
2009/11/23 00:07:55.340| The reply for GET http://www.yahoo.com is ALLOWED, because it matched 'all'
2009/11/23 00:07:55.344| ConnStateData::swanSong: FD 6
2009/11/23 00:08:33.132| authenticateAuthUserAddIp: user 'TEST' has been seen at a new IP address (127.0.0.1:5199)
2009/11/23 00:08:33.132| The request GET http://www.yahoo.com is ALLOWED, because it matched 'WANUSERS'
2009/11/23 00:08:33.172| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'

./squidclient -h 127.0.0.1 -u TEST -w TEST -p 3128 http://www.google.com
HTTP/1.0 200 OK
Date: Sun, 22 Nov 2009 20:09:22 GMT

2009/11/23 00:10:03.829| The request GET http://www.google.com is ALLOWED, because it matched 'WANUSERS'
2009/11/23 00:10:03.875| The reply for GET http://www.google.com/ is ALLOWED, because it matched 'all'

acl WANUSERS proxy_auth REQUIRED
acl BADGUYS proxy_auth "/squid/BADGUYS"
acl ERR_BADGUYS src 0.0.0.0/0.0.0.0

http_access allow WANUSERS !BADGUYS all
http_access deny BADGUYS ERR_BADGUYS
http_access deny !WANUSERS all

deny_info ERR_BADGUYS ERR_BADGUYS
_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
http://clk.atdmt.com/GBL/go/177141665/direct/01/
Received on Sun Nov 22 2009 - 21:07:58 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 23 2009 - 12:00:04 MST