Rob Asher wrote:
Chris Robertson <crobertson@xxxxxxx> 5/28/2008 5:03 PM
The traffic isn't being balanced among the proxies. I have multiple locations, 4 to be exact, all trying to access the same site with the same results. Each location uses its own proxy. None of them are transparent and they all require authentication back to a single central LDAP server.
Fair enough. Two possibilities out of the way.
TCP_MISS/401 indicates the website returned a "Not Authorized" response,
which should cause your browser to prompt for authentication.
With IE7, I get one prompt and then the "cannot display the webpage" message. With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.
Further investigation shows that the site in question is requesting NTLM
authentication, which any version of Squid 2.6 should handle. Hmmm...
Perhaps this is related to the broken-ness of IIS passing chunked
encoding to non HTTP1.1 compliant clients. But it looks like the fixes
for that were added in 2.6S8 and 2.6S10. Given you have at least one
2.6S13 server (and not all clients using it work) the fix might not be
enough. Well, you can try adding the following lines in your squid.conf
(on any of the servers) and see if it helps...
acl chunked dstdomain .k12.ar.us
header_access Accept-Encoding deny chunked
Wow. Not a single TCP_MISS/200 or TCP_HIT/200. The only requests that
succeeded were cached content (TCP_MISS/304, with a parent of NONE).
So, from the evidence given, the machine that is "working" only appears
to be working because it is able to wrest a response from the cache that
allows it to use its locally cached copy...
OK.....here's another bit from access.log with the TCP_MISS/200 from the "working" machine. My fault on the previous one in that all I visited was things that I'd already been to and cached. There are a lot of 401's in this but I only had to authenticate to the proxy itself and then once for the site.
[root@phs-proxy squid]# tail -f access.log | grep www.k12.ar.us
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
SNIP
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
Huh? This line doesn't make sense. It's a TCP_MISS/200, which means
the request was successful, but the parent server is NONE. Color me
confused.
1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges
If you have any suggestions on what else to look for, I'm willing to try about anything. I captured some of the headers in FF on both the working and a nonworking machine but I can't make any sense of them. Also, if running tcpdump would help, I'm game to try that as well?
Well, Squid 2.7 Stable 1 is out, which appears to have more support for
HTTP 1.1. You could set it up on one of your machines (instructions for
running multiple instances of Squid on one box are at
http://wiki.squid-cache.org/MultipleInstances) and see if that helps as
well.
Thanks,
Rob
Chris
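
An added example, not part of the original thread: a small Python parser for native-format access.log lines like those quoted above. It lists the status sequence per URL and picks out the TCP_MISS 2xx entries logged with hierarchy NONE, the combination Chris calls out as not making sense. The function and field names are this example's own, and the sample lines are copied from the excerpt in the thread.

```python
from collections import defaultdict

# Sample input: lines copied from the access.log excerpt in the thread, plus its "SNIP" marker.
SAMPLE = """\
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
SNIP
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges
"""

def parse_line(line):
    """Split one native-format line into fields; return None if it is not one."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, status = f[3].split("/", 1)   # e.g. TCP_MISS / 401
    hier, peer = f[8].split("/", 1)       # e.g. DIRECT / 165.29.214.2
    try:
        return {"ts": float(f[0]), "result": result, "status": int(status),
                "url": f[6], "user": f[7], "hier": hier, "peer": peer}
    except ValueError:
        return None

def summarize(text):
    """Return ({url: [status, ...]}, [(ts, status, url)] for MISS 2xx with hierarchy NONE)."""
    seq, odd = defaultdict(list), []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:                     # skips "SNIP" and blank lines
            continue
        seq[e["url"]].append(e["status"])
        if e["result"] == "TCP_MISS" and 200 <= e["status"] < 300 and e["hier"] == "NONE":
            odd.append((e["ts"], e["status"], e["url"]))
    return dict(seq), odd

def only_401(seq):
    """URLs for which the sample shows nothing but 401 challenges."""
    return [u for u, codes in seq.items() if all(c == 401 for c in codes)]

if __name__ == "__main__":
    sequences, odd = summarize(SAMPLE)
    for url, codes in sequences.items():
        print(codes, url)
    print("MISS 2xx with hierarchy NONE:", odd)
    print("401 only:", only_401(sequences))
```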