On Wed, 30 Sep 2009 12:18:47 +0200, "Michael Grimm" <michigrimm@xxxxxx> wrote:

> Hi everyone,
>
> I have a problem with my reverse proxy running Squid 3.0.STABLE19 in the
> following scenario:
>
> I give customers access to one of our internal web-applications running
> tomcat on port 8080 (unencrypted).
> The customer accesses the reverse proxy on port 443 (certificates are in
> place)
>
> When a customer accesses the reverse proxy for the first time he receives:
>
> Forwarding Denied
> This cache will not forward your request because it is trying to enforce a
> sibling relationship. Perhaps the client at xyz.xyz.xyz.xyz (THE
> CUSTOMER'S IP!) is a cache which has been misconfigured.
>
> The access.log of the server contains the following message:
> 1254302414.527 1 xyz.xyz.xyz.xyz TCP_MISS/403 2347 GET https://customer.mycompany.com/ - NONE/- text/html
>
> When the customer does a browser refresh, the login page appears and he can
> work without any further error messages.

You have a big huge problem. You wanted a reverse proxy. But you configured something else very weird instead.

Also, the bug in Squid-3 which allowed this configuration to work at all has just been fixed.
> My squid.conf contains the following entries:
>
> cache_mgr info@xxxxxxxxxxxxx
> access_log /var/log/squid/access.log squid
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl externalnet src all
>
> acl SSL_ports port 443
> acl Safe_ports port 443
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow externalnet
>
> http_access deny all
> icp_access deny all
> htcp_access deny all
>
> https_port 443 cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert key=/etc/ssl/reverse_proxy/customer.mycompany.com.key defaultsite=customer.mycompany.com options=NO_SSLv2 accel
> cache_peer 192.168.1.50 parent 8080 0 no-query originserver name=tomcatapplication # 192.168.1.50 is the internal IP of the tomcat web application
> acl reverse_tomcatapplication dst customer.mycompany.com
> http_access allow reverse_tomcatapplication
> cache_peer_access tomcatapplication allow reverse_tomcatapplication
> cache_peer_access tomcatapplication deny all
> http_access allow all
> miss_access allow reverse_tomcatapplication
> miss_access deny all
> http_access deny all
>
> This error always existed since I installed the reverse proxy for the first
> time. It was no problem when few customers accessed the system. Since this
> number will increase a lot in the near future I have to fix this.

You need to reconfigure your squid properly as a reverse proxy.
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Note the comment at the top of the squid configuration section "This configuration MUST appear at the top ..."

Assuming that the above was your whole config...
Erase the contents of squid.conf and replace with only this:

cache_mgr info@xxxxxxxxxxxxx
access_log /var/log/squid/access.log squid

https_port 443 accel cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert key=/etc/ssl/reverse_proxy/customer.mycompany.com.key defaultsite=customer.mycompany.com options=NO_SSLv2

cache_peer 192.168.1.50 parent 8080 0 originserver no-query name=tomcatapplication forcedomain=customer.mycompany.com

acl reverse_tomcatapplication dstdomain customer.mycompany.com

http_access allow reverse_tomcatapplication
http_access deny all

cache_peer_access tomcatapplication allow reverse_tomcatapplication
cache_peer_access tomcatapplication deny all

never_direct allow all

Amos
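The differences between the two configurations above are easy to miss by eye, so here is a small lint that flags each of them. It is an added example written for this page, not code from the thread or from the Squid project; the function names and finding codes are my own, and the two embedded configurations are the posted one and Amos's replacement, with the mail-wrapped lines rejoined. The checks rest on four points of Squid behaviour: `dst` is an IP-address ACL, so a hostname there means a DNS lookup and an address compare, which is why Amos switches to `dstdomain`; `http_access` is first-match, so anything after an `allow all` or `deny all` is dead and an `allow` of a `src all` ACL admits every source; `miss_access` governs sibling caches, and a `miss_access` denial is what serves Squid's "Forwarding Denied" page, the exact text the customer saw; and without `never_direct allow all` Squid may bypass the `originserver` peer.

```python
"""Lint a squid.conf for the reverse-proxy mistakes discussed in this thread.
Added example, not code from the thread or from the Squid project; the finding
codes and function names are my own.  POSTED_CONF and FIXED_CONF are copied
from the two messages above, with mail-wrapped lines rejoined."""
import re
from typing import List, Tuple

POSTED_CONF = """\
cache_mgr info@xxxxxxxxxxxxx
access_log /var/log/squid/access.log squid
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl externalnet src all
acl SSL_ports port 443
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow externalnet
http_access deny all
icp_access deny all
htcp_access deny all
https_port 443 cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert key=/etc/ssl/reverse_proxy/customer.mycompany.com.key defaultsite=customer.mycompany.com options=NO_SSLv2 accel
cache_peer 192.168.1.50 parent 8080 0 no-query originserver name=tomcatapplication
acl reverse_tomcatapplication dst customer.mycompany.com
http_access allow reverse_tomcatapplication
cache_peer_access tomcatapplication allow reverse_tomcatapplication
cache_peer_access tomcatapplication deny all
http_access allow all
miss_access allow reverse_tomcatapplication
miss_access deny all
http_access deny all
"""

FIXED_CONF = """\
cache_mgr info@xxxxxxxxxxxxx
access_log /var/log/squid/access.log squid
https_port 443 accel cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert key=/etc/ssl/reverse_proxy/customer.mycompany.com.key defaultsite=customer.mycompany.com options=NO_SSLv2
cache_peer 192.168.1.50 parent 8080 0 originserver no-query name=tomcatapplication forcedomain=customer.mycompany.com
acl reverse_tomcatapplication dstdomain customer.mycompany.com
http_access allow reverse_tomcatapplication
http_access deny all
cache_peer_access tomcatapplication allow reverse_tomcatapplication
cache_peer_access tomcatapplication deny all
never_direct allow all
"""

Finding = Tuple[str, int, str]  # (code, line number, message)

def _directives(text: str) -> List[Tuple[int, List[str]]]:
    """(line number, tokens) per directive; '#' comments and blank lines dropped."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append((n, line.split()))
    return out

def lint_squid_conf(text: str) -> List[Finding]:
    rules = _directives(text)
    acls = {}  # ACL name -> (type, values), so we know what an allow really matches
    for _, tok in rules:
        if tok[0] == "acl" and len(tok) >= 3:
            acls.setdefault(tok[1], (tok[2], tok[3:]))

    def matches_everyone(name: str) -> bool:
        # the name "all", or any ACL defined as "src all" (externalnet above)
        if name == "all":
            return True
        t = acls.get(name)
        return t is not None and t[0] == "src" and "all" in t[1]

    findings: List[Finding] = []
    # 1. "dst" is an IP-address ACL; a hostname there means a DNS lookup and an
    #    address compare.  Amos's version uses dstdomain for the site name.
    for n, tok in rules:
        if tok[0] == "acl" and tok[2:3] == ["dst"]:
            for v in tok[3:]:
                if re.search(r"[A-Za-z]", v):
                    findings.append(("DST_HOSTNAME", n, f"acl {tok[1]}: use dstdomain for {v}"))
    # 2. http_access is first-match: rules after "allow all"/"deny all" are dead,
    #    and "allow <everyone>" admits any source to the accelerator.
    closed_at = None
    for n, tok in rules:
        if tok[0] != "http_access":
            continue
        if closed_at is not None:
            findings.append(("UNREACHABLE_HTTP_ACCESS", n, f"never reached: line {closed_at} matches everything"))
        elif len(tok) == 3 and matches_everyone(tok[2]):
            if tok[1] == "allow":
                findings.append(("ALLOW_ALL_SOURCES", n, f"http_access allow {tok[2]} admits every client"))
            closed_at = n
    # 3. miss_access is for sibling caches; a miss_access denial is what serves
    #    Squid's "Forwarding Denied" page, the error the customer reported.
    for n, tok in rules:
        if tok[0] == "miss_access":
            findings.append(("MISS_ACCESS_IN_ACCEL", n, "remove miss_access from a reverse proxy"))
    # 4. With an originserver peer, never_direct keeps Squid from going direct.
    has_origin = any(tok[0] == "cache_peer" and "originserver" in tok for _, tok in rules)
    has_never_direct = any(tok[:3] == ["never_direct", "allow", "all"] for _, tok in rules)
    if has_origin and not has_never_direct:
        findings.append(("NO_NEVER_DIRECT", 0, "add 'never_direct allow all'"))
    return findings

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label}: {len(lint_squid_conf(conf))} finding(s)")
        for code, n, msg in lint_squid_conf(conf):
            print(f"  line {n:2d} {code}: {msg}")
```

Run against the posted configuration it reports nine findings (the `dst` hostname, the `allow externalnet` that admits everyone, four unreachable `http_access` lines after it, both `miss_access` lines, and the missing `never_direct`); Amos's replacement comes back clean. The lint deliberately does not try to explain why the second request succeeds after the first is refused; that depends on the Squid-3 bug Amos mentions, which the thread does not detail.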