On Sun, 22 Nov 2009 21:07:52 +0000, Jenny Lee <bodycare_5@xxxxxxxx> wrote: > Hello Squid Users, > > Here is my problem: For our proxy_auth users, yahoo.com briefly flashes a > CACHE_ACCESS_DENIED error before showing the page. Is there something I am > not understanding about 302 Redirects? I am an old time squid users, I did > not face this issue with older squids. I suspect something to do with the browser. All squid does is send back a 4xx auth challenge. Same as always. > > I tried all variations of http_access and can't get rid of > CACHE_ACCESS_DENIED flashes on yahoo.com with authenticated users. > > Squid: 3.1.0.14 > RHEL 5.4 x86_64 > IE7 > proxy_auth NCSA_AUTH basic > > NOTE: All acl's related to local ips / localhost, etc are removed for the > sake of simplicity in testing. > > Thanks in advance for your help! > > Jen > > > ./squidclient -h 127.0.0.1 -u TEST -w TEST -p 3128 http://www.yahoo.com > HTTP/1.0 302 Moved Temporarily > Date: Sun, 22 Nov 2009 20:05:51 GMT > Location: http://m.www.yahoo.com/ > > The document has moved here. > > 2009/11/23 00:07:47.587| Ready to serve requests. > 2009/11/23 00:07:48.176| storeLateRelease: released 0 objects > 2009/11/23 00:07:55.334| The request GET http://www.yahoo.com is DENIED, > because it matched 'WANUSERS' > 2009/11/23 00:07:55.336| errorpage.cc(1038) BuildContent: No existing > error page language negotiated for ERR_CACHE_ACCESS_DENIED. Using default > error file. > 2009/11/23 00:07:55.340| The reply for GET http://www.yahoo.com is > ALLOWED, because it matched 'all' > 2009/11/23 00:07:55.344| ConnStateData::swanSong: FD 6 > 2009/11/23 00:08:33.132| authenticateAuthUserAddIp: user 'TEST' has been > seen at a new IP address (127.0.0.1:5199) > 2009/11/23 00:08:33.132| The request GET http://www.yahoo.com is ALLOWED, > because it matched 'WANUSERS' > 2009/11/23 00:08:33.172| The reply for GET http://www.yahoo.com/ is > ALLOWED, because it matched 'all' > > > ./squidclient -h 127.0.0.1 -u TEST -w TEST -p 3128 http://www.google.com > HTTP/1.0 200 OK > Date: Sun, 22 Nov 2009 20:09:22 GMT > > > 2009/11/23 00:10:03.829| The request GET http://www.google.com is ALLOWED, > because it matched 'WANUSERS' > 2009/11/23 00:10:03.875| The reply for GET http://www.google.com/ is > ALLOWED, because it matched 'all' > > > > acl WANUSERS proxy_auth REQUIRED > acl BADGUYS proxy_auth "/squid/BADGUYS" > acl ERR_BADGUYS src 0.0.0.0/0.0.0.0 acl ERR_BADGUYS src all or if you are trying to match just the IPv4 clients: acl ERR_BADGUYS src !ipv6 > > http_access allow WANUSERS !BADGUYS all same as: http_access allow WANUSERS !0.0.0.0/0 all ... so only IPv6 users who are logged in can use Squid. > http_access deny BADGUYS ERR_BADGUYS > http_access deny !WANUSERS all > > deny_info ERR_BADGUYS ERR_BADGUYS Amos
