Hi Amos,

Really appreciate your help.
I made the changes you suggested.

Some debug logs are here:

2012/01/11 13:21:58.167| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
2012/01/11 13:21:58.168| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/01/11 13:21:58.168| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
2012/01/11 13:21:58.170| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.171| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.171| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.177| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.177| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.177| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.183| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.184| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.184| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.190| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.191| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.191| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.197| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.197| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.197| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.203| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.204| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.204| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.210| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.210| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.210| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.216| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.216| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.217| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.222| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.223| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.223| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.229| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.229| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.229| Detected DEAD Parent: main
2012/01/11 13:21:58.229| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.235| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:21:58.236| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
2012/01/11 13:21:58.236| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 dead
2012/01/11 13:21:58.236| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/
2012/01/11 13:21:58.238| The reply for GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'
2012/01/11 13:21:58.240| ConnStateData::swanSong: FD 9
2012/01/11 13:22:07.406| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
2012/01/11 13:22:07.406| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/01/11 13:22:07.406| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
2012/01/11 13:22:07.407| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:22:07.408| Failed to select source for 'http://ids-ams.elabs.eds.com/'
2012/01/11 13:22:07.408| always_direct = 0
2012/01/11 13:22:07.408| never_direct = 0
2012/01/11 13:22:07.408| timedout = 0
2012/01/11 13:22:07.410| The reply for GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'
2012/01/11 13:22:07.410| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 dead
2012/01/11 13:22:07.412| ConnStateData::swanSong: FD 9
2012/01/11 13:22:09.381| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
2012/01/11 13:22:09.381| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/01/11 13:22:09.381| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
2012/01/11 13:22:09.383| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:22:09.384| Failed to select source for 'http://ids-ams.elabs.eds.com/'
2012/01/11 13:22:09.384| always_direct = 0
2012/01/11 13:22:09.384| never_direct = 0
2012/01/11 13:22:09.384| timedout = 0
2012/01/11 13:22:09.386| The reply for GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'
2012/01/11 13:22:09.386| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 dead
2012/01/11 13:22:09.387| ConnStateData::swanSong: FD 9

My squid environment information:
RHEL6.0 64bit.
squid v 3.1.4

Thanks,
~Kimi

On 11/01/2012, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 11/01/2012 8:46 p.m., kimi ge(巍俊葛) wrote:
>> Thanks Amos.
>>
>> I did the lynx test on back-end web site on squid system like this:
>> sudo lynx http://wtestsm1.asiapacific.hpqcorp.net
>>
>> First, it shows the message:
>> Alert!: Invalid header 'WWW-Authenticate: NTLM'
>>
>> Then it shows the following message.
>> Show the 401 message body? (y/n)
>
> Aha. NTLM authentication. Very probably that login=PASS then.
>
>>
>> For the domain auth, I mean the back-end web site need corp domain
>> user to be accessed.
>> I put this in this way, if I log on with my corp domain on my laptop,
>> then I could access IIS Share Point without any credentials window pop
>> up. If not, I have to input my domain account on credentials window to
>> access the Share Point Site.
>>
>>
>> The following is my squid configuration about this case which I ignore
>> some default sections.
>> #added by kimi
>> acl hpnet src 16.0.0.0/8 # RFC1918 possible internal network
>> #added by kimi
>> acl origin_servers dstdomain ids-ams.elabs.eds.com
>> http_access allow origin_servers
>> http_access allow hpnet
>>
>> http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com
>> connection-auth=on
>>
>> forwarded_for on
>>
>> request_header_access WWW-Authenticate allow all
>
> This is not needed. The Squid default is to relay www-auth headers
> through. www-authenticate is a reply header anyway, to inform the client
> agent what types of auth it can use.
>
>>
>> cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query
>> no-digest originserver name=main connection-auth=on login=PASS
>
> "connection-auth=on" should be enough. Try without login=PASS.
>
>>
>> cache_peer_domain main .elabs.eds.com
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> cache_dir aufs /data/squid/cache 12000 64 256
>> cache_mem 1024 MB
>> maximum_object_size_in_memory 1024 KB
>> maximum_object_size 51200 KB
>>
>> visible_hostname ids-ams.elabs.eds.com
>> debug_options ALL,5
>> http_access deny all
>>
>> While let squid be running, I do test like this
>> http://ids-ams.elabs.eds.com
>>
>> The 404 error page is shown.
>
> Okay. Which error page? Squid sends three different ones with that
> status code. Invalid request or Invalid URL or something else?
>
>> That's why I am wondering squid could be as reverse-proxy with IIS
>> SharePoint as back-end?
>
> It can be. There is normally no trouble. But the newer features MS have
> been adding for IPv6 and cloud support recently are not widely tested yet.
>
> Amos
>
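Added example, not part of the original thread and not Squid project code: a Python script that triages cache.log entries of the kind posted above, counting failed connects per cache_peer, recording when the parent is declared DEAD, and listing the requests that afterwards hit "Failed to select source". The sample log is constructed with placeholder host, address and URL, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample in the cache.log layout quoted in the post; the host,
# address and URL are placeholders, not values from the thread.
SAMPLE_LOG = """\
2012/01/11 13:21:58.170| ipcacheMarkBadAddr: backend.example.net 192.0.2.10:80
2012/01/11 13:21:58.171| TCP connection to backend.example.net/80 failed
2012/01/11 13:21:58.177| TCP connection to backend.example.net/80 failed
2012/01/11 13:21:58.229| TCP connection to backend.example.net/80 failed
2012/01/11 13:21:58.229| Detected DEAD Parent: main
2012/01/11 13:21:58.236| TCP connection to backend.example.net/80 dead
2012/01/11 13:22:07.408| Failed to select source for 'http://www.example.com/'
2012/01/11 13:22:09.384| Failed to select source for 'http://www.example.com/'
"""

ENTRY = re.compile(r"^(\S+ \S+)\| (.*)$")
CONNECT = re.compile(r"^TCP connection to (\S+)/(\d+) (failed|dead)$")
DEAD_PARENT = re.compile(r"^Detected DEAD Parent: (\S+)$")
NO_SOURCE = re.compile(r"^Failed to select source for '(.*)'$")


def triage(log_text):
    """Summarise cache_peer connect failures and the requests they stranded."""
    peers, stranded, last_peer = {}, [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # not a timestamped cache.log entry
        stamp, message = entry.groups()
        if m := CONNECT.match(message):
            last_peer = f"{m.group(1)}:{m.group(2)}"
            peer = peers.setdefault(
                last_peer, {"failed": 0, "name": None, "dead_since": None})
            if m.group(3) == "failed":
                peer["failed"] += 1
        elif (m := DEAD_PARENT.match(message)) and last_peer:
            # The quoted log prints the cache_peer name= label right after the failing connect.
            peers[last_peer].update(name=m.group(1), dead_since=stamp)
        elif m := NO_SOURCE.match(message):
            stranded.append((stamp, m.group(1)))
    return peers, stranded


if __name__ == "__main__":
    peers, stranded = triage(SAMPLE_LOG)
    for addr, info in peers.items():
        print(addr, info["name"], info["failed"], info["dead_since"])
    for stamp, url in stranded:
        print(stamp, "no usable source for", url)
```

Run against the real cache.log, a peer that shows failures and a `dead_since` time while the back end answers a direct `lynx` request from the same host points at the proxy-to-peer path rather than at authentication.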