>> I'm not an http/proxy guru. What I think is happening is that the >> local Squid proxy receives the X-Cache MISS from upstream, and simply >> halts the response as if it were a peer. > > > You say that BUT... the entire information about the failure consists of: > " > > curl -vhttp://keyserver.ubuntu.com > > ...output here is the squid access denied error message page... > " My bad. Here's the failing request through 3.1.19: curl -v http://keyserver.ubuntu.com * About to connect() to proxy 10.10.10.10 port 3128 (#0) * Trying 10.10.10.10... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0connected > GET http://keyserver.ubuntu.com HTTP/1.1 > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > Host: keyserver.ubuntu.com > Accept: */* > Proxy-Connection: Keep-Alive > * HTTP 1.0, assume close after body < HTTP/1.0 403 Forbidden < Server: squid/3.1.19 < Mime-Version: 1.0 < Date: Sun, 07 Apr 2013 14:24:54 GMT < Content-Type: text/html < Content-Length: 3408 < X-Squid-Error: ERR_ACCESS_DENIED 0 < Vary: Accept-Language < Content-Language: en < X-Cache-Lookup: MISS from localhost:11371 < X-Cache-Lookup: MISS from localhost:3128 < Via: 1.0 localhost (squid/3.1.19), 1.0 localhost (squid/3.1.19) * HTTP/1.0 connection set to keep alive! < Connection: keep-alive and the trimmed down html returned form the local proxy: </head><body id=ERR_ACCESS_DENIED> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr> <div id="content"> <p>The following error was encountered while trying to retrieve the URL: <a href="http://keyserver.ubuntu.com/";>http://keyserver.ubuntu.com/</a></p> <blockquote id="error"> <p><b>Access Denied.</b></p> </blockquote> <p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p> <p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&body=CacheHost%3A%20localhost%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Sun,%2007%20Apr%202013%2014%3A24%3A54%20GMT%0D%0A%0D%0AClientIP%3A%2076.244.155.139%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.22.0%20(x86_64-pc-linux-gnu)%20libcurl%2F7.22.0%20OpenSSL%2F1.0.1%20zlib%2F1.2.3.4%20libidn%2F1.23%20librtmp%2F2.3%0D%0AHost%3A%20keyserver.ubuntu.com%0D%0AAccept%3A%20*%2F*%0D%0AVia%3A%201.1%20localhost%20(squid%2F3.1.19)%0D%0AX-Forwarded-For%3A%2010.10.10.20%0D%0ACache-Control%3A%20max-age%3D259200%0D%0AConnection%3A%20keep-alive%0D%0A%0D%0A%0D%0A">webmaster</a>.</p> <br> </div> <hr> <div id="footer"> <p>Generated Sun, 07 Apr 2013 14:24:54 GMT by localhost (squid/3.1.19)</p> <!-- ERR_ACCESS_DENIED --> </div> </body></html> This is the stock squid.conf with the exception that I've added an acl for my local 10.10. network toe access it. (acl localnet src 10.0.0.0/8 + http_access allow localnet) and I've toggled strip_query_terms off so I could see the full uri in the log. I've also tried setting the last http_access deny all to allow all with no effect. Thanks! -=Chris
