[squid-users] 2.7.STABLE9 & Error with option deny_info from local requests

Mark Riede m.riede at babiel.com
Fri Nov 28 13:40:25 UTC 2014


Hello,

I am seeing strange behavior with Squid 2.7.STABLE9 and local requests which should be intercepted by the option deny_info.

I am using Squid as a reverse proxy.
I have configured a list of subdomains (i.e. subdomain.domain.tld) in a file via the option dstdomain, which will be forwarded to the defined cache peer.
There is an additional list of domains (i.e. *.domain.tld) which match via wildcard to all other domains, which are not absolutely defined yet and will be forwarded to a custom error page via the option deny_info.

The problem is that requests forwarded to the ip of the server, i.e. 192.168.0.1, will be caught by the option deny_info.
But, when the request is forwarded to the ip of the localhost (127.0.0.1), the option deny_info will not match.
Now the strange behaviour is that requests to the ip of the localhost but with the destination domain subdomain.domain.tld will be answered successfully.
I need a fix because clients get the custom error page for requests via http (NAT to 192.168.0.1) but not the same response via https (nginx to 127.0.0.1). 
I don't know where or how I can fix this problem or do more debugging.


# Config
http_access allow localhost
acl foo dstdomain "/file"
acl foo_deny dstdom_regex "/ file _deny"
http_access allow foo
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=srv1 login=PASS
cache_peer_access srv1 allow foo
cache_peer_access srv1 deny all
deny_info ERR_FOO foo_deny
http_access deny foo_deny
http_access deny all


# Error via curl
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>ERROR: The requested URL could not be retrieved</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=ERR_CANNOT_FORWARD> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>The following error was encountered while trying to retrieve the URL: <a href="http://subdomain.domain.tld/">http://subdomain.domain.tld/</a></p>  <blockquote id="error"> <p><b>Unable to forward this request at this time.</b></p> </blockquote>  <p>This request could not be forwarded to the origin server or to any parent caches.</p>  <p>Some possible problems are:</p> <ul> <li id="network-down">An Internet connection needed to access this domains origin servers may be down.</li> <li id="no-peer">All configured parent caches may be currently unreachable.</li> <li id="permission-denied">The administrator may not allow this cache to make direct connections to origin servers.</li> </ul>  <p>Your cache administrator is <a href="mailto:service at babiel.com">service at babiel.com</a>.</p>  <br> </div>  <hr> <div id="footer"> <p>Generated Fri, 28 Nov 2014 13:29:22 GMT by squid (squid)</p> <!-- ERR_CANNOT_FORWARD -->

# Error from log
1417181439.852 RELEASE -1 FFFFFFFF B41394C6D2C0281301E5137947DE34E0  504 1417181439        -1        -1 text/html 1509/1509 GET http://subdomain.domain.tld/

Best regards,
Mark
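
Added example, not part of the original post and not Squid code: a small Python model of Squid's first-match evaluation of the http_access and cache_peer_access lines in the posted config, showing which response each kind of request receives and how rule order changes it. Assumptions: `localhost` is the stock `acl localhost src 127.0.0.1/32`, nginx connects to Squid from 127.0.0.1, NATed clients keep their own source address, the reverse proxy never forwards direct, and the ACL file contents and the client address are constructed.

```python
import re

# Constructed stand-ins for the two ACL files (their contents are not in the post).
FOO = {"subdomain.domain.tld"}               # acl foo dstdomain "/file"
FOO_DENY = [re.compile(r"\.domain\.tld$")]   # acl foo_deny dstdom_regex

ACLS = {
    "localhost": lambda src, host: src == "127.0.0.1",  # assumed default definition
    "foo": lambda src, host: host in FOO,
    "foo_deny": lambda src, host: any(r.search(host) for r in FOO_DENY),
    "all": lambda src, host: True,
}

# http_access lines in the order they appear in the posted config.
POSTED = [("allow", "localhost"), ("allow", "foo"),
          ("deny", "foo_deny"), ("deny", "all")]
# Same lines with the localhost rule moved below the foo_deny rule (hypothetical).
REORDERED = [("allow", "foo"), ("deny", "foo_deny"),
             ("allow", "localhost"), ("deny", "all")]
PEER_ACCESS = [("allow", "foo"), ("deny", "all")]   # cache_peer_access srv1
DENY_INFO = {"foo_deny": "ERR_FOO"}                 # deny_info ERR_FOO foo_deny

def first_match(rules, src, host):
    """Return (action, acl) of the first rule whose ACL matches."""
    for action, acl in rules:
        if ACLS[acl](src, host):
            return action, acl
    return "deny", None   # not reached here: both rule lists end in 'all'

def outcome(src, host, http_access=POSTED):
    action, acl = first_match(http_access, src, host)
    if action == "deny":
        # deny_info only applies when its ACL is the one that caused the deny.
        return DENY_INFO.get(acl, "ERR_ACCESS_DENIED")
    if first_match(PEER_ACCESS, src, host)[0] == "allow":
        return "forwarded to srv1"
    return "ERR_CANNOT_FORWARD"   # allowed, but no peer may take the request

if __name__ == "__main__":
    for src in ("203.0.113.7", "127.0.0.1"):   # constructed client, then nginx
        for host in ("subdomain.domain.tld", "other.domain.tld"):
            print(src, host, "->", outcome(src, host),
                  "| reordered:", outcome(src, host, REORDERED))
```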

