[squid-users] issues with amazonaws & cloudfront

Brendan Kearney bpk678 at gmail.com
Fri Sep 23 22:53:18 UTC 2016


On 09/23/2016 10:28 AM, lravelo wrote:
> Good morning!
>
> I have four squid 3.3.8 proxies load balanced behind two VIPs (in groups of
> two) using least connections load balancing.  I've been having issues with
> the .amazonaws.com and .cloudfront.com domains.  We use TCP load balancing
> and not HTTP load balancing.  Basically what happens is that these web pages
> request a keep-alive and on the browser console I'm seeing messages saying
> that proxy authentication failed and some "ERR_CACHE_ACCESS_DENIED 0" errors
> as well.  We do have kerberos authentication for SSO.  Not sure if anyone
> else has had this issue and what's been done to resolve it.
>
what is the DNS name of the VIP you load balance behind?  does the DNS 
name match the HTTP principal you created in kerberos?  for example:

dns name: proxy.domain.tld
kerberos principal: HTTP/proxy.domain.tld@REALM

the keytabs that you created, they have to be identical for each load 
balanced pool member.  you should have made one keytab, and securely 
copied it to each pool member.  if they are not exactly identical, one 
proxy will work (the one with the latest keytab created, because the 
KVNO will be ordinally greater [use "klist -Kket /path/to/file.keytab"]) 
and the other won't work.
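
An added example, not part of the original message or of Squid: one way to run the KVNO comparison described in the reply above across pool members, by parsing saved `klist -ket` listings. It assumes the MIT Kerberos column layout (KVNO, date, time, principal, enctype); the listings, file paths and member names proxy2/proxy3 are constructed.

```sh
#!/bin/sh
# Added example: compare `klist -ket` listings from load-balanced pool members.
# Assumes the MIT Kerberos layout: KVNO, date, time, principal, (enctype).

PRINCIPAL='HTTP/proxy.domain.tld@REALM'

# Constructed listings (not from a real system). B is a copy of A stored under
# a different path; C stands for a keytab generated separately (KVNO bumped).
LISTING_A='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 09/20/2016 09:15:02 HTTP/proxy.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 09/20/2016 09:15:02 HTTP/proxy.domain.tld@REALM (arcfour-hmac)'
LISTING_B=$(printf '%s\n' "$LISTING_A" | sed 's#/etc/squid/#/opt/squid/#')
LISTING_C=$(printf '%s\n' "$LISTING_A" | sed 's/^   3 /   4 /')

# Reduce a listing (stdin) to sorted "kvno principal enctype" lines, ignoring
# the keytab path, the header rows and the timestamps.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $1, $4, $5 }' | sort
}

# Print the highest KVNO stored for principal $1 in the listing on stdin.
max_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p && $1+0 > m { m = $1+0 }
                   END { print m+0 }'
}

# Return 0 when two listings hold the same kvno/principal/enctype entries.
same_keytab() {
    [ "$(printf '%s\n' "$1" | keytab_entries)" = \
      "$(printf '%s\n' "$2" | keytab_entries)" ]
}

# $1 = member name, $2 = its listing; compared against LISTING_A as reference.
report() {
    if same_keytab "$LISTING_A" "$2"; then
        echo "$1: matches reference keytab"
    else
        echo "$1: MISMATCH, max KVNO $(printf '%s\n' "$2" | max_kvno "$PRINCIPAL")"
    fi
}

report proxy2 "$LISTING_B"
report proxy3 "$LISTING_C"
```

Matching entries show only that the KVNO, principal and enctype agree; comparing a checksum of the keytab file on each member confirms the key bytes are the same copy.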

