[squid-users] IIS error with one website
Ryan Slick
speedy_1s at yahoo.com.au
Mon Feb 29 23:09:59 UTC 2016
Hi, this is not an SSL site.
Here is the config (I have stripped out the ACLs):
# WELCOME TO SQUID 2
# ------------------
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: cache_peer
cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
# disable local cache digest generation
digest_generation off
# TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
#define the all here as it will be used by the no_cache
acl all src 0.0.0.0/0.0.0.0
# TAG: no_cache
cache deny all
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
# TAG: maximum_object_size (bytes)
maximum_object_size 0 KB
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
log_uses_indirect_client on
# Enable Log Rotation
logfile_rotate 7
# TAG: emulate_httpd_log on|off
emulate_httpd_log on
# TAG: debug_options
debug_options ALL,1
#debug_options ALL,9
# By default, the store and access log is disabled to avoid large size log files
cache_store_log none
access_log none
useragent_log none
#cache_log c:/ClientSiteProxy/var/logs/cache.log
#access_log C:/ClientSiteProxy/var/logs/access.log
cache_log D:/SquidDefinitions/logs/cache.log
access_log D:/SquidDefinitions/logs/access.log
#useragent_log c:/ClientSiteProxy/var/logs/useragent.log
# IGNORE EXPECT 100 HTTP HEADER
# -----------------------------------------------------------------------------
ignore_expect_100 on
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# TAG: auth_param
auth_param ntlm program c:/clientsiteproxy/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 80
auth_param ntlm keep_alive on
# auth_param negotiate program c:/clientsiteproxy/libexec/mswin_negotiate_auth.exe
auth_param negotiate children 80
auth_param basic program c:/clientsiteproxy/libexec/ncsa_auth.exe C:/clientsiteproxy/etc/passwd.txt
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# Use this tag to specify how long the IP authentication credentials will be cached
# If multiple users connect from a single IP (ie: terminal services) comment out the
# following line and uncomment the next.
#authenticate_ip_shortcircuit_ttl 30 seconds
authenticate_ip_shortcircuit_access none
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
# TAG: refresh_pattern
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# TIMEOUTS
# -----------------------------------------------------------------------------
read_timeout 15 minutes
# X-Saucer
# ------------------------------------------------------------------------------
# TAG: fqdn_xsaucer
# Turn this on if you wish to use fully qualified domain names instead of
# user names in X-Saucer. To do this Squid does a DNS lookup of all
# IP's connecting to it. This can (in some situations) increase
# latency, which makes your cache seem slower for interactive
# browsing. By default, it is off.
# The FQDN will be prepended with a backslash and converted to lower case since
# ClientNet only accepts custom user name with backslash. If log_fqdn is
# also enabled, the FQDN will be logged in access.log.
# For example, an FQDN of www.XYz.com in access.log will require specifying
# a custom user "\www.xyz.com" (no quotes) in ClientNet.
#
# fqdn_xsaucer off
# TAG: hash_username_xsaucer
# Turn this on if you wish to apply hex representative of hashed(SHA-1)
# to domain name\user name (before encryption) in X-Saucer instead.
#
# hash_username_xsaucer off
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# TAG: acl
# TAG: disable password on conf file
#cachemgr_passwd none config
acl SSL_ports port 443 563 5443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 5443 # https, snews, medicare
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl_uses_indirect_client on
acl CONNECT method CONNECT
acl authproxy proxy_auth REQUIRED
# the IP list of "acl our_networks src" may potentially be long while the maximum number of characters supported by squid is around 500.
# therefore, you should try to split long ip list to multiple lines for readability and maintainability, see the following lines as an example:
# acl our_networks src x.x.x.x/z x.x.x.x/x x.x.x.x/z ....
# acl our_networks src y.y.y.y/z y.y.y.y/y y.y.y.y/z ....
acl our_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16
# __________________________________________________________________________
acl HEAD method HEAD
follow_x_forwarded_for allow f5lb_prxy
# TAG: http_access
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# __________________________________________________________________________
#http_access allow CONNECT SSL_ports
# __________________________________________________________________________
http_access deny CONNECT !SSL_ports
#Allow the header as IE does not process the Head authentication
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
# __________________________________________________________________________
# __________________________________________________________________________
# NTLM bypasses and specific domain bypass come after this comment block.
# http_access = NTLM bypass. always_direct = bypasses the MessageLabs proxy
# and sends the connection directly. The first sample below creates a bypass
# named 'uniqueBypass1' which bypasses NTLM and sends the connection directly
# for sample.com. The second sample will bypass NTLM authentication for
# connections to sample.com.
# Begin Sample 1:
#acl uniqueBypass1 dstdomain sample.com
# http_access allow uniqueBypass1
# always_direct allow uniqueBypass1
# Begin Sample 2:
#acl NTLMBypass dstdomain sample.com
#http_access allow NTLMBypass
http_access allow authproxy
http_access deny all
# TAG: icp_access
icp_access allow all
# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
#httpd_suppress_version_string on
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# TAG: visible_hostname
visible_hostname ClientSiteProxy
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------
# MISCELLANEOUS
# -----------------------------------------------------------------------------
# Forwarding proxy client IP addresses in X-Forwarded-For header.
# Disabled to prevent leakage of internal network configuration details.
forwarded_for truncate
# Do not reveal CSP version in "Via" HTTP header
header_access Via deny all
# TAG: never_direct
never_direct allow all
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------
# TAG: coredump_dir
# completely disable checks for cache consistency (and/or garbage collection) and
# there will be no need to initialize cache dirs which amount to be over 2000 dir.
cache_dir null c:/ClientSiteProxy
coredump_dir c:/clientsiteproxy/var/cache
http_port 80
http_port 8080
On Tuesday, 1 March 2016 11:49 AM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
Can you send me or the list your squid.conf?
Also, are you using SSL-Bump? Is this an HTTPS site?
Eliezer
On 01/03/2016 00:36, Ryan Slick wrote:
> Hi Guys,
>
> So here is an issue I am having,
>
> there is a external website some of our users need to access. When
> accessing via the Squid proxy, the site throws this error on the page:
>
> iisnode encountered an error when processing the request.
> HRESULT: 0xb
> HTTP status: 500
> HTTP reason: Internal Server Error
> You are receiving this HTTP 200 response because
> system.webServer/iisnode/@devErrorsEnabled configuration
> setting is 'true'.
>
> We configured on a pc that goes directly to the internet the page loads
> fine, when going via a bluecoat proxy on a different network it loads
> fine, When I put in a direct access rule on squid the error is still thrown.
>
> I am convinced the issue is on the external webserver, however it would
> appear squid is not playing nice with it, is there anything I can do to
> attempt to fix it? Now the users have tested on their remote devices and
> from home they are convinced the issue lies on the proxy.
>
> regards
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
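Squid checks http_access lines from top to bottom and stops at the first line whose ACLs all match, so the order of the lines in the posted config decides what each request gets. The sketch below is an added example, not part of the original post or of Squid: it replays the posted http_access lines against a few constructed requests to audit that ordering. Assumptions: the request fields and the `decide` helper are hypothetical, lines that name ACLs stripped from the post (manager, localhost, Smartconnect) are skipped as non-matching, and proxy_auth is modelled as a simple boolean.

```python
import ipaddress

# ACL definitions that are still visible in the posted squid.conf.
SAFE_PORTS = {80, 21, 443, 563, 5443, 70, 210, 280, 488, 591, 777}
SSL_PORTS = {443, 563, 5443}
OUR_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "169.254.0.0/16")]

# Assumption: proxy_auth REQUIRED is reduced to "did the client authenticate".
ACLS = {
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "HEAD": lambda r: r["method"] == "HEAD",
    "our_networks": lambda r: any(
        ipaddress.ip_address(r["src"]) in n for n in OUR_NETWORKS),
    "authproxy": lambda r: r["authed"],
    "all": lambda r: True,
}

# The active http_access lines, in the order they appear in the post.
RULES = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
http_access allow authproxy
http_access deny all
"""

def decide(request, rules=RULES):
    """Return (action, line) for the first http_access line whose ACLs all match."""
    for line in rules.splitlines():
        _, action, *names = line.split()
        # Assumption: a line naming an ACL stripped from the post never matches.
        if any(n.lstrip("!") not in ACLS for n in names):
            continue
        # Every ACL on the line must match; a leading "!" inverts that ACL.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, line
    return "deny", "(no rule matched)"  # not reached here: "deny all" always matches
```

With the posted order, a constructed HEAD request from 203.0.113.7 (outside our_networks, unauthenticated) stops at `http_access allow HEAD`, because that line sits above `http_access deny !our_networks`. Placing the HEAD line below the network check keeps the authentication exemption for internal clients while restoring the source restriction.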