Marius Etsebeth wrote:
> Well Joe,
>
> What makes me think it's SQUID?
>
> If I bypass SQUID but still use the firewall, everything
> is fine. Also, like I said before, I was unable to access
> .cgi files, but when I removed the line I mentioned
> before from the squid.conf file, it suddenly worked.
> I.e. the line is there, I cannot access .cgi files ;
> the lines not there, I can access .cgi files...
That's fine, but Squid isn't /denying/ your request. Squid is telling
you it can't fetch the object you're requesting because it can't connect
to the server. A denied request will say 'Access Denied'. I'm not
saying that Squid configuration problems aren't keeping you from
accessing the internet. A subtle distinction perhaps, but one that
makes a difference in how it can be solved.
> That in itself proves that SQUID was denying at least
> the .cgi files.
Mildly faulty logic or a misuse of terms. ;-)
> Lastly, if I visit plain .html / .htm (and now .cgi :) sites,
> SQUID works like a charm behind the firewall. It just seem to
> have a hassle with the .pl extension...
>
> I have read the firewall section, and that's why SQUID works OK
> through it, EXCEPT for instances like the above. Perhaps you could
> be more specific on what part I misunderstood / missed in the
> FW section.
>
> I'm asking, I do not know the answers ...........
It sounds like, from your problem and your solution, that you have a
proxy running on the firewall, and this is how Squid reaches the
internet. I also assume you have configured the firewall proxy as the
parent proxy of Squid.
So, configuring 'hierarchy_stoplist' to not bypass the 'hierarchy' for
some requests fixes your problem...Which means that Squid can't reach
the internet any other way. That is as it should be.
So what you want is to configure Squid to /always/ use the proxy on the
firewall for its net access, no matter what. For that you can use
never_direct (if you haven't already configured it). I haven't spend
much time lately on configuring parent proxies and such, so I might be
forgetting something. But it sounds like you've basically got it
working, and just need to adjust it so that Squid knows it always needs
to hit that other proxy.
> Joe Cooper wrote:
>
>>Marius Etsebeth wrote:
>>
>>>Hi people,
>>>
>>>I tried to download evaluation software from a site
>>>and got the error below. (I'm using squid version 2.4 stable 6
>>>on Mandrake 7.2.)
>>>
>>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>While trying to retrieve the URL:
>>>http://www.ipswitch.com/cgi/download_eval.pl
>>>
>>>The following error was encountered:
>>>
>>> Connection Failed
>>>
>>>The system returned:
>>>
>>> (113) No route to host
>>>
>>>The remote host or network may be down. Please try the request again.
>>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>>I had similar problems when I tried to access sites
>>>where the files were CGI files with ".cgi" extensions.
>>>However, when I removed the "hierarchy_stoplist cgi-bin ?"
>>>entry from the squid.conf file, I could access these particular
>>>sites.
>>
>>What makes you think Squid is denying your request? The error you've
>>shown says it can't connect. Have you read the FAQ entry on running
>>Squid behind a firewall?
>>
>>
>>>I suspect if I tried to access .php sites, I may get the same error.
>>>
>>>Any reason for this and how do I fix it?
>>
>>Probably read the Squid through a firewall section of the FAQ.
>>
>>
>>>A second question.
>>>
>>>Is it possible to set up squid inside a firewall
>>>so that firstly squid does the authentication and then,
>>>secondly, the firewall as well?
>>
>>No.
>>
>>
>>>I suspect not. As far as I can figure out, HTTP is not happy
>>>with dual authentication methods.....
>>
>>You suspect right.
>>--
>>Joe Cooper <joe@swelltech.com>
>>http://www.swelltech.com
>>Web Caching Appliances and Support
>
>
>
-- Joe Cooper <joe@swelltech.com> http://www.swelltech.com Web Caching Appliances and SupportReceived on Wed Apr 10 2002 - 00:37:06 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:31 MST