Squid proxy error cache access denied


Hi all, I am trying to configure a squid proxy to restrict access to it using NCSA, following the quick how-to found on.

This means that: The cache was not able to resolve the hostname presented in the URL. Check if the address is correct. = sprers.eu on my squid server does.

How to edit the Access denied page in Squid? How to insert custom pictures and mail? How to set Squid cache manager e-mail?

calamaris OPTIONS > reportfile

When using more than one log file, make sure they are chronologically ordered, with older files listed first. This can be achieved by either listing the files one after the other as in the example above, or by using.

takes the following options:

output all available reports

output as HTML report

include a message or logo in report header

More information about the various options can be found in the program's manual page with.

A typical example is:

cat sprers.eu{} sprers.eu


I am most of the way through setting up a squid proxy server on pfSense and I am having issues with NTLM authentication. The first time I open a web page I receive an error class type redefinition cannot be displayed error" but if I refresh the page loads fine. Wireshark captures on the 2 streams look like this (page not loading on left, page loading on right)

It seems IE does not want to authenticate until the second time.

Does anybody know how to fix this?

Edit: Picture is a little hard to read so
Failed request:

CONNECT sprers.eu HTTP/
User-Agent: Mozilla/ (compatible; MSIE ; Windows NT ; Trident/)
Host: sprers.eu
Content-Length: 0
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/ Proxy Authentication Required
Server: squid
Mime-Version:
Date: Wed, 24 Jul GMT
Content-Type: text/html
Content-Length:
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from sprers.eu
X-Cache-Lookup: NONE from sprers.eu
Via: sprers.eu (squid)
Connection: close

Successful request

CONNECT sprers.eu HTTP/
User-Agent: Mozilla/ (compatible; MSIE ; Windows NT ; Trident/)
Host: sprers.eu
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Content-Length: 0

HTTP/ Proxy Authentication Required
Server: squid
Mime-Version:
Date: Wed, 24 Jul GMT
Content-Type: text/html
Content-Length:
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADgAAAAFgomiURdWtMYNXhYAAAAAAAAAAH4AfgBEAAAABgEAAAAAAA9GAEkATgBGAEkAVAACAAwARgBJAE4ARgBJAFQAAQAKAFAAUgBPAFgAWQAEACQAZgBmAGEAcABhAHkAcwBtAGEAcgB0AC4AYwBvAG0ALgBhAHUAAwAwAHAAcgBvAHgAeQAuAGYAZgBhAHAAYQB5AHMAbQBhAHIAdAAuAGMAbwBtAC4AYQB1AAAAAAA=
X-Cache: MISS from sprers.eu
X-Cache-Lookup: NONE from sprers.eu
Via: sprers.eu (squid)
Connection: keep-alive


deny [!]aclname
#
# See http_access for details
#
##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src
#htcp_clr_access allow htcp_clr_peer
#
#Default:
# htcp_clr_access deny all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src /16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
# miss_access allow all


# NETWORK OPTIONS
#

# TAG: http_port
# Usage: port [options]
# hostname:port [options]
# port [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# You may specify multiple socket addresses on multiple lines.
#
# Options:
#
# transparent Support for transparent interception of
# outgoing requests without browser settings.
#
# tproxy Support Linux TPROXY for spoofing outgoing
# connections using the client IP address.
#
# accel Accelerator mode. See also the related vhost,
# vport and defaultsite directives.
#
# defaultsite=domainname
# What to use for the Host: header if it is not present
# in a request. Determines what site (not origin server)
# accelerators should consider the default.
# Defaults to visible_hostname:port if not set
# May be combined with vport=NN to override the port number.
# Implies accel.
#
# vhost Accelerator mode using Host header for virtual
# domain support. Implies accel.
#
# vport Accelerator with IP based virtual host support.
# Implies accel.
#
# vport=NN As above, but uses specified port number rather
# than the http_port number. Implies accel.
#
# urlgroup= Default urlgroup to mark requests with (see
# also acl urlgroup and url_rewrite_program)
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to http.
#
# no-connection-auth
# Prevent forwarding of Microsoft connection oriented
# authentication (NTLM, Negotiate and Kerberos)
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
# Squid normally listens to port
# The following line was modified
#http_port
http_port transparent

# TAG: https_port
# Usage: [ip:]port cert=sprers.eu [key=sprers.eu] [options]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# accel Accelerator mode. Also needs at least one of
# defaultsite or vhost.
#
# defaultsite= The name of the https site presented on
# this port. Implies accel.
#
# vhost Accelerator mode using Host header for virtual
# domain support. Requires a wildcard certificate
# or other certificate valid for more than one domain.
# May be combined with vport=NN to override the port
# number.
# Implies accel.
#
# urlgroup= Default urlgroup to mark requests with (see
# also acl urlgroup and url_rewrite_program).
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to https.
#
# cert= Path to SSL certificate (PEM format).
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file.
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers.
#
# options= Various SSL engine options. The most important
# being:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
# documentation for a complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate.
#
# cafile= File containing additional CA certificates to
# use when verifying client certificates. If unset
# clientca will be used.
#
# capath= Directory containing additional CA certificates
# and CRL lists to use when verifying client certificates.
#
# crlfile= File of additional CRL lists to use when verifying
# the client certificate, in addition to CRLs stored in
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
# DH key exchanges.
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
# Don't request client certificates
# immediately, but wait until acl processing
# requires a certificate (not yet implemented).
# NO_DEFAULT_CA
# Don't use the default CA lists built in
# to OpenSSL.
# NO_SESSION_REUSE
# Don't allow for session reuse. Each connection
# will result in a new SSL session.
# VERIFY_CRL
# Verify CRL lists when accepting client
# certificates.
# VERIFY_CRL_ALL
# Verify CRL lists for all certificates in the
# client certificate chain.
#
# sslcontext= SSL session ID context identifier.
#
# vport Accelerator with IP based virtual host support.
#
# vport=NN As above, but uses specified port number rather
# than the https_port number. Implies accel.
#
#
#Default:
# none

# TAG: tcp_outgoing_tos
# Allows you to select a TOS/Diffserv value to mark outgoing
# connections with, based on the username or source address
# making the request.
#
# tcp_outgoing_tos ds-field [!]aclname
#
# Example where normal_service_net uses the TOS value 0x00
# and good_service_net uses 0x20
#
# acl normal_service_net src /
# acl good_service_net src /
# tcp_outgoing_tos 0x00 normal_service_net
# tcp_outgoing_tos 0x20 good_service_net
#
# TOS/DSCP values really only have local significance - so you should
# know what you're specifying. For more information, see RFC and
# RFC
#
# The TOS/DSCP byte must be exactly that - a octet value 0 -or
# "default" to use whatever default your host has. Note that in
# practice often only values 0 - 63 is usable as the two highest bits
# have been redefined for use by ECN (RFC).
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
#Default:
# none

# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or source address of the user making
# the request.
#
# tcp_outgoing_address ipaddr [[!]aclname]
#
# Example where requests from /24 will be forwarded
# with source address/24 forwarded with
# source address and the rest will be forwarded with
# source address
#
# acl normal_service_net src /24
# acl good_service_net src /24 /24
# tcp_outgoing_address normal_service_net
# tcp_outgoing_address good_service_net
# tcp_outgoing_address
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
#Default:
# none


# SSL OPTIONS
#

# TAG: ssl_unclean_shutdown
# Some browsers (especially MSIE) bug out on SSL shutdown
# messages.
#
#Default:
# ssl_unclean_shutdown off

# TAG: ssl_engine
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
#
#Default:
# none

# TAG: sslproxy_client_certificate
# Client SSL Certificate to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_client_key
# Client SSL Key to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_version
# SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1

# TAG: sslproxy_options
# SSL engine options to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_cipher
# SSL cipher list to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_flags
# Various flags modifying the use of SSL while proxying https:// URLs:
# DONT_VERIFY_PEER Accept certificates even if they fail to
# verify.
# NO_DEFAULT_CA Don't use the default CA list built in
# to OpenSSL.
#
#Default:
# none

# TAG: sslpassword_program
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
#
#Default:
# none


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
#

# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
#
# cache_peer hostname type http-port icp-port [options]
#
# For example,
#
# # proxy icp
# # hostname type port port options
# #
# cache_peer sprers.eu parent proxy-only default
# cache_peer sprers.eu sibling proxy-only
# cache_peer sprers.eu sibling proxy-only
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy-port: The port number where the cache listens for proxy
# requests.
#
# icp-port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/sprers.eu file.
# NOTE: Also requires icp_port option enabled to send/receive
# requests via this method.
#
# options: proxy-only
# weight=n
# ttl=n
# no-query
# default
# round-robin
# carp
# multicast-responder
# closest-only
# no-digest
# no-netdb-exchange
# no-delay
# login=user:password

Permission Denied in Squid Proxy Server

Rajath Ratnakaran Asks: How to find the maximum revenue generated in SQL from a given table?
An interviewer gave me a table with 4 columns(Director name, actor name, movie name, revenue generated). The database had movies between director and actor which generated different revenues, also the same director did movies with different actors, which generated different revenues.

I was asked to fetch the best director actor combo as per the sum of the revenue generated together. Say director A has made 10 movies each with actors X,Y and Z, similarly director B has made 10 movies each with actors X,Y,Z. With which actor, the director X and Y made maximum revenue (in total).

I used self join and ended up not able to fetch the result and eventually losing the interview :(

Please help


./dnsserver

Should produce something like:

$name sprers.eu
$h_name sprers.eu
$h_len 4
$ipcount 1
$aliascount 0
$ttl
$end

Sending in Squid bug reports

Bug reports for Squid should be sent to the squid-bugs alias. Any bug report must include

  • The Squid version
  • Your Operating System type and version

crashes and core dumps

There are two conditions under which squid will exit abnormally and generate a coredump. First, a SIGSEGV or SIGBUS signal will cause Squid to exit and dump core. Second, many functions include consistency checks. If one of those checks fails, Squid calls abort() to generate a core dump.

Many people report that Squid doesn't leave a coredump anywhere. This is likely because of "resource limits." These limits can usually be changed in shell scripts. The command to change the resource limits is usually either limit or limits. Sometimes it is a shell-builtin function, and sometimes it is a regular program. Also note that you can set resource limits in the /etc/sprers.eu file on FreeBSD and maybe other BSD systems.

To change the coredumpsize limit you might use a command like:

limit coredumpsize unlimited

or

limits coredump unlimited

The core dump file will be left in either one of two locations:

  1. The current directory when Squid was started
  2. The first cache_dir directory if you have used the cache_effective_user option.
If you cannot find a core file, then either Squid does not have permission to write in its current directory, or perhaps your shell limits (csh and clones) are preventing the core file from being written. If you suspect the current directory is not writable, you can add cd /tmp to your script which starts Squid (e.g. RunCache).

Once you have located the core dump file, use a debugger such as dbx or gdb to generate a stack trace:

tirana-wessels squid/src % gdb squid /T2/Cache/core
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB (hppahp-hpux), Copyright Free Software Foundation, Inc
Core was generated by `squid'.
Program terminated with signal 6, Aborted.
[]
(gdb) where
#0 0xca8 in _kill ()
#1 0xc00b in _raise ()
#2 0xcbb08 in abort ()
#3 0x53f5c in __eprintf (string=0x7b "", expression=0x5f <Address 0x5f out of bounds>, line=8, filename=0x6b <Address 0x6b out of bounds>)
#4 0x in fd_open (fd=, type=, desc=0x95e4 "HTTP Request") at fd.c
#5 0x24f40 in comm_accept (fd=, peer=0x7bb0, me=0x6b) at comm.c
#6 0x in httpAccept (sock=33, notused=0xca6) at client_side.c
#7 0x in comm_select_incoming () at comm.c
#8 0x in comm_select (sec=29) at comm.c
#9 0x3b04c in main (argc=, argv=0xdd8) at main.c

If possible, you might keep the coredump file around for a day or two. It is often helpful if we can ask you to send additional debugger output, such as the contents of some variables.

Debugging Squid

If you believe you have found a non-fatal bug (such as incorrect HTTP processing) please send us a section of your sprers.eu with debugging to demonstrate the problem. The sprers.eu file can become very large, so alternatively, you may want to copy it to an FTP or HTTP server where we can download it.

It is very simple to enable full debugging on a running squid process. Simply use the -k debug command line option:

% ./squid -k debug

This causes every debug() statement in the source code to write a line in the sprers.eu file. You also use the same command to restore Squid to normal debugging.

To enable selective debugging (e.g. for one source file only), you need to edit sprers.eu and add to the debug_options line. Every Squid source file is assigned a different debugging section. The debugging section assignments can be found by looking at the top of individual source files, or by reading the file doc/sprers.eu (correctly renamed to sprers.eu for Squid-2). You also specify the debugging level to control the amount of debugging. Higher levels result in more debugging messages. For example, to enable full debugging of Access Control functions, you would use

debug_options ALL,1 28,9

Then you have to restart or reconfigure Squid.

Once you have the debugging captured to sprers.eu, take a look at it yourself and see if you can make sense of the behaviour which you see. If not, please feel free to send your debugging output to the squid-users or squid-bugs lists.

FATAL: ipcache_init: DNS name lookup tests failed

Squid normally tests your system's DNS configuration before it starts serving requests. Squid tries to resolve some common DNS names, as defined in the dns_testnames configuration directive. If Squid cannot resolve these names, it could mean:

  1. your DNS nameserver is unreachable or not running.
  2. your /etc/sprers.eu file may contain incorrect information.
  3. your /etc/sprers.eu file may have incorrect permissions, and may be unreadable by Squid.

To disable this feature, use the -D command line option.

Note, Squid does NOT use the dnsservers to test the DNS. The test is performed internally, before the dnsservers start.

FATAL: Failed to make swap directory /var/spool/cache: (13) Permission denied

Starting with version we have required that you first run

squid -z

to create the swap directories on your filesystem. If you have set the cache_effective_user option, then the Squid process takes on the given userid before making the directories. If the cache_dir directory (e.g. /var/spool/cache) does not exist, and the Squid userid does not have permission to create it, then you will get the "permission denied" error. This can be simply fixed by manually creating the cache directory.

# mkdir /var/spool/cache
# chown <userid>:<groupid> /var/spool/cache
# squid -z

Alternatively, if the directory already exists, then your operating system may be returning "Permission Denied" instead of "File Exists" on the mkdir() system call. This patch by Miquel van Smoorenburg should fix it.

FATAL: Cannot open HTTP Port

Either (1) the Squid userid does not have permission to bind to the port, or (2) some other process has bound itself to the port. Remember that root privileges are required to open port numbers less than If you see this message when using a high port number, or even when starting Squid as root, then the port has already been opened by another process. Maybe you are running in the HTTP Accelerator mode and there is already a HTTP server running on port 80? If you're really stuck, install the way cool lsof utility to show you which process has your port in use.

FATAL: All redirectors have exited!

This is explained in the Redirector section.

You've run out of swap file numbers.

Squid keeps an in-memory bitmap of disk files that are available for use, or are being used. The size of this bitmap is determined at run time, based on two things: the size of your cache, and the average (mean) cache object size.

The size of your cache is specified in sprers.eu, on the cache_dir lines. The mean object size can also be specified in sprers.eu, with the 'store_avg_object_size' directive. By default, Squid uses 13 Kbytes as the average size.

When allocating the bitmaps, Squid allocates this many bits:

2 * cache_size / store_avg_object_size

So, if you exactly specify the correct average object size, Squid should have 50% filemap bits free when the cache is full. You can see how many filemap bits are being used by looking at the 'storedir' cache manager page. It looks like this:

Store Directory #0: /usr/local/squid/cache
First level subdirectories: 4
Second level subdirectories: 4
Maximum Size: KB
Current Size: KB
Percent Used: %
Filemap bits in use: of (49%)
Flags:

Now, if you see the "You've run out of swap file numbers" message, then it means one of two things:

  1. You've found a Squid bug.
  2. Your cache's average file size is much smaller than the 'store_avg_object_size' value.

To check the average file size of the objects currently in your cache, look at the cache manager 'info' page, and you will find a line like:

Mean Object Size: KB

To make the warning message go away, set 'store_avg_object_size' to that value (or lower) and then restart Squid.

When using a username and password, I can not access some files.

If I try by way of a test, to access

ftp://username:[email protected]/somewhere/sprers.eu

I get

somewhere/sprers.eu: Not a directory.

Use this URL instead:

ftp://username:[email protected]/%2fsomewhere/sprers.eu

pingerOpen: icmp_sock: (13) Permission denied

This means your pinger program does not have root privileges. You should either do this:

% su
# make install-pinger

or

# chown root /usr/local/squid/bin/pinger
# chmod /usr/local/squid/bin/pinger

What is a forwarding loop?

A forwarding loop is when a request passes through one proxy more than once. You can get a forwarding loop if

  • a cache forwards requests to itself. This might happen with transparent caching (or server acceleration) configurations.
  • a pair or group of caches forward requests to each other. This can happen when Squid uses ICP, Cache Digests, or the ICMP RTT database to select a next-hop cache.

Forwarding loops are detected by examining the Via request header. Each cache which "touches" a request must add its hostname to the Via header. If a cache notices its own hostname in this header for an incoming request, it knows there is a forwarding loop somewhere. NOTE: A pair of caches which have the same visible_hostname value will report forwarding loops.

When Squid detects a forwarding loop, it is logged to the sprers.eu file with the received Via header. From this header you can determine which cache (the last in the list) forwarded the request to you.
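
The Via check described above can be reproduced offline when reading a logged header. The following is an added example, not Squid's own code: the function names and the example.net hostnames are assumptions, and the sample headers are constructed.

```python
import re

# A Via element is "protocol received-by [comment]"; elements are comma-separated.
_COMMENT = re.compile(r"\([^()]*\)")


def via_hops(via_value):
    """Return the received-by hostnames of one Via header value, oldest hop first."""
    cleaned = via_value
    # Remove comments such as "(squid/2.6)" first: a comment may contain commas.
    # Repeating the substitution peels nested comments from the inside out.
    while _COMMENT.search(cleaned):
        cleaned = _COMMENT.sub("", cleaned)
    hops = []
    for element in cleaned.split(","):
        fields = element.split()
        if len(fields) < 2:
            continue  # empty or malformed element, ignore it
        host = fields[1]
        if host.startswith("[") and "]" in host:
            host = host[1:host.index("]")]      # bracketed IPv6 literal, drop the port
        elif host.count(":") == 1:
            host = host.rsplit(":", 1)[0]        # hostname:port
        hops.append(host.lower())
    return hops


def check_forwarding_loop(headers, visible_hostname):
    """headers is a list of (name, value) pairs as received by this cache.

    Several Via lines are equivalent to one comma-joined line, so they are
    processed in the order they appear.
    """
    path = []
    for name, value in headers:
        if name.lower() == "via":
            path.extend(via_hops(value))
    return {
        "loop": visible_hostname.lower() in path,
        "forwarded_by": path[-1] if path else None,  # last entry = previous hop
        "path": path,
    }


# Constructed request as seen by cache-a: it already passed through cache-a once.
LOOPING_REQUEST = [
    ("Host", "www.example.org"),
    ("Via", "1.0 cache-b.example.net:3128 (squid/2.6), "
            "1.0 cache-a.example.net:3128 (squid/2.6)"),
    ("Via", "1.1 cache-c.example.net (squid/2.6)"),
]

# Constructed request from a different cache that was given the same
# visible_hostname: the check fires although no loop exists (the NOTE above).
SAME_NAME_REQUEST = [("Via", "1.0 proxy.example.net:3128 (squid/2.6)")]

if __name__ == "__main__":
    print(check_forwarding_loop(LOOPING_REQUEST, "cache-a.example.net"))
    print(check_forwarding_loop(SAME_NAME_REQUEST, "proxy.example.net"))
```

The "forwarded_by" value is the cache to look at first when deciding which peer relationship to change.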

One way to reduce forwarding loops is to change a parent relationship to a sibling relationship.

Another way is to use cache_host_acl rules. For example:

# Our parent caches
cache_peer sprers.eu parent
cache_peer sprers.eu parent
cache_peer sprers.eu parent

# An ACL list
acl PEERS src sprers.eu
acl PEERS src sprers.eu
acl PEERS src sprers.eu

# Prevent forwarding loops
cache_host_acl sprers.eu !PEERS
cache_host_acl sprers.eu !PEERS
cache_host_acl sprers.eu !PEERS

The above configuration instructs Squid to NOT forward a request to parents A, B, or C when a request is received from any one of those caches.

accept failure: (71) Protocol error

This error message is seen mostly on Solaris systems. Mark Kennedy gives a great explanation:

Error 71 [EPROTO] is an obscure way of reporting that clients made it onto your server's TCP incoming connection queue but the client tore down the connection before the server could accept it. I.e. your server ignored its clients for too long. We've seen this happen when we ran out of file descriptors. I guess it could also happen if something made squid block for a long time.

storeSwapInFileOpened: Size mismatch

Got these messages in my cache log - I guess it means that the index contents do not match the contents on disk.

/09/23
