I'm running V1.1.11 with icp_hit_stale on.
When the siblings don't have miss-access "FTP-requests" can result in an
Access-Denied error. (Very annoying for the users because another proxy
outside their domain denies them access)
Tests showed that only FTP produces this behavior (Gopher not tested). When
"FTP-files" are stale a TCP_MISS is produced (apparently) and this is denied
for the siblings.
A work-around can be allowing MISS-ACCESS to siblings but this might not be
desirable (as in our case where I have a sibling without any relation to our
agency except for my personal one but also a few under my control)
I decided to patch the source to produce only a UDP_HIT on a stale file is
PROT_HTTP. This seems to work. Denied errors are gone and HTTP still gets
UDP_HITS on stale files without any errors.
icp.c:
static int icpCheckUdpHit(StoreEntry * e, request_t * request)
{
if (e == NULL)
return 0;
if (!storeEntryValidToSend(e))
return 0;
/* if (Config.Options.icp_hit_stale)
* only icp_hit_stale for http
* Marc van Selm <selm@nc3a.nato.int>
*/
if (Config.Options.icp_hit_stale && request->protocol== PROTO_HTTP)
return 1;
if (refreshCheck(e, request, 30))
return 0;
return 1;
}
It might be useful to be able to enable icp_hit_stale per sibling_host. This
way I can only grant this service to proxies in the domain under my control
and grant other siblings only access to fresh files.
Marc
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: marc.van.selm@nc3a.nato.int
---------------------------------------------------------------------
Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm
....UNIX IS THE ONLY ANSWER....LINUX IS ALSO FREE....
Received on Mon Jul 28 1997 - 03:58:30 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:51 MST