>>> Chris Robertson <crobertson_at_gci.net> 5/28/2008 5:03 PM >>>
> Proxies. Plural. How are you spreading the traffic among the proxies?
> A number of authentication-requiring websites associate login
> credentials with a source IP. Using a round robin load balancer
> (without source NATing the outgoing requests from the multiple proxies)
> can cause issues with such sites. As well, using authentication on an
> intercepting (also called a transparent) proxy can cause issues such as
> this.
The traffic isn't being balanced among the proxies. I have multiple locations, 4 to be exact, all trying to access the same site with the same results. Each location uses its own proxy. None of them are transparent and they all require authentication back to a single central LDAP server.
> TCP_MISS/401 indicates the website returned a "Not Authorized" response,
> which should cause your browser to prompt for authentication.
With IE7, I get one prompt and then the "cannot display the webpage" message. With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.
> Wow. Not a single TCP_MISS/200 or TCP_HIT/200. The only requests that
> succeeded were cached content (TCP_MISS/304, with a parent of NONE).
> So, from the evidence given, the machine that is "working" only appears
> to be working because it is able to wrest a response from the cache that
> allows it to use its locally cached copy...
OK.....here's another bit from access.log with the TCP_MISS/200 from the "working" machine. My fault on the previous one in that all I visited was things that I'd already been to and cached. There are a lot of 401s in this but I only had to authenticate to the proxy itself and then once for the site.
[root_at_phs-proxy squid]# tail -f access.log | grep www.k12.ar.us
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.051 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.064 39 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.073 21 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1212065924.088 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.105 38 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.109 21 170.211.125.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1212065924.128 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- text/html
1212065924.154 26 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
1212065933.702 855 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher DIRECT/165.29.214.2 text/html
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges
If you have any suggestions on what else to look for, I'm willing to try about anything. I captured some of the headers in FF on both the working and a nonworking machine but I can't make any sense of them. Also, if running tcpdump would help, I'm game to try that as well?
Thanks,
Rob
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169

Received on Thu May 29 2008 - 13:19:03 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:14 MDT
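
Added example, not part of the original message or of Squid itself: a small parser for Squid's native access.log layout that groups the status codes per client and URL, so a request that eventually gets past the origin's 401 challenge can be told apart from one that is challenged forever. The sample lines, addresses, users and URLs are constructed for illustration, and the outcome labels ("passed", "stuck", "unchallenged") are this example's own.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout
# (documentation-range addresses, invented users and URLs).
SAMPLE_LOG = """\
1212000000.100 5 192.0.2.10 TCP_DENIED/407 1800 GET http://intranet.example/secure/menu.htm - NONE/- text/html
1212000001.200 180 192.0.2.10 TCP_MISS/401 2145 GET http://intranet.example/secure/menu.htm alice DIRECT/198.51.100.5 text/html
1212000001.900 24 192.0.2.10 TCP_MISS/401 2277 GET http://intranet.example/secure/menu.htm alice DIRECT/198.51.100.5 text/html
1212000002.300 210 192.0.2.10 TCP_MISS/200 9000 GET http://intranet.example/secure/menu.htm alice DIRECT/198.51.100.5 text/html
1212000010.000 40 192.0.2.11 TCP_MISS/401 2145 GET http://intranet.example/secure/guide.pdf bob DIRECT/198.51.100.5 text/html
1212000010.050 23 192.0.2.11 TCP_MISS/401 2277 GET http://intranet.example/secure/guide.pdf bob DIRECT/198.51.100.5 text/html
1212000015.700 41 192.0.2.11 TCP_MISS/401 2145 GET http://intranet.example/secure/guide.pdf bob DIRECT/198.51.100.5 text/html
1212000020.000 12 192.0.2.10 TCP_MISS/200 500 GET http://intranet.example/public/logo.gif alice DIRECT/198.51.100.5 image/gif
"""

def parse_line(line):
    """Split one native-format line into the fields used below."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None                      # not a native-format entry
    action, status = f[3].rsplit("/", 1)
    if not status.isdigit():
        return None
    return {"client": f[2], "action": action, "status": int(status),
            "url": f[6], "user": f[7]}

def auth_outcomes(log_text):
    """Per (client, URL): count 407/401 challenges and classify the result."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(rec["client"], rec["url"])].append(rec["status"])
    report = {}
    for key, codes in seen.items():
        origin = codes.count(401)        # challenges from the website
        if origin == 0:
            outcome = "unchallenged"
        elif any(c not in (401, 407) for c in codes[codes.index(401):]):
            outcome = "passed"           # origin stopped answering 401
        else:
            outcome = "stuck"            # only challenges after the first 401
        report[key] = {"proxy_407": codes.count(407),
                       "origin_401": origin, "outcome": outcome}
    return report

if __name__ == "__main__":
    for (client, url), info in auth_outcomes(SAMPLE_LOG).items():
        print(client, url, info)
```
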