Squid + Windows domain environment: "Access denied" error when trying to retrieve the URL

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02

Failure symptom:

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://news.163.com/

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

Generated Sat, 14 Feb 2015 03:59:43 GMT by localhost (squid/3.1.10)

Failure time and environment:

The environment is iptables + squid + Windows domain user authentication, built on CentOS 6.6. No transparent proxy is configured.

The failure started at 10:00 in the morning. Suddenly, opening any whitelisted website produced this error.

Troubleshooting process:

This server was built by the previous engineer, and I took it over temporarily. For various reasons, the handover took only two or three hours. As a result, the problem took a long time to solve.

Nothing had been done to the server during this period, and it had been running stably for half a year. I checked for network problems: the squid host could connect to external websites (normal), and domain DNS resolution worked (normal, which ruled out DNS problems).

The server had lost power during a power outage in the machine room the week before. I suspected that some service had failed to start normally, but the services that a Baidu search said need to be running (smb, nmb, ntp, squid, winbind, iptables, krb5kdc) were all found to be started.

I checked all the configuration files and found no changes other than whitelist URLs that had occasionally been added. Everything looked fine.

I continued searching Baidu and found a solution suggested by some users: add a few more DNS servers. It still did not solve the problem.

Because it was the company's busiest time of day and I did not dare delay everyone's work, I temporarily commented out http_access deny all in squid.conf and added http_access allow all, then reloaded squid so that everyone could work normally first.

I continued the analysis. After opening up access, I verified that all users could browse the Internet normally, which indicated that there was no problem with the proxy configuration itself. The problem was probably in account authentication. I checked /var/log/squid/access.log and cache.log, compared them with earlier logs and found nothing unusual, and then was stuck, searching Baidu for a solution. In fact, most of the time was lost because I was unfamiliar with the system. Finally I found that the logs are not kept only by squid; there are also entries in /var/log/message. Searching there, I found that the error had been reported since 10:00.

Error keywords:

libads/kerberos_utils.c:101 (ads_kinit_password)

kerberos_kinit_password [your domain name] failed: Ticket is ineligible for postdating

I found the solution on this page: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Unable-to-join-CPPM-to-a-domain/ta-p/192619

Cause of failure

The clock of the squid server was not consistent with that of the domain server; the difference was 4-5 minutes, and this caused the error. It explains why the service was working normally and then suddenly failed, even though the number of connections was not very high. I calibrated the time and checked again after 10 minutes: the error in /var/log/message had disappeared. I then commented out http_access allow all in the squid configuration file, changed it back to http_access deny all, and reloaded the squid service. Everything was normal.

Fault solution

Correct the time on the squid server and the domain servers. In a production environment, all servers should be synchronized to a single, uniform time server.
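
A check for the two signals described above, written as an added example that is not part of the original post: it counts time-related Kerberos failures in syslog lines and classifies a measured clock offset between the proxy and the domain controller. The 300-second limit is an assumed default tolerance, and the host name, realm, log lines and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample values are constructed.
MAX_SKEW=300   # assumption: Kerberos default clock-skew tolerance, in seconds

# Read syslog text on stdin; print how many Samba/winbind kinit failures
# carry a time-related Kerberos reason.
count_time_failures() {
    awk '/kerberos_kinit_password .* failed: / &&
         /Clock skew too great|Ticket is ineligible for postdating|Ticket not yet valid/ { n++ }
         END { print n + 0 }'
}

# Classify the offset between two epoch timestamps (proxy, domain controller).
# Prints ok, warn (above 80% of the limit) or fail (above the limit).
skew_status() {
    max=${3:-$MAX_SKEW}
    delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then delta=$(( -delta )); fi
    if [ "$delta" -gt "$max" ]; then
        echo fail
    elif [ "$delta" -gt $(( max * 8 / 10 )) ]; then
        echo warn
    else
        echo ok
    fi
}

# Constructed log excerpt in the shape of the errors quoted above.
sample_log() {
cat <<'EOF'
Feb 14 09:58:01 proxy squid[2001]: Squid Parent: child process 2003 started
Feb 14 10:00:12 proxy winbindd[1843]: libads/kerberos_utils.c:101 (ads_kinit_password)
Feb 14 10:00:12 proxy winbindd[1843]:   kerberos_kinit_password PROXY$@EXAMPLE.LOCAL failed: Ticket is ineligible for postdating
Feb 14 10:05:12 proxy winbindd[1843]:   kerberos_kinit_password PROXY$@EXAMPLE.LOCAL failed: Clock skew too great
Feb 14 10:06:40 proxy winbindd[1843]:   kerberos_kinit_password PROXY$@EXAMPLE.LOCAL failed: Preauthentication failed
EOF
}

echo "time-related kinit failures: $(sample_log | count_time_failures)"
echo "proxy 270 s ahead: $(skew_status 1423908000 1423907730)"
echo "proxy 310 s behind: $(skew_status 1423907690 1423908000)"
```

Alerting on the warn state as well as on the log pattern catches a drifting clock before domain authentication starts failing and before anyone is tempted to switch the proxy to http_access allow all.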

Over
