[squid-users] Squid3.x have issue with some sites, squid2.x not.

Beto Moreno pamrtj at gmail.com
Tue Nov 24 00:56:54 UTC 2015


Hi guys.

I am facing an issue with Squid Cache: Version 3.4.10.

For example, these sites:

www.salud.gob.mx
www.issemym.gob.mx

I cannot access these sites.

Now, I have another installation running squid 2.7.x; on that network
I can access those sites without any issue.

With squid 3.x I got this error in logs:

The error log is: TCP_MISS_ABORTED/000.

The browser waits, and after a while you get:

Operation timed out

I have checked my squid settings but don't see any parameter that could cause this:

---begin of config-----
# Proxy authentication: HTTP Basic, checked by the basic_ldap_auth helper
# against the LDAP server at 192.168.2.24:389. The program line below appears
# to have been wrapped across four lines by the mail client.
# NOTE(review): the bind DN password is passed with -w (redacted as ???? here),
# so it is stored in the configuration and visible on the helper's command
# line; basic_ldap_auth also accepts -W <secretfile> to read it from a file
# with restricted permissions.
# NOTE(review): port 389 with no TLS option on the helper presumably means the
# LDAP bind is unencrypted, and Basic credentials are only base64-encoded
# between browser and proxy -- confirm both links run over a trusted segment.
auth_param basic
/usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -v 3 -b
dc=XXX,dc=local -D cn=Manager,dc=XXX,dc=local -w ???? -f uid=%s -u -P
192.168.2.24:389
# Text shown to the user in the browser's credential prompt.
auth_param basic realm Please enter your credentials to access the proxy
# Helper pool: at most 5 helper processes, none started until first needed.
auth_param basic children 5 startup=0 idle=1 concurrency=0
# A verified username/password pair is reused for 300 seconds before the
# helper is asked again, so a password change or lockout in LDAP can take up
# to that long to be enforced at the proxy.
auth_param basic credentialsttl 300 seconds
# Usernames are compared without regard to case.
auth_param basic casesensitive off
# Housekeeping intervals for the in-memory cache of authenticated users.
authenticate_cache_garbage_interval 3600 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
# ACL definitions. These only name sets of clients, users, destinations,
# methods and ports; nothing is allowed or denied until an http_access (or
# similar) rule refers to them.
acl SINDICATO_IPS src  192.168.2.142 192.168.2.143
acl SINDICATO_USRS proxy_auth  smartinez
# Matches any request that carries valid proxy credentials.
acl password proxy_auth  REQUIRED
acl ext_manager src  192.168.2.4
# NOTE(review): the dots in this pattern are unescaped and the alternatives
# are unanchored, so each "." matches any character and the pattern can match
# in the middle of a longer host name. A dstdomain ACL with leading-dot
# entries (".facebook.com") would match exactly these domains and their
# subdomains.
acl blacklist dstdom_regex - -i
(.facebook.com)|(.twitter.com)|(.instagram.com)|(.mozilla.net)|(.skype.com)|(.skypeassets.com)
acl unrestricted_hosts src  192.168.2.1
acl HTTPS proto  HTTPS
acl HTTP proto  HTTP
acl connect method  CONNECT
acl purge method  PURGE
# Ports to which CONNECT tunnels are permitted.
acl sslports port  443 563
# NOTE(review): the range 1025-65535 already contains 3128, 3127, 7653, 9042,
# 9049, 9079-9082 and 10081, so "deny !safeports" only filters the privileged
# ports that are not listed here.
acl safeports port  21 70 80 210 280 443 488 563 591 631 777 901 3128
3127 1025-65535 7653 9042 9049 9079 9080 9081 9082 10081
# Same definition as "all" further down: every source address.
acl allsrc src  ::/0
acl dynamic urlpath_regex  (cgi-bin)|(\?)
acl localnet src  192.168.2.0/24
acl to_localhost dst  ::1 0.0.0.0 127.0.0.0/8
# NOTE(review): besides the loopback addresses this "localhost" ACL contains
# 192.168.2.24, so every rule written for localhost (cache manager, PURGE)
# also applies to requests from that LAN address -- confirm this is intended.
acl localhost src  ::1 127.0.0.1 192.168.2.24
# URLs that address the cache manager interface.
acl manager url_regex - -i (^cache_object://) +i
(^https?://[^/]+/squid-internal-mgr/)
acl all src  ::/0
# Named groups of certificate validation errors, for use in SSL-related rules.
acl ssl::certSelfSigned ssl_error  X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
acl ssl::certUntrusted ssl_error  X509_V_ERR_INVALID_CA
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED
acl ssl::certDomainMismatch ssl_error  SQUID_X509_V_ERR_DOMAIN_MISMATCH
acl ssl::certNotYetValid ssl_error  X509_V_ERR_CERT_NOT_YET_VALID
acl ssl::certHasExpired ssl_error  X509_V_ERR_CERT_HAS_EXPIRED
# X-Forwarded-For sent by clients is never trusted, so the three
# *_uses_indirect_client switches below presumably have nothing to act on.
follow_x_forwarded_for deny all
 acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
# Access rules are evaluated top to bottom and the first matching line decides.
# Cache manager: reachable from the "localhost" ACL (which includes
# 192.168.2.24) and from ext_manager (192.168.2.4), denied for everyone else.
http_access allow manager localhost
 http_access allow manager ext_manager
 http_access deny manager
# PURGE is limited to the "localhost" ACL.
 http_access allow purge localhost
 http_access deny purge
# Refuse destination ports outside safeports, and CONNECT to anything but
# the sslports list.
 http_access deny !safeports
 http_access deny connect !sslports
 http_access deny blacklist
# NOTE(review): the ING_REST_*, REST_* and NOMINA_* ACLs used below are not
# defined anywhere in the pasted configuration, so these rules cannot be
# checked from this dump -- presumably the acl lines were trimmed before
# posting. Each allow needs all three ACLs on its line to match.
 http_access allow ING_REST_USRS ING_REST_IPS ING_REST_SITES
 http_access deny ING_REST_USRS
 http_access allow REST_USRS REST_IPS REST_SITES
 http_access deny REST_USRS REST_IPS
 http_access allow NOMINA_USRS NOMINA_IPS NOMINA_SITES
 http_access deny NOMINA_USRS NOMINA_IPS
# Default deny: any request not allowed above is refused.
 http_access deny allsrc
# Single listening port, bound to 192.168.2.4. No ssl-bump or intercept
# option is set on it.
 http_port 192.168.2.4:3128 name=192.168.2.4:3128 connection-auth=on
# TLS-related settings. The only http_port line in this dump carries no
# ssl-bump option, so the certificate signing and ssl_crtd settings below are
# presumably unused defaults -- confirm.
host_verify_strict off
client_dst_passthru on
ssl_unclean_shutdown off
# 1 selects automatic protocol version negotiation for TLS connections
# squid opens to servers.
sslproxy_version 1
# The parenthesised text on the next three lines looks like an artifact of
# the tool that printed the configuration, not something squid would accept.
sslproxy_cert_sign signUntrusted (sslproxy_cert_sign signUntrusted line)
sslproxy_cert_sign signSelf (sslproxy_cert_sign signSelf line)
sslproxy_cert_sign signTrusted (sslproxy_cert_sign signTrusted line)
# Helper that generates certificates, with its database directory (-s) and a
# 4MB size limit (-M).
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 32 startup=5 idle=1 concurrency=0
sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
# Forwarding retries, cache sizing, logging, FTP behaviour and helper paths.
dead_peer_timeout 10 seconds
forward_max_tries 10
# Memory cache of about 2 GB; objects larger than 256 KB are not kept in it.
cache_mem 2097152000 bytes
maximum_object_size_in_memory 262144 bytes
memory_cache_shared off
memory_cache_mode always
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 bytes
# Disk cache: objects up to 4 MB, 64000 MB under /var/squid/cache.
maximum_object_size 4194304 bytes
cache_dir aufs /var/squid/cache 64000 16 256 IOEngine=DiskThreads
store_dir_select_algorithm least-load
max_open_disk_fds 0
cache_swap_low 96
cache_swap_high 98
# Access log in the native "squid" format. The parenthesised text again looks
# like an artifact of the dump.
access_log /var/squid/logs/access.log squid(access_log
/var/squid/logs/access.log line)
logfile_daemon /usr/local/libexec/squid/log_file_daemon
cache_store_log none
# Keep 14 rotated generations of the logs.
logfile_rotate 14
mime_table /usr/local/etc/squid/mime.conf
# Request and reply headers are not written to the access log.
log_mime_hdrs off
pid_filename /var/run/squid/squid.pid
# All-ones mask: client addresses are logged in full, not truncated.
client_netmask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# Query strings are removed from logged URLs. This keeps tokens and other
# parameters out of access.log, at the cost of less detail when investigating
# a single request.
strip_query_terms on
buffered_logs off
netdb_filename /var/squid/logs/netdb.state
# cache.log receives squid's own diagnostics. debug_options sets only the
# rotation count here; no debug section or level is given.
cache_log /var/squid/logs/cache.log
debug_options rotate=14
coredump_dir none
# Password string sent for anonymous FTP logins.
ftp_user Squid@
ftp_passive on
ftp_epsv_all off
ftp_epsv on
ftp_eprt on
ftp_sanitycheck on
ftp_telnet_protocol on
# External helper binaries. The ICMP pinger is configured but disabled.
diskd_program /usr/local/libexec/squid/diskd
unlinkd_program /usr/local/libexec/squid/unlinkd
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
pinger_enable off

# URL rewriter and store-ID helper pools, caching policy, message size
# limits, timeouts and the proxy's own identity. No url_rewrite_program or
# store_id_program appears in this dump.
url_rewrite_children 20 startup=0 idle=1 concurrency=0
url_rewrite_host_header on
url_rewrite_bypass off

store_id_children 20 startup=0 idle=1 concurrency=0
store_id_bypass on
# URLs containing "cgi-bin" or "?" are never cached; everything else may be.
cache deny dynamic
 cache allow all
 max_stale 604800 seconds
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
read_ahead_gap 16384 bytes
negative_ttl 0 seconds
positive_dns_ttl 21600 seconds
negative_dns_ttl 15 seconds
minimum_expiry_time 60 seconds
store_avg_object_size 13312 bytes
store_objects_per_bucket 20
# Header blocks are capped at 64 KB in each direction; a request body size of
# 0 means no limit is enforced.
request_header_max_size 65536 bytes
reply_header_max_size 65536 bytes
request_body_max_size 0 bytes
client_request_buffer_max_size 524288 bytes
chunked_request_body_max_size 65536 bytes
adaptation_uses_indirect_client on
# A Via header is added to forwarded messages, which tells origin servers
# that a proxy is in the path.
via on
ie_refresh off
vary_ignore_expire off
request_entities off
# Malformed HTTP headers are tolerated instead of rejected.
relaxed_header_parser on
# Timeouts that apply while contacting and reading from origin servers, then
# those that apply to the client side.
forward_timeout 240 seconds
connect_timeout 60 seconds
peer_connect_timeout 30 seconds
read_timeout 900 seconds
write_timeout 900 seconds
request_timeout 300 seconds
client_idle_pconn_timeout 120 seconds
client_lifetime 86400 seconds
half_closed_clients off
server_idle_pconn_timeout 60 seconds
ident_timeout 10 seconds
shutdown_lifetime 3 seconds
# Administrator address shown on error pages (redacted by the poster).
cache_mgr XXXX at XXXX . com
mail_program mail
# After start-up squid runs as the unprivileged user and group "proxy".
cache_effective_user proxy
cache_effective_group proxy
# The squid version is left out of headers and error pages.
httpd_suppress_version_string on
visible_hostname fw XX XX local
# Presumably printed in decimal: 23 decimal is octal 027 -- confirm.
umask 23
announce_period 31536000 seconds
announce_host tracker.ircache.net
announce_port 3131
httpd_accel_surrogate_id fw XXX  local
http_accel_surrogate_remote off
# Remaining settings: delay pools, WCCP, cache digests, SNMP/ICP/HTCP,
# ICAP/eCAP adaptation, DNS, and miscellaneous tuning.
# One class-2 delay pool applied to every client; -1/-1 means no bandwidth
# limit for either the aggregate or the per-host bucket.
delay_pools 1
delay_class 1 2
delay_access 1 allow allsrc
 delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
client_delay_initial_bucket_level 50
# WCCP values with no router address set.
wccp_router ::
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_assignment_method hash
wccp2_service standard 0
wccp2_weight 10000
wccp_address 0.0.0.0
wccp2_address 0.0.0.0
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
detect_broken_pconn off
digest_generation on
digest_bits_per_entry 5
digest_rebuild_period 3600 seconds
digest_rewrite_period 3600 seconds
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10
# Port 0 disables the SNMP, ICP and HTCP listeners.
snmp_port 0
snmp_incoming_address ::
snmp_outgoing_address ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
icp_port 0
htcp_port 0
log_icp_queries off
udp_incoming_address ::
udp_outgoing_address ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
icp_hit_stale off
minimum_direct_hops 4
minimum_direct_rtt 400
netdb_low 900
netdb_high 1000
netdb_ping_period 300 seconds
query_icmp off
test_reachability off
icp_query_timeout 0
maximum_icp_query_timeout 2000
minimum_icp_query_timeout 5
background_ping_rate 10 seconds
mcast_icp_query_timeout 2000
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
global_internal_static on
short_icon_urls on
error_default_language en
error_log_languages on
err_page_stylesheet /usr/local/etc/squid/errorpage.css
err_html_text
email_err_data on
nonhierarchical_direct on
prefer_direct off
cache_miss_revalidate on
incoming_udp_average 6
incoming_tcp_average 4
incoming_dns_average 4
min_udp_poll_cnt 8
min_dns_poll_cnt 8
min_tcp_poll_cnt 8
client_ip_max_connections -1
tcp_recv_bufsize 0 bytes
# Content adaptation (ICAP and eCAP) is switched off; the icap_* values
# below are therefore not in use.
icap_enable off
icap_connect_timeout 0 seconds
icap_io_timeout 0 seconds
icap_service_failure_limit 10
icap_service_revival_delay 180
icap_preview_enable on
icap_preview_size -1
icap_206_enable on
icap_default_options_ttl 60
icap_persistent_connections on
adaptation_send_client_ip off
adaptation_send_username off
icap_client_username_header X-Client-Username
icap_client_username_encode off
ecap_enable off
adaptation_service_iteration_limit 16
icap_retry deny all
 icap_retry_limit 0
check_hostnames off
allow_underscore on
# DNS resolver behaviour: 5 s between retransmits, 30 s before a lookup is
# given up, IPv4 addresses tried before IPv6.
dns_retransmit_interval 5 seconds
dns_timeout 30 seconds
dns_packet_max 0 bytes
dns_defnames off
dns_multicast_local off
hosts_file /etc/hosts
ignore_unknown_nameservers on
dns_v4_first on
ipcache_size 8192
ipcache_low 96
ipcache_high 98
fqdncache_size 8192
configuration_includes_quoted_values off
memory_pools on
memory_pools_limit 5242880 bytes
# NOTE(review): the client's address is appended to X-Forwarded-For on
# outgoing requests, which discloses internal 192.168.2.x addresses to origin
# servers; "forwarded_for delete" or "transparent" avoids that if it is not
# wanted.
forwarded_for on
# NOTE(review): "none all" lets every cache manager action run without a
# password, so the http_access manager rules are the only protection for that
# interface.
cachemgr_passwd none all
client_db on
refresh_all_ims off
reload_into_ims off
# Failed connection attempts and error responses are not retried.
connect_retries 0
retry_on_error off
as_whois_server whois.ra.net
offline_mode off
uri_whitespace strip
balance_on_multiple_ip off
pipeline_prefetch 0
high_response_time_warning 0
high_page_fault_warning 0
sleep_after_fork 0
eui_lookup on
max_filedescriptors 0
workers 1
----------end of config------

Can someone help debugging this issue?
Any help will be appreciated, thanks.

