[squid-users] Some websites don't work with squid anymore

Yuri yvoinov at gmail.com
Mon Jun 27 14:38:10 UTC 2016


Yet another non-porn site: reddit.com

Let's check.

root @ cthulhu / # dig reddit.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21722
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.             86398   IN      A       198.41.209.143
reddit.com.             86398   IN      A       198.41.208.138
reddit.com.             86398   IN      A       198.41.209.136
reddit.com.             86398   IN      A       198.41.209.139
reddit.com.             86398   IN      A       198.41.208.141
reddit.com.             86398   IN      A       198.41.208.137
reddit.com.             86398   IN      A       198.41.208.139
reddit.com.             86398   IN      A       198.41.208.143
reddit.com.             86398   IN      A       198.41.208.140
reddit.com.             86398   IN      A       198.41.209.137
reddit.com.             86398   IN      A       198.41.209.138
reddit.com.             86398   IN      A       198.41.209.140
reddit.com.             86398   IN      A       198.41.209.141
reddit.com.             86398   IN      A       198.41.208.142
reddit.com.             86398   IN      A       198.41.209.142

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 27 20:32:22 ALMT 2016
;; MSG SIZE  rcvd: 268

root @ cthulhu / # ping reddit.com
reddit.com is alive

Seems all ok, right?

Well, let's check TCP connectivity:

Test with telnet:
root @ cthulhu / # telnet reddit.com 443
Trying 198.41.208.142...
Connected to reddit.com.
Escape character is '^]'.
^C^]
telnet>

I.e., the TCP socket opens.

root @ cthulhu / # wget -S http://reddit.com
--2016-06-27 20:33:13--  http://reddit.com/
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
   HTTP/1.1 301 Moved Permanently
   Date: Mon, 27 Jun 2016 14:33:13 GMT
   Set-Cookie: __cfduid=d486371096ba68bc7f5ba663e5d723bf21467037993; 
expires=Tue, 27-Jun-17 14:33:13 GMT; path=/; domain=.reddit.com; HttpOnly
   Location: https://www.reddit.com/
   X-Content-Type-Options: nosniff
   Server: cloudflare-nginx
   CF-RAY: 2b999ce3a5854f08-DME
   Via: ICAP/1.0 cthulhu (C-ICAP/0.4.3 SquidClamav/Antivirus service )
   X-Cache: MISS from cthulhu
   X-Cache-Lookup: MISS from cthulhu:3128
   Transfer-Encoding: chunked
   Connection: keep-alive
Location: https://www.reddit.com/ [following]
--2016-06-27 20:33:13--  https://www.reddit.com/
Connecting to 127.0.0.1:3128... connected.

... and then a long, long wait for who knows what ...


Browser says: ERR_TIMED_OUT


How to explain this?

27.06.2016 20:32, Amos Jeffries wrote:
> [ Please reply to the mailing list. I don't do private support except for
> paying customers. And you have not arranged for that in advance. ]
>
> On 28/06/2016 2:06 a.m., Adam Wright wrote:
>> - Ok, ISP will see my http traffic, but will the ISP see which websites I'm
>> surfing?
> If anyone can see HTTP traffic they can see what the traffic is about.
>
>
>> - Browser is using the proxy. But access.log only shows the websites which
>> the browser connected successfully. For example I see cisco.com which I
>> entered minutes ago for Yuri.
>>
>> 1467035091.072  15004 85.107.208.29 TCP_MISS/200 246 CONNECT
>> supportforums.cisco.com:443 yeni DIRECT/141.101.115.192
> The proxy log records every transaction through the proxy, at the time
> that transaction completed. Whether it succeeded or not. Anything that
> gets started is prone to being logged.
>
> In the case above it was a CONNECT tunnel transferring some TLS wrapped
> protocol - probably HTTPS, SPDY or WebSockets on port 443. It took
> 15.004 seconds to do whatever took 246 bytes to transfer.
>
> So nothing in the log indicates either that the browser is *not* using the
> proxy for those transactions, or that they are still ongoing as far as Squid
> is concerned.
>
> It could be a case of the browser using SPDY, QUIC or WebSockets protocols
> instead of HTTP inside a TLS tunnel, or directly without the proxy.
> Particularly if Chrome is involved.
>
> The case of ongoing connections is unfortunate. You can tune Squid
> timeouts somewhat to make the proxy more sensitive and do its failover
> to working destinations faster. But otherwise it's a browser-specific
> problem that can only be fixed by the browser.
>
> It might be that whatever was happening inside that tunnel above got
> stuck and timed out. To Squid the tunnel is opaque, so any type of error
> in there is strictly between the browser and server.
>
> The tiny size on that log entry makes me suspect it's the TLS handshake
> hanging and a 15sec timeout somewhere closes it down. If so the issue is
> not Squid, it's whatever in the server or browser is causing the TLS to hang.
>
>> - Right now I'm using maxthon, it also says "Error code 101
>> (net::ERR_CONNECTION_RESET)" while I try to connect to those xxx websites.
>>
> That seems to mean the proxy is closing the connection. But that would
> mean the proxy is aware of it ending and would record in the log what
> transaction finished with aborting the connection.
>
> If there is no log record, that's a very strong sign that the browser is not
> using the proxy for that request.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
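The telnet and wget steps above show the TCP socket to the origin opening while the HTTPS request through the proxy stalls with no further detail. The following is an added example, not code from this thread or from the Squid project: it sends a CONNECT through a proxy with an explicit timeout, then starts a TLS handshake inside the tunnel, and reports which stage stalled (no CONNECT reply, a non-200 reply, or a tunnel that comes up but never answers the handshake). The function names probe_connect and start_fake_proxy are my own; the fake proxy listener is a constructed stand-in so the probe can be exercised offline, it is not Squid. The proxy address 127.0.0.1:3128 and the www.reddit.com hostname in the usage comment are taken from the post.

```python
import socket
import ssl
import threading


def _read_headers(conn, limit=65536):
    """Read until the blank line that ends an HTTP header block, or until EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) > limit:
            break
        buf += chunk
    return buf


def probe_connect(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Reproduce 'wget https://... via proxy' one stage at a time.

    Returns (outcome, detail) where outcome is one of:
      "ok"        CONNECT answered 200 and the TLS handshake inside the tunnel completed
      "refused"   proxy answered CONNECT with a non-200 status (detail = status line)
      "timeout"   nothing arrived within `timeout` (detail = the stage that stalled)
      "closed"    peer closed or reset the socket (detail = stage)
      "tls-error" tunnel is up but the TLS layer failed (detail = stage and reason)
    """
    stage = "tcp-connect"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.settimeout(timeout)
            stage = "connect-response"
            s.sendall((f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                       f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii"))
            raw = _read_headers(s)
            if b"\r\n\r\n" not in raw:
                return ("closed", stage)
            status = raw.split(b"\r\n", 1)[0].decode("latin-1")
            parts = status.split()
            if len(parts) < 2 or parts[1] != "200":
                return ("refused", status)
            # Tunnel established: now the TLS handshake that the browser would start.
            stage = "tls-handshake"
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(s, server_hostname=target_host) as tls:
                return ("ok", tls.version())
    except socket.timeout:
        return ("timeout", stage)
    except ssl.SSLError as e:
        return ("tls-error", f"{stage}: {e.reason or e}")
    except OSError:
        return ("closed", stage)


def start_fake_proxy(behaviour):
    """Constructed stand-in for the proxy side (not Squid), for offline runs.

    behaviour: "hang"         never answer the CONNECT
               "refuse"       answer 403 and close
               "tunnel-hang"  answer 200, then stay silent (a handshake that never completes)
               "tunnel-close" answer 200, then close the socket
    Returns the port bound on 127.0.0.1.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.settimeout(30)
            _read_headers(conn)
            if behaviour == "refuse":
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                return
            if behaviour.startswith("tunnel"):
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if behaviour in ("hang", "tunnel-hang"):
                try:
                    while conn.recv(4096):  # swallow the client's bytes, answer nothing
                        pass
                except OSError:
                    pass

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # e.g.  python probe_connect.py 127.0.0.1 3128 www.reddit.com
    print(probe_connect(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run against the real proxy, a ("timeout", "connect-response") means Squid itself never answered the CONNECT; ("timeout", "tls-handshake") means the tunnel was established and the stall is inside it, between client and origin, which is the case Amos describes as opaque to Squid.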
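Amos's reading of the access.log entry (logged only when the transaction ends, elapsed time in milliseconds, a tiny byte count on a 15 second CONNECT) suggests a simple triage over the whole log. This is an added example, not from the thread or from Squid: it parses native-format access.log lines and flags CONNECT tunnels that stayed open a long time but moved almost no data, the hung-handshake pattern he describes, then counts stalled versus healthy tunnels per destination. The sample lines are constructed for the example, modelled on the single line quoted in the thread; the function names and the thresholds are my own assumptions and should be tuned to the site.

```python
import re

# Squid native access.log layout (whitespace separated):
# timestamp elapsed_ms client result/status bytes method url user hierarchy/peer [content-type]
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
    r"(?:\s+(?P<ctype>\S+))?\s*$"
)

# Constructed sample log; the first line is the entry quoted in the thread.
SAMPLE_LOG = """\
1467035091.072  15004 85.107.208.29 TCP_MISS/200 246 CONNECT supportforums.cisco.com:443 yeni DIRECT/141.101.115.192
1467035100.311    412 85.107.208.29 TCP_MISS/200 58211 CONNECT www.cisco.com:443 yeni DIRECT/72.163.4.161 -
1467035102.900    305 85.107.208.29 TCP_MISS/200 301 CONNECT ocsp.example.net:443 yeni DIRECT/203.0.113.10 -
1467037993.880  60012 127.0.0.1 TCP_MISS/200 0 CONNECT www.reddit.com:443 - DIRECT/198.41.208.142 -
1467037993.100    123 127.0.0.1 TCP_MISS/301 612 GET http://reddit.com/ - DIRECT/198.41.208.142 text/html
"""


def parse_line(line):
    """Return one access.log line as a dict, or None if it is not native format."""
    m = _LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    finished = float(d["ts"])
    elapsed = int(d["elapsed"])
    return {
        "finished_at": finished,
        # Squid writes the line when the transaction ends, so the start is derived.
        "started_at": finished - elapsed / 1000.0,
        "elapsed_ms": elapsed,
        "client": d["client"],
        "result": d["result"],
        "status": int(d["status"]),
        "bytes": int(d["bytes"]),
        "method": d["method"],
        "url": d["url"],
        "peer": d["peer"],
    }


def suspect_tunnels(lines, min_elapsed_ms=10000, max_bytes=1024):
    """CONNECT tunnels that ran at least min_elapsed_ms yet carried at most max_bytes.

    A fast, small tunnel (an OCSP check, a redirect) is normal; a long, small one
    usually means the handshake inside the tunnel never completed.
    """
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "CONNECT":
            continue
        if e["elapsed_ms"] >= min_elapsed_ms and e["bytes"] <= max_bytes:
            out.append(e)
    out.sort(key=lambda e: e["elapsed_ms"], reverse=True)
    return out


def summarize_by_destination(lines, **thresholds):
    """Per CONNECT destination: how many tunnels looked stalled out of how many seen."""
    stalled_urls = [e["url"] for e in suspect_tunnels(lines, **thresholds)]
    summary = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "CONNECT":
            continue
        row = summary.setdefault(e["url"], {"stalled": 0, "total": 0})
        row["total"] += 1
    for url in stalled_urls:
        summary[url]["stalled"] += 1
    return summary


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for e in suspect_tunnels(lines):
        print(f"{e['elapsed_ms']:>7} ms {e['bytes']:>6} B  {e['url']:<32} via {e['peer']}")
    for url, row in sorted(summarize_by_destination(lines).items()):
        print(f"{url:<32} stalled {row['stalled']}/{row['total']}")
```

With a real log, run it as `python triage.py /var/log/squid/access.log`; destinations where every tunnel is stalled and tiny are the ones to test with a direct TLS handshake from the proxy host, since, as Amos notes, Squid cannot see what failed inside the tunnel.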
