[squid-users] Some websites doesn't work with squid anymore

Yuri yvoinov at gmail.com
Mon Jun 27 14:38:10 UTC 2016

Yet another non-porn site: reddit.com

Let's check.

root @ cthulhu / # dig reddit.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21722
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0

;reddit.com.                    IN      A

reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A
reddit.com.             86398   IN      A

;; Query time: 0 msec
;; WHEN: Mon Jun 27 20:32:22 ALMT 2016
;; MSG SIZE  rcvd: 268

root @ cthulhu / # ping reddit.com
reddit.com is alive

Seems all ok, right?

Well, le'ts check TCP connectivity:

Test with telnet:
root @ cthulhu / # telnet reddit.com 443
Connected to reddit.com.
Escape character is '^]'.

I.e., tcp socket opens.

root @ cthulhu / # wget -S http://reddit.com
--2016-06-27 20:33:13--  http://reddit.com/
Connecting to connected.
Proxy request sent, awaiting response...
   HTTP/1.1 301 Moved Permanently
   Date: Mon, 27 Jun 2016 14:33:13 GMT
   Set-Cookie: __cfduid=d486371096ba68bc7f5ba663e5d723bf21467037993; 
expires=Tue, 27-Jun-17 14:33:13 GMT; path=/; domain=.reddit.com; HttpOnly
   Location: https://www.reddit.com/
   X-Content-Type-Options: nosniff
   Server: cloudflare-nginx
   CF-RAY: 2b999ce3a5854f08-DME
   Via: ICAP/1.0 cthulhu (C-ICAP/0.4.3 SquidClamav/Antivirus service )
   X-Cache: MISS from cthulhu
   X-Cache-Lookup: MISS from cthulhu:3128
   Transfer-Encoding: chunked
   Connection: keep-alive
Location: https://www.reddit.com/ [following]
--2016-06-27 20:33:13--  https://www.reddit.com/
Connecting to connected.

.... and long-long time waiting for unknown.......

Browser says: ERR_TIMED_OUT

How to explain this?

27.06.2016 20:32, Amos Jeffries пишет:
> [ Please reply to the mailing list I dont do private support except for
> paying customers. And you have not arranged for that in advance. ]
> On 28/06/2016 2:06 a.m., Adam Wright wrote:
>> - Ok, ISP will see my http traffic, but will the ISP see which websites I'm
>> surfing?
> If anyone can see HTTP traffic they can see what the traffic is about.
>> - Browser is using the proxy. But access.log only shows the websites which
>> the browser connected successfully. For example I see cisco.com which I
>> entered minutes ago for Yuri.
>> 1467035091.072  15004 TCP_MISS/200 246 CONNECT
>> supportforums.cisco.com:443 yeni DIRECT/
> The proxy log records every transaction through the proxy, at the time
> that transaction completed. Whether it succeeded or not. Anything that
> get started is prone to being logged.
> In the case above it was a CONNECT tunnel transferring some TLS wrapped
> protocol - probably HTTPS, SPDY or WebSockets on port 443. It took
> 15.004 seconds to do whatever took 246 bytes to transfer.
> So nothing in the log indicates either the browser is *not* using the
> proxy for those transactions, or they are still ongoing as far as Squid
> is concerned.
> It could be a case of browser using SPDY, QUICK or WebSockets protocols
> instead of HTTP inside a TLS tunnel, or directly without the proxy.
> Particularly if Chrome is involved.
> The case of ongoing connections is unfortunate. You can tune Squid
> timeouts somewhat to make the proxy more sensitive and do its failover
> to working destinations faster. But otherwise its a browser specific
> problem that can only be fixed by the browser.
> It might be that whatever was happening inside that tunnel above got
> stuck and timed out. To Squid the tunnel is opaque, so any type of error
> in there is strictly between the browser and server.
> The tiny size on that log entry makes me suspect its TLS handshake
> hanging and a 15sec timeout somewhere closes it down. If so the issue is
> not Squid, its whatever in the server or browser is causing the TLS to hang.
>> - Right now I'm using maxthon, it also says "Error code 101
>> (net::ERR_CONNECTION_RESET)" while I try to connect to those xxx websites.
> That seems to mean the proxy is closing the connection. But that would
> mean the proxy is aware of it ending and record in the log what
> transaction finished with aborting the connection.
> If there no log record, thats a very strong sign that the browser is not
> using the proxy for that request.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160627/ce190e22/attachment.html>

More information about the squid-users mailing list