[squid-users] Some websites doesn't work with squid anymore
yvoinov at gmail.com
Mon Jun 27 14:38:10 UTC 2016
Yet another non-porn site: reddit.com
root @ cthulhu / # dig reddit.com
; <<>> DiG 9.6-ESV-R11-P6 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21722
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;reddit.com. IN A
;; ANSWER SECTION:
reddit.com. 86398 IN A 22.214.171.124
reddit.com. 86398 IN A 126.96.36.199
reddit.com. 86398 IN A 188.8.131.52
reddit.com. 86398 IN A 184.108.40.206
reddit.com. 86398 IN A 220.127.116.11
reddit.com. 86398 IN A 18.104.22.168
reddit.com. 86398 IN A 22.214.171.124
reddit.com. 86398 IN A 126.96.36.199
reddit.com. 86398 IN A 188.8.131.52
reddit.com. 86398 IN A 184.108.40.206
reddit.com. 86398 IN A 220.127.116.11
reddit.com. 86398 IN A 18.104.22.168
reddit.com. 86398 IN A 22.214.171.124
reddit.com. 86398 IN A 126.96.36.199
reddit.com. 86398 IN A 188.8.131.52
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 27 20:32:22 ALMT 2016
;; MSG SIZE rcvd: 268
root @ cthulhu / # ping reddit.com
reddit.com is alive
Seems all ok, right?
Well, let's check TCP connectivity:
Test with telnet:
root @ cthulhu / # telnet reddit.com 443
Connected to reddit.com.
Escape character is '^]'.
I.e., tcp socket opens.
root @ cthulhu / # wget -S http://reddit.com
--2016-06-27 20:33:13-- http://reddit.com/
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Jun 2016 14:33:13 GMT
expires=Tue, 27-Jun-17 14:33:13 GMT; path=/; domain=.reddit.com; HttpOnly
Via: ICAP/1.0 cthulhu (C-ICAP/0.4.3 SquidClamav/Antivirus service )
X-Cache: MISS from cthulhu
X-Cache-Lookup: MISS from cthulhu:3128
Location: https://www.reddit.com/ [following]
--2016-06-27 20:33:13-- https://www.reddit.com/
Connecting to 127.0.0.1:3128... connected.
.... and long-long time waiting for unknown.......
Browser says: ERR_TIMED_OUT
How to explain this?
27.06.2016 20:32, Amos Jeffries wrote:
> [ Please reply to the mailing list. I don't do private support except for
> paying customers. And you have not arranged for that in advance. ]
> On 28/06/2016 2:06 a.m., Adam Wright wrote:
>> - Ok, ISP will see my http traffic, but will the ISP see which websites I'm
> If anyone can see HTTP traffic they can see what the traffic is about.
>> - Browser is using the proxy. But access.log only shows the websites which
>> the browser connected successfully. For example I see cisco.com which I
>> entered minutes ago for Yuri.
>> 1467035091.072 15004 184.108.40.206 TCP_MISS/200 246 CONNECT
>> supportforums.cisco.com:443 yeni DIRECT/220.127.116.11
> The proxy log records every transaction through the proxy, at the time
> that transaction completed. Whether it succeeded or not. Anything that
> gets started is prone to being logged.
> In the case above it was a CONNECT tunnel transferring some TLS wrapped
> protocol - probably HTTPS, SPDY or WebSockets on port 443. It took
> 15.004 seconds to do whatever took 246 bytes to transfer.
> So nothing in the log indicates either the browser is *not* using the
> proxy for those transactions, or they are still ongoing as far as Squid
> is concerned.
> It could be a case of browser using SPDY, QUIC or WebSockets protocols
> instead of HTTP inside a TLS tunnel, or directly without the proxy.
> Particularly if Chrome is involved.
> The case of ongoing connections is unfortunate. You can tune Squid
> timeouts somewhat to make the proxy more sensitive and do its failover
> to working destinations faster. But otherwise it's a browser-specific
> problem that can only be fixed by the browser.
> It might be that whatever was happening inside that tunnel above got
> stuck and timed out. To Squid the tunnel is opaque, so any type of error
> in there is strictly between the browser and server.
> The tiny size on that log entry makes me suspect it's TLS handshake
> hanging and a 15sec timeout somewhere closes it down. If so the issue is
> not Squid, it's whatever in the server or browser is causing the TLS to hang.
>> - Right now I'm using maxthon, it also says "Error code 101
>> (net::ERR_CONNECTION_RESET)" while I try to connect to those xxx websites.
> That seems to mean the proxy is closing the connection. But that would
> mean the proxy is aware of it ending and record in the log what
> transaction finished with aborting the connection.
> If there is no log record, that's a very strong sign that the browser is not
> using the proxy for that request.
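The reading of the access.log entry given in the quoted reply (246 bytes over 15.004 seconds on a CONNECT tunnel), turned into a log triage check. This is an added example, not part of the original messages or of Squid itself; the thresholds, the function names and every sample line other than the cisco.com entry are assumptions.

```python
"""Flag Squid CONNECT tunnels that stayed open long but moved almost no data."""
from typing import Iterable, Iterator, NamedTuple, Optional

# Assumed thresholds (not from the thread); tune them for your own traffic.
MIN_ELAPSED_MS = 10_000  # tunnel lasted at least 10 s
MAX_BYTES = 1_000        # yet at most 1000 bytes were delivered to the client


class Entry(NamedTuple):
    elapsed_ms: int
    client: str
    status: int   # HTTP status Squid returned to the client
    size: int     # bytes delivered to the client
    method: str
    target: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None if it is malformed."""
    f = line.split()
    try:
        # Fields: time elapsed client result/status bytes method URL ...
        return Entry(int(f[1]), f[2], int(f[3].partition("/")[2]),
                     int(f[4]), f[5], f[6])
    except (IndexError, ValueError):
        return None


def suspect_tunnels(lines: Iterable[str]) -> Iterator[Entry]:
    """Yield established CONNECT tunnels that look like a stalled handshake."""
    for e in map(parse_line, lines):
        if (e and e.method == "CONNECT" and e.status == 200
                and e.elapsed_ms >= MIN_ELAPSED_MS and e.size <= MAX_BYTES):
            yield e


# Constructed sample. Line 1 is the entry quoted in the thread (joined onto one
# line); the remaining lines are invented for contrast.
SAMPLE = """\
1467035091.072 15004 184.108.40.206 TCP_MISS/200 246 CONNECT supportforums.cisco.com:443 yeni DIRECT/220.127.116.11
1467035120.500 42310 192.0.2.10 TCP_MISS/200 583211 CONNECT busy.example:443 - HIER_DIRECT/198.51.100.7 -
1467035130.001 120 192.0.2.10 TCP_MISS/301 512 GET http://reddit.com/ - HIER_DIRECT/198.51.100.9 text/html
not a log line
""".splitlines()

if __name__ == "__main__":
    for e in suspect_tunnels(SAMPLE):
        print(f"{e.target} via {e.client}: {e.size} B in {e.elapsed_ms / 1000:.3f} s")
```

A hit only says the tunnel was established and then went quiet; since the tunnel is opaque to Squid, the cause still has to be found on the client or server side.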