[squid-users] Two connections per client

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 16 12:57:37 UTC 2016


On 17/03/2016 1:25 a.m., Chris Nighswonger wrote:
> On Wed, Mar 16, 2016 at 1:03 AM, Amos Jeffries wrote:
> 
>> On 16/03/2016 12:38 p.m., Chris Nighswonger wrote:
>>> Why does netstat show two connections per client connection to Squid:
>>>
>>> tcp        0      0 127.0.0.1:3128          127.0.0.1:34167
>>> ESTABLISHED
>>> tcp        0      0 127.0.0.1:34167         127.0.0.1:3128
>>> ESTABLISHED
>>>
>>> In this case, there is a content filter running in front of Squid on the
>>> same box. The same netstat command filtered on the content filter port
>>> shows only one connection per client:
>>>
>>> tcp        0      0 192.168.x.x:8080      192.168.x.y:1310
>>> ESTABLISHED
>>>
>>
>> Details of your Squid configuration are needed to answer that.
>>
> 
> 
> Here it is. I've stripped out all of the acl lines to reduce the length:
> 
> tcp_outgoing_address 184.x.x.x
> http_port 127.0.0.1:3128

It would seem that it is not Squid making those connections outbound
from 127.0.0.1:3128. Squid uses that 184.x.x.x address with random
source ports for *all* its outbound connections.

You don't seem to have NAT involved anywhere, which was my main
suspicion. Forwarding loops via NAT rules can show up as this type of thing.


> hierarchy_stoplist cgi-bin ?

stoplist is obsolete. You can remove it.

> cache_mem 4 GB
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 200 KB
> cache_dir aufs /var/cache/squid3 375000 65 256
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> cache_store_log none
> cachemgr_passwd SuperSecretPW all
> debug_options ALL,1
> auth_param basic program /usr/lib/squid3/basic_ldap_auth <connection
> parameters go here>
> auth_param basic children 60
> auth_param basic realm Campus Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> forwarded_for truncate
> follow_x_forwarded_for allow all

This is bad. It allows any of your clients to forge XFF headers and get
data of their choice added to your logs.

follow_x_forwarded_for should *only* allow your frontend software's IPs
to be 'followed'.


> log_uses_indirect_client on
> http_reply_access allow all
> icp_access allow all
> cache_mgr support at organization.tld
> store_avg_object_size 20 KB
> coredump_dir /var/spool/squid3
> client_persistent_connections on
> server_persistent_connections on
> persistent_connection_after_error on
> visible_hostname gateway.intranet.organization.tld
> negative_ttl 5 minutes
> negative_dns_ttl 1 minutes
> cache_effective_user proxy
> cache_effective_group proxy
> 

Quite a few of the above settings are defaults and defaults do not need
to be configured for Squid-3. If you have some time you might want to go
through and remove the unnecessary ones.

Amos
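As an added illustration of the follow_x_forwarded_for point above (this is not Squid's code and not part of the thread): a small Python model of how Squid backtracks right-to-left through X-Forwarded-For, comparing the address that ends up in access.log under `allow all` with the one logged when only the frontend is trusted. All addresses are constructed sample values; the frontend is assumed to be 127.0.0.1, the content filter on the same box.

```python
# Constructed model of Squid's follow_x_forwarded_for backtracking.
# Not Squid source; all addresses below are made-up sample values.
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

def indirect_client(direct_client: str, xff: Optional[str],
                    trusted: Iterable[str]) -> str:
    """Return the address Squid would log with log_uses_indirect_client on.

    direct_client: peer address of the TCP connection that reached Squid.
    xff: raw X-Forwarded-For value (comma separated, rightmost = newest).
    trusted: networks matched by the 'allow' line of follow_x_forwarded_for.
    Squid walks the header from the right and stops at the first hop that
    the ACL does not allow; that hop is the 'indirect client'.
    """
    nets = [ip_network(n, strict=False) for n in trusted]

    def allowed(addr: str) -> bool:
        try:
            ip = ip_address(addr)
        except ValueError:
            return False  # 'unknown' or garbage never matches a src ACL
        return any(ip in n for n in nets)

    current = direct_client
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and allowed(current):
        current = hops.pop()  # the hop that handed the request to 'current'
    return current

# Constructed scenario: the content filter (FRONTEND) appends the real
# client address to whatever X-Forwarded-For the client already sent.
FRONTEND = "127.0.0.1"        # hypothetical frontend on the same box
REAL_CLIENT = "192.168.1.10"  # hypothetical real browser address
FORGED = "10.0.0.99"          # value the client put in its own XFF header

def demo():
    header = f"{FORGED}, {REAL_CLIENT}"
    # 'follow_x_forwarded_for allow all' (IPv4 only in this model)
    lax = indirect_client(FRONTEND, header, ["0.0.0.0/0"])
    # 'acl frontend src 127.0.0.1' + 'follow_x_forwarded_for allow frontend'
    strict = indirect_client(FRONTEND, header, [FRONTEND])
    return lax, strict  # ('10.0.0.99', '192.168.1.10')

if __name__ == "__main__":
    print("allow all logs:     ", demo()[0])
    print("allow frontend logs:", demo()[1])
```

With `allow all` the leftmost, client-supplied value is what gets logged; restricting the ACL to the frontend stops the walk at the first address the frontend itself saw.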

