[squid-users] Two connections per client

Chris Nighswonger cnighswonger at foundations.edu
Wed Mar 16 15:56:52 UTC 2016


On Wed, Mar 16, 2016 at 10:44 AM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 17/03/2016 3:03 a.m., Chris Nighswonger wrote:
> > On Wed, Mar 16, 2016 at 9:07 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
> >
> >> On 17/03/2016 1:57 a.m., Amos Jeffries wrote:
> >>> On 17/03/2016 1:25 a.m., Chris Nighswonger wrote:
> >>>> On Wed, Mar 16, 2016 at 1:03 AM, Amos Jeffries wrote:
> >>>>
> >>>>> On 16/03/2016 12:38 p.m., Chris Nighswonger wrote:
> >>>>>> Why does netstat show two connections per client connection to Squid:
> >>>>>>
> >>>>>> tcp        0      0 127.0.0.1:3128          127.0.0.1:34167
> >>>>>> ESTABLISHED
> >>>>>> tcp        0      0 127.0.0.1:34167         127.0.0.1:3128
> >>>>>> ESTABLISHED
> >>>>>>
> >>>>>> In this case, there is a content filter running in front of Squid on the
> >>>>>> same box. The same netstat command filtered on the content filter port
> >>>>>> shows only one connection per client:
> >>>>>>
> >>>>>> tcp        0      0 192.168.x.x:8080      192.168.x.y:1310       ESTABLISHED
> >>>>>>
> >>>>>
> >>>>> Details of your Squid configuration are needed to answer that.
> >>>>>
> >>>>
> >>>>
> >>>> Here it is. I've stripped out all of the acl lines to reduce the length:
> >>>>
> >>>> tcp_outgoing_address 184.x.x.x
> >>>> http_port 127.0.0.1:3128
> >>>
> >>> It would seem that it is not Squid making those connections outbound
> >>> from 127.0.0.1:3128. Squid uses that 184.x.x.x address with random
> >>> source ports for *all* its outbound connections.
> >>
> >>
> >> Ah, just had an idea. Do you have IDENT protocol in those ACLs you elided?
> >>
> >> IDENT makes a reverse connection back to the client to find the identity.
> >>
> >>
> > So I have this acl in the list:
> >
> > acl AuthorizedUsers proxy_auth REQUIRED
> >
> > Might that be the one?
>
> No, if existing it would have 'ident' or 'ident_regex' type.
>
> Log formats would be the other way to hit ident. But I didn't notice
> anything fancy like that in the config you posted.
>

Sorry for the direct reply on the last iteration. Silly Gmail does not
support reply to list apparently.

I've cleaned up the config based on your suggestions.

I'm not super concerned about the two connection issue. I was mostly
wondering what was up. Perhaps I should be. Ignorance is not always bliss.

WRT follow_x_forwarded_for allow all, I've changed "all" to "localhost". I
don't know if that tightens things up maybe? I need this enabled so that
the client IPs show up in the Squid log. At least I think I do.

Thanks for the help. We've run Squid for over 16 years and it mostly just
works.

Kind regards,
Chris
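As an added illustration (not from the thread or the Squid project): the two 3128 entries quoted above are one loopback connection listed from each of its two sockets, because both ends live on the same host. The script below parses netstat-style lines (a constructed sample modelled on the quoted output; the listener ports 3128 and 8080 are assumed) and collapses such mirror pairs into one record per client.

```python
import re

# Constructed sample modelled on the netstat lines quoted in the thread: the
# content filter on :8080 accepts a LAN client, then opens its own loopback
# connection to Squid on 127.0.0.1:3128. Last line: a Squid outbound connection.
SAMPLE = """\
tcp        0      0 127.0.0.1:3128          127.0.0.1:34167         ESTABLISHED
tcp        0      0 127.0.0.1:34167         127.0.0.1:3128          ESTABLISHED
tcp        0      0 192.168.1.1:8080        192.168.1.10:1310       ESTABLISHED
tcp        0      0 203.0.113.5:51022       198.51.100.7:80         ESTABLISHED
"""
# columns: proto recv-q send-q local:port foreign:port state
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def parse_netstat(text):
    conns = []  # (local, foreign, state); endpoints are (ip, port)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _proto, lip, lport, fip, fport, state = m.groups()
            conns.append(((lip, int(lport)), (fip, int(fport)), state))
    return conns

def collapse_loopback(conns, listeners):
    """One record per logical TCP connection. A connection with both ends on
    this host is listed twice by netstat (once per socket), as the 3128/34167
    pair shows; keep one record, oriented client -> server via known ports."""
    all_pairs = {(local, foreign) for local, foreign, _ in conns}
    seen = set()
    logical = []
    for local, foreign, state in conns:
        if (foreign, local) in seen:
            continue  # mirror entry already recorded
        seen.add((local, foreign))
        if local[1] in listeners:  # listeners: assumed set of server ports
            client, server = foreign, local
        else:
            client, server = local, foreign
        logical.append({"client": client, "server": server, "state": state,
                        "both_ends_local": (foreign, local) in all_pairs})
    return logical

def clients_per_listener(logical):
    """Client connections per server port (the raw line count overstates this)."""
    counts = {}
    for rec in logical:
        port = rec["server"][1]
        counts[port] = counts.get(port, 0) + 1
    return counts
```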