[squid-users] No failover when default parent proxy fails (Squid 3.5.12)

Jens Offenbach wolle5050 at gmx.de
Thu Mar 16 05:23:40 UTC 2017


Failover does not seem to work properly in case of HTTPS. When the primary parent proxy fails, it takes minutes until the download starts and in some cases it never starts.

Is there anything that must be configured specifically in case of HTTPS and timeouts for failover?

This is my squid.conf:
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
  # Local Networks
  acl localnet src 139.2.0.0/16
  acl localnet src 193.96.112.0/21
  acl localnet src 192.109.216.0/24
  acl localnet src 100.1.4.0/22
  acl localnet src 10.0.0.0/8
  acl localnet src 172.16.0.0/12
  acl localnet src 192.168.0.0/16

  # mycompany Networks
  acl to_matnet dst 139.2.0.0/16
  acl to_matnet dst 193.96.112.0/21
  acl to_matnet dst 192.109.216.0/24
  acl to_matnet dst 100.1.4.0/22
  acl to_matnet dst 10.0.0.0/8
  acl to_matnet dst 172.16.0.0/12
  acl to_matnet dst 192.168.0.0/16

  # SSL-Ports
  acl SSL_ports port 443 # https
  acl SSL_ports port 563 # snews
  acl SSL_ports port 873 # rsync

  # Safe-Ports
  acl Safe_ports port 80  # http
  acl Safe_ports port 21  # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70  # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl Safe_ports port 631 # cups
  acl Safe_ports port 873 # rsync
  acl Safe_ports port 901 # SWAT

  # HTTPS
  acl CONNECT method CONNECT

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow manager localhost
  http_access deny  manager
  http_access allow localnet
  http_access allow localhost
  http_access deny all

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
  http_port 3128

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
  cache_peer proxy.mycompany.de parent 8080 0 no-digest no-query connect-timeout=5 connect-fail-limit=3 default
  cache_peer  roxy.mycompany.de parent 8080 0 no-digest no-query connect-timeout=5 connect-fail-limit=3

# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
  maximum_object_size_in_memory 8 MB
  memory_replacement_policy heap LFUDA
  cache_mem 256 MB

# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
  maximum_object_size 10 GB
  cache_replacement_policy heap GDSF
  cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
  access_log daemon:/var/log/squid/access.log squid

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
  cache_log /var/log/squid/cache.log
  coredump_dir /var/log/squid

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
  max_stale 6 days
  shutdown_lifetime 5 seconds

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
  visible_hostname proxy.mycompany.com

# OPTIONS INFLUENCING REQUEST FORWARDING 
# -----------------------------------------------------------------------------
  always_direct allow to_matnet
  never_direct  allow all

# DNS OPTIONS
# -----------------------------------------------------------------------------
  dns_nameservers 139.2.34.171
  dns_nameservers 139.2.34.37

# MISCELLANEOUS
# -----------------------------------------------------------------------------
  memory_pools off

Regards,
Jens
 

Sent: Wednesday, 15 March 2017 at 15:38
From: "Amos Jeffries" <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] No failover when default parent proxy fails (Squid 3.5.12)
On 15/03/2017 7:06 p.m., Jens Offenbach wrote:
> Hi,
> I have two parent proxies configured, but Squid seems to stick to the default proxy even when the proxy cannot be reached:
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:13 kid1| Detected DEAD Parent: proxy.mycompany.de
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
> 2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed


Appearances can be deceiving at times. This shows that several
connections were attempted but does not specify if that was the order
they were initiated or not.
It also does not indicate whether that was HTTP or probe for
resurrected peer.

You have disabled the probes though (no-query no-digest) so it is
unlikely Squid will ever detect a DEAD peer as coming alive again. This
makes me suspect that the "roxy" peer was also detected dead some time
earlier. If that has happened then the "FIRST_AVAILABLE" peer selection
algorithm will produce no possible routes and Squid falls back to the
DEFAULT peer ... which happens to be that one you see in the log and
will try that peer until it works again.

If you want to see the exact route selection results add this to your
squid.conf:
debug_options 44,2


Amos
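
Added example, not part of the original thread and not Squid project code: a small cache.log summarizer that tracks each peer's last reported state and counts connection failures logged after the peer was already marked DEAD, which is the pattern in the quoted log. The `roxy.mycompany.de` lines are constructed sample data, and the "Detected REVIVED" wording is assumed to mirror the "Detected DEAD" message.

```python
import re
from collections import defaultdict

# Constructed sample in the cache.log format quoted in the thread.
# The two roxy.mycompany.de lines are invented to illustrate the
# "both parents already dead" case suspected in the reply.
SAMPLE_LOG = """\
2017/03/15 06:39:02 kid1| TCP connection to roxy.mycompany.de/8080 failed
2017/03/15 06:39:02 kid1| Detected DEAD Parent: roxy.mycompany.de
2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
2017/03/15 06:40:13 kid1| Detected DEAD Parent: proxy.mycompany.de
2017/03/15 06:40:13 kid1| TCP connection to proxy.mycompany.de/8080 failed
2017/03/15 06:40:43 kid1| TCP connection to proxy.mycompany.de/8080 failed
"""

# Timestamp, optional SMP worker tag ("kid1"), then the message text.
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: kid\d+)?\| (.*)$")
FAILED = re.compile(r"^TCP connection to (\S+)/(\d+) failed$")
# Assumption: a revival is logged with the same wording as "Detected DEAD".
STATE = re.compile(r"^Detected (DEAD|REVIVED) (?:Parent|Sibling): (\S+)$")


def summarize_peers(log_text):
    """Return {peer: {state, failures, failures_after_dead, dead_since}}."""
    peers = defaultdict(lambda: {"state": "UNKNOWN", "failures": 0,
                                 "failures_after_dead": 0, "dead_since": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a cache.log line we understand
        stamp, msg = m.groups()
        failed, state = FAILED.match(msg), STATE.match(msg)
        if failed:
            peer = peers[failed.group(1)]
            peer["failures"] += 1
            if peer["state"] == "DEAD":
                # Squid is still sending traffic to a peer it calls DEAD.
                peer["failures_after_dead"] += 1
        elif state:
            peer = peers[state.group(2)]
            peer["state"] = state.group(1)
            peer["dead_since"] = stamp if state.group(1) == "DEAD" else None
    return dict(peers)


def all_parents_dead(summary, configured_peers):
    """True when every configured parent was last reported DEAD."""
    return all(summary.get(name, {}).get("state") == "DEAD"
               for name in configured_peers)
```

A non-zero `failures_after_dead` together with `all_parents_dead(...)` returning True matches the situation described in the reply, where no alternative route is left and requests keep going to the default peer.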
