[squid-users] Strange error to load http web pages in parents servers.

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 24 10:42:40 UTC 2018


On 24/07/18 06:16, Darvin Rivera Aguilar wrote:
> 
> In all Machines
> 
> OS: Debian
> Version: 9.5
> Squid Cache: Version 3.5.23
> 
> I have one private ip address for public squid (10.20.0.183) and two
> parents squid: one for facebook and other for *.ch domain
> 
>                                       ----> Parent1 (10.20.0.41) (Only Facebook)
>                                      |
> Client -> Public Squid (10.20.0.183) -----> All other traffic
>                                      |
>                                       ----> Parent2 (10.20.0.42) (Only *.ch domain)
> 
> Parent1 and parent2 configuration are the same.
> 
> 
> The Problem:
> 
> Browser Url: http://films.server.ch/Ingles/Baby Daddy/
> 
> Client Error:
> 
> ERROR
> The requested URL could not be retrieved
> 
> The following error was encountered while trying to retrieve the URL:
> /Ingles/Baby%20Daddy/
> 
>     Invalid URL
> 
> Some aspect of the requested URL is incorrect.
> 
> Some possible problems are:
> 
>     Missing or incorrect access protocol (should be "http://" or similar)
> 

That.

>     Missing hostname
> 

... and that.


This is an origin-form URL for use only on port 80 or 443 message types.
Not for use between proxies. So where is it coming from?

e.g. Is there something like NAT at the network level diverting outbound
port 80 traffic into this Parent2 proxy?

e.g. Is the public proxy receiving an HTTP message with a domain that is
not in *.ch and which resolves to the IP address of the parent2 proxy?


You can see what each of the proxies is sending and receiving by setting
"debug_options 11,2" in squid.conf and reloading/reconfiguring Squid.



>     Illegal double-escape in the URL-Path
> 
>     Illegal character in hostname; underscores are not allowed.
> 
> Your cache administrator is webmaster.
> 
> 
> Log Public Squid (10.20.0.183)
> 1531925462.144    525 10.20.1.12 TCP_MISS/400 3875 GET http://films.server.ch/Ingles/Baby%20Daddy/ username FIRSTUP_PARENT/10.20.0.42 text/html
> 
> Log Squid Parent2 (10.520.0.42)
> 1531928082.425      0 10.20.0.183 TAG_NONE/400 3586 GET /Ingles/Baby%20Daddy/ - HIER_NONE/- text/html

Notice that these requests are 2620 seconds (43 minutes) apart. So they
are almost certainly not the same transaction, even though they resulted
in the same status code - it _may_ have been for different reasons.

> 
> 
> Note: I use parent1 for Facebook and it never gives this error. Facebook
> uses https and the error is only in parent2 with http.
> 
> How the client solves this error:
> When I push F5 in the browser the page reloads without problem;
> sometimes I need to push F5 5 or 8 times for the page to reload.
> 
> Parent2 Full config:
> 
> http_port 3128
> httpd_suppress_version_string on
> visible_hostname parent2.localhost
> dns_nameservers 10.20.0.61
> acl proxy src 0.20.0.183/32

Is that "0." just a typo in your mail here? If it's in the config that
could be the cause.

Otherwise I'm not seeing anything that could lead to your problem in
these two config files. The notes below are just some polishing things
you could maybe do better.


> http_access allow proxy
> http_access deny all
> cache_access_log /var/log/squid/access.log

This directive name is access_log in 3.x, no "cache_" part.

And it should have either "stdio:" or "daemon:" as prefix on the
filename depending on whether you expect low or high traffic volumes
(daemon is higher performance than stdio).


> 
> Public Squid Basic config
> 
> http_port 10.20.0.183:3128
> http_port 127.0.0.1:3128
> httpd_suppress_version_string on
> 
> #====================================================================================
> 
> # TAG: Recommended minimum configuration
> #====================================================================================
> 
> acl port_80 port 80
> acl port_443 port 443
> 
> acl Safe_method method CONNECT GET HEAD POST
> acl CONNECT     method CONNECT
> 
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny !Safe_method
> http_access deny CONNECT !SSL_ports
> 
> #====================================================================================
> 
> # TAG: PARENT
> #====================================================================================
> 
> acl redir_facebook      dstdom_regex    -i "/etc/squid/acl/cache_peer_facebook"
> acl db_domain           dstdom_regex    -i "/etc/squid/acl/cache_peer_domain"

You said this peer only services .ch domains.
That implies you can use something like:
  acl db_domain dstdomain .ch


> 
> cache_peer 10.20.0.41 parent 3128 0 default
> cache_peer 10.20.0.42 parent 3128 0 default
> 

"
==== PEER SELECTION METHODS ====

default

  This is a parent cache which can be used as a "last-resort"
  if a peer cannot be located by any of the peer-selection methods.

 *** If specified more than once, only the first is used. ***
"

Given what you described the purpose of these parents to be I don't
think either of them should have "default" option set.


> cache_peer_access 10.20.0.41 allow redir_facebook
> cache_peer_access 10.20.0.42 allow db_domain
> 
> never_direct allow redir_facebook
> never_direct allow db_domain
> 



Amos
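
The two log checks made in the reply above, as an added example that is not part of the original message or of Squid: it classifies each logged request target as absolute-form or origin-form and tests whether the parent's entry can be the forwarded copy of the public proxy's entry. The field layout assumes Squid's default native access.log format, and the 5-second matching window and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<type>\S+)"
)

# The two log entries quoted in the post, unwrapped onto one line each.
PUBLIC_LOG = ("1531925462.144    525 10.20.1.12 TCP_MISS/400 3875 GET "
              "http://films.server.ch/Ingles/Baby%20Daddy/ username "
              "FIRSTUP_PARENT/10.20.0.42 text/html")
PARENT_LOG = ("1531928082.425      0 10.20.0.183 TAG_NONE/400 3586 GET "
              "/Ingles/Baby%20Daddy/ - HIER_NONE/- text/html")

def parse(line):
    """Parse one native-format access.log line into a dict, or None."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = float(rec["ts"]), int(rec["status"])
    return rec

def url_form(rec):
    """Classify the logged request target (RFC 7230 section 5.3 names)."""
    if rec["method"] == "CONNECT":
        return "authority-form"
    if rec["url"].startswith("/"):
        return "origin-form"      # carries no scheme and no hostname
    parts = urlsplit(rec["url"])
    return "absolute-form" if parts.scheme and parts.netloc else "other"

def same_transaction(child, parent, child_ip, window=5.0):
    """True if `parent` plausibly is the forwarded copy of `child`."""
    return (parent["client"] == child_ip
            and urlsplit(parent["url"]).path == urlsplit(child["url"]).path
            and abs(parent["ts"] - child["ts"]) <= window)

if __name__ == "__main__":
    pub, par = parse(PUBLIC_LOG), parse(PARENT_LOG)
    print(url_form(pub), "->", url_form(par))
    print("gap: %.0f s" % (par["ts"] - pub["ts"]))
    print("same transaction:", same_transaction(pub, par, "10.20.0.183"))
```

Run over both proxies' full logs, the same functions list every origin-form request reaching a parent and show whether the public proxy logged a matching request at that moment.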

