[squid-users] Squid display garbage character.

Amos Jeffries squid3 at treenet.co.nz
Sun May 27 08:30:13 UTC 2018



On 27/05/18 19:20, Willsz.net Support wrote:
>> This display happens when the browser is being told the response object
>> is of one type (eg HTML/XML text), but it is actually binary content (eg
>> an image, or compressed object). Usually when fetching the main HTML
>> index object, images, or video content - things which are displayed
>> directly to the user.
>>
>>
>> It usually occurs because:
>>
>> A) an admin forces things to be cached by a proxy and served from cache
>> despite instructions from the website author on the HTTP response that
>> caching is not permitted for that object.
>>   - check your squid.conf for any refresh_pattern directives with
>> override-* or ignore-* options which might be forcing things to be
>> cached when they are not supposed to. BE VERY careful and conservative
>> with your use of regex patterns.
>>   - current Squid versions "squid -k parse" command should provide you
>> nice loud WARNING messages about any of these options if it is possibly
>> going to cause the types of issue you can see. The text will mention
>> violating HTTP and you being responsible for the issues caused (if any).
> 
> Thank you, Amos
> 
> Not much modification in my Squid.conf, this output of squid -k parse:
> 
> root:~# squid -k parse
> 2018/05/27 13:53:42| Startup: Initializing Authentication Schemes ...
> 2018/05/27 13:53:42| Startup: Initialized Authentication Scheme 'basic'
> 2018/05/27 13:53:42| Startup: Initialized Authentication Scheme 'digest'
> 2018/05/27 13:53:42| Startup: Initialized Authentication Scheme 'ntlm'
> 2018/05/27 13:53:42| Startup: Initialized Authentication.
> 2018/05/27 13:53:42| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
> 2018/05/27 13:53:42| Processing: acl proxyserv dst 192.168.100.250
> 2018/05/27 13:53:42| Processing: acl pccl03  src 192.168.100.3/32
> 2018/05/27 13:53:42| Processing: acl pccl04  src 192.168.100.4/32
> 2018/05/27 13:53:42| Processing: acl pccl05  src 192.168.100.5/32
> 2018/05/27 13:53:42| Processing: acl pccl08  src 192.168.100.8/32
> 2018/05/27 13:53:42| Processing: acl pccl22  src 192.168.100.22/32
> 2018/05/27 13:53:42| Processing: acl pccl23  src 192.168.100.23/32
> 2018/05/27 13:53:42| Processing: acl pccl24  src 192.168.100.24/32
> 2018/05/27 13:53:42| Processing: acl pccl25  src 192.168.100.25/32
> 2018/05/27 13:53:42| Processing: acl pccl26  src 192.168.100.26/32
> 2018/05/27 13:53:42| Processing: acl tvbox   src 192.168.100.50/32

> 2018/05/27 13:53:42| Processing: acl wicl80  src 192.168.100.80/32
> 2018/05/27 13:53:42| Processing: acl wicl81  src 192.168.100.81/32
> 2018/05/27 13:53:42| Processing: acl wicl82  src 192.168.100.82/32
> 2018/05/27 13:53:42| Processing: acl wicl83  src 192.168.100.83/32
> 2018/05/27 13:53:42| Processing: acl wicl84  src 192.168.100.84/32
> 2018/05/27 13:53:42| Processing: acl wicl85  src 192.168.100.85/32
> 2018/05/27 13:53:42| Processing: acl wicl86  src 192.168.100.86/32
> 2018/05/27 13:53:42| Processing: acl wicl87  src 192.168.100.87/32
> 2018/05/27 13:53:42| Processing: acl wicl88  src 192.168.100.88/32
> 2018/05/27 13:53:42| Processing: acl wicl89  src 192.168.100.89/32
> 2018/05/27 13:53:42| Processing: acl wicl90  src 192.168.100.90/32
> 2018/05/27 13:53:42| Processing: acl wicl91  src 192.168.100.91/32
> 2018/05/27 13:53:42| Processing: acl wicl92  src 192.168.100.92/32
> 2018/05/27 13:53:42| Processing: acl wicl93  src 192.168.100.93/32
> 2018/05/27 13:53:42| Processing: acl wicl94  src 192.168.100.94/32
> 2018/05/27 13:53:42| Processing: acl wicl95  src 192.168.100.95/32
> 2018/05/27 13:53:42| Processing: acl wicl96  src 192.168.100.96/32
> 2018/05/27 13:53:42| Processing: acl wicl97  src 192.168.100.97/32
> 2018/05/27 13:53:42| Processing: acl wicl98  src 192.168.100.98/32
> 2018/05/27 13:53:42| Processing: acl wicl99  src 192.168.100.99/32
> 2018/05/27 13:53:42| Processing: acl pcbill  src 192.168.100.100/32


There is nothing special being done for all the above wicl80 - wicl99
and pcbill ACLs. They are all being either allowed or denied by rules at
the same time(s). So it seems a pointless waste of config lines.

You could replace wicl80 with:
 acl wicl80-99 src 192.168.100.80-192.168.100.100

then delete all config lines mentioning wicl81 thru wicl99, and pcbill.


> 2018/05/27 13:53:42| Processing: acl pchome  src 192.168.100.101/32
> 2018/05/27 13:53:42| Processing: acl domaindeny dstdom_regex -i "/usr/local/etc/squid/domain.deny"
> 2018/05/27 13:53:42| Processing: acl domainrdr dstdom_regex -i "/usr/local/etc/squid/domain.rdr"
> 2018/05/27 13:53:42| Processing: acl ipaddrdeny dst -n "/usr/local/etc/squid/ipaddr.deny"
> 2018/05/27 13:53:42| Processing: acl urlpathdeny urlpath_regex -i "/usr/local/etc/squid/urlpath.deny"
> 2018/05/27 13:53:42| Processing: acl windowsupdate dstdom_regex -i download\.windowsupdate\.com
> 2018/05/27 13:53:42| Processing: acl domainnocache dstdomain .garenanow.com .garena.co.id
> 2018/05/27 13:53:42| Processing: deny_info 302:http://ip.fo-ont-lo.willsz.net/null.png ipaddrdeny domaindeny urlpathdeny windowsupdate
> 2018/05/27 13:53:42| Processing: deny_info 302:http://unyil.willsz.net/index.html domainrdr
> 2018/05/27 13:53:42| Processing: always_direct allow domainnocache

You do not have any cache_peer configured. So always_direct has no meaning.

> 2018/05/27 13:53:42| Processing: cache deny domainnocache
> 2018/05/27 13:53:42| Processing: acl SSL_ports port 443
> 2018/05/27 13:53:42| Processing: acl Safe_ports port 80
> 2018/05/27 13:53:42| Processing: acl Safe_ports port 8080
> 2018/05/27 13:53:42| Processing: acl Safe_ports port 8081
> 2018/05/27 13:53:42| Processing: acl CONNECT method CONNECT
> 2018/05/27 13:53:42| Processing: http_access deny !Safe_ports
> 2018/05/27 13:53:42| Processing: http_access deny CONNECT !SSL_ports
> 2018/05/27 13:53:42| Processing: http_access deny domaindeny
> 2018/05/27 13:53:42| Processing: http_access deny domainrdr
> 2018/05/27 13:53:42| Processing: http_access deny ipaddrdeny
> 2018/05/27 13:53:42| Processing: http_access deny urlpathdeny
> 2018/05/27 13:53:42| Processing: http_access allow wicl80 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl81 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl82 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl83 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl84 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl85 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl86 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl87 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl88 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl89 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl90 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl91 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl92 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl93 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl94 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl95 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl96 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl97 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl98 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow wicl99 windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow pcbill windowsupdate
> 2018/05/27 13:53:42| Processing: http_access deny windowsupdate
> 2018/05/27 13:53:42| Processing: http_access allow proxyserv
> 2018/05/27 13:53:42| Processing: http_access allow pccl03
> 2018/05/27 13:53:42| Processing: http_access allow pccl04
> 2018/05/27 13:53:42| Processing: http_access allow pccl05
> 2018/05/27 13:53:42| Processing: http_access allow pccl08
> 2018/05/27 13:53:42| Processing: http_access allow pccl22
> 2018/05/27 13:53:42| Processing: http_access allow pccl23
> 2018/05/27 13:53:42| Processing: http_access allow pccl24
> 2018/05/27 13:53:42| Processing: http_access allow pccl25
> 2018/05/27 13:53:42| Processing: http_access allow pccl26
> 2018/05/27 13:53:42| Processing: http_access allow tvbox
> 2018/05/27 13:53:42| Processing: http_access allow wicl80
> 2018/05/27 13:53:42| Processing: http_access allow wicl81
> 2018/05/27 13:53:42| Processing: http_access allow wicl82
> 2018/05/27 13:53:42| Processing: http_access allow wicl83
> 2018/05/27 13:53:42| Processing: http_access allow wicl84
> 2018/05/27 13:53:42| Processing: http_access allow wicl85
> 2018/05/27 13:53:42| Processing: http_access allow wicl86
> 2018/05/27 13:53:42| Processing: http_access allow wicl87
> 2018/05/27 13:53:42| Processing: http_access allow wicl88
> 2018/05/27 13:53:42| Processing: http_access allow wicl89
> 2018/05/27 13:53:42| Processing: http_access allow wicl90
> 2018/05/27 13:53:42| Processing: http_access allow wicl91
> 2018/05/27 13:53:42| Processing: http_access allow wicl92
> 2018/05/27 13:53:42| Processing: http_access allow wicl93
> 2018/05/27 13:53:42| Processing: http_access allow wicl94
> 2018/05/27 13:53:42| Processing: http_access allow wicl95
> 2018/05/27 13:53:42| Processing: http_access allow wicl96
> 2018/05/27 13:53:42| Processing: http_access allow wicl97
> 2018/05/27 13:53:42| Processing: http_access allow wicl98
> 2018/05/27 13:53:42| Processing: http_access allow wicl99
> 2018/05/27 13:53:42| Processing: http_access allow pcbill
> 2018/05/27 13:53:42| Processing: http_access allow pchome
> 2018/05/27 13:53:42| Processing: http_access deny all
> 2018/05/27 13:53:42| Processing: always_direct deny all
> 2018/05/27 13:53:42| Processing: icp_port 0
> 2018/05/27 13:53:42| Processing: icp_access deny all

Remove the icp_port and icp_access lines. You do not need them. ICP is
disabled by default in all Squid-3 and later versions.

> 2018/05/27 13:53:42| Processing: http_port 127.0.0.1:3128
> 2018/05/27 13:53:42| Processing: http_port 192.168.100.250:7080 transparent
> 2018/05/27 13:53:42| Starting Authentication on port 192.168.100.250:7080
> 2018/05/27 13:53:42| Disabling Authentication on port 192.168.100.250:7080 (interception enabled)
> 2018/05/27 13:53:42| Processing: cache_mem 32 MB
> 2018/05/27 13:53:42| Processing: cache_swap_low 90
> 2018/05/27 13:53:42| Processing: cache_swap_high 95

These cache_swap_* settings are the defaults. No need to configure them.

> 2018/05/27 13:53:42| Processing: cache_dir ufs /var/cache/squid 2048 16 256
> 2018/05/27 13:53:42| Processing: store_dir_select_algorithm round-robin
> 2018/05/27 13:53:42| Processing: access_log daemon:/var/log/squid/access.log squid
> 2018/05/27 13:53:42| Processing: cache_log /var/log/squid/cache.log
> 2018/05/27 13:53:42| Processing: cache_store_log none


> 2018/05/27 13:53:42| Processing: pid_filename /var/run/squid.pid
> 2018/05/27 13:53:42| Processing: logfile_rotate 1
> 2018/05/27 13:53:42| Processing: log_icp_queries off

With ICP disabled there are no queries to log. No need to disable
logging of non-existent things.

> 2018/05/27 13:53:42| Processing: buffered_logs off
> 2018/05/27 13:53:42| Processing: minimum_object_size 0 KB
> 2018/05/27 13:53:42| Processing: maximum_object_size 10 MB
> 2018/05/27 13:53:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> 2018/05/27 13:53:42| Processing: refresh_pattern .       0   100% 10080
> 2018/05/27 13:53:42| Processing: memory_replacement_policy heap GDSF
> 2018/05/27 13:53:42| Processing: cache_replacement_policy heap LFUDA
> 2018/05/27 13:53:42| Processing: shutdown_lifetime 5 seconds
> 2018/05/27 13:53:42| Processing: half_closed_clients off
> 2018/05/27 13:53:42| Processing: client_persistent_connections off

You are turning "client_persistent_connections on" near the end of the
config file. This is not a directive that affects things in the config
file itself - so the later ON setting is what Squid will actually use.

I'm not sure whether this above line or the one later is what you
actually want. One of them should be removed to clarify that.


> 2018/05/27 13:53:42| Processing: server_persistent_connections on
> 2018/05/27 13:53:42| Processing: pconn_timeout 15 seconds
> 2018/05/27 13:53:42| Processing: request_timeout 1 minute
> 2018/05/27 13:53:42| Processing: tcp_outgoing_tos 0x30 all
> 2018/05/27 13:53:42| Processing: retry_on_error on
> 2018/05/27 13:53:42| Processing: buffered_logs on
> 2018/05/27 13:53:42| Processing: global_internal_static off
> 2018/05/27 13:53:42| Processing: max_stale 10 years
> 2018/05/27 13:53:42| Processing: quick_abort_min -1 KB
> 2018/05/27 13:53:42| Processing: vary_ignore_expire on

The above option may be the source of your problems. Notice the warning
message in its documentation:
 <http://www.squid-cache.org/Doc/config/vary_ignore_expire/>


> 2018/05/27 13:53:42| Processing: ie_refresh on

Do you really need to support MSIE older than 5.5?
 (aka Windows machines *older* than XP).

If not, please try removing this option now. It is deprecated and
removed from Squid-4.


> 2018/05/27 13:53:42| Processing: cache_mgr cachemaster at willsz.net
> 2018/05/27 13:53:42| Processing: visible_hostname ip.proxy-cache.willsz.net
> 2018/05/27 13:53:42| Processing: cache_effective_user squid
> 2018/05/27 13:53:42| Processing: cache_effective_group squid

Your build has " --with-default-user=squid ", so no need for the
cache_effective_* settings to override that with "squid".


> 2018/05/27 13:53:42| Processing: check_hostnames on
> 2018/05/27 13:53:42| Processing: dns_retransmit_interval 2 seconds
> 2018/05/27 13:53:42| Processing: dns_timeout 1 minutes
> 2018/05/27 13:53:42| Processing: memory_pools off
> 2018/05/27 13:53:42| Processing: forwarded_for off

"delete" or "transparent" are slightly better settings available in
current Squid. If you must fiddle with that header's contents at all
please consider those instead.
 <http://www.squid-cache.org/Doc/config/forwarded_for/>


> 2018/05/27 13:53:42| Processing: client_persistent_connections on
> 2018/05/27 13:53:42| Processing: coredump_dir /tmp
> 2018/05/27 13:53:42| Processing: httpd_suppress_version_string on
>   
>> B) the web server is not sending Vary headers consistently and the proxy
>> cache ends up thinking that a compressed object is possible to be sent
>> to clients only accepting plain-text objects.
>>  - this one there is not much you can do except to prevent these
>> particular URLs not to be cached by your own proxy.
>> Both cases result in the client sometimes displaying binary octets as if
>> they were plain text, as you can see in that demo image. More often they
>> occur with scripts and nothing gets displayed - just parts of the
>> website don't work properly (no scrolling, missing content, or
>> unclickable buttons, etc).
>  
> I am more suspicious because of this, many of gambling site hosting will get the same problem.
> I tested for http://www.bolaliga88.com/ with the same result https://redbot.org/?uri=http%3A%2F%2Fwww.bolaliga88.com%2F  
>  

I am currently suspecting it is a combination of these broken Vary
headers usage by the web servers and your use of "vary_ignore_expire on"
which enables those broken objects to be cached.

Amos
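
An added example, not part of the message above and not Squid project code: a small Python check over `squid -k parse` output that reports the items raised in the reply, namely `vary_ignore_expire on`, `refresh_pattern` lines carrying `override-*` or `ignore-*` options, and on/off directives set twice with different values. The function names and the `.iso` line are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the `squid -k parse` output quoted in the thread.
FROM_THREAD = r"""
2018/05/27 13:53:42| Processing: buffered_logs off
2018/05/27 13:53:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
2018/05/27 13:53:42| Processing: refresh_pattern .       0   100% 10080
2018/05/27 13:53:42| Processing: client_persistent_connections off
2018/05/27 13:53:42| Processing: buffered_logs on
2018/05/27 13:53:42| Processing: vary_ignore_expire on
2018/05/27 13:53:42| Processing: client_persistent_connections on
"""
# Constructed line, not in the poster's config: a cause-A style refresh_pattern.
CONSTRUCTED = (r"2018/05/27 13:53:42| Processing: refresh_pattern -i \.iso$ "
               "1440 90% 43200 override-expire ignore-private\n")

PROCESSING = re.compile(r"\|\s*Processing:\s+(\S+)\s*(.*)$")

def directives(parse_output):
    """Yield (name, args) for every 'Processing:' line, in file order."""
    for line in parse_output.splitlines():
        m = PROCESSING.search(line)
        if m:
            yield m.group(1), m.group(2).strip()

def lint(parse_output):
    """Return [(directive, finding)] for the issues raised in the reply."""
    findings, toggles = [], defaultdict(list)
    for name, args in directives(parse_output):
        if args in ("on", "off"):
            toggles[name].append(args)
        if name == "vary_ignore_expire" and args == "on":
            findings.append((name, "enabled; see the warning in its documentation"))
        if name == "refresh_pattern":
            # Layout after dropping -i: regex, min, percent, max, optional flags.
            tokens = [t for t in args.split() if t != "-i"]
            forced = [t for t in tokens[4:] if t.startswith(("override-", "ignore-"))]
            if forced:
                findings.append((name, "forces caching: " + " ".join(forced)))
    # Assumption: as the reply says of client_persistent_connections, the last value wins.
    for name, values in toggles.items():
        if len(set(values)) > 1:
            findings.append((name, "conflicting values %s; effective: %s"
                             % (" -> ".join(values), values[-1])))
    return findings

if __name__ == "__main__":
    print(*lint(FROM_THREAD + CONSTRUCTED), sep="\n")
```

On the lines taken from the thread it reports `vary_ignore_expire`, `buffered_logs` and `client_persistent_connections`; the `refresh_pattern` finding comes only from the constructed line.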

