[squid-users] Problems with squid 3.1 to 3.3 upgrade
squid3 at treenet.co.nz
Sat Aug 10 06:47:23 UTC 2019
On 10/08/19 8:32 am, Tom Karches wrote:
> On Fri, Aug 9, 2019 at 2:37 PM Alex Rousskov wrote:
> On 8/9/19 1:37 PM, Tom Karches wrote:
> > On Fri, Aug 9, 2019 at 11:38 AM Alex Rousskov wrote:
> > Ok, here is the info from the real trace. First time with
> > on commented out, 2nd time "dns_v4_ first on" is active.
> Difference is
> > with no "dns_v4_first on" directive, I get a RR_CONNECT_FAIL 111. When
> > active, I get a RR_CONNECT_FAIL 101.
> BTW, it may be easier for you to read --trace--ascii output.
> I didn't see anything additional using the ascii option, though it is
> easier to read
> Both are ERR_CONNECT_FAIL errors ("connection reset by peer" and
> "connection refused"). Your Squid cannot connect to where it needs to
> connect in order to establish a TCP tunnel. It could be a Squid
> misconfiguration, a routing problem, insufficient capabilities, and many
> other things.
> I suggest checking cache.log for WARNINGs and ERRORs. After arriving at
> a clean cache.log, I would use a packet capture (or similar) to see
> where Squid is trying to connect (and which local address it is
> connecting from). That information may be enough to figure out why Squid
> cannot connect successfully.
> This is what I am seeing from cache.log when I attempt the proxy :
> 2019/08/09 16:19:08.127 kid1| 33,2| client_side.cc(817) swanSong:
> local=127.0.0.1:3128 <http://127.0.0.1:3128> remote=127.0.0.1:33428
> <http://127.0.0.1:33428> flags=1
> 2019/08/09 16:19:10.051 kid1| 33,2| client_side.cc(817) swanSong:
> local=126.96.36.199:3128 <http://188.8.131.52:3128>
> remote=10.50.54.21:43198 <http://10.50.54.21:43198> flags=1
> Right now my debug is set to ALL,1 33,2. Is there a better set of
> options to provide me more visibility of what might be wrong?
11,2 will show the HTTP message headers.
44,2 will show the servers Squid is finding as possible destinations for
5,6 should show the TCP connection attempts activity by Squid.
If it is not clear from that, those should give you hints about lines to
look for (skip to) for searching a much larger ALL,6 trace.
> Here is our config file, in case that helps. If it's something obvious
> I'm not seeing. We have some whitelists, but I am running with those
> turned off until this is working so I won't include them here. Thanks
> for the help.
Few bits of polish. But nothing visible there to indicate what your
problem might be.
I think it is probably a firewall or routing problem for the traffic
leaving the proxy machine.
> # squid config file - 2019-08-09
> # Timeouts
> connect_timeout 2 minutes # For CDWG Vendor
> debug_options ALL,1 33,2
> dns_v4_first on
> acl SSL_ports port 443
> acl SSL_ports port 1443 # b2b-test.apple.com:1443
> acl SSL_ports port 3079 # bci.stapleslink.com
> <http://bci.stapleslink.com> special port
> acl SSL_ports port 4443 # pascal.apple.com:4443
> acl SSL_ports port 993 # IMAP from Stat application to Gmail
> acl SSL_ports port 22 # Allow SSH and SFTP to proxy/connect
> acl SSL_ports port 8443 # redhat cap port
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
The ports below are all included in the 1024-65535 range. No need to
list them explicitly here.
> acl Safe_ports port 5228 # google services
> acl Safe_ports port 1935 # cam steamer port
> acl Safe_ports port 8443 # redhat cap port
> acl CONNECT method CONNECT
> # Recommended minimum Access Permission configuration:
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
Latest Squid recommendation is to have these manager lines after the
CONNECT !SSL_ports line.
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> # And finally deny all other access to this proxy
> http_access deny all
> icp_access deny all
ICP is off by default in modern Squid. No need for the above deny.
> # Squid normally listens to port 3128
> http_port 3128
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 2048 16 256
> # Default configuration value for cache_mem
> #cache_mem 256 MB
> cache deny all
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> max_filedescriptors 65000
> Thomas Karches
> NCSU OIT CSI - Systems Specialist
> M.E Student - Technology Education
> Hillsborough 319 / 919.515.5508
> squid-users mailing list
> squid-users at lists.squid-cache.org
More information about the squid-users