<div dir="ltr"><div><div><div><div>The outbound traffic from the L1 proxy instance in question connects to a public IP / DNS name of an ELB in another AWS region.<br>We need to send some traffic to a different AWS region, thus the mess below:<br><br>AWS instances (clients) -> <br>AWS internal ELB for L1 proxies -> AWS L1 proxy instances -> <br>a different AWS internal ELB for L1 proxy cluster -> a different AWS L1 proxy instance (this is where we have the problem with 'intercept' or 'transparent') -> <br>*One AWS region above, a different AWS region below*<br></div><div>AWS external (publicly addressable) ELB for L2 proxies in a different AWS region -> AWS L2 proxy instances -> the Internet<br><br></div>These AWS instances have both internal IPs and public IPs, and they don't really know about their own public IPs. That may be part or all of the confusion.<br><br></div>AWS ELBs are published as DNS names, they have multiple IPs, and we are using DNS to connect to them.<br><br></div>I'm not exactly certain how the ELB functions; at least, I don't know enough to answer your question.<br></div><div>The healthcheck and listeners are TCP, not HTTP.<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 29, 2015 at 1:19 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 30/10/2015 8:39 a.m., John Smith wrote:<br>
> Hi Eliezer,<br>
><br>
</span><span class="">> It is entirely possible that haproxy is a better solution than squid for<br>
> what we are doing.<br>
> I have never used either solution, and inherited this 'working' squid<br>
> configuration with the task of cleaning things up and stabilizing it.<br>
> Regarding your question of 'How do the first layer of proxies send their<br>
> request to the second layer of proxies?', all I can tell you is that all<br>
> the work is done in the squid.conf, and I've posted the entire contents<br>
> with a few replacements for security reasons.<br>
<br>
</span>The LB is the first layer.<br>
Squid is the second layer.<br>
The cache_peer(s) Squid is relaying on to are a third.<br>
<br>
<br>
The hierarchy is thus:<br>
<br>
clients --(?1?)--> LB --(?2?)--> Squid --(HTTP)--> peer(s)<br>
<br>
The "?1?" and "?2?" parts are what we need to figure out.<br>
<br>
How are the clients messages getting to the LB?<br>
<br>
a) is it published in DNS as the host of some domain and clients making<br>
requests directly from it that need to be serviced by the proxies you<br>
are wrangling with?<br>
<br>
b) is the clients' outbound traffic being intercepted/diverted in their<br>
travels to some other server and sent through the LB instead?<br>
<br>
<br>
How is the load balancer then relaying the TCP connections and HTTP<br>
messages inside them to Squid?<br>
<br>
A) Is it using NAT to change both dst-IP and dst-port on the TCP packets?<br>
<br>
B) Is it terminating the TCP connection from clients, opening one to<br>
Squid and relaying the HTTP inside based on URL hostnames etc. ?<br>
<br>
C) Is it opening a L2 tunnel and relaying the TCP packets to the Squid<br>
machine ?<br>
<span class=""><br>
<br>
<br>
> As I've said, I've removed the word 'intercept' several times and the<br>
> requests to secondary proxies no longer work.<br>
> I just confirmed this behaviour again.<br>
> If this is as 'quiet' as I can make the logs then it is what it is.<br>
<br>
<br>
</span>"getsockopt(SO_ORIGINAL_DST) failed ...: (92) Protocol not available"<br>
<br>
Should never happen in a working proxy. Ever.<br>
<br>
It can appear because a) the NAT tables in the Squid machine kernel are<br>
overflowing, or b) the external network is configured in a broken way.<br>
Both are really bad scenarios. You are having the (b) problem.<br>
<span class="HOEnZb"><font color="#888888"><br>
Amos<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div>
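<div>Added example (not from the thread, and not Squid's own code): the <code>getsockopt(SO_ORIGINAL_DST)</code> lookup that the quoted error message comes from, written out in Python so the two failure modes Amos lists can be seen directly. An intercept-mode proxy asks the kernel, for every accepted connection, which address the client originally dialled; the kernel can only answer from its own NAT/conntrack table, so the call succeeds only for connections that were redirected on the host where the proxy runs. A connection handed over by a load balancer that terminated the client's TCP session carries no such entry. The function names below are hypothetical; the constant <code>SO_ORIGINAL_DST = 80</code> is the value from <code>linux/netfilter_ipv4.h</code>, and the loopback demo is a constructed, non-redirected connection.</div>

```python
import errno
import os
import socket
import struct

# From linux/netfilter_ipv4.h; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def make_sockaddr_in(ip, port):
    """Build a struct sockaddr_in the way the kernel lays it out.

    Used here only to construct sample input for parse_sockaddr_in():
    sin_family in host byte order, sin_port/sin_addr in network order,
    then 8 bytes of zero padding (16 bytes total).
    """
    return struct.pack("=H", socket.AF_INET) + struct.pack(
        "!H4s8x", port, socket.inet_aton(ip))


def parse_sockaddr_in(raw):
    """Decode the 16-byte sockaddr_in that SO_ORIGINAL_DST returns."""
    if len(raw) < 16:
        raise ValueError("sockaddr_in is 16 bytes, got %d" % len(raw))
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family=%d)" % family)
    port, addr = struct.unpack("!2xH4s8x", raw[:16])
    return socket.inet_ntoa(addr), port


def classify_lookup_error(err):
    """Map the errno of a failed SO_ORIGINAL_DST lookup to what it means."""
    if err == errno.ENOPROTOOPT:
        # Linux "(92) Protocol not available": the kernel has no netfilter
        # handler for this option, i.e. nf_conntrack is not loaded at all
        # (or this is not a Linux kernel). Nothing on this box does NAT.
        return "no-netfilter"
    if err == errno.ENOENT:
        # conntrack is present but holds no entry for this connection:
        # nothing on this host redirected it, so there is no original dst.
        return "no-nat-entry"
    return "other:" + os.strerror(err)


def original_destination(conn):
    """What an intercept-mode proxy does for every accepted connection.

    Returns ("ok", (ip, port)) when the kernel can name the destination the
    client originally dialled, or ("error", reason) when it cannot.
    """
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    except OSError as exc:
        return ("error", classify_lookup_error(exc.errno))
    return ("ok", parse_sockaddr_in(raw))


def demo_loopback():
    """Accept one plain (non-redirected) loopback connection and run the lookup.

    Constructed demo: no NAT rule touches this connection, so the result is
    either an error or the listener's own address, never some other host
    that the proxy could relay to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    try:
        return original_destination(conn)
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print(demo_loopback())
```

<div>Run on the Squid host itself, the demo answers the practical question in the thread: an <code>("error", "no-netfilter")</code> result is the "(92) Protocol not available" case, where the kernel is not doing any NAT and <code>intercept</code> can never work; <code>("error", "no-nat-entry")</code> or <code>("ok", ("127.0.0.1", port))</code> means conntrack is there but this particular connection was not redirected, which is what a connection arriving from a TCP-terminating load balancer looks like. Only a connection that was REDIRECTed or DNATed in that same kernel yields an original destination different from the proxy's own address.</div>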