<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Century Gothic";
        panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:541988351;
        mso-list-template-ids:-173256410;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Nilesh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Please stop replying to the digest version of the mailing lists, per repeated previous requests.   You need to change your mailing list preferences so you get
 them one by one.  <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Otherwise, its makes it impossible to understand what you are replying to.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Century Gothic","sans-serif";color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> squid-users [mailto:squid-users-bounces@lists.squid-cache.org]
<b>On Behalf Of </b>Nilesh Gavali<br>
<b>Sent:</b> Tuesday, June 14, 2016 8:26 AM<br>
<b>To:</b> squid-users@lists.squid-cache.org; Antony.Stone@squid.open.source.it<br>
<b>Subject:</b> Re: [squid-users] squid-users Digest, Vol 22, Issue 62<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Hello Antony;</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I have setup like below :-</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">end user >> LinuxProxy(3.1.10) >> External Proxy(3.4)>> Internet</span>
<o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">when we configure external proxy ip in end user's IE, all HTTP & HTTPS site work properly.</span>
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">when we configure Linux proxy ip in end user's IE, HTTP works fine but none of the HTTPS site open.</span>
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">when we access https site from LinuxProxy, below logs are appearing in access.log
</span><o:p></o:p></li></ul>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">        TCP_DENIED/407 CONNECT sitename:443 -  NONE/ text/html
</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">        TCP_MISS/503 0 CONNECT sitename:443
<a href="mailto:username@MYDOMAIN.COM">username@MYDOMAIN.COM</a>         DIRECT / - -</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">        TCP_MISS/200 23456 GET
</span><a href="http://www.anysite.com/"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">http://www.anysite.com</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
<a href="mailto:username@MYDOMAIN.COM">username@MYDOMAIN.COM</a>         DEFAULT_PARENT/10.10.x.x text/html</span>
<br>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">what I making out from log is ( I might be wrong) - HTTPS request are going directly instead .</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">attached is my Linux Proxy config-</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">=================</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<span style="font-size:10.0pt;font-family:"Courier New""># Recommended minimum configuration:</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s
<a href="mailto:HTTP/proxy02.abcd.com@ABCD.COM">HTTP/proxy02.abcd.com@ABCD.COM</a> -d</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">auth_param negotiate children 10</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">auth_param negotiate keep_alive on</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">auth_param basic credentialsttl 2 hours</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl ad_auth proxy_auth REQUIRED</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl manager proto cache_object</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl localhost src 127.0.0.1/32 ::1</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Example rule allowing access from your local networks.</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Adapt to list your (internal) IP networks from where browsing</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># should be allowed</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl localnet src 10.0.0.0/8        # RFC1918 possible internal network</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl localnet src 172.16.0.0/12        # RFC1918 possible internal network</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl localnet src 192.168.0.0/16        # RFC1918 possible internal network</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl localnet src fc00::/7       # RFC 4193 local private network range</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl SSL_ports port 443</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 80                # http</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 21                # ftp</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 443                # https</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 70                # gopher</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 210                # wais</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 1025-65535        # unregistered ports</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 280                # http-mgmt</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 488                # gss-http</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 591                # filemaker</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl Safe_ports port 777                # multiling http</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">acl CONNECT method CONNECT</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<span style="font-size:10.0pt;font-family:"Courier New""># Recommended minimum Access Permission configuration:</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<span style="font-size:10.0pt;font-family:"Courier New""># Only allow cachemgr access from localhost</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access allow manager localhost</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access deny manager</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Deny requests to certain unsafe ports</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access deny !Safe_ports</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Deny CONNECT to other than secure SSL ports</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access deny CONNECT !SSL_ports</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># We strongly recommend the following be uncommented to protect innocent</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># web applications running on the proxy server who think the only</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># one who can access services on "localhost" is a local user</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#http_access deny to_localhost</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<span style="font-size:10.0pt;font-family:"Courier New""># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<span style="font-size:10.0pt;font-family:"Courier New"">#</span> <br>
<span style="font-size:10.0pt;font-family:"Courier New""># Example rule allowing access from your local networks.</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Adapt localnet in the ACL section to list your (internal) IP networks</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># from where browsing should be allowed</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#http_access allow localnet</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#http_access allow localhost</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access deny !ad_auth</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access allow ad_auth</span>
<br>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># And finally deny all other access to this proxy</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_access deny all</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Squid normally listens to port 3128</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">http_port 8080</span> <br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">cache_peer xx.xx.2.108 parent 8080 0 default</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#dns_nameservers ABCDNS.ABCD.COM</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">dns_nameservers xx.xx.2.108</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># We recommend you to use at least the following line.</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">#hierarchy_stoplist cgi-bin ?</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Uncomment and adjust the following to add a disk cache directory.</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">cache_dir ufs /var/spool/squid 2048 16 256</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Leave coredumps in the first cache dir</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">coredump_dir /var/spool/squid</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Log forwarding to SysLog</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">access_log syslog:local1.info</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""># Add any of your own refresh_pattern entries above these.</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">refresh_pattern ^ftp:                1440        20%        10080</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">refresh_pattern ^gopher:        1440        0%        1440</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">refresh_pattern -i (/cgi-bin/|\?) 0        0%        0</span>
<br>
<span style="font-size:10.0pt;font-family:"Courier New"">refresh_pattern .                0        20%        4320</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">-======================================</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Thanks & Regards<br>
Nilesh Suresh Gavali<br>
<br>
</span><br>
<br>
<br>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">From:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif""><a href="mailto:squid-users-request@lists.squid-cache.org">squid-users-request@lists.squid-cache.org</a></span>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">To:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif""><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></span>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Date:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">14/06/2016 13:00</span>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Subject:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">squid-users Digest, Vol 22, Issue 62</span>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Sent by:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">"squid-users" <<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@lists.squid-cache.org</a>></span>
<o:p></o:p></p>
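<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">The three access.log lines quoted in the message above are easier to reason about once the fields are named. The checker below is an added example, not code from the thread or from the Squid project. It parses Squid's default native log format (timestamp, elapsed milliseconds, client address, result code/HTTP status, bytes, method, URL, user, hierarchy code/peer, content type), skips the TCP_DENIED/407 challenge lines that Negotiate authentication always produces before the browser sends a token, and lists CONNECT requests whose hierarchy code is DIRECT, which is the pattern the message suspects. The sample lines are constructed to match the quoted tail of each line; the timestamp, elapsed-time and client columns and the parent address 10.10.0.8 are made up, and the HIER_ prefix handling covers the code names Squid 3.2 and later write.</span></p>

```python
"""Spot CONNECT tunnels that bypass a configured parent in Squid's native access.log.

Added example, not code from the mailing-list thread. The log layout is
Squid's default "native" format:
    time elapsed client code/status bytes method URL user hierarchy/peer type
"""
import re
from collections import Counter

# Constructed sample: the post quoted only the tail of each line, so the
# timestamp, elapsed, client and parent-address columns here are invented.
SAMPLE_LOG = """\
1465907160.101     12 10.1.2.3 TCP_DENIED/407 3124 CONNECT sitename:443 - NONE/- text/html
1465907160.402   1003 10.1.2.3 TCP_MISS/503 0 CONNECT sitename:443 username@MYDOMAIN.COM DIRECT/- -
1465907161.015    250 10.1.2.3 TCP_MISS/200 23456 GET http://www.anysite.com/ username@MYDOMAIN.COM DEFAULT_PARENT/10.10.0.8 text/html
1465907162.220     20 10.1.2.3 TCP_DENIED/407 3124 GET http://www.anysite.com/ - NONE/- text/html
"""

NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_native(text):
    """Yield one dict per parsable line; lines in another log format are skipped."""
    for line in text.splitlines():
        m = NATIVE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = int(rec["bytes"])
        # Squid 3.2+ writes HIER_DIRECT / HIER_NONE; 3.1 writes DIRECT / NONE.
        if rec["hier"].startswith("HIER_"):
            rec["hier"] = rec["hier"][len("HIER_"):]
        yield rec


def route_summary(text):
    """Count requests by (method, hierarchy code), ignoring 407 challenges.

    A TCP_DENIED/407 with hierarchy NONE is the proxy asking the browser for
    credentials; no upstream routing decision has been made for it yet.
    """
    counts = Counter()
    for rec in parse_native(text):
        if rec["status"] == 407 and rec["hier"] == "NONE":
            continue
        counts[(rec["method"], rec["hier"])] += 1
    return counts


def connect_bypassing_parent(text):
    """(url, status) for CONNECT requests Squid sent DIRECT, i.e. not through any cache_peer."""
    return [
        (rec["url"], rec["status"])
        for rec in parse_native(text)
        if rec["method"] == "CONNECT" and rec["hier"] == "DIRECT"
    ]


if __name__ == "__main__":
    print(dict(route_summary(SAMPLE_LOG)))
    print(connect_bypassing_parent(SAMPLE_LOG))
```

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Run against a real file with <tt>route_summary(open("/var/log/squid/access.log").read())</tt>. The field after the user name is the one that matters here: DEFAULT_PARENT/&lt;address&gt; means the request was forwarded to the cache_peer, DIRECT/- means Squid opened the connection to the origin itself. A CONNECT logged DIRECT with status 503 on a box that has no direct Internet path is therefore a routing outcome, not an authentication failure (the 407 before it is the normal Negotiate challenge). In squid.conf the directives that decide that outcome are never_direct (an access list that forces matching requests through a peer; "never_direct allow all" forces all of them) and nonhierarchical_direct (on by default, which lets Squid go direct for requests it does not treat as hierarchical even when a default parent is configured).</span></p>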
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" noshade="" style="color:#A0A0A0" align="center">
</div>
<p class="MsoNormal"><br>
<br>
<br>
<tt><span style="font-size:10.0pt">Send squid-users mailing list submissions to</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>                <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
<br>
<tt>To subscribe or unsubscribe via the World Wide Web, visit</tt><br>
<tt>                </tt></span><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><span style="font-size:10.0pt">http://lists.squid-cache.org/listinfo/squid-users</span></tt></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>or, via email, send a message with subject or body 'help' to</tt><br>
<tt>                <a href="mailto:squid-users-request@lists.squid-cache.org">squid-users-request@lists.squid-cache.org</a></tt><br>
<br>
<tt>You can reach the person managing the list at</tt><br>
<tt>                <a href="mailto:squid-users-owner@lists.squid-cache.org">squid-users-owner@lists.squid-cache.org</a></tt><br>
<br>
<tt>When replying, please edit your Subject line so it is more specific</tt><br>
<tt>than "Re: Contents of squid-users digest..."</tt><br>
<br>
<br>
<tt>Today's Topics:</tt><br>
<br>
<tt>  1. Re: Excessive TCP memory usage (Eliezer Croitoru)</tt><br>
<tt>  2. Re: Squid not allowing HTTPS access (Nilesh Gavali)</tt><br>
<tt>  3. Re: Squid not allowing HTTPS access (Antony Stone)</tt><br>
<br>
<br>
<tt>----------------------------------------------------------------------</tt><br>
<br>
<tt>Message: 1</tt><br>
<tt>Date: Tue, 14 Jun 2016 13:21:32 +0300</tt><br>
<tt>From: "Eliezer Croitoru" <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>></tt><br>
<tt>To: "'Deniz Eren'" <<a href="mailto:denizlist@denizeren.net">denizlist@denizeren.net</a>>,</tt><br>
<tt>                <<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>></tt><br>
<tt>Subject: Re: [squid-users] Excessive TCP memory usage</tt><br>
<tt>Message-ID: <<a href="mailto:05c801d1c626$85a97ff0$90fc7fd0$@ngtech.co.il">05c801d1c626$85a97ff0$90fc7fd0$@ngtech.co.il</a>></tt><br>
<tt>Content-Type: text/plain;                 charset="utf-8"</tt><br>
<br>
<tt>Hey,</tt><br>
<br>
<tt>Steps to reproduce are not exactly everything, since squid works fine in many other scenarios.</tt><br>
<tt>I do not know this specific system, but if you are talking about 1-4k open connections it should not be a big problem for many servers.</tt><br>
<tt>The issue at hand is a bit different.</tt><br>
<tt>Have you tried tuning the ipv4\net using sysctl to see if it affects anything?</tt><br>
<tt>What I can offer is to build a tiny ICAP service that will use a 204 on every request and then move on.</tt><br>
<tt>If the same happens with the dummy service it's probably a very bad scenario, and if not then we can try to think</tt><br>
<tt>if there is something unique about your setup.</tt><br>
<br>
<tt>I have not seen this issue in my current testing setup which includes 3.5.19 + ICAP url filtering service.</tt><br>
<br>
<tt>Eliezer</tt><br>
<br>
<tt>----</tt><br>
<tt>Eliezer Croitoru</tt><br>
<tt>Linux System Administrator</tt><br>
<tt>Mobile: +972-5-28704261</tt><br>
<tt>Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a></tt><br>
<br>
<br>
<tt>-----Original Message-----</tt><br>
<tt>From: squid-users [</tt></span><a href="mailto:squid-users-bounces@lists.squid-cache.org"><tt><span style="font-size:10.0pt">mailto:squid-users-bounces@lists.squid-cache.org</span></tt></a><tt><span style="font-size:10.0pt">] On Behalf Of Deniz Eren</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>Sent: Tuesday, June 14, 2016 11:07 AM</tt><br>
<tt>To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
<tt>Subject: Re: [squid-users] Excessive TCP memory usage</tt><br>
<br>
<tt>Little bump :)</tt><br>
<br>
<tt>I have posted a bug report with steps to reproduce. The problem still exists and I am curious whether anyone else is having the same problem, too.</tt><br>
<br>
</span><a href="http://bugs.squid-cache.org/show_bug.cgi?id=4526"><tt><span style="font-size:10.0pt">http://bugs.squid-cache.org/show_bug.cgi?id=4526</span></tt></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>On Wed, May 25, 2016 at 1:18 PM, Deniz Eren <<a href="mailto:denizlist@denizeren.net">denizlist@denizeren.net</a>> wrote:</tt><br>
<tt>> When I listened to connections between squid and icap using tcpdump I </tt><br>
<tt>> saw that after a while icap closes the connection but squid does not, </tt><br>
<tt>> so the connection stays in CLOSE_WAIT state:</tt><br>
<tt>></tt><br>
<tt>> [root@test ~]# tcpdump -i any -n port 34693</tt><br>
<tt>> tcpdump: WARNING: Promiscuous mode not supported on the "any" device</tt><br>
<tt>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</tt><br>
<tt>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes</tt><br>
<tt>> 13:07:31.802238 IP 127.0.0.1.icap > 127.0.0.1.34693: F 2207817997:2207817997(0) ack 710772005 win 395 &lt;nop,nop,timestamp 104616992 104016968&gt;</tt><br>
<tt>> 13:07:31.842186 IP 127.0.0.1.34693 > 127.0.0.1.icap: . ack 1 win 3186 &lt;nop,nop,timestamp 104617032 104616992&gt;</tt><br>
<tt>></tt><br>
<tt>> [root@test ~]# netstat -tulnap|grep 34693</tt><br>
<tt>> tcp   215688      0 127.0.0.1:34693             127.0.0.1:1344             CLOSE_WAIT  19740/(squid-1)</tt><br>
<tt>></tt><br>
<tt>> These CLOSE_WAIT connections do not timeout and stay until squid </tt><br>
<tt>> process is killed.</tt><br>
<tt>></tt><br>
<tt>> 2016-05-25 10:37 GMT+03:00 Deniz Eren <<a href="mailto:denizlist@denizeren.net">denizlist@denizeren.net</a>>:</tt><br>
<tt>>> 2016-05-24 21:47 GMT+03:00 Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>>:</tt><br>
<tt>>>> On 25/05/2016 5:50 a.m., Deniz Eren wrote:</tt><br>
<tt>>>>> Hi,</tt><br>
<tt>>>>></tt><br>
<tt>>>>> After upgrading to squid 3.5.16 I realized that squid started using </tt>
<br>
<tt>>>>> much of kernel's TCP memory.</tt><br>
<tt>>>></tt><br>
<tt>>>> Upgrade from which version?</tt><br>
<tt>>>></tt><br>
<tt>>> Upgrading from squid 3.1.14. I started using c-icap and ssl-bump.</tt><br>
<tt>>></tt><br>
<tt>>>>></tt><br>
<tt>>>>> When squid was running for a long time TCP memory usage is like below:</tt><br>
<tt>>>>> test@test:~$ cat /proc/net/sockstat</tt><br>
<tt>>>>> sockets: used *</tt><br>
<tt>>>>> TCP: inuse * orphan * tw * alloc * mem 200000</tt><br>
<tt>>>>> UDP: inuse * mem *</tt><br>
<tt>>>>> UDPLITE: inuse *</tt><br>
<tt>>>>> RAW: inuse *</tt><br>
<tt>>>>> FRAG: inuse * memory *</tt><br>
<tt>>>>></tt><br>
<tt>>>>> When I restart squid the memory usage drops dramatically:</tt><br>
<tt>>>></tt><br>
<tt>>>> Of course it does. By restarting you just erased all of the </tt><br>
<tt>>>> operational state for an unknown but large number of active network connections.</tt><br>
<tt>>>></tt><br>
<tt>>> That's true, but what I meant was that squid's CLOSE_WAIT connections are </tt><br>
<tt>>> using too much memory and they are not timing out.</tt><br>
<tt>>></tt><br>
<tt>>>> Whether many of those should have been still active or not is a </tt><br>
<tt>>>> different question, the answer to which depends on how you have your </tt><br>
<tt>>>> Squid configured, and what the traffic through it has been doing.</tt><br>
<tt>>>></tt><br>
<tt>>>></tt><br>
<tt>>>>> test@test:~$ cat /proc/net/sockstat</tt><br>
<tt>>>>> sockets: used *</tt><br>
<tt>>>>> TCP: inuse * orphan * tw * alloc * mem 10</tt><br>
<tt>>>>> UDP: inuse * mem *</tt><br>
<tt>>>>> UDPLITE: inuse *</tt><br>
<tt>>>>> RAW: inuse *</tt><br>
<tt>>>>> FRAG: inuse * memory *</tt><br>
<tt>>>>></tt><br>
<tt>>>></tt><br>
<tt>>>> The numbers you replaced with "*" are rather important for context.</tt><br>
<tt>>>></tt><br>
<tt>>>></tt><br>
<tt>>> Today again I saw the problem:</tt><br>
<tt>>></tt><br>
<tt>>> test@test:~$ cat /proc/net/sockstat</tt><br>
<tt>>> sockets: used 1304</tt><br>
<tt>>> TCP: inuse 876 orphan 81 tw 17 alloc 906 mem 29726</tt><br>
<tt>>> UDP: inuse 17 mem 8</tt><br>
<tt>>> UDPLITE: inuse 0</tt><br>
<tt>>> RAW: inuse 1</tt><br>
<tt>>> FRAG: inuse 0 memory 0</tt><br>
<tt>>></tt><br>
<tt>>>>> I'm using Squid 3.5.16.</tt><br>
<tt>>>>></tt><br>
<tt>>>></tt><br>
<tt>>>> Please upgrade to 3.5.19. Some important issues have been resolved. </tt>
<br>
<tt>>>> Some of them may be related to your TCP memory problem.</tt><br>
<tt>>>></tt><br>
<tt>>>></tt><br>
<tt>>> I have upgraded now and problem still exists.</tt><br>
<tt>>></tt><br>
<tt>>>>> When I look with "netstat" and "ss" I see lots of CLOSE_WAIT </tt><br>
<tt>>>>> connections from squid to ICAP or from squid to upstream server.</tt><br>
<tt>>>>></tt><br>
<tt>>>>> Do you have any idea about this problem?</tt><br>
<tt>>>></tt><br>
<tt>>>> Memory use by the TCP system of your kernel has very little to do </tt><br>
<tt>>>> with Squid. Number of sockets in CLOSE_WAIT does have some relation </tt>
<br>
<tt>>>> to Squid or at least to how the traffic going through it is handled.</tt><br>
<tt>>>></tt><br>
<tt>>>> If you have disabled persistent connections in squid.conf then lots </tt>
<br>
<tt>>>> of closed sockets and FD are to be expected.</tt><br>
<tt>>>></tt><br>
<tt>>>> If you have persistent connections enabled, then fewer closures </tt><br>
<tt>>>> should happen. But some will, so expectations depend on how high the </tt><br>
<tt>>>> traffic load is.</tt><br>
<tt>>>></tt><br>
<tt>>> Persistent connection parameters are enabled in my conf; the problem </tt><br>
<tt>>> occurs especially with connections to the c-icap service.</tt><br>
<tt>>></tt><br>
<tt>>> My netstat output is like this:</tt><br>
<tt>>> netstat -tulnap|grep squid|grep CLOSE</tt><br>
<tt>>></tt><br>
<tt>>> tcp   211742      0 127.0.0.1:55751             127.0.0.1:1344             CLOSE_WAIT  17076/(squid-1)</tt><br>
<tt>>> tcp   215700      0 127.0.0.1:55679             127.0.0.1:1344             CLOSE_WAIT  17076/(squid-1)</tt><br>
<tt>>> tcp   215704      0 127.0.0.1:55683             127.0.0.1:1344             CLOSE_WAIT  17076/(squid-1)</tt><br>
<tt>>> ...(hundreds)</tt><br>
<tt>>> Above ones are connections to c-icap service.</tt><br>
<tt>>></tt><br>
<tt>>> netstat -tulnap|grep squid|grep CLOSE</tt><br>
<tt>>> Active Internet connections (servers and established)</tt><br>
<tt>>> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.180:45182         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.2.177:50020         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.2.172:60028         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.180:44049         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.180:55054         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.2.137:52177         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.180:43542         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.155:39489         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.0.147:38939         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.180:38754         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.0.164:39602         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.0.147:54114         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.6.180:57857         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> tcp        1      0 192.168.2.1:8443            192.168.0.156:43482         CLOSE_WAIT  15245/(squid-1)</tt><br>
<tt>>> ...(about 50)</tt><br>
<tt>>> Above ones are connections from https port to client.</tt><br>
<tt>>></tt><br>
<tt>>> As you can see, recv-q for ICAP connections allocates more memory, but </tt><br>
<tt>>> connections from https_port to the upstream server allocate </tt><br>
<tt>>> only one byte.</tt><br>
<tt>>></tt><br>
<tt>>>  What can be done to close these unused connections?</tt><br>
<tt>>></tt><br>
<tt>>> The problem in this thread seems similar:</tt><br>
<tt>>> </tt></span><a href="http://www.squid-cache.org/mail-archive/squid-users/201301/0092.html"><tt><span style="font-size:10.0pt">http://www.squid-cache.org/mail-archive/squid-users/201301/0092.html</span></tt></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>>></tt><br>
<tt>>>> Amos</tt><br>
<tt>>>></tt><br>
</span><span style="font-size:10.0pt;font-family:"Courier New"">
<tt>_______________________________________________</tt><br>
<tt>squid-users mailing list</tt><br>
<tt><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
</span><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><span style="font-size:10.0pt">http://lists.squid-cache.org/listinfo/squid-users</span></tt></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
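A monitoring check for the pattern quoted above, added here as an example (it is not code from the original mail or from the Squid project): it parses unwrapped netstat -tnp output, counts CLOSE_WAIT sockets per local address and owning process, and returns the sockets whose count has reached an alert threshold, so a build-up like the ~50 stuck https_port sockets shows up before the FD table fills. The sample lines are constructed; the ICAP client socket 127.0.0.1:40112 -> 127.0.0.1:1344 and the threshold are assumptions.<br>

```python
"""Flag a CLOSE_WAIT build-up per listening socket from `netstat -tnp` output.
Added example for the leak pattern in the thread above (Squid https_port
sockets stuck in CLOSE_WAIT with Recv-Q 1); not part of the original mail."""
import re
from collections import Counter

# One data line of `netstat -tnp`: proto recv-q send-q local foreign state pid/program
_LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<owner>\S.*)$"
)

# Constructed sample (not captured from the poster's host): the 8443 lines reuse
# addresses and PID from the thread, the ICAP client socket line is assumed.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 192.168.2.1:8443        192.168.6.180:45182     CLOSE_WAIT  15245/(squid-1)
tcp        1      0 192.168.2.1:8443        192.168.2.177:50020     CLOSE_WAIT  15245/(squid-1)
tcp        1      0 192.168.2.1:8443        192.168.2.172:60028     CLOSE_WAIT  15245/(squid-1)
tcp        0      0 192.168.2.1:8443        192.168.0.147:38939     ESTABLISHED 15245/(squid-1)
tcp       73      0 127.0.0.1:40112         127.0.0.1:1344          CLOSE_WAIT  15245/(squid-1)
"""

def parse_netstat(text):
    """Yield one dict per connection line; headers and blank lines are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["recvq"], d["sendq"] = int(d["recvq"]), int(d["sendq"])
            yield d

def close_wait_summary(text):
    """CLOSE_WAIT count and largest Recv-Q per (local address, owning process).
    Recv-Q 1 on CLOSE_WAIT is the usual sign the peer closed and the app did not."""
    counts, max_recvq = Counter(), {}
    for c in parse_netstat(text):
        if c["state"] != "CLOSE_WAIT":
            continue
        key = (c["local"], c["owner"])
        counts[key] += 1
        max_recvq[key] = max(max_recvq.get(key, 0), c["recvq"])
    return {k: {"count": n, "max_recvq": max_recvq[k]} for k, n in counts.items()}

def leaking_sockets(text, threshold=10):
    """Keys whose CLOSE_WAIT count has reached `threshold` (input for an alert)."""
    return sorted(k for k, v in close_wait_summary(text).items()
                  if v["count"] >= threshold)
```

Run it periodically over `netstat -tnp` (or the equivalent `ss -tnp` after adjusting the regex) and alert on the returned keys; the Recv-Q value helps separate the one-byte https_port leak from ICAP sockets that still hold unread data.<br>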
<br>
<br>
<br>
<tt>------------------------------</tt><br>
<br>
<tt>Message: 2</tt><br>
<tt>Date: Tue, 14 Jun 2016 11:36:30 +0100</tt><br>
<tt>From: Nilesh Gavali <<a href="mailto:nilesh.gavali@tcs.com">nilesh.gavali@tcs.com</a>></tt><br>
<tt>To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
<tt>Subject: Re: [squid-users] Squid not allowing HTTPS access</tt><br>
<tt>Message-ID:</tt><br>
<tt>                <<a href="mailto:OF83BE7BF7.92EBA289-ON80257FD2.003A3940-80257FD2.003A455E@tcs.com">OF83BE7BF7.92EBA289-ON80257FD2.003A3940-80257FD2.003A455E@tcs.com</a>></tt><br>
<tt>Content-Type: text/plain; charset="utf-8"</tt><br>
<br>
<tt>Team;</tt><br>
<tt>kindly help with the issue below.</tt><br>
<br>
<tt>Thanks & Regards</tt><br>
<tt>Nilesh Suresh Gavali</tt><br>
<br>
<br>
<br>
<tt>From:   Nilesh Gavali/MUM/TCS</tt><br>
<tt>To:     <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
<tt>Date:   13/06/2016 14:00</tt><br>
<tt>Subject:        Squid not allowing HTTPS access</tt><br>
<br>
<br>
<br>
<tt>Hello All;</tt><br>
<tt>Facing an issue while accessing HTTPS via squid; normal http traffic is working </tt><br>
<tt>fine. I have squid 3.1.10 on RHEL.6.0</tt><br>
<br>
<tt>attached is my squid.conf for your reference; help will be much </tt><br>
<tt>appreciated.</tt><br>
<br>
<br>
<br>
<tt>Thanks & Regards</tt><br>
<tt>Nilesh Suresh Gavali</tt><br>
<tt>=====-----=====-----=====</tt><br>
<tt>Notice: The information contained in this e-mail</tt><br>
<tt>message and/or attachments to it may contain </tt><br>
<tt>confidential or privileged information. If you are </tt><br>
<tt>not the intended recipient, any dissemination, use, </tt><br>
<tt>review, distribution, printing or copying of the </tt><br>
<tt>information contained in this e-mail message </tt><br>
<tt>and/or attachments to it are strictly prohibited. If </tt><br>
<tt>you have received this communication in error, </tt><br>
<tt>please notify us by reply e-mail or telephone and </tt><br>
<tt>immediately and permanently delete the message </tt><br>
<tt>and any attachments. Thank you</tt><br>
<br>
<br>
<tt>-------------- next part --------------</tt><br>
<tt>An HTML attachment was scrubbed...</tt><br>
<tt>URL: <</tt></span><a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/79185c58/attachment-0001.html"><tt><span style="font-size:10.0pt">http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/79185c58/attachment-0001.html</span></tt></a><tt><span style="font-size:10.0pt">></span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>-------------- next part --------------</tt><br>
<tt>A non-text attachment was scrubbed...</tt><br>
<tt>Name: squid.conf</tt><br>
<tt>Type: application/octet-stream</tt><br>
<tt>Size: 3149 bytes</tt><br>
<tt>Desc: not available</tt><br>
<tt>URL: <</tt></span><a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/79185c58/attachment-0001.obj"><tt><span style="font-size:10.0pt">http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/79185c58/attachment-0001.obj</span></tt></a><tt><span style="font-size:10.0pt">></span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>------------------------------</tt><br>
<br>
<tt>Message: 3</tt><br>
<tt>Date: Tue, 14 Jun 2016 12:40:14 +0200</tt><br>
<tt>From: Antony Stone <<a href="mailto:Antony.Stone@squid.open.source.it">Antony.Stone@squid.open.source.it</a>></tt><br>
<tt>To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
<tt>Subject: Re: [squid-users] Squid not allowing HTTPS access</tt><br>
<tt>Message-ID: <<a href="mailto:201606141240.15034.Antony.Stone@squid.open.source.it">201606141240.15034.Antony.Stone@squid.open.source.it</a>></tt><br>
<tt>Content-Type: Text/Plain;  charset="iso-8859-15"</tt><br>
<br>
<tt>On Tuesday 14 June 2016 at 12:36:30, Nilesh Gavali wrote:</tt><br>
<br>
<tt>> Team;</tt><br>
<tt>> kindly help on below issue.</tt><br>
<br>
<tt>Nilesh:</tt><br>
<tt>kindly respond to my reply below.</tt><br>
<br>
<tt>On Monday 13 June 2016 at 15:26:22, Antony Stone wrote:</tt><br>
<br>
<tt>> On Monday 13 June 2016 at 15:01:02, Nilesh Gavali wrote:</tt><br>
<tt>> > Facing issue while accessing HTTPS via squid, normal http traffic working</tt><br>
<tt>> > fine.</tt><br>
<tt>> </tt><br>
<tt>> Please define "issue", with as much detail as possible:</tt><br>
<tt>> </tt><br>
<tt>>  - what exactly are you trying to do when a problem occurs?</tt><br>
<tt>> </tt><br>
<tt>>  - have you previously been able to do this without the problem occurring? </tt><br>
<tt>> If so, what has changed between then and now (different squid config,</tt><br>
<tt>> different squid version, different browser...)?</tt><br>
<tt>> </tt><br>
<tt>>  - what is the actual problem (what error message is displayed, if there is</tt><br>
<tt>> one)?</tt><br>
<tt>> </tt><br>
<tt>>  - what appears in your access.log when the problem occurs?</tt><br>
<tt>> </tt><br>
<tt>>  - any other information you think might be relevant to us in working out</tt><br>
<tt>> what's happening on your network?</tt><br>
<tt>> </tt><br>
<tt>> > I have squid 3.1.10 on RHEL.6.0</tt><br>
<tt>> </tt><br>
<tt>> For HTTPS traffic in particular you are strongly advised to upgrade.</tt><br>
<tt>> </tt><br>
<tt>> </tt><br>
<tt>> Regards,</tt><br>
<tt>> </tt><br>
<tt>> Antony.</tt><br>
<br>
<tt>-- </tt><br>
<tt>All generalisations are inaccurate.</tt><br>
<br>
<tt>                                                  Please reply to the list;</tt><br>
<tt>                                                        please *don't* CC me.</tt><br>
<br>
<br>
<tt>------------------------------</tt><br>
<br>
<tt>Subject: Digest Footer</tt><br>
<br>
<tt>_______________________________________________</tt><br>
<tt>squid-users mailing list</tt><br>
<tt><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></tt><br>
</span><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><span style="font-size:10.0pt">http://lists.squid-cache.org/listinfo/squid-users</span></tt></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<br>
<tt>------------------------------</tt><br>
<br>
<tt>End of squid-users Digest, Vol 22, Issue 62</tt><br>
<tt>*******************************************</tt><br>
</span><br>
<br>
______________________________________________________________________<br>
This email has been scanned by the Symantec Email Security.cloud service.<br>
For more information please visit <a href="http://www.symanteccloud.com">http://www.symanteccloud.com</a><br>
______________________________________________________________________<o:p></o:p></p>
</div>
<br clear="both">
</body>
</html>