<div dir="auto">What version of Amazon Linux are you using? 1 or 2?<div dir="auto">2 has support for Squid 4.17.</div><div dir="auto">There are a couple of options regarding these resets, and not all of them are on the Squid side.</div><div dir="auto"><br></div><div dir="auto">Eliezer </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 27 Jan 2022, 5:59, Usama Mehboob <<a href="mailto:musamamehboob@gmail.com">musamamehboob@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi, I have Squid 3.5 running on Amazon Linux and it works fine for
the most part, but sometimes I see logs from my clients' web app
saying connection timeout, etc. Upon checking the cache logs, I see
these statements. <br></div><div><br></div><div><br></div>2022/01/23 03:10:01| Set Current Directory to /var/spool/squid<br>2022/01/23 03:10:01| storeDirWriteCleanLogs: Starting...<br>2022/01/23 03:10:01| Finished. Wrote 0 entries.<br>2022/01/23 03:10:01| Took 0.00 seconds ( 0.00 entries/sec).<br>2022/01/23 03:10:01| logfileRotate: daemon:/var/log/squid/access.log<br>2022/01/23 03:10:01| logfileRotate: daemon:/var/log/squid/access.log<br>2022/01/23 10:45:52| Error negotiating SSL connection on FD 170: (104) Connection reset by peer<br>2022/01/23 12:14:07| Error negotiating SSL on FD 139: error:00000000:lib(0):func(0):reason(0) (5/-1/104)<br>2022/01/23 12:14:07| Error negotiating SSL connection on FD 409: (104) Connection reset by peer<br><div>2022/01/25 01:12:04| Error negotiating SSL connection on FD 24: (104) Connection reset by peer</div><div><br></div><div><br></div><div><br></div><div>I
am not sure what is causing it. Is it because Squid is running out of
gas? My instance has 16 GB of RAM and 4 vCPUs. I am using SSL Bump to use
Squid as a transparent proxy within an AWS VPC.<br><br></div><div>Below is the config file<br></div><div>--------------ConfigFile-----------------------------------------<br><br>visible_hostname squid<br><br>#<br># Recommended minimum configuration:<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br>acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br>acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br>acl localnet src fc00::/7 # RFC 4193 local private network range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br><br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>###acl Safe_ports port 21 # ftp testing after blocking itp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br><br>#<br># Recommended minimum Access Permission configuration:<br>#<br># Deny requests to certain unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br>#http_access allow CONNECT SSL_ports<br><br># Only allow cachemgr access from localhost<br>http_access allow localhost manager<br>http_access deny manager<br><br># We strongly recommend the following be uncommented to protect innocent<br># web applications running on the proxy server who think the only<br># one who can access services on "localhost" is a local user<br>#http_access deny to_localhost<br><br>#<br># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt localnet in the ACL section to list your (internal) IP networks<br># from where browsing should be allowed<br><br># And finally deny all other access to this proxy<br><br># Squid normally listens to port 3128<br>#http_port 3128<br>http_port 3129 intercept<br>https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept<br>http_access allow SSL_ports #-- this allows every https website<br>acl step1 at_step SslBump1<br>acl step2 at_step SslBump2<br>acl step3 at_step SslBump3<br>ssl_bump peek step1 all<br><br># Deny requests to proxy instance metadata<br>acl instance_metadata dst 169.254.169.254<br>http_access deny instance_metadata<br><br># Filter HTTP Only requests based on the whitelist<br>#acl allowed_http_only dstdomain .veevasourcedev.com .google.com .pypi.org .youtube.com<br>#acl allowed_http_only dstdomain .amazonaws.com<br>#acl allowed_http_only dstdomain .veevanetwork.com .veevacrm.com .veevacrmdi.com .veeva.com .veevavault.com .vaultdev.com .veevacrmqa.com<br>#acl allowed_http_only dstdomain .documentforce.com .sforce.com .force.com .forceusercontent.com .force-user-content.com .lightning.com .salesforce.com .salesforceliveagent.com .salesforce-communities.com .salesforce-experience.com .salesforce-hub.com .salesforce-scrt.com .salesforce-sites.com .site.com .sfdcopens.com .sfdc.sh .trailblazer.me .trailhead.com .visualforce.com<br><br><br># Filter HTTPS requests based on the whitelist<br>acl allowed_https_sites ssl::server_name .pypi.org .pythonhosted.org .tfhub.dev .gstatic.com .googleapis.com<br>acl allowed_https_sites ssl::server_name .amazonaws.com<br>acl allowed_https_sites ssl::server_name .documentforce.com .sforce.com .force.com .forceusercontent.com .force-user-content.com .lightning.com .salesforce.com .salesforceliveagent.com .salesforce-communities.com .salesforce-experience.com .salesforce-hub.com .salesforce-scrt.com .salesforce-sites.com .site.com .sfdcopens.com .sfdc.sh .trailblazer.me .trailhead.com .visualforce.com<br>ssl_bump peek step2 allowed_https_sites<br>ssl_bump splice step3 allowed_https_sites<br>ssl_bump terminate step2 all<br><br><br>connect_timeout 60 minute<br>read_timeout 60 minute<br>write_timeout 60 minute<br>request_timeout 60 minute<br><br>## http filtering ###<br>#http_access allow localnet allowed_http_only<br>#http_access allow localhost allowed_http_only<br>http_access allow localnet allowed_https_sites<br>http_access allow localhost allowed_https_sites<br># And finally deny all other access to this proxy<br>http_access deny all<br><br># Uncomment and adjust the following to add a disk cache directory.<br>#cache_dir ufs /var/spool/squid 100 16 256<br><br># Leave coredumps in the first cache dir<br>coredump_dir /var/spool/squid<br><br>#<br># Add any of your own refresh_pattern entries above these.<br>#<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br>------------------------------------------------------------------------------------<br></div><div>I would appreciate any help; I have been struggling with it for the last week. It is hard to reproduce and happens randomly, and re-running the failed job goes through to success at times. Thanks<br></div></div>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
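To line the cache.log resets up against the web app's own timeout reports, a small parser for the two "Error negotiating SSL" line shapes quoted in the post, bucketing failures by hour and by errno. This is an added example, not code from the thread or from Squid; the sample lines are constructed from those quoted above, and the trailing triple in the second shape is read here as SSL_get_error()/return value/errno.

```python
"""Summarise Squid cache.log TLS negotiation failures (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Squid prefixes every cache.log line with "YYYY/MM/DD HH:MM:SS| ".
_TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
# Shape 1: "... SSL connection on FD 170: (104) Connection reset by peer"
_SYSCALL = re.compile(_TS + r"Error negotiating SSL connection on FD (?P<fd>\d+): "
                      r"\((?P<errno>\d+)\) (?P<msg>.+)$")
# Shape 2: "... SSL on FD 139: error:00000000:lib(0):func(0):reason(0) (5/-1/104)"
# The triple is taken to be SSL_get_error()/return value/errno (assumption).
_LIBRARY = re.compile(_TS + r"Error negotiating SSL on FD (?P<fd>\d+): (?P<msg>\S+) "
                      r"\((?P<ssl_err>-?\d+)/(?P<ret>-?\d+)/(?P<errno>\d+)\)$")

@dataclass(frozen=True)
class TlsFailure:
    ts: str
    fd: int
    errno: int
    detail: str

def parse_line(line: str) -> Optional[TlsFailure]:
    """Return a TlsFailure for either error shape, None for any other line."""
    for rx in (_SYSCALL, _LIBRARY):
        m = rx.match(line.strip())
        if m:
            return TlsFailure(m["ts"], int(m["fd"]), int(m["errno"]), m["msg"])
    return None

def summarize(lines: Iterable[str]):
    """Count failures per hour and per errno; rotation and other noise is skipped."""
    per_hour, per_errno = Counter(), Counter()
    for line in lines:
        f = parse_line(line)
        if f:
            per_hour[f.ts[:13]] += 1   # "YYYY/MM/DD HH"
            per_errno[f.errno] += 1    # 104 == ECONNRESET
    return per_hour, per_errno

# Constructed sample, following the lines quoted in the post.
SAMPLE = """\
2022/01/23 03:10:01| logfileRotate: daemon:/var/log/squid/access.log
2022/01/23 10:45:52| Error negotiating SSL connection on FD 170: (104) Connection reset by peer
2022/01/23 12:14:07| Error negotiating SSL on FD 139: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
2022/01/23 12:14:07| Error negotiating SSL connection on FD 409: (104) Connection reset by peer
2022/01/25 01:12:04| Error negotiating SSL connection on FD 24: (104) Connection reset by peer
""".splitlines()

if __name__ == "__main__":
    hours, errnos = summarize(SAMPLE)
    for hour, n in sorted(hours.items()):
        print(f"{hour}:00  {n} TLS negotiation failure(s)")
    print("by errno:", dict(errnos))
```

Run it against the real file with `summarize(open("/var/log/squid/cache.log"))`; an hour bucket that spikes while the web app reports timeouts is the one worth correlating with client-side captures.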