<div dir="auto">Hey Amish,<div dir="auto"><br></div><div dir="auto">I want to replicate this issue on a local vm.</div><div dir="auto">Can you give us some details on the version of arch and the relevant settings for recreating the issue?</div><div dir="auto">How did you installed arch and also squid?</div><div dir="auto"><br></div><div dir="auto">Thanks,</div><div dir="auto">Eliezer </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">בתאריך יום ב׳, 18 בדצמ׳ 2023, 16:36, מאת Amish <<a href="mailto:anon.amish@gmail.com">anon.amish@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I use Arch Linux and today I updated squid from squid 5.7 to squid 6.6.<br>
<br>
After the update from 5.7 to 6.6, squid starts but then reaches Dead <br>
state in a minute or two.<br>
<br>
# ps aux | grep squid<br>
root 601 0.0 0.2 73816 22528 ? Ss 12:59 0:02 <br>
/usr/bin/squid -f /etc/squid/btnet/squid.btnet.conf --foreground -sYC<br>
proxy 604 0.0 0.0 0 0 ? D 12:59 0:03 [squid]<br>
proxy 607 0.0 0.0 11976 7424 ? S 12:59 0:00 <br>
(security_file_certgen) -s /var/cache/squid/ssl_db -M 4MB<br>
proxy 608 0.0 0.0 11976 7168 ? S 12:59 0:00 <br>
(security_file_certgen) -s /var/cache/squid/ssl_db -M 4MB<br>
proxy 609 0.0 0.0 11712 5632 ? S 12:59 0:00 <br>
(security_file_certgen) -s /var/cache/squid/ssl_db -M 4MB<br>
proxy 610 0.0 0.0 11712 5376 ? S 12:59 0:00 <br>
(security_file_certgen) -s /var/cache/squid/ssl_db -M 4MB<br>
proxy 611 0.0 0.0 11712 5504 ? S 12:59 0:00 <br>
(security_file_certgen) -s /var/cache/squid/ssl_db -M 4MB<br>
proxy 622 0.0 0.0 6116 3200 ? S 12:59 0:00 <br>
(logfile-daemon) /var/log/squid/access.log<br>
<br>
And then all requests get stuck. Notice the D (dead) state of squid.<br>
<br>
I use multiple ports for multiple purposes. (It all worked fine in squid <br>
5.7)<br>
<br>
Dec 18 12:59:10 mumbai squid[601]: Starting Authentication on port [::]:3128<br>
Dec 18 12:59:10 mumbai squid[601]: Disabling Authentication on port <br>
[::]:3128 (interception enabled)<br>
Dec 18 12:59:10 mumbai squid[601]: Starting Authentication on port [::]:8081<br>
Dec 18 12:59:10 mumbai squid[601]: Disabling Authentication on port <br>
[::]:8081 (interception enabled)<br>
Dec 18 12:59:12 mumbai squid[601]: Starting Authentication on port [::]:8082<br>
Dec 18 12:59:12 mumbai squid[601]: Disabling Authentication on port <br>
[::]:8082 (interception enabled)<br>
Dec 18 12:59:12 mumbai squid[601]: Starting Authentication on port [::]:8083<br>
Dec 18 12:59:12 mumbai squid[601]: Disabling Authentication on port <br>
[::]:8083 (interception enabled)<br>
Dec 18 12:59:13 mumbai squid[601]: Starting Authentication on port [::]:8084<br>
Dec 18 12:59:13 mumbai squid[601]: Disabling Authentication on port <br>
[::]:8084 (interception enabled)<br>
Dec 18 12:59:13 mumbai squid[601]: Starting Authentication on port [::]:3136<br>
Dec 18 12:59:13 mumbai squid[601]: Disabling Authentication on port <br>
[::]:3136 (interception enabled)<br>
Dec 18 12:59:13 mumbai squid[601]: Starting Authentication on port [::]:3137<br>
Dec 18 12:59:13 mumbai squid[601]: Disabling Authentication on port <br>
[::]:3137 (interception enabled)<br>
...<br>
Dec 18 12:59:29 mumbai squid[604]: Adaptation support is on<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted HTTP Socket <br>
connections at conn19 local=[::]:3128 remote=[::] FD 27 flags=41<br>
listening port: 3128<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting SSL bumped HTTP Socket <br>
connections at conn21 local=[::]:8080 remote=[::] FD 28 flags=9<br>
listening port: 8080<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted SSL bumped <br>
HTTPS Socket connections at conn23 local=[::]:8081 remote=[::] FD 29 <br>
flags=41<br>
listening port: 8081<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting SSL bumped HTTP Socket <br>
connections at conn25 local=[::]:8092 remote=[::] FD 30 flags=9<br>
listening port: 8092<br>
Dec 18 12:59:29 mumbai systemd[1]: Started Squid Web Proxy Server.<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting SSL bumped HTTP Socket <br>
connections at conn27 local=[::]:8093 remote=[::] FD 31 flags=9<br>
listening port: 8093<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting SSL bumped HTTP Socket <br>
connections at conn29 local=[::]:8094 remote=[::] FD 32 flags=9<br>
listening port: 8094<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted SSL bumped <br>
HTTPS Socket connections at conn31 local=[::]:8082 remote=[::] FD 33 <br>
flags=41<br>
listening port: 8082<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted SSL bumped <br>
HTTPS Socket connections at conn33 local=[::]:8083 remote=[::] FD 34 <br>
flags=41<br>
listening port: 8083<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted SSL bumped <br>
HTTPS Socket connections at conn35 local=[::]:8084 remote=[::] FD 35 <br>
flags=41<br>
listening port: 8084<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted HTTP Socket <br>
connections at conn37 local=[::]:3136 remote=[::] FD 36 flags=41<br>
listening port: 3136<br>
Dec 18 12:59:29 mumbai squid[604]: Accepting NAT intercepted HTTP Socket <br>
connections at conn39 local=[::]:3137 remote=[::] FD 37 flags=41<br>
listening port: 3137<br>
<br>
And then following errors came:<br>
<br>
<br>
Dec 18 12:59:45 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn41 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.111:53867" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53867</a> <br>
FD 12 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: master53<br>
Dec 18 12:59:45 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn42 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.111:53868" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53868</a> <br>
FD 14 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: master53<br>
Dec 18 12:59:45 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn43 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.111:53869" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53869</a> <br>
FD 16 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: master57<br>
Dec 18 12:59:45 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn44 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.111:53870" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53870</a> <br>
FD 12 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: master57<br>
Dec 18 12:59:56 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn62 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.111:53887" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53887</a> <br>
FD 12 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: master95<br>
Dec 18 12:59:59 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn64 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.111:53888" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53888</a> <br>
FD 12 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: master99<br>
Dec 18 13:00:02 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn65 local=<a href="http://192.168.0.1:8080" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8080</a> remote=<a href="http://192.168.0.178:56115" rel="noreferrer noreferrer" target="_blank">192.168.0.178:56115</a> <br>
FD 12 flags=1: SQUID_TLS<br>
_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>
current master transaction: master53<br>
Dec 18 13:01:24 mumbai squid[604]: kick abandoning conn199 <br>
local=<a href="http://192.168.0.1:8093" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8093</a> remote=<a href="http://192.168.0.101:52211" rel="noreferrer noreferrer" target="_blank">192.168.0.101:52211</a> FD 52 flags=1<br>
connection: conn199 <br>
local=<a href="http://192.168.0.1:8093" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8093</a> remote=<a href="http://192.168.0.101:52211" rel="noreferrer noreferrer" target="_blank">192.168.0.101:52211</a> FD 52 flags=1<br>
Dec 18 13:01:45 mumbai squid[604]: ERROR: failure while accepting a TLS <br>
connection on conn240 local=<a href="http://192.168.0.1:8093" rel="noreferrer noreferrer" target="_blank">192.168.0.1:8093</a> remote=<a href="http://192.168.0.111:53931" rel="noreferrer noreferrer" target="_blank">192.168.0.111:53931</a> <br>
FD 48 flags=1: SQUID_TL<br>
S_ERR_ACCEPT+TLS_LIB_ERR=A000416+TLS_IO_ERR=1<br>
current master transaction: <br>
master314<br>
<br>
<br>
After this point there is nothing in systemd journal (via: journalctl -f <br>
-u squid) and same lines are in cache.log.<br>
<br>
Squid got stuck (DEAD state) at 13:01 and right now it 19:26 (6 hours <br>
passed) and squid is still in dead state.<br>
<br>
kill -9 or kill -ALRM or -HUP also does nothing.<br>
<br>
So to restart squid - I will need to restart whole system.<br>
<br>
I have sslbump directives but it is not really applied.<br>
<br>
#NOTE: nosslbump_ips below contains <a href="http://192.168.0.0/24" rel="noreferrer noreferrer" target="_blank">192.168.0.0/24</a> (whole LAN) so <br>
effectively there is no SSL bump after step1.<br>
<br>
acl nosslbump_ips src <a href="http://192.168.0.0/24" rel="noreferrer noreferrer" target="_blank">192.168.0.0/24</a><br>
ssl_bump splice ssl_step1 nosslbump_ips<br>
ssl_bump peek ssl_step1<br>
ssl_bump splice nosslbump_domains<br>
ssl_bump stare sslbump_domains<br>
ssl_bump splice ssl_step2<br>
ssl_bump bump all<br>
<br>
<br>
Any idea? If anything changed from 5.7 to 6.6 that may cause this behaviour?<br>
<br>
Looking at changelog:<br>
<br>
Bug 5256: Intercepting port fails to accept<br>
<a href="https://bugs.squid-cache.org/show_bug.cgi?id=5256" rel="noreferrer noreferrer" target="_blank">https://bugs.squid-cache.org/show_bug.cgi?id=5256</a><br>
<br>
Bug 5154: Do not open IPv6 sockets when IPv6 is disabled<br>
<a href="https://bugs.squid-cache.org/show_bug.cgi?id=5154" rel="noreferrer noreferrer" target="_blank">https://bugs.squid-cache.org/show_bug.cgi?id=5154</a><br>
<br>
Not sure if above two bug FIXES (in between v5.7 to v6.6) are related to <br>
my issue.<br>
<br>
I ran netstat:<br>
<br>
# netstat -ntlp<br>
Active Internet connections (only servers)<br>
Proto Recv-Q Send-Q Local Address Foreign Address <br>
State PID/Program name<br>
...<br>
tcp6 33 0 :::3137 :::* LISTEN -<br>
tcp6 0 0 :::3136 :::* LISTEN -<br>
tcp6 4 0 :::3128 :::* LISTEN -<br>
tcp6 0 0 :::8081 :::* LISTEN -<br>
tcp6 0 0 :::8080 :::* LISTEN -<br>
tcp6 0 0 :::8083 :::* LISTEN -<br>
tcp6 0 0 :::8082 :::* LISTEN -<br>
tcp6 0 0 :::8084 :::* LISTEN -<br>
tcp6 4097 0 :::8093 :::* LISTEN -<br>
tcp6 0 0 :::8092 :::* LISTEN -<br>
tcp6 0 0 :::8094 :::* LISTEN -<br>
...<br>
<br>
I do not have IPv6 enabled, yet there are 33 and 4097 numbers in Recv-Q <br>
and also no process/PID owns these ports.<br>
<br>
Same IPv4 ports are not shown in use by netstat, so only IPv6 ports <br>
remain open, that too orphaned!<br>
<br>
So what is happening?<br>
<br>
Any idea to solve or any workaround?<br>
<br>
Thank you,<br>
<br>
Amish.<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>