<div dir="ltr">Hello,<div><br></div><div>I am sorry to interrupt the conversation, but in my opinion, the ACL used in the policy is fast, as stated in the documentation (<a href="https://www.squid-cache.org/Doc/config/acl/">https://www.squid-cache.org/Doc/config/acl/</a>):</div><div><pre style="font-family:courier;padding:15px;color:rgb(30,30,30);font-size:12px">acl aclname dstdomain [-n] .foo.com ...
          # Destination server from URL [fast]</pre></div><div>So the configuration is reliable.</div><div>Alex, maybe there are other factors that I'm not considering?<br></div><div><br></div><div>Kind regards,</div><div>Ankor.</div><div><br></div><div><span class="gmail-im" style="color:rgb(80,0,80)">>> # Google via ISP2<br>>> acl google dstdomain .google.com<br>>> tcp_outgoing_address REAL_IP_ISP2 google<br><br></span>> Please note that the above configuration usually "works" but is<br>> unreliable and unsupported: tcp_outgoing_address directive does not<br>> support slow ACLs and your ACL named google is a slow ACL.<br></div><div><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Mon, 23 Dec 2024 at 14:33, A. Pechenin <<a href="mailto:alexmrrc@gmail.com">alexmrrc@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">
<div><span lang="en"><span><span>Unfortunately, there is no greater clarity in the practical application of the techniques used in the topics you have provided.</span></span></span></div><div>I would be grateful for practice specifically in my case for a better understanding of the work.</div>

</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Mon, 23 Dec 2024 at 00:42, Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2024-12-22 15:13, A. Pechenin wrote:<br>
> could you please explain in more detail and in my case what needs to <br>
> be added to "strengthen and ensure" the operation of my solution?<br>
<br>
Do Q2 and Q3 at [1] help? If not, I hope that others can guide you <br>
through using a never-matching http_access rule and annotate_transaction <br>
ACL side effects to improve reliability of your current configuration.<br>
<br>
[1] <br>
<a href="https://lists.squid-cache.org/pipermail/squid-dev/2021-January/009643.html" rel="noreferrer" target="_blank">https://lists.squid-cache.org/pipermail/squid-dev/2021-January/009643.html</a><br>
<br>
<br>
BTW, more about transaction annotations is available at<br>
<a href="https://lists.squid-cache.org/pipermail/squid-users/2023-April/025784.html" rel="noreferrer" target="_blank">https://lists.squid-cache.org/pipermail/squid-users/2023-April/025784.html</a><br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
<br>
> Sun, 22 Dec 2024 at 22:47, Alex Rousskov <br>
> <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>>:<br>
> <br>
>     On 2024-12-22 08:13, A. Pechenin wrote:<br>
>      > The reason and solution were not simple and obvious at first glance.<br>
>      > I have two providers accessing the gateway, the main and backup<br>
>      > channels, and automatic switching is configured when the connection on<br>
>      > the main channel is lost.<br>
>      > To check, I switched the proxy server to the second channel and the<br>
>      > problem with partial unavailability of Google services was solved.<br>
>      ><br>
>      > I returned it back, used a simple formula in the configuration file with<br>
>      > subsequent partial adjustment of ipfw.<br>
> <br>
>     Glad you found a solution! Diagnosing problems related to CONNECT<br>
>     tunnels is difficult because Squid (playing a role of a dumb TCP relay)<br>
>     is often unaware of problems experienced by clients and origin servers.<br>
> <br>
> <br>
>      > # Google via ISP2<br>
>      > acl google dstdomain .google.com<br>
>      > tcp_outgoing_address REAL_IP_ISP2 google<br>
> <br>
>     Please note that the above configuration usually "works" but is<br>
>     unreliable and unsupported: tcp_outgoing_address directive does not<br>
>     support slow ACLs and your ACL named google is a slow ACL.<br>
> <br>
>     For a more reliable solution, consider annotating google-matching<br>
>     transaction at http_access check time and then using those annotations<br>
>     at tcp_outgoing_address check time. For a somewhat related example, look<br>
>     for "markSpecial" in squid.conf.documented or search this mailing list<br>
>     archives for annotate_transaction discussions.<br>
> <br>
> <br>
>     HTH,<br>
> <br>
>     Alex.<br>
> <br>
> <br>
>      > Sat, 21 Dec 2024 at 20:26, A. Pechenin <<a href="mailto:alexmrrc@gmail.com" target="_blank">alexmrrc@gmail.com</a>>:<br>
>      ><br>
>      >     This week, when connecting users through a proxy server, some Google<br>
>      >     services became inaccessible, such as Calendar, Translator, user<br>
>      >     profile.<br>
>      ><br>
>      >     When clicking on the services section in the browser on the Google<br>
>      >     portal, the page does not open and then a connection error is<br>
>      >     displayed. When directly going to the calendar section, the<br>
>      >     connection also hangs for a long time without loading the page. At<br>
>      >     the same time, the Google home page, mail, search work.<br>
>      ><br>
>      >     Transparent proxying is not used.<br>
>      >     Viewing the proxy server logs did not add any understanding, all<br>
>      >     requests are processed correctly and no errors or prohibitions are<br>
>      >     observed. There are no other problems with the unavailability of any<br>
>      >     sites.<br>
>      ><br>
>      >     When connecting directly (bypassing the proxy server), all Google<br>
>      >     services work completely correctly.<br>
>      >     The platform on which the problem was suddenly discovered:<br>
>      >     FreeBSD 13.2-RELEASE-p9<br>
>      >     Squid 6.6<br>
>      ><br>
>      >     A new separate server was deployed for objectivity and finding the<br>
>      >     cause, but the problem was also reproduced there, its platform.<br>
>      >     FreeBSD 13.4-RELEASE-p2<br>
>      >     Squid 6.10<br>
>      ><br>
>      >     I tried using the default configuration file (recommended minimum<br>
>      >     configuration) to eliminate the problem in my working squid.conf,<br>
>      >     but the problem remained<br>
>      ><br>
>      >     I repeat, the problem reproduced suddenly, no changes were made to<br>
>      >     the proxy server configuration on our side, no problems with Google<br>
>      >     have arisen for many years. What should I pay attention to in the<br>
>      >     Squid configuration? Any idea<br>
>      ><br>
>      ><br>
>      > _______________________________________________<br>
>      > squid-users mailing list<br>
>      > <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
>     <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
>      > <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
>     <<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a>><br>
> <br>
> <br>
<br>
</blockquote></div>
</blockquote></div>
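Added example, not part of the original thread and not written by any of its participants: a squid.conf fragment for the approach Alex Rousskov describes above, where a never-matching http_access rule annotates google-matching transactions and tcp_outgoing_address then tests the annotation. The ACL names markGoogle and viaIsp2 and the annotation route=isp2 are assumptions; REAL_IP_ISP2 is the thread's own placeholder.

```squidconf
# Added example, not from the thread. Assumed names: markGoogle, viaIsp2,
# and the annotation key/value route=isp2. REAL_IP_ISP2 is the thread's
# placeholder for the second provider's address.

# Destination ACL from the original configuration.
acl google dstdomain .google.com

# annotate_transaction always matches; it is used for its side effect of
# adding route=isp2 to the current master transaction.
acl markGoogle annotate_transaction route=isp2

# note tests an annotation that is already attached to the transaction,
# so it needs no lookups when tcp_outgoing_address is evaluated.
acl viaIsp2 note route isp2

# Never-matching rule: ACLs on a line are evaluated left to right, so
# markGoogle runs only when google matched, and the trailing !all ensures
# the rule itself never matches. Keep it above the first http_access rule
# that could match these requests, because http_access stops at the first
# matching rule.
http_access deny google markGoogle !all

# ... the existing http_access allow/deny rules follow unchanged ...

# Select the outgoing address from the annotation instead of the
# destination ACL.
tcp_outgoing_address REAL_IP_ISP2 viaIsp2
```

Running squid -k parse checks the syntax before a reload, and adding %note to a logformat shows whether route=isp2 was attached to a given transaction.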