[squid-users] Strange Interaction between Squid and Facebook
Eliezer Croitoru
eliezer at ngtech.co.il
Fri Oct 30 02:09:17 UTC 2015
Hey Patrick,
Thanks for clearing the picture out.
Since it's HTTPS traffic it will might be a bit difficult to debug.
I wanted to notify you that squid 3.5.10 is suffering from some bugs but
it is very hard for me to actually find this specific issue meet any of
the know bugs else then one bug(something with ssl-bump).
One thing I can think of in this scenario in order to maybe somehow
change how things are would be to use a second proxy just for the test.
If you can run another proxy on a tiny VM with another IP on the same DC
as the existing one it would narrow down couple things.
If it works OK with squid default conf file then try to assign the IP of
the problematic proxy to the new one.
If it works with the same IP it's an issue with something in the proxy
setup or the conf.
Another approach would be to use the secondary DC proxy as a cache_peer
of the primary DC proxy to verify if it affects the traffic in a similar
way.
--
In the first post you have mentioned this link:
http://wiki.squid-cache.org/ConfigExamples/SmpCarpCluster
This specific example was intended for caching optimization or something
similar.
Since your case involves CONNECT requests which cannot be cached anyway
and also this CARP has certain limitations I would first try to simplify
the setup into a no-disk RAM only cache with couple workers rather then
multi workers peering.
The CARP example actually limits the whole service to the frontend
capabilities and there for it's recommended to not use it if possible.
Try a default squid.conf if possible.
Since the issue can be reproduced very easily testing the different
options will take couple minutes and can be done after work hours.
The above options is what I would have tried with my own servers.
Eliezer
On 30/10/2015 01:17, Patrick Blair - Peapod wrote:
> It is very unclear, our network team is trying to determine if a
> network issue may be in play, but we believe that is unlikely...
>
> I couldn't understand how you ran the tests.
>> >I do understand that you have two proxies and one is peering to the
>> >other, right?
> Apologies if that wasn't clear, I'll try to give a better explanation:
>
> - There is always one proxy in this situation.
> - The difference is that we run the proxy out of our secondary
> datacenter and route all user internet traffic through that location so it
> doesn't cause any issues with the traffic to our website flowing in and out
> of our primary datacenter.
> - A test instance I used to recreate the squid instance that is having
> the issues with, works as expected in our primary datacenter, however, the
> older version of squid we were using is located in the secondary datacenter
> and also works as expected, only the newer version doesn't work.
>
>
> Thanks for your help!
>
> Pat Blair
> Sr. Unix Administrator
> Peapod, LLC
> pblair at peapod.com
More information about the squid-users
mailing list