[squid-users] Strange Interaction between Squid and Facebook

Eliezer Croitoru eliezer at ngtech.co.il
Fri Oct 30 02:09:17 UTC 2015 

Hey Patrick,

Thanks for clearing the picture out.
Since it's HTTPS traffic it will might be a bit difficult to debug.

I wanted to notify you that squid 3.5.10 is suffering from some bugs but 
it is very hard for me to actually find this specific issue meet any of 
the know bugs else then one bug(something with ssl-bump).

One thing I can think of in this scenario in order to maybe somehow 
change how things are would be to use a second proxy just for the test.
If you can run another proxy on a tiny VM with another IP on the same DC 
as the existing one it would narrow down couple things.
If it works OK with squid default conf file then try to assign the IP of 
the problematic proxy to the new one.
If it works with the same IP it's an issue with something in the proxy 
setup or the conf.


Another approach would be to use the secondary DC proxy as a cache_peer 
of the primary DC proxy to verify if it affects the traffic in a similar 
way.

--
In the first post you have mentioned this link:
http://wiki.squid-cache.org/ConfigExamples/SmpCarpCluster

This specific example was intended for caching optimization or something 
similar.
Since your case involves CONNECT requests which cannot be cached anyway 
and also this CARP has certain limitations I would first try to simplify 
the setup into a no-disk RAM only cache with couple workers rather then 
multi workers peering.
The CARP example actually limits the whole service to the frontend 
capabilities and there for it's recommended to not use it if possible.
Try a default squid.conf if possible.

Since the issue can be reproduced very easily testing the different 
options will take couple minutes and can be done after work hours.

The above options is what I would have tried with my own servers.

Eliezer

On 30/10/2015 01:17, Patrick Blair - Peapod wrote:
> It is very unclear, our network team is trying to determine if a
> network issue may be in play, but we believe that is unlikely...
>
> I couldn't understand how you ran the tests.
>> >I do understand that you have two proxies and one is peering to the
>> >other, right?
> Apologies if that wasn't clear, I'll try to give a better explanation:
>
>     - There is always one proxy in this situation.
>     - The difference is that we run the proxy out of our secondary
>     datacenter and route all user internet traffic through that location so it
>     doesn't cause any issues with the traffic to our website flowing in and out
>     of our primary datacenter.
>     - A test instance I used to recreate the squid instance that is having
>     the issues with, works as expected in our primary datacenter, however, the
>     older version of squid we were using is located in the secondary datacenter
>     and also works as expected, only the newer version doesn't work.
>
>
> Thanks for your help!
>
> Pat Blair
> Sr. Unix Administrator
> Peapod, LLC
> pblair at peapod.com

More information about the squid-users mailing list