[squid-users] Two connections per client

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 17 08:50:12 UTC 2016


On 17/03/2016 4:56 a.m., Chris Nighswonger wrote:
> On Wed, Mar 16, 2016 at 10:44 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
> 
>> On 17/03/2016 3:03 a.m., Chris Nighswonger wrote:
>>> On Wed, Mar 16, 2016 at 9:07 AM, Amos Jeffries <squid3 at treenet.co.nz>
>> wrote:
>>>
>>>> On 17/03/2016 1:57 a.m., Amos Jeffries wrote:
>>>>> On 17/03/2016 1:25 a.m., Chris Nighswonger wrote:
>>>>>> On Wed, Mar 16, 2016 at 1:03 AM, Amos Jeffries wrote:
>>>>>>
>>>>>>> On 16/03/2016 12:38 p.m., Chris Nighswonger wrote:
>>>>>>>> Why does netstat show two connections per client connection to Squid:
>>>>>>>>
>>>>>>>> tcp        0      0 127.0.0.1:3128          127.0.0.1:34167
>>>>>>>> ESTABLISHED
>>>>>>>> tcp        0      0 127.0.0.1:34167         127.0.0.1:3128
>>>>>>>> ESTABLISHED
>>>>>>>>
>>>>>>>> In this case, there is a content filter running in front of Squid on the
>>>>>>>> same box. The same netstat command filtered on the content filter port
>>>>>>>> shows only one connection per client:
>>>>>>>>
>>>>>>>> tcp        0      0 192.168.x.x:8080      192.168.x.y:1310        ESTABLISHED
>>>>>>>>
>>>>>>>
>>>>>>> Details of your Squid configuration are needed to answer that.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Here it is. I've stripped out all of the acl lines to reduce the length:
>>>>>>
>>>>>> tcp_outgoing_address 184.x.x.x
>>>>>> http_port 127.0.0.1:3128
>>>>>
>>>>> It would seem that it is not Squid making those connections outbound
>>>>> from 127.0.0.1:3128. Squid uses that 184.x.x.x address with random
>>>>> source ports for *all* its outbound connections.
>>>>
>>>>
>>>> Ah, just had an idea. Do you have IDENT protocol in those ACLs you elided?
>>>>
>>>> IDENT makes a reverse connection back to the client to find the identity.
>>>>
>>>>
>>> So I have this acl in the list:
>>>
>>> acl AuthorizedUsers proxy_auth REQUIRED
>>>
>>> Might that be the one?
>>
>> No, if it existed it would have the 'ident' or 'ident_regex' type.
>>
>> Log formats would be the other way to hit ident. But I didn't notice
>> anything fancy like that in the config you posted.
>>
> 
> Sorry for the direct reply on the last iteration. Silly g-mail does not
> support reply to list apparently.
> 
> I've cleaned up the config based on your suggestions.
> 
> I'm not super concerned about the two connection issue. I was mostly
> wondering what was up. Perhaps I should be. Ignorance is not always bliss.
> 

Nod. It's an oddity. If it is Squid doing ident from behind a gateway
device/software then it's probably a waste of CPU and sockets - things
would be slightly better off without waste.

If it's not Squid then something is playing around with the Squid port.
Best know what it is even if that's okay.


> WRT follow_x_forwarded_for allow all, I've changed "all" to "localhost." I
> don't know if that tightens things up maybe? 

It does. Quite a lot :-)

> I need this enabled so that
> the client IPs show up in the Squid log. At least I think I do.

I think so, at least assuming the gateway software which is passing
traffic to Squid sets the XFF header.

If that software frontend is not setting the header then following it is
useless.

> 
> Thanks for the help. We've run Squid for over 16 years and it mostly just
> works.
> 
> Kind regards,
> Chris
> 

Thank you.
Amos
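Added example, not part of the thread: a small Python script that does the check worth running before hunting for an unknown process on the Squid port. When both ends of a TCP connection live on the same host (here a content filter on 127.0.0.1 talking to Squid on 127.0.0.1:3128), netstat lists one ESTABLISHED line per socket, so a single loopback connection shows up twice, once from each side, while a connection to a remote client shows up once. The script keys every socket by its unordered endpoint pair and reports how many distinct connections there really are. The sample netstat text is constructed from the lines quoted above, with concrete RFC 1918 addresses standing in for the masked 192.168.x.x values.

```python
"""Pair up mirrored netstat entries so a loopback connection is counted once."""
from typing import Dict, List, Tuple

# Constructed sample based on the netstat lines quoted in the thread; the
# masked 192.168.x.x / 192.168.x.y placeholders are replaced with literals.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3128          127.0.0.1:34167         ESTABLISHED
tcp        0      0 127.0.0.1:34167         127.0.0.1:3128          ESTABLISHED
tcp        0      0 192.168.0.10:8080       192.168.0.25:1310       ESTABLISHED
"""

Endpoint = Tuple[str, int]
Connection = Tuple[Endpoint, Endpoint]


def parse_endpoint(text: str) -> Endpoint:
    """Split 'host:port' on the last colon so IPv6 text such as '::1:3128' also works."""
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_netstat(output: str) -> List[Tuple[Endpoint, Endpoint, str]]:
    """Return (local, foreign, state) for every TCP row; skip the header and non-TCP rows."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        rows.append((parse_endpoint(fields[3]), parse_endpoint(fields[4]), fields[5]))
    return rows


def group_connections(output: str) -> Dict[Connection, List[Endpoint]]:
    """Group ESTABLISHED sockets by their unordered endpoint pair.

    Both sockets of a loopback connection share the same key, so the value
    lists the local sockets this host holds for that connection: one for a
    connection to a remote peer, two when both ends are on this host.
    """
    groups: Dict[Connection, List[Endpoint]] = {}
    for local, foreign, state in parse_netstat(output):
        if state != "ESTABLISHED":
            continue
        key = tuple(sorted([local, foreign]))
        groups.setdefault(key, []).append(local)
    return groups


def count_connections(output: str) -> int:
    """Number of distinct TCP connections, counting a loopback pair as one."""
    return len(group_connections(output))


def both_ends_local(output: str) -> List[Connection]:
    """Connections for which this host owns both sockets: the netstat 'doubles'."""
    return [key for key, owned in group_connections(output).items() if len(owned) == 2]


if __name__ == "__main__":
    print("distinct connections:", count_connections(SAMPLE_NETSTAT))
    for (a, b) in both_ends_local(SAMPLE_NETSTAT):
        print(f"both ends local: {a[0]}:{a[1]} <-> {b[0]}:{b[1]} (two netstat lines, one connection)")
```

Feed it real output with `netstat -tn` (or `ss -tn`) instead of the constructed sample. If a doubled entry is not a loopback pair, the `-p` option on either tool shows the owning PID and program name, which answers Amos's "best know what it is" directly: the socket whose local port is 3128 belongs to Squid's accept side, and the owner of the other socket is whatever actually opened the connection.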


