[squid-users] TCP_MISS_ABORTED

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 13 18:04:30 UTC 2017


On 13/12/17 20:30, zhongzhe at lvmama.com wrote:
> Hi, All
>      I used httpclient to imitate a request to squid , but the response 
> page had not stored by squid although response header is 200. I had 
> tried many times with three different pages . only one can be stored by 
> the squid cache. and the others must need to send requset by brower then 
> they were cached.  I had checked the access.log , it show me like this.
> 1513148548.653   9172 10.112.4.54 TCP_MISS_ABORTED/200 106197 GET http://youlun.lvmama.com/ship_front/youlun/1012487 - FIRSTUP_PARENT/10.112.4.54 text/html
> 
> do you know what's wrong of my squid.conf ? need your help !\

There seem to be many things. But none of them have much to do with te 
above.

What the above says is that a client at 10.112.4.54 requested 
http://youlun.lvmama.com/ship_front/youlun/1012487 and disconnected 
after 9 seconds.

The fact that ~100KB of traffic happened in that transaction implies 
that everything was going okay for a while at least. So there is no 
visible problem with Squid in that log entry. The ABORTED simply means 
one of the endpoints (probably the client) decided to disconnect early.



Back to your squid.conf;




>      below is my squid.conf
> acl gsrc src 10.112.4.54 10.113.10.191
> acl gdst dst 10.112.4.54 10.113.10.191
> http_access allow gsrc
> http_access allow gdst

What is the above supposed to mean?

> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> 
> acl purge method PURGE
> acl clientServers src 10.112.4.54
> http_access allow purge clientServers
> http_access deny purge
> 
> acl gat method GET
> acl clientS src 10.112.4.54 10.113.10.190
> http_access allow gat clientS
> #http_access deny gat

The localnet ACL defines 10.*/8 as allowed and your rules below specify 
that all localnet traffic is allowed.

So the above four lines of config seem pointless.


You have configured the machines 10.112.4.54 and 10.113.10.190 as your 
cache_peer servers. So why are they listed as "src" ?

In a reverse-proxy "src" is the IP of a client requesting a URL.

"dst" is the destination server - as determined by DNS records for the 
URL domain being fetched. In a reverse-proxy those DNS records should 
hold the proxies own IP address. So dst-IP is rarely ever useful and are 
downright dangerous to make use of in the reverse-proxy.



> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 3130        # icp
> acl Safe_ports port 3128
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> 
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localhost manager
> http_access deny manager
> 

As the default config file says:

"
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
"


> http_access allow localnet
> http_access allow localhost
> 
> http_port 80 accel defaultsite=youlun.lvmama.com no-vhost
> 
> cache_dir aufs /var/spool/squid 8198 16 256
> cache_mem 5120 MB
> cache_swap_low 90
> cache_swap_high 95
> cache_mgr zhongzhe at lvmama.com
> 
> visible_hostname cache190
> 

So the domain name Squid announces to your clients is "cache190" as in 
http://cache190/ship_front/youlun/1012487.


> coredump_dir  /var/spool/squid
> 
> via off

At least while debugging peering issues set "via on". Only turn it off 
if you really have to and *after* you have a fully working proxy hierarchy.


> maximum_object_size 500 KB
> 
> icp_port 3130
> icp_access allow all
> icp_query_timeout 2000
> 
> cache_peer 10.112.4.54 parent 8090 0 no-query originserver name=youlun
> acl mysites dstdomain youlun.lvmama.com
> http_access allow mysites
> cache_peer_access youlun allow all
> cache_peer_access youlun deny all

The default for cache_peer_access is to allow. No need to specify that 
"allow all". What you need to do to allow everything to reach that peer 
server is *not* specify "deny all".

Though the normal thing is to use an ACL (eg your "mysites" one) to 
allow the domains an origin server is known to supply and to deny other 
things. Since it is not even worth trying that peer for things it is not 
known to be capable of serving.

So:
   http_access allow mysites
   cache_peer_access youlun allow mysites
   cache_peer_access youlun deny all


Also be aware that all of this peer and http_access config needs to be 
located up where it says " INSERT YOUR OWN RULE(S) HERE " etc.



> 
> refresh_pattern -i .*/youlun/([0-9]+) 1440 100% 10080 ignore-no-store ignore-must-revalidate store-stale ignore-reload
> 

Why? if your server is not producing correct cacheability headers then 
everyone trying to use your site will be having problems. "Fixing" it 
for only your proxy by ignoring required things is the worst possible 
action to take.

Your proxy is a reverse-proxy (aka CDN), it advertises its Surrogate 
abilities to the origin server so your proxy cache can be given custom 
values different from the general public. If you need


> refresh_pattern ^ftp:          1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> cache_log /var/log/squid/cache.log
> cache_access_log /var/log/squid/access.log

The directive name is "access_log"

> cache_store_log /var/log/squid/store.log
> 
> log_icp_queries off
> 
> http_access allow all

Do not do that "allow all".

> http_access deny all
> 


Amos


More information about the squid-users mailing list