[squid-users] Squid proxy without name resolution for internet addresses behind parent proxy
Amos Jeffries
squid3 at treenet.co.nz
Mon May 1 02:44:15 UTC 2017
On 30/04/17 18:50, Eliezer Croitoru wrote:
> Can you try to add the next to your squid.conf:
> dns_v4_first on
>
> and see if it helps?
>
> Eliezer
>
> * http://www.squid-cache.org/Doc/config/dns_v4_first/
Just to clarify: if that solves your problem then you need to fix IPv6
handling in your network. Squid-2 is IPv4-only, and a Squid-3 trying to
connect to it on a properly working IPv6-enabled network should fail over
very fast to the parent's IPv4 address(es). Any delay caused by IPv6 in
that process indicates ICMP/ICMPv6 failures - usually in the path-MTU
discovery or tunnel MSS settings.
In addition to that test - make sure the child proxy has:
nonhierarchical_direct off
That will ensure that CONNECT/PUT/POST etc. traffic is sent through the
parent proxy and never tries to resolve.
You can also check that host_verify_strict is *not* in your child
squid.conf. If that is set to "on" it will force Squid to resolve to do
the verify checks. Likewise Squid-3 will need to resolve public names if
it ever receives intercepted traffic, but thankfully your setup seems to
be avoiding that.
Assuming your local servers are using .local as the internal domain. If
not, make this whatever your internal TLD is:
acl local dstdomain .local
never_direct allow !local
The cache_peer name to the parent can be hostname instead of an internal
IP, but does need to be the internal name in this network. That will
simplify management and also make the Squid-3 ready to cope with IPv6
parents when your network migrates for that.
Not having dns_nameservers configured means Squid is using the machine's
system-wide DNS settings. Those do need to be set somehow, since at the
very least Squid needs to resolve names for the parent proxies and any
internal traffic that happens to get to it. I would make sure that has
the internal DNS server details there to handle that lookup traffic.
If the problem remains after all that, tracking down what exactly the
timeout value is would be helpful. The various things that can hang have
different timeouts. And worst case a debug log with ALL,6 might be
needed to find the exact cause of delay, but be aware that could be a
huge log.
HTH
Amos
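
The checks described in the message above can be run mechanically against a child proxy's squid.conf. The following is an added example, not part of the original message or of the Squid project; the sample configuration, peer name and port are constructed, and the check for an undefined ACL goes slightly beyond what the message lists.

```python
# Added example: lint a child squid.conf for the settings discussed in the message.

# Constructed sample config; the peer name and port are hypothetical.
SAMPLE_CONF = """\
# child proxy behind a parent
cache_peer parent.local parent 3128 0 no-query default
acl local dstdomain .local
never_direct allow !local
nonhierarchical_direct off
host_verify_strict on
"""


def parse_directives(text):
    """Return [(name, [args])], skipping blank lines and '#' comment lines."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            directives.append((name, args))
    return directives


def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    directives = parse_directives(text)
    last = {name: args for name, args in directives}  # last occurrence of each
    acls = {args[0] for name, args in directives if name == "acl" and args}
    findings = []
    if last.get("nonhierarchical_direct") != ["off"]:
        findings.append("nonhierarchical_direct is not off")
    if last.get("host_verify_strict") == ["on"]:
        findings.append("host_verify_strict is on")
    if not any(n == "cache_peer" and a[1:2] == ["parent"] for n, a in directives):
        findings.append("no cache_peer of type parent")
    rules = [a for n, a in directives if n == "never_direct"]
    if not any(a[:1] == ["allow"] for a in rules):
        findings.append("no never_direct allow rule")
    for args in rules:
        for ref in args[1:]:
            if ref.lstrip("!") not in acls and ref.lstrip("!") != "all":
                findings.append(f"never_direct references undefined acl {ref.lstrip('!')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```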