[squid-users] Problems with squid 3.1 to 3.3 upgrade
Amos Jeffries
squid3 at treenet.co.nz
Sat Aug 10 06:47:23 UTC 2019
On 10/08/19 8:32 am, Tom Karches wrote:
>
>
> On Fri, Aug 9, 2019 at 2:37 PM Alex Rousskov wrote:
>
> On 8/9/19 1:37 PM, Tom Karches wrote:
> > On Fri, Aug 9, 2019 at 11:38 AM Alex Rousskov wrote:
>
> > Ok, here is the info from the real trace. First time with #dns_v4_first
> > on commented out, 2nd time "dns_v4_first on" is active. Difference is
> > with no "dns_v4_first on" directive, I get a RR_CONNECT_FAIL 111. When
> > active, I get a RR_CONNECT_FAIL 101.
>
> BTW, it may be easier for you to read --trace-ascii output.
>
>
> I didn't see anything additional using the ascii option, though it is
> easier to read.
>
>
>
> Both are ERR_CONNECT_FAIL errors ("connection reset by peer" and
> "connection refused"). Your Squid cannot connect to where it needs to
> connect in order to establish a TCP tunnel. It could be a Squid
> misconfiguration, a routing problem, insufficient capabilities, and many
> other things.
>
> I suggest checking cache.log for WARNINGs and ERRORs. After arriving at
> a clean cache.log, I would use a packet capture (or similar) to see
> where Squid is trying to connect (and which local address it is
> connecting from). That information may be enough to figure out why Squid
> cannot connect successfully.
>
>
> This is what I am seeing from cache.log when I attempt the proxy :
>
>
>
> 2019/08/09 16:19:08.127 kid1| 33,2| client_side.cc(817) swanSong:
> local=127.0.0.1:3128 remote=127.0.0.1:33428 flags=1
>
> 2019/08/09 16:19:10.051 kid1| 33,2| client_side.cc(817) swanSong:
> local=152.7.114.135:3128 remote=10.50.54.21:43198 flags=1
>
> Right now my debug is set to ALL,1 33,2. Is there a better set of
> options to provide me more visibility of what might be wrong?
>
11,2 will show the HTTP message headers.
44,2 will show the servers Squid is finding as possible destinations for
the request/tunnel.
5,6 should show the TCP connection attempts activity by Squid.
If it is not clear from that, those should give you hints about lines to
look for (skip to) for searching a much larger ALL,6 trace.
> Here is our config file, in case that helps. If it's something obvious
> I'm not seeing. We have some whitelists, but I am running with those
> turned off until this is working so I won't include them here. Thanks
> for the help.
>
Few bits of polish. But nothing visible there to indicate what your
problem might be.
I think it is probably a firewall or routing problem for the traffic
leaving the proxy machine.
> Tom
>
> # squid config file - 2019-08-09
> # Timeouts
> connect_timeout 2 minutes # For CDWG Vendor
> debug_options ALL,1 33,2
>
> dns_v4_first on
>
> acl SSL_ports port 443
> acl SSL_ports port 1443 # b2b-test.apple.com:1443
> acl SSL_ports port 3079 # bci.stapleslink.com special port
> acl SSL_ports port 4443 # pascal.apple.com:4443
> acl SSL_ports port 993 # IMAP from Stat application to Gmail
> acl SSL_ports port 22 # Allow SSH and SFTP to proxy/connect
> acl SSL_ports port 8443 # redhat cap port
>
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
The ports below are all included in the 1024-65535 range. No need to
list them explicitly here.
> acl Safe_ports port 5228 # google services
> acl Safe_ports port 1935 # cam steamer port
> acl Safe_ports port 8443 # redhat cap port
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
Latest Squid recommendation is to have these manager lines after the
CONNECT !SSL_ports line.
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> icp_access deny all
ICP is off by default in modern Squid. No need for the above deny.
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 2048 16 256
>
> # Default configuration value for cache_mem
> #cache_mem 256 MB
> cache deny all
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> max_filedescriptors 65000
>
> --
> Thomas Karches
> NCSU OIT CSI - Systems Specialist
> M.E Student - Technology Education
> Hillsborough 319 / 919.515.5508
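As an added example that is not part of the thread, here is a small Python checker that applies the three review points raised above (manager rules placed before the `deny CONNECT !SSL_ports` line, Safe_ports entries already covered by a listed range, and a redundant `icp_access` line) to a squid.conf. The embedded config is a constructed excerpt of the file quoted in the thread, and the checker only understands the `acl ... port`, `http_access` and `icp_access` directives it needs.

```python
# Constructed excerpt of the squid.conf quoted in the thread (not the full file).
SAMPLE_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 1025-65535
acl Safe_ports port 5228
acl Safe_ports port 8443
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
"""

def parse(conf):
    """Yield (directive, args) for each non-comment line, dropping trailing '#' comments."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def review(conf):
    """Return findings mirroring the three review points made in the thread."""
    findings = []
    acl_ports = {}  # acl name -> list of (low, high) port ranges
    http_access = []
    for directive, args in parse(conf):
        if directive == "acl" and len(args) >= 3 and args[1] == "port":
            for spec in args[2:]:
                lo, _, hi = spec.partition("-")
                acl_ports.setdefault(args[0], []).append((int(lo), int(hi or lo)))
        elif directive == "http_access":
            http_access.append(args)
        elif directive == "icp_access":
            findings.append("icp_access is redundant: ICP is off by default in modern Squid")
    # Single ports already covered by a range in the same ACL are noise.
    for name, ranges in acl_ports.items():
        for lo, hi in ranges:
            if lo == hi and any(a <= lo <= b and (a, b) != (lo, hi) for a, b in ranges):
                findings.append(f"{name}: port {lo} is already covered by a range")
    # Manager rules should sit after the 'deny CONNECT !SSL_ports' line.
    connect_idx = next((i for i, a in enumerate(http_access)
                        if a[:1] == ["deny"] and "CONNECT" in a and "!SSL_ports" in a), None)
    for i, a in enumerate(http_access):
        if "manager" in a and connect_idx is not None and i < connect_idx:
            findings.append(f"http_access {' '.join(a)}: move after 'deny CONNECT !SSL_ports'")
    return findings
```

Running `review(SAMPLE_CONF)` reports the two manager lines, ports 5228 and 8443 (inside 1025-65535) and the `icp_access` line; port 80 and 443 are not flagged because no range covers them.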