[squid-users] 6.x gives frequent connection to peer failed - spurious?

Alex Rousskov rousskov at measurement-factory.com
Tue Nov 21 15:55:13 UTC 2023


On 2023-11-21 08:38, Stephen Borrill wrote:
> On 15/11/2023 21:55, Alex Rousskov wrote:
>> On 2023-11-10 05:46, Stephen Borrill wrote:
>>
>>> With 6.x (currently 6.5) there are very frequent (every 10 seconds or 
>>> so) messages like:
>>> 2023/11/10 10:25:43 kid1| ERROR: Connection to 127.0.0.1:8123 failed
>>
>>
>>> why is this logged as a connection failure
>>
>> The current error wording is too assuming and, in your case, evidently 
>> misleading. The phrase "Connection to X failed" should be changed to 
>> something more general like "Cannot contact cache_peer X" or "Cannot 
>> communicate with cache_peer X".
>>
>> CachePeer::countFailure() patches welcome.

> But the point is that it _can_ communicate with the peer, but the peer 
> itself can't service the request. The peer returning 503 shouldn't be 
> logged as a connection failure


My bad. I missed the fact that the described DNS error happens at a 
_peer_ Squid. Sorry.


Currently, Squid v6 treats most CONNECT-to-peer errors as a sign of a 
broken peer. In 2022, 4xx errors were excluded from that set[1]. At that 
time, we also proposed to make that decision configurable using a new 
cache_peer_fault directive[2], but the new directive was blocked as an 
"overkill"[3], so we hard-coded 4xx exclusion instead.

Going forward, you have several options, including these two:

1. Convince others that Squid should treat all 503 CONNECT errors from 
peers as it already treats all 4xx errors. Hard-code that new logic.

2. Convince others that cache_peer_fault or a similar directive is a 
good idea rather than an overkill. Resurrect its implementation[2].


[1] 
https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47

[2] 
https://github.com/squid-cache/squid/commit/25431f18f2f5e796b8704c85fc51f93b6cc2a73d

[3] https://github.com/squid-cache/squid/pull/1166#issuecomment-1295806530


HTH,

Alex.


>>  > do I need to worry about it beyond it filing up the logs needlessly?
>>
>> In short, "yes".
>>
>> I cannot accurately assess your specific needs, but, in most 
>> environments, one should indeed worry that their cache_peer server 
>> names cannot be reliably resolved because failed resolution attempts 
>> waste Squid resources and increase transaction response time. 
>> Moreover, if these failures are frequent enough (relative to peer 
>> usage attempts), the affected cache_peer will be marked as DEAD (as 
>> you have mentioned):
>>
>>  > 2023/11/09 08:55:22 kid1| Detected DEAD Parent: 127.0.0.1:8123
> 
> Problem seems to be easily reproducible:
> 
> 1# env https_proxy=http://127.0.0.1:8084 curl https://www.invalid.domain/
> curl: (56) CONNECT tunnel failed, response 503
> 2# grep invalid /usr/local/squid/logs/access.log|tail -1
> 1700573429.015      4 127.0.0.1:8084 TCP_TUNNEL/503 0 CONNECT 
> www.invalid.domain:443 - FIRSTUP_PARENT/127.0.0.1:8123 -
> 3# date -r 1700573429 '+%Y/%m/%d %H:%M:%S'
> 2023/11/21 13:30:29
> 4# grep '2023/11/21 13:30:29' /usr/local/squid/logs/cache.log
> 2023/11/21 13:30:29 kid1| ERROR: Connection to 127.0.0.1:8123 failed
> 
>>> With 4.x there were no such messages.
>>>
>>> By comparing to the peer squid logs, these seems to tally with DNS 
>>> failures:
>>> peer_select.cc(479) resolveSelected: PeerSelector1688 found all 0 
>>> destinations for bugzilla.tucasi.com:443
>>>
>>> Full ALL,2 log at the time of the reported connection failure:
>>>
>>> 2023/11/10 10:25:43.162 kid1| 5,2| TcpAcceptor.cc(214) doAccept: New 
>>> connection on FD 17
>>> 2023/11/10 10:25:43.162 kid1| 5,2| TcpAcceptor.cc(316) acceptNext: 
>>> connection on conn3 local=127.0.0.1:8123 remote=[::] FD 17 flags=9
>>> 2023/11/10 10:25:43.162 kid1| 11,2| client_side.cc(1332) 
>>> parseHttpRequest: HTTP Client conn13206 local=127.0.0.1:8123 
>>> remote=127.0.0.1:57843 FD 147 flags=1
>>> 2023/11/10 10:25:43.162 kid1| 11,2| client_side.cc(1336) 
>>> parseHttpRequest: HTTP Client REQUEST:
>>> 2023/11/10 10:25:43.162 kid1| 85,2| client_side_request.cc(707) 
>>> clientAccessCheckDone: The request CONNECT bugzilla.tucasi.com:443 is 
>>> ALLOWED; last ACL checked: localhost
>>> 2023/11/10 10:25:43.162 kid1| 85,2| client_side_request.cc(683) 
>>> clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
>>> 2023/11/10 10:25:43.162 kid1| 85,2| client_side_request.cc(707) 
>>> clientAccessCheckDone: The request CONNECT bugzilla.tucasi.com:443 is 
>>> ALLOWED; last ACL checked: localhost
>>> 2023/11/10 10:25:43.162 kid1| 44,2| peer_select.cc(460) 
>>> resolveSelected: Find IP destination for: bugzilla.tucasi.com:443' 
>>> via bugzilla.tucasi.com
>>> 2023/11/10 10:25:43.163 kid1| 44,2| peer_select.cc(479) 
>>> resolveSelected: PeerSelector1526 found all 0 destinations for 
>>> bugzilla.tucasi.com:443
>>> 2023/11/10 10:25:43.163 kid1| 44,2| peer_select.cc(480) 
>>> resolveSelected:    always_direct = ALLOWED
>>> 2023/11/10 10:25:43.163 kid1| 44,2| peer_select.cc(481) 
>>> resolveSelected:     never_direct = DENIED
>>> 2023/11/10 10:25:43.163 kid1| 44,2| peer_select.cc(482) 
>>> resolveSelected:         timedout = 0
>>> 2023/11/10 10:25:43.163 kid1| 4,2| errorpage.cc(1397) buildBody: No 
>>> existing error page language negotiated for ERR_DNS_FAIL. Using 
>>> default error file.
>>> 2023/11/10 10:25:43.163 kid1| 33,2| client_side.cc(617) swanSong: 
>>> conn13206 local=127.0.0.1:8123 remote=127.0.0.1:57843 flags=1
>>>
>>> If my analysis is correct why is this logged as a connection failure 
>>> and do I need to worry about it beyond it filing up the logs needlessly?
>>>
>>> My concern is that this could lead to the parent being incorrectly 
>>> declared DEAD thus impacting other traffic:
>>>
>>> 2023/11/09 08:55:22 kid1| Detected DEAD Parent: 127.0.0.1:8123
>>>      current master transaction: master4581234
>>>
>>



More information about the squid-users mailing list