Re: [squid-users] 4.0.2: ALE missing URL
Hi Alex,

I'm using extra token %>ha{X-Forwarded-For} in helper configuration

Is it help ?

On 07/11/2015 01:15, Alex Rousskov wrote:
> On 11/06/2015 04:36 PM, David Touzeau wrote:
>> Hi
>>
>> I'm testing the new 4.0.2 version..
>> Now i'm receive many errors like this in cache.log
>> Whats wrong ?
>>
>> 2015/11/07 00:33:16 kid1| ALE missing URL
>> 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object
>
> This may be a regression bug introduced by trunk r14351 (Support
> logformat %macros in external_acl_type format).
>
> AFAIK, those messages were added specifically to catch hard-to-find bugs
> like that. There is some logic in the code to limit the number of these
> messages, but, AFAICT, it does not work well for busy Squids: A worker
> doing 1000 requests per second might log ~100 messages per minute.
> Future releases may have less aggressive reporting if other developers
> agree that the current reporting is too aggressive and adjust the code.
>
> If you are seeing these messages, some of your ACLs may not work
> correctly. However, the messages are printed for missing fields that
> Squid can compute from other sources, so without call stack analysis you
> may not be able to tell which ACLs are not working, if any.
>
> If you want to help fixing this bug, please consider doing the following:
>
> 1. Add "assert(false);" line to showDebugWarning() in
>    src/acl/FilledChecklist.cc. Any line within that method should work
>    but placing it last, after the debugs() line, may work the best. This
>    addition will _kill_ your Squid so do not use this in production or
>    at least keep an unpatched binary around for a quick replacement!
>
> 2. Post gdb backtrace from the assertion in #1 to Bugzilla.
>
> Others may be able to provide you with more detailed instructions if you
> need them.
>
> Thank you,
>
> Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] 4.0.2: ALE missing URL
On 7/11/2015 11:55 p.m., David Touzeau wrote:
> Hi Alex,
>
> I'm using extra token %>ha{X-Forwarded-For} in helper configuration
>
> Is it help ?
>

Where you are using that ACL is also needed.

Amos
Re: [squid-users] Fwd: Re: HTTP 503 error in squid proxy server
>>> On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:
>>> Dear
>>>
>>> I have question about HTTPS communication through Squid Proxy Server.
>>>
>>> HTTP 503 error frequency occurs.
>>>
>>> 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443 HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
>>>
>>> ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.
>>>

Hold up. Squid is being instructed to open a TCP connection from itself
to ..xxx.io and deliver the contents that follow the CONNECT message there.

If ..xxx.io is the ELB, what do you expect will happen when Squid obeys?

The short answer is "Forwarding Loop", eventually the cycle of
ELB->Squid->ELB->Squid ... ends up going through one of the Squid it has
already passed through which kills the loop with a 503.

Amos
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
On 8/11/2015 12:20 a.m., Michael Ludvig wrote:
> Hi again
>
> Does anyone have any idea how to fix the below described problem? Please :)
>

You are taking secured traffic. Removing the decryption. Then ...

>> i.e. auto-generates a fake SSL cert and makes a
>> direct connection to the target.

Except when the target is a peer receiving plain-text TCP connections
(not TLS encrypted connections) ...

>>
>> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
>> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>>

... splat.

Clear enough? If not the assertion below should make it clearer.

>> Alternatively if I change the ssl_bump setup to this:
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>>
>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"

Attempting to connect and send encryption to a non-encrypted peer.

Using a current version of Squid should fix that assertion and just not
let the peer be used. Your Squid is a whole 2 months old. In the arms
race that is SSL-Bump a few months is a long time.

Squid still will not generate new CONNECT to non-encrypted peers though.
So you will need to TLS enable the cache_peer link.

Amos
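Added example (not part of the thread and not Squid project code): a Python triage script for the symptom discussed in the message above, where a request decrypted by ssl_bump is handed to a parent peer and fails with 503 while opaque CONNECT tunnels through the same parent succeed. It assumes Squid's native access.log format as in the quoted lines; the function names and labels are hypothetical, and the last sample line is constructed.

```python
from collections import namedtuple

# Fields of Squid's native access.log format that this triage needs.
Entry = namedtuple("Entry", "ts client result status method url hier peer")

# First three lines are quoted from the thread; the last one is constructed.
SAMPLE = [
    "1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -",
    "1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html",
    "1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -",
    "1446684800.120 25 proxy-client TCP_MISS/200 512 GET http://www.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html",
]

def parse_line(line):
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 9 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    try:
        return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], hier, peer)
    except ValueError:
        return None

def classify(e):
    """Label an entry (hypothetical labels, heuristic rules)."""
    via_parent = "PARENT" in e.hier          # e.g. FIRSTUP_PARENT
    if e.method == "CONNECT":
        # Opaque tunnel: works through a plain-text parent.
        return "tunnel-via-parent" if e.result == "TCP_TUNNEL" and via_parent else "connect"
    if e.url.lower().startswith("https://"):
        # Assumption: a non-CONNECT request for an https:// URL was decrypted by ssl_bump.
        if via_parent and e.status == 503:
            return "bumped-503-at-parent"    # the failure shown in the thread
        return "bumped"
    return "plain"

def bumped_parent_failures(lines):
    """Entries where decrypted traffic was sent to a parent and got a 503."""
    entries = (parse_line(l) for l in lines)
    return [e for e in entries if e and classify(e) == "bumped-503-at-parent"]

if __name__ == "__main__":
    for e in bumped_parent_failures(SAMPLE):
        print(f"{e.ts:.3f} {e.client} -> {e.peer}: {e.status} for {e.url}")
```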
[squid-users] Fwd: Re: HTTP 503 error in squid proxy server
This reply came to my private address.

Forwarding to the list.

-- Forwarded Message Starts --

Subject: Re: [squid-users] HTTP 503 error in squid proxy server
Date: Saturday 07 November 2015 10:43:14
From: 聡司蛭田
To: Antony Stone

Dear

Thank you for reply.

Squid version is squid-3.1.16-22.

> On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:
>
> > Dear
> >
> > I have question about HTTPS communication through Squid Proxy Server.
> >
> > HTTP 503 error frequency occurs.
>
> Does it also occur if you point your browser directly at the site, not via
> Squid?

No browser. client Java Application communicate other site by using HTTPS
protocol through squid proxy server.

> > 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443 HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
> >
> > ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.
>
> Do you have access to that machine, to see what its logs show about the
> incoming requests, and the responses it generates?
>
> > Squid cache is disable.
>
> So, what are you using it for?
>
> > My addition squid config is the following.
> >
> > visible_hostname unknown
> > strip_query_terms off
> > acl NOCACHE src all
> > cache deny NOCACHE
>
> Please show all of your squid.conf, omitting comments and blank lines.

My squid config file is attached.

> > What could be considered the cause?
>
> Temporary failure on the content server?

Yes. temporary failure.

-- Forwarded Message Ends --
Re: [squid-users] Fwd: Re: HTTP 503 error in squid proxy server
On Saturday 07 November 2015 at 12:48:09, Antony Stone wrote:

> This reply came to my private address.
>
> Forwarding to the list.
>
> -- Forwarded Message Starts --
>
> Subject: Re: [squid-users] HTTP 503 error in squid proxy server
> Date: Saturday 07 November 2015 10:43:14
> From: 聡司蛭田
> To: Antony Stone
>
> Dear
>
> Thank you for reply.
>
> Squid version is squid-3.1.16-22.
>
> > On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:
> > > Dear
> > >
> > > I have question about HTTPS communication through Squid Proxy Server.
> > >
> > > HTTP 503 error frequency occurs.
> >
> > Does it also occur if you point your browser directly at the site, not
> > via Squid?
>
> No browser. client Java Application communicate other site by using HTTPS
> protocol through squid proxy server.

Okay, let me re-phrase my question then:

Do you get the same intermittent problems if you tell the client java
Application to connect to the site directly without using Squid?

> > > 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443 HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
> > >
> > > ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.
> >
> > Do you have access to that machine, to see what its logs show about the
> > incoming requests, and the responses it generates?

What is the answer to the above question?

> > > Squid cache is disable.
> >
> > So, what are you using it for?

?

> > > My addition squid config is the following.
> > >
> > > visible_hostname unknown
> > > strip_query_terms off
> > > acl NOCACHE src all
> > > cache deny NOCACHE
> >
> > Please show all of your squid.conf, omitting comments and blank lines.
>
> My squid config file is attached.
>
> > > What could be considered the cause?
> >
> > Temporary failure on the content server?
>
> Yes. temporary failure.

No, I meant that there could genuinely be a temporary failure on the content
server, which results in the HTTP/503 error.

Nothing Squid can do about that (especially since you're not using it in
caching mode - what are you using it for?)

> -- Forwarded Message Ends --

Please send all replies to the list.

Regards,

Antony.

--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.

Please reply to the list; please *don't* CC me.
[squid-users] HTTP 503 error in squid proxy server
Dear

I have question about HTTPS communication through Squid Proxy Server.

HTTP 503 error frequency occurs.

10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443 HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT

..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.

Squid cache is disable.

My addition squid config is the following.

visible_hostname unknown
strip_query_terms off
acl NOCACHE src all
cache deny NOCACHE

What could be considered the cause?
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi again

Does anyone have any idea how to fix the below described problem? Please :)

Thanks!

Michael

On 05/11/15 16:01, Michael Ludvig wrote:
> Hi
>
> I've got a network without direct internet access where I have Squid
> 3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on
> tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443
> respectively).
>
> This Squid (proxy-test) doesn't have a direct Internet access either but
> can talk to a parent Squid (proxy-upstream) in other part of the network
> that does have Internet access.
>
> With HTTP it works well - client makes a request to
> http://www.example.com (port 80), router and iptables redirect the
> connection to Squid's port 8080, that intercepts the request and makes a
> request to the upstream proxy that serves it as usual. Here are the
> config options used:
>
> http_port 8080 intercept
> cache_peer proxy-upstream parent 3128 0 no-query
> never_direct allow all
>
> Now I wanted to do a similar thing for HTTPS:
>
> https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
> ssl_bump bump all
>
> Without cache_peer it works as expected (when I enable temporary
> internet access), i.e. auto-generates a fake SSL cert and makes a
> direct connection to the target.
>
> However with cache_peer it doesn't work. I get HTTP/503 error from the
> proxy:
>
> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>
> Alternatively if I change the ssl_bump setup to this:
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> I get a crash message in cache.log:
>
> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
>
> When I use this proxy in non-transparent mode, i.e. configuring the
> proxy on client to proxy-test:3128, it works:
>
> 1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -
>
> So I need to somehow turn the HTTPS request that lands on proxy-test
> into CONNECT request that's forwarded to proxy-upstream.
>
> If Squid can't do that is there any other
> transparent-to-nontransparent proxy software that can do that?
>
> Thanks!
>
> Michael
Re: [squid-users] HTTP 503 error in squid proxy server
On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:

> Dear
>
> I have question about HTTPS communication through Squid Proxy Server.
>
> HTTP 503 error frequency occurs.

Does it also occur if you point your browser directly at the site, not via
Squid?

> 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443 HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
>
> ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.

Do you have access to that machine, to see what its logs show about the
incoming requests, and the responses it generates?

> Squid cache is disable.

So, what are you using it for?

> My addition squid config is the following.
>
> visible_hostname unknown
> strip_query_terms off
> acl NOCACHE src all
> cache deny NOCACHE

Please show all of your squid.conf, omitting comments and blank lines.

> What could be considered the cause?

Temporary failure on the content server?

Regards,

Antony.

--
Salad is what food eats.

Please reply to the list; please *don't* CC me.
Re: [squid-users] 4.0.2: ALE missing URL
On 07/11/2015 15:07, Amos Jeffries wrote:
> On 7/11/2015 11:55 p.m., David Touzeau wrote:
>> Hi Alex,
>>
>> I'm using extra token %>ha{X-Forwarded-For} in helper configuration
>>
>> Is it help ?
>
> Where you are using that ACL is also needed.
>
> Amos

Using as this:

external_acl_type ArticaRestrictAccess ttl=360 negative_ttl=360 children-startup=1 children-idle=1 children-max=5 ipv4 %SRC %SRCEUI48 %>ha{X-Forwarded-For} /usr/share/artica-postfix/external_acl_restrict_access.php
acl ArticaRestrictAccess external ArticaRestrictAccess

external_acl_type MacToUid ttl=360 negative_ttl=360 children-startup=1 children-idle=1 children-max=5 ipv4 %SRC %SRCEUI48 %>ha{X-Forwarded-For} /usr/share/artica-postfix/external_acl_usersMacs.php --mactouid
acl MacToUid_acl external MacToUid