Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Emre Oksum
>In this case, all your tcp_outgoing_addr lines being tested. Most of
>them will not match.

Sorry, I'm not really a Squid guy; I was working on it due to a job that I
took, but I cannot figure this out. What do you mean most of them do not
match? Does it mean Squid checks every ACL one by one that is defined in
the config to find the correct IPv6 address? If that's the case, I still
didn't understand why Squid randomly sends a Connection Reset flag to the
client. Is it because too many ACLs create a bottleneck?

On Sat, 4 May 2024 at 01:45, Amos Jeffries wrote:

> On 4/05/24 09:48, Emre Oksum wrote:
> > Hi Amos,
> >  >FTR, "debug_options ALL" alone is invalid syntax and will not change
> >  >from the default cache.log output
> >
> > Yes, you were right! I was surely missing on that one. I changed
> > debug_options ALL to debug_options ALL 5 and now, I found these warnings
> > in cache.log file:
> >
>
> FYI, these are not warnings. They are debug traces saying what is going on.
>
> In this case, all your tcp_outgoing_addr lines being tested. Most of
> them will not match.
>
>
>
> Cheers
> Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Amos Jeffries

On 4/05/24 09:48, Emre Oksum wrote:
> Hi Amos,
>  >FTR, "debug_options ALL" alone is invalid syntax and will not change
>  >from the default cache.log output
>
> Yes, you were right! I was surely missing on that one. I changed
> debug_options ALL to debug_options ALL 5 and now, I found these warnings
> in cache.log file:

FYI, these are not warnings. They are debug traces saying what is going on.

In this case, all your tcp_outgoing_addr lines being tested. Most of 
them will not match.




Cheers
Amos


Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Jonathan Lee
The only reason I know about this is that the book I just purchased has a
whole section on debugging. This is in my copy of Squid: The Definitive
Guide by Duane Wessels (O'Reilly; older book, still good).

You can use 0 up to 84 (helper process maintenance).

I think 6 is disk I/O routines and 9 is for FTP, right?

Change all and add ranges

Example:
debug_options ALL,1 11,3 20,3

debug_options section,level section,level ... + n, just like a series

> On May 3, 2024, at 13:50, Amos Jeffries  wrote:
> 
> On 4/05/24 08:33, Emre Oksum wrote:
>> Hi Jonathan,
>>>> Have you attempted to enable debugging ??
>> Yes, debugging was enabled but as I have pointed out, unfortunately it 
>> didn't give any information about the issue.
>> Maybe I was missing something? I don't know. debug_options was ALL in my 
>> squid.conf.
> 
> Sure, "ALL" sections.
> 
> But what display level:
> 
> 0 (critical only)?
> 1 (important)?
> 2 (protocol trace)?
> 3-6 (debugs)?
> 9 (raw I/O data traces)?
> 
> 
> FTR, "debug_options ALL" alone is invalid syntax and will not change from the 
> default cache.log output.
> 
> 
> Cheers
> Amos



Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Emre Oksum
Hi Amos,
>FTR, "debug_options ALL" alone is invalid syntax and will not change
>from the default cache.log output

Yes, you were right! I was surely missing on that one. I changed
debug_options ALL to debug_options ALL 5 and now, I found these warnings in
cache.log file:

2024/05/03 21:09:30.963 kid4| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [aaa:bbb:ccc:ddd:eee:fff:a81b:338c
2024/05/03 21:09:30.963 kid6| 28,3| Acl.cc(151) matches: checked: (tcp_outgoing_address [aaa::::::7eb8:b2e0 = 0
2024/05/03 21:09:30.963 kid8| 28,5| Acl.cc(124) matches: checking tcp_outgoing_address [::::::f92c:14fb]
2024/05/03 21:09:30.963 kid5| 28,3| Ip.cc(538) match: aclIpMatchIp: '[::::::4b29:abe5]:1182' NOT found
2024/05/03 21:09:30.963 kid1| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [::::::2a45:6d20
2024/05/03 21:09:30.963 kid2| 28,3| Acl.cc(151) matches: checked: (tcp_outgoing_address [::::::9b7c:68db = 0
2024/05/03 21:09:30.963 kid7| 28,3| Checklist.cc(70) preCheck: 0x7ffd86446f80 checking fast ACLs
2024/05/03 21:09:30.963 kid3| 28,3| Ip.cc(538) match: aclIpMatchIp: '[::::::3135:f730]:1182' NOT found
2024/05/03 21:09:30.963 kid4| 28,5| Acl.cc(124) matches: checking binding597
2024/05/03 21:09:30.963 kid6| 28,3| Acl.cc(151) matches: checked: tcp_outgoing_address [aaa::::::7eb8:b2e0] = 0
2024/05/03 21:09:30.963 kid8| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [::::::f92c:14fb
2024/05/03 21:09:30.963 kid5| 28,3| Acl.cc(151) matches: checked: binding3010 = 0
2024/05/03 21:09:30.963 kid1| 28,5| Acl.cc(124) matches: checking binding687
2024/05/03 21:09:30.963 kid2| 28,3| Acl.cc(151) matches: checked: tcp_outgoing_address [::::::9b7c:68db] = 0
2024/05/03 21:09:30.963 kid7| 28,5| Acl.cc(124) matches: checking tcp_outgoing_address [::::::4b16:da82]
2024/05/03 21:09:30.963 kid3| 28,3| Acl.cc(151) matches: checked: binding22 = 0
2024/05/03 21:09:30.963 kid6| 28,3| Checklist.cc(63) markFinished: 0x7ffcdd512440 answer DENIED for ACLs failed to match
2024/05/03 21:09:30.963 kid4| 28,3| Ip.cc(538) match: aclIpMatchIp: '[::::::cf41:193c]:1182' NOT found

Is there any chance the aclIpMatchIp warnings could be the problem here? Do
they generate TCP RST packets to the client if that error happens?

Thanks
Emre

On Fri, 3 May 2024 at 23:50, Amos Jeffries wrote:

> On 4/05/24 08:33, Emre Oksum wrote:
> > Hi Jonathan,
> >
> >  >> Have you attempted to enable debugging ??
> > Yes, debugging was enabled but as I have pointed out, unfortunately it
> > didn't give any information about the issue.
> > Maybe I was missing something? I don't know. debug_options was ALL in my
> > squid.conf.
>
> Sure, "ALL" sections.
>
> But what display level:
>
>   0 (critical only)?
>   1 (important)?
>   2 (protocol trace)?
>   3-6 (debugs)?
>   9 (raw I/O data traces)?
>
>
> FTR, "debug_options ALL" alone is invalid syntax and will not change
> from the default cache.log output.
>
>
> Cheers
> Amos
>
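
The trace above and Amos's reading of it ("all your tcp_outgoing_addr lines being tested, most will not match") can be checked mechanically. The script below is an added example, not code from the thread or from Squid: it parses section-28 (ACL) cache.log lines of the shape posted here and counts, per worker kid, how many tcp_outgoing_address rules were evaluated, how many selected an address, how many myip lookups missed, and how many checklists ended DENIED. The log text inside it is a constructed sample in the same format; the addresses and ACL names are made up, and the "= 1" result for a matching rule is an assumption about the trace format (the posted lines only show "= 0").

```python
"""Added example (not from the squid-users thread, not Squid code): summarise
Squid section-28 ACL debug traces per worker kid."""
import re
from collections import defaultdict

# Constructed sample in the format of `debug_options ALL,5` output shown in the
# thread. Two requests: kid4 matches its second rule, kid6 matches none.
SAMPLE_LOG = """\
2024/05/03 21:09:30.963 kid4| 28,3| Checklist.cc(70) preCheck: 0x7ffd86446f80 checking fast ACLs
2024/05/03 21:09:30.963 kid4| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [2001:db8::1]
2024/05/03 21:09:30.963 kid4| 28,5| Acl.cc(124) matches: checking binding1
2024/05/03 21:09:30.963 kid4| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2001:db8::7]:1182' NOT found
2024/05/03 21:09:30.963 kid4| 28,3| Acl.cc(151) matches: checked: binding1 = 0
2024/05/03 21:09:30.963 kid4| 28,3| Acl.cc(151) matches: checked: (tcp_outgoing_address [2001:db8::1] = 0
2024/05/03 21:09:30.963 kid4| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [2001:db8::7]
2024/05/03 21:09:30.963 kid4| 28,5| Acl.cc(124) matches: checking binding7
2024/05/03 21:09:30.963 kid4| 28,3| Acl.cc(151) matches: checked: binding7 = 1
2024/05/03 21:09:30.963 kid4| 28,3| Acl.cc(151) matches: checked: (tcp_outgoing_address [2001:db8::7] = 1
2024/05/03 21:09:30.964 kid6| 28,3| Checklist.cc(70) preCheck: 0x7ffcdd512440 checking fast ACLs
2024/05/03 21:09:30.964 kid6| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [2001:db8::1]
2024/05/03 21:09:30.964 kid6| 28,5| Acl.cc(124) matches: checking binding1
2024/05/03 21:09:30.964 kid6| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2001:db8::9]:1182' NOT found
2024/05/03 21:09:30.964 kid6| 28,3| Acl.cc(151) matches: checked: binding1 = 0
2024/05/03 21:09:30.964 kid6| 28,3| Acl.cc(151) matches: checked: (tcp_outgoing_address [2001:db8::1] = 0
2024/05/03 21:09:30.964 kid6| 28,5| Acl.cc(124) matches: checking (tcp_outgoing_address [2001:db8::2]
2024/05/03 21:09:30.964 kid6| 28,5| Acl.cc(124) matches: checking binding2
2024/05/03 21:09:30.964 kid6| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2001:db8::9]:1182' NOT found
2024/05/03 21:09:30.964 kid6| 28,3| Acl.cc(151) matches: checked: binding2 = 0
2024/05/03 21:09:30.964 kid6| 28,3| Acl.cc(151) matches: checked: (tcp_outgoing_address [2001:db8::2] = 0
2024/05/03 21:09:30.964 kid6| 28,3| Checklist.cc(63) markFinished: 0x7ffcdd512440 answer DENIED for ACLs failed to match
"""

# "<date> <time> kidN| <section>,<level>| <File.cc(line)> <function>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| (?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<src>[A-Za-z_]+\.cc\(\d+\)) (?P<func>\w+): (?P<msg>.*)$"
)
# "checked: <acl name> = <result>"; result 0 means no match, 1 assumed to mean match.
CHECKED_RE = re.compile(r"^checked: (?P<acl>.+) = (?P<result>-?\d+)$")
# The per-line pseudo ACL appears as "(tcp_outgoing_address [ip]" or without the paren.
RULE_NAME = "tcp_outgoing_address"


def new_stats():
    return {"rules_tested": 0, "rules_matched": 0, "ip_misses": 0, "denied": 0}


def summarize_acl_trace(log_text):
    """Return {kid: stats} built from section-28 lines; other sections are skipped."""
    stats = defaultdict(new_stats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("section") != "28":
            continue
        kid, func, msg = m.group("kid"), m.group("func"), m.group("msg")
        checked = CHECKED_RE.match(msg) if func == "matches" else None
        if checked and checked.group("acl").lstrip("(").startswith(RULE_NAME):
            stats[kid]["rules_tested"] += 1
            if checked.group("result") == "1":
                stats[kid]["rules_matched"] += 1
        elif func == "match" and msg.startswith("aclIpMatchIp:") and msg.endswith("NOT found"):
            stats[kid]["ip_misses"] += 1
        elif func == "markFinished" and "answer DENIED" in msg:
            stats[kid]["denied"] += 1
    return dict(stats)


def wasted_rule_checks(log_text):
    """Rules evaluated that did not select an address, summed over all kids."""
    return sum(v["rules_tested"] - v["rules_matched"]
               for v in summarize_acl_trace(log_text).values())


if __name__ == "__main__":
    for kid, s in sorted(summarize_acl_trace(SAMPLE_LOG).items()):
        print(kid, s)
    print("rules checked without a match:", wasted_rule_checks(SAMPLE_LOG))
```

Run against a real cache.log the ratio of rules_tested to rules_matched shows how much of each request's ACL time is spent walking tcp_outgoing_address lines that cannot apply; with tens of thousands of lines that walk happens on every request. The "answer DENIED for ACLs failed to match" line is what the trace prints whenever a checklist's ACLs do not match, as in the posted log; it is a debug record of a non-matching line, not an error report.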


Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Amos Jeffries

On 4/05/24 08:33, Emre Oksum wrote:
> Hi Jonathan,
>
>  >> Have you attempted to enable debugging ??
> Yes, debugging was enabled but as I have pointed out, unfortunately it
> didn't give any information about the issue.
> Maybe I was missing something? I don't know. debug_options was ALL in my
> squid.conf.

Sure, "ALL" sections.

But what display level:

 0 (critical only)?
 1 (important)?
 2 (protocol trace)?
 3-6 (debugs)?
 9 (raw I/O data traces)?


FTR, "debug_options ALL" alone is invalid syntax and will not change 
from the default cache.log output.



Cheers
Amos
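
The point Amos makes here (a section with no level is not a valid debug_options value) and Jonathan's "section,level section,level" description earlier in the thread can be turned into a pre-flight check. The functions below are an added example, not Squid's own parser and not code from the thread: they parse a debug_options value into per-section levels, reject a bare "ALL", and report the level a given section will log at. They assume Squid's default of ALL,1 when no ALL item is present and that a later item for the same section overrides an earlier one.

```python
"""Added example (not Squid code, not from the thread): validate a Squid
debug_options value and compute the effective level for a section."""


def parse_debug_options(value):
    """'ALL,1 11,3 20,3' -> {'ALL': 1, 11: 3, 20: 3}.

    Each whitespace-separated item must be section,level. A bare 'ALL'
    raises ValueError. Later items override earlier ones for the same key;
    ALL supplies the default for sections that are not listed."""
    levels = {}
    for item in value.split():
        if "," not in item:
            raise ValueError(f"{item!r}: expected section,level (e.g. ALL,1 or 28,9)")
        section, level = item.split(",", 1)
        if not level.isdigit():
            raise ValueError(f"{item!r}: level must be a non-negative integer")
        if section.upper() == "ALL":
            key = "ALL"
        elif section.isdigit():
            key = int(section)
        else:
            raise ValueError(f"{item!r}: section must be ALL or a section number")
        levels[key] = int(level)
    return levels


def effective_level(levels, section):
    """Level 'section' logs at: its own entry, else ALL, else the assumed default 1."""
    return levels.get(section, levels.get("ALL", 1))


def is_valid_debug_options(value):
    """True when every item is well-formed section,level."""
    try:
        parse_debug_options(value)
        return True
    except ValueError:
        return False


def acl_trace_level(value):
    """Level for section 28 (Acl.cc / Ip.cc lines in the posted trace)."""
    return effective_level(parse_debug_options(value), 28)


if __name__ == "__main__":
    for candidate in ("ALL", "ALL,1", "ALL,1 28,9", "ALL,6"):
        ok = is_valid_debug_options(candidate)
        lvl = acl_trace_level(candidate) if ok else None
        print(f"{candidate!r:14} valid={ok} section-28 level={lvl}")
```

Checking a value this way before reloading lets you confirm that the section you care about (28 for the ACL traces in this thread) will actually log at the level you expect, rather than discovering after the fact that cache.log still shows only the default output.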


Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Emre Oksum
Hi Jonathan,

>> Have you attempted to enable debugging ??
Yes, debugging was enabled but as I have pointed out, unfortunately it
didn't give any information about the issue.
Maybe I was missing something? I don't know. debug_options was ALL in my
squid.conf.

Thanks

On Fri, 3 May 2024 at 23:00, Jonathan Lee wrote:

> Have you attempted to enable debugging ??
>
> Researching debug_options I found you can control detailed messages in the
> cache.log
> Sent from my iPhone
>
> On May 3, 2024, at 10:37, Emre Oksum  wrote:
>
> 
> Hi Amos, thank you for your reply.
>
> >What your "for example,..." describes is Transparent Proxy (TPROXY).
> >However, what you have in the config below is very different. The IP the
> >client is connected **to** (not "from") is being pinned on outgoing
> >connections.
>
> Sorry for the misunderstanding. Maybe I wasn't clear with my wording. I
> only need to create a proxy instance where the IPv6 address that client
> uses to connect to Squid, is used by Squid to connect to remote locations.
> In this setup, server running Squid has around 50k IPv6 addresses assigned
> to it and client is expected to connect to Squid proxy with 50k different
> IPv6 addresses of the Squid and Squid should always use the IP address
> client connects to it as outgoing address. I'm not sure if I explained that
> well.
>
> So if client connects to Squid proxy by the address of Squid let's say is
> feef:1234::1, Squid should use that IP for outgoing connections. That's not
> transparent proxy TPROXY because client and proxy is on different networks
> in this setup. Just like ordinary HTTP proxies.
>
> >The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it
> >comes from the TCP stack and/or OS routing system.
> Client connects to Squid by a script written in Golang. Thats where they
> get that error. On the Squid's access.log, I can see that error as
> TCP_TUNNEL_ABORTED/200
>
> >Some improvements highlighted inline below.
> >Nothing stands out to me as being related to your issues.
> Thank you, I'll fix them however I don't think this issue is any related
> to the config.
>
> >Any particular reason not to use the registered port 3128 ?
> >(Not important, just wondering.)
> My client wants to prevent proxies from being detected by bots so we
> picked a different port number but it's not the one I shared here. I edited
> numbers and addresses from the config before sharing it here.
>
> >I/we will need to see the PCAP trace along with a cache.log generated
> >using "debug_options ALL,6" to confirm a bug or identify other breakage
> >though.
> Interestingly, debug_options ALL does not log anything related to this
> issue to cache.log. That left me very confused about this problem.
> I'm currently sending you the PCAP file. It's being uploaded. I would be
> appreciated if you can take a look at it.
>
> Thanks
> On Fri, 3 May 2024 at 19:31, Amos Jeffries wrote:
>
>> On 4/05/24 02:29, Emre Oksum wrote:
>> > Hi everyone,
>> >
>> > I'm having a issue with Squid Cache 4.10 which I cannot fix for weeks
>> > now and kinda lost at the moment. I will be appreciated if someone can
>> > guide me through the issue I'm having.
>> > I need to create a IPv6 HTTP proxy which should match the entry address
>> > to outgoing TCP address. For example, if user is connecting from
>> > fe80:abcd::1 it should exit the HTTP proxy from the same address. We
>> got
>> > like 50k addresses like this at the moment.
>>
>> What your "for example,..." describes is Transparent Proxy (TPROXY).
>>
>>
>> However, what you have in the config below is very different. The IP the
>> client is connected **to** (not "from") is being pinned on outgoing
>> connections.
>>
>>
>> > The issue is, client connecting to the proxy is receiving "EOF" or
>> > "FLOW_CONTROL_ERROR" on their side.
>>
>> The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it
>> comes from the TCP stack and/or OS routing system.
>>
>> The EOF may be coming from either Squid or the OS. It also may be
>> perfectly normal for the circumstances, or a side effect of an error
>> elsewhere.
>>
>>
>> To solve will require identifying exactly what is sending those signals,
>> and why. Since they are signals going to the client, focus on the
>> client->Squid connections (not the Squid->server ones you talk about
>> testing below).
>>
>>
>>
>> > When I test connection by connecting
>> > to whatismyip.com  everything works fine and
>> > entry IP always matches with outgoing IP for each of the 50k addresses.
>> > Client tells me this problem occurs both at GET and POST requests with
>> > around 10 MB of data.
>>
>> Well, you are trying to manually force certain flow patterns that
>> prohibit or break some major HTTP performance features. Some problems
>> are to be expected.
>>
>> The issues which I expect to occur in your proxy would not show up in a
>> trivial outgoing-IP or connectivity test.
>>
>>
>> > I initially 

Re: [squid-users] Linux Noob - Squid Config

2024-05-03 Thread Amos Jeffries

On 4/05/24 07:59, Piana, Josh wrote:
> Hey Everyone.
>
> I apologize in advance for any lack of formality normally shared on
> mailing lists such as these, it's my first time seeking product support
> in this manner.

No need to apologize. Help and questions are most of what we do here :-)

> I want to start by saying that I'm new to Linux, been using Windows
> environments my entire life. Such is the reason for me reaching out to
> you all.
>
> I have been tasked with modernizing a Squid box and feel very
> overwhelmed, to say the least.
>
> Current Setup:
>
> - CentOS 5.0
> - Squid 2.3
> - Apache 2.0.46
> - Samba 3.0.9
>
> Desired Setup:
>
> - RHEL 9.2 OS
> - Needs to qualify for NTLM authentication

Hmm, does it *have* to be NTLM? That auth protocol was deprecated in 2006.

> - Would like to remove legacy apps/services
> - Continue to authenticate outgoing communication via AD
>
> My question is, how do I get all of these services/apps to work
> together? Do I just install the newest versions of each and migrate the
> existing config files?
>
> I was hoping for a better understanding on how all of these work
> together and exactly how to configure or edit these as needed. I've
> gotten as far as installing RHEL 9.2 on a fresh VM Server and trying as
> best as I can to learn the basics on Linux and just the general
> operation of a Linux ran environment. It feels like trying to ride a
> bike with box wheels.

The installation of a basic Squid service for RHEL is easy.
Just open a terminal and enter this command:

   yum install squid


The next part is going over your old Squid configuration to see how much 
of it remains necessary or can be updated. It would be useful for the 
next steps to copy it to the RHEL machine as /etc/squid/squid.conf.old .


You can likely find it on the CentOS machine at /etc/squid/squid.conf or 
/usr/share/squid/etc/squid.conf depending on how that Squid was built.



If you are able to paste the contents of that file (without the '#' 
comment or empty lines) here, we can assist with getting the new Squid 
doing the same or equivalent actions.



Also please paste the output of "squid -v" run on both the old CentOS 
machine and on the new RHEL.



Cheers
Amos


[squid-users] Linux Noob - Squid Config

2024-05-03 Thread Piana, Josh
Hey Everyone.

I apologize in advance for any lack of formality normally shared on mailing 
lists such as these, it's my first time seeking product support in this manner.

I want to start by saying that I'm new to Linux, been using Windows 
environments my entire life. Such is the reason for me reaching out to you all.

I have been tasked with modernizing a Squid box and feel very overwhelmed, to 
say the least.

Current Setup:

- CentOS 5.0
- Squid 2.3
- Apache 2.0.46
- Samba 3.0.9

Desired Setup:

- RHEL 9.2 OS
- Needs to qualify for NTLM authentication
- Would like to remove legacy apps/services
- Continue to authenticate outgoing communication via AD

My question is, how do I get all of these services/apps to work together? Do I 
just install the newest versions of each and migrate the existing config files?

I was hoping for a better understanding on how all of these work together and 
exactly how to configure or edit these as needed. I've gotten as far as 
installing RHEL 9.2 on a fresh VM Server and trying as best as I can to learn 
the basics on Linux and just the general operation of a Linux ran environment. 
It feels like trying to ride a bike with box wheels.

Thank you in advance for any direction or support,
Josh


Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Jonathan Lee
Have you attempted to enable debugging ??

Researching debug_options I found you can control detailed messages in the
cache.log

Sent from my iPhone

On May 3, 2024, at 10:37, Emre Oksum wrote:

Hi Amos, thank you for your reply.

>What your "for example,..." describes is Transparent Proxy (TPROXY).
>However, what you have in the config below is very different. The IP the
>client is connected **to** (not "from") is being pinned on outgoing
>connections.

Sorry for the misunderstanding. Maybe I wasn't clear with my wording. I
only need to create a proxy instance where the IPv6 address that client
uses to connect to Squid, is used by Squid to connect to remote locations.
In this setup, server running Squid has around 50k IPv6 addresses assigned
to it and client is expected to connect to Squid proxy with 50k different
IPv6 addresses of the Squid and Squid should always use the IP address
client connects to it as outgoing address. I'm not sure if I explained that
well.

So if client connects to Squid proxy by the address of Squid let's say is
feef:1234::1, Squid should use that IP for outgoing connections. That's not
transparent proxy TPROXY because client and proxy is on different networks
in this setup. Just like ordinary HTTP proxies.

>The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it
>comes from the TCP stack and/or OS routing system.
Client connects to Squid by a script written in Golang. Thats where they
get that error. On the Squid's access.log, I can see that error as
TCP_TUNNEL_ABORTED/200

>Some improvements highlighted inline below.
>Nothing stands out to me as being related to your issues.
Thank you, I'll fix them however I don't think this issue is any related
to the config.

>Any particular reason not to use the registered port 3128 ?
>(Not important, just wondering.)
My client wants to prevent proxies from being detected by bots so we
picked a different port number but it's not the one I shared here. I edited
numbers and addresses from the config before sharing it here.

>I/we will need to see the PCAP trace along with a cache.log generated
>using "debug_options ALL,6" to confirm a bug or identify other breakage
>though.
Interestingly, debug_options ALL does not log anything related to this
issue to cache.log. That left me very confused about this problem.
I'm currently sending you the PCAP file. It's being uploaded. I would be
appreciated if you can take a look at it.

Thanks

On Fri, 3 May 2024 at 19:31, Amos Jeffries wrote:
On 4/05/24 02:29, Emre Oksum wrote:
> Hi everyone,
> 
> I'm having a issue with Squid Cache 4.10 which I cannot fix for weeks 
> now and kinda lost at the moment. I will be appreciated if someone can 
> guide me through the issue I'm having.
> I need to create a IPv6 HTTP proxy which should match the entry address 
> to outgoing TCP address. For example, if user is connecting from 
> fe80:abcd::1 it should exit the HTTP proxy from the same address. We got 
> like 50k addresses like this at the moment.

What your "for example,..." describes is Transparent Proxy (TPROXY).


However, what you have in the config below is very different. The IP the 
client is connected **to** (not "from") is being pinned on outgoing 
connections.


> The issue is, client connecting to the proxy is receiving "EOF" or 
> "FLOW_CONTROL_ERROR" on their side.

The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it 
comes from the TCP stack and/or OS routing system.

The EOF may be coming from either Squid or the OS. It also may be 
perfectly normal for the circumstances, or a side effect of an error 
elsewhere.


To solve will require identifying exactly what is sending those signals, 
and why. Since they are signals going to the client, focus on the 
client->Squid connections (not the Squid->server ones you talk about 
testing below).



> When I test connection by connecting 
> to whatismyip.com  everything works fine and 
> entry IP always matches with outgoing IP for each of the 50k addresses. 
> Client tells me this problem occurs both at GET and POST requests with 
> around 10 MB of data.

Well, you are trying to manually force certain flow patterns that 
prohibit or break some major HTTP performance features. Some problems 
are to be expected.

The issues which I expect to occur in your proxy would not show up in a 
trivial outgoing-IP or connectivity test.


> I initially thought that could be related to server resources being 
> drained but upon inspecting server resource usage, Squid isn't even 
> topping at 100% CPU or RAM anytime so not that.
> 

IMO, "FLOW_CONTROL_ERROR" is likely related to quantity of traffic 
flooding through the proxy to specific origin servers.

The concept you are implementing of the outgoing TCP connection having 
the same IP as the incoming connection reduces the available TCP sockets 
by 25%. Prohibiting the OS from allocating ports on otherwise unused 
outgoing addresses when



> My Squid.conf is like this 

Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Emre Oksum
Hi Amos, thank you for your reply.

>What your "for example,..." describes is Transparent Proxy (TPROXY).
>However, what you have in the config below is very different. The IP the
>client is connected **to** (not "from") is being pinned on outgoing
>connections.

Sorry for the misunderstanding. Maybe I wasn't clear with my wording. I
only need to create a proxy instance where the IPv6 address that client
uses to connect to Squid, is used by Squid to connect to remote locations.
In this setup, server running Squid has around 50k IPv6 addresses assigned
to it and client is expected to connect to Squid proxy with 50k different
IPv6 addresses of the Squid and Squid should always use the IP address
client connects to it as outgoing address. I'm not sure if I explained that
well.

So if client connects to Squid proxy by the address of Squid let's say is
feef:1234::1, Squid should use that IP for outgoing connections. That's not
transparent proxy TPROXY because client and proxy is on different networks
in this setup. Just like ordinary HTTP proxies.

>The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it
>comes from the TCP stack and/or OS routing system.
Client connects to Squid by a script written in Golang. That's where they
get that error. On the Squid's access.log, I can see that error as
TCP_TUNNEL_ABORTED/200

>Some improvements highlighted inline below.
>Nothing stands out to me as being related to your issues.
Thank you, I'll fix them; however, I don't think this issue is related to
the config.

>Any particular reason not to use the registered port 3128 ?
>(Not important, just wondering.)
My client wants to prevent proxies from being detected by bots so we picked
a different port number but it's not the one I shared here. I edited
numbers and addresses from the config before sharing it here.

>I/we will need to see the PCAP trace along with a cache.log generated
>using "debug_options ALL,6" to confirm a bug or identify other breakage
>though.
Interestingly, debug_options ALL does not log anything related to this
issue to cache.log. That left me very confused about this problem.
I'm currently sending you the PCAP file. It's being uploaded. I would
appreciate it if you can take a look at it.

Thanks
On Fri, 3 May 2024 at 19:31, Amos Jeffries wrote:

> On 4/05/24 02:29, Emre Oksum wrote:
> > Hi everyone,
> >
> > I'm having a issue with Squid Cache 4.10 which I cannot fix for weeks
> > now and kinda lost at the moment. I will be appreciated if someone can
> > guide me through the issue I'm having.
> > I need to create a IPv6 HTTP proxy which should match the entry address
> > to outgoing TCP address. For example, if user is connecting from
> > fe80:abcd::1 it should exit the HTTP proxy from the same address. We got
> > like 50k addresses like this at the moment.
>
> What your "for example,..." describes is Transparent Proxy (TPROXY).
>
>
> However, what you have in the config below is very different. The IP the
> client is connected **to** (not "from") is being pinned on outgoing
> connections.
>
>
> > The issue is, client connecting to the proxy is receiving "EOF" or
> > "FLOW_CONTROL_ERROR" on their side.
>
> The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it
> comes from the TCP stack and/or OS routing system.
>
> The EOF may be coming from either Squid or the OS. It also may be
> perfectly normal for the circumstances, or a side effect of an error
> elsewhere.
>
>
> To solve will require identifying exactly what is sending those signals,
> and why. Since they are signals going to the client, focus on the
> client->Squid connections (not the Squid->server ones you talk about
> testing below).
>
>
>
> > When I test connection by connecting
> > to whatismyip.com  everything works fine and
> > entry IP always matches with outgoing IP for each of the 50k addresses.
> > Client tells me this problem occurs both at GET and POST requests with
> > around 10 MB of data.
>
> Well, you are trying to manually force certain flow patterns that
> prohibit or break some major HTTP performance features. Some problems
> are to be expected.
>
> The issues which I expect to occur in your proxy would not show up in a
> trivial outgoing-IP or connectivity test.
>
>
> > I initially thought that could be related to server resources being
> > drained but upon inspecting server resource usage, Squid isn't even
> > topping at 100% CPU or RAM anytime so not that.
> >
>
> IMO, "FLOW_CONTROL_ERROR" is likely related to quantity of traffic
> flooding through the proxy to specific origin servers.
>
> The concept you are implementing of the outgoing TCP connection having
> the same IP as the incoming connection reduces the available TCP sockets
> by 25%. Prohibiting the OS from allocating ports on otherwise unused
> outgoing addresses when
>
>
>
> > My Squid.conf is like this at the moment:
>
> Some improvements highlighted inline below.
> Nothing stands out to me as 

Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Amos Jeffries

On 4/05/24 02:29, Emre Oksum wrote:

Hi everyone,

I'm having a issue with Squid Cache 4.10 which I cannot fix for weeks 
now and kinda lost at the moment. I will be appreciated if someone can 
guide me through the issue I'm having.
I need to create a IPv6 HTTP proxy which should match the entry address 
to outgoing TCP address. For example, if user is connecting from 
fe80:abcd::1 it should exit the HTTP proxy from the same address. We got 
like 50k addresses like this at the moment.


What your "for example,..." describes is Transparent Proxy (TPROXY).


However, what you have in the config below is very different. The IP the 
client is connected **to** (not "from") is being pinned on outgoing 
connections.



The issue is, client connecting to the proxy is receiving "EOF" or 
"FLOW_CONTROL_ERROR" on their side.


The FLOW_CONTROL_ERROR is not something produced by Squid. Likely it 
comes from the TCP stack and/or OS routing system.


The EOF may be coming from either Squid or the OS. It also may be 
perfectly normal for the circumstances, or a side effect of an error 
elsewhere.



To solve will require identifying exactly what is sending those signals, 
and why. Since they are signals going to the client, focus on the 
client->Squid connections (not the Squid->server ones you talk about 
testing below).




When I test connection by connecting 
to whatismyip.com  everything works fine and 
entry IP always matches with outgoing IP for each of the 50k addresses. 
Client tells me this problem occurs both at GET and POST requests with 
around 10 MB of data.


Well, you are trying to manually force certain flow patterns that 
prohibit or break some major HTTP performance features. Some problems 
are to be expected.


The issues which I expect to occur in your proxy would not show up in a 
trivial outgoing-IP or connectivity test.



I initially thought that could be related to server resources being 
drained but upon inspecting server resource usage, Squid isn't even 
topping at 100% CPU or RAM anytime so not that.




IMO, "FLOW_CONTROL_ERROR" is likely related to quantity of traffic 
flooding through the proxy to specific origin servers.


The concept you are implementing of the outgoing TCP connection having 
the same IP as the incoming connection reduces the available TCP sockets 
by 25%. Prohibiting the OS from allocating ports on otherwise unused 
outgoing addresses when





My Squid.conf is like this at the moment:


Some improvements highlighted inline below.
Nothing stands out to me as being related to your issues.



auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny !auth_users


Above two lines are backwards. Deny first, then allow.



cache deny all
dns_nameservers 
dns_v4_first off
via off
forwarded_for delete
follow_x_forwarded_for deny all
server_persistent_connections off


*If* the issue turns out to be congestion on Squid->server connections
enabling this might be worthwhile. Otherwise it should be fine.



max_filedesc 1048576


You can remove that line. "max_filedesc" was a RedHat hack from 20+ 
years ago when the feature was experimental.


Any value you set on the line above, will be erased and replaced by the 
line below:




max_filedescriptors 1048576
workers 8
http_port [::0]:1182


Above is just a complicated way to write:

 http_port 1182


Any particular reason not to use the registered port 3128 ?
(Not important, just wondering.)



acl binding1 myip fe80:abcd::1
tcp_outgoing_address fe80:abcd::1 binding1
acl binding2 myip fe80:abcd::2
tcp_outgoing_address fe80:abcd::2 binding2
acl binding3 myip fe80:abcd::3
tcp_outgoing_address fe80:abcd::3 binding3
...
...
...
access_log /var/log/squid/access.log squid



cache_store_log none


You can erase this line.
This is default setting. No need to manually set it.



cache deny all


You can erase this line.
This "cache deny all" exists earlier in the config.




I've tried to get a PCAP file and realized when client tries to connect 
with a new IPv6 address, Squid is not trying to open a new connection 
instead tries to resume a previously opened one on a different outgoing 
IPv6 address.


Can you provide the trace demonstrating that issue?

Although, as noted earlier your problems are apparently on the client 
connections. This is about server connections behaviour.



I set server_persistent_connections off which should have 
disabled this behavior but it's still the same.


Nod. Yes that should forbid re-use of connections.

I/we will need to see the PCAP trace along with a cache.log generated 
using "debug_options ALL,6" to confirm a bug or identify other breakage 
though.




I tried using a newer 
version of Squid but it behaved differently and did not follow my 
outgoing address specifications and kept connecting on IPv4.


That would seem to indicate that your IPv4 connectivity is better than 
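
Amos's inline review of the posted squid.conf comes down to a handful of mechanical checks: the http_access allow line placed before its deny counterpart, the obsolete max_filedesc line, cache_store_log none restating the default, a second cache deny all, and http_port [::0]:1182 being a roundabout spelling of http_port 1182. The linter below is an added example, not code from the thread and not a Squid tool: it parses a config the way a reader would (directive followed by arguments, '#' comments and blank lines dropped) and reports those five points with line numbers. The config it carries is a constructed copy of the posted one with only two bindings and documentation-range addresses; the messages and the rules themselves are this example's own.

```python
"""Added example (not from the squid-users thread, not a Squid tool): a small
linter that reports the review points Amos raised on the posted squid.conf."""

# Constructed sample shaped like the posted config (addresses are made up).
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny !auth_users
cache deny all
dns_v4_first off
server_persistent_connections off
max_filedesc 1048576
max_filedescriptors 1048576
workers 8
http_port [::0]:1182
acl binding1 myip 2001:db8::1
tcp_outgoing_address 2001:db8::1 binding1
acl binding2 myip 2001:db8::2
tcp_outgoing_address 2001:db8::2 binding2
access_log /var/log/squid/access.log squid
cache_store_log none
cache deny all
"""


def parse_directives(text):
    """(line_no, directive, args) for every non-blank, non-comment line.

    Everything after '#' is treated as a comment, which is enough for
    a config like the posted one (no '#' inside values)."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((n, parts[0], parts[1:]))
    return out


def lint_squid_conf(text):
    """Return [(line_no, message), ...] in line order."""
    findings = []
    first_allow = {}   # acl name -> line of first 'http_access allow <acl>'
    seen = {}          # (directive, args) -> line of first occurrence
    for n, d, args in parse_directives(text):
        if d == "http_access" and len(args) >= 2:
            action, acl = args[0], args[1]
            if action == "allow":
                first_allow.setdefault(acl, n)
            elif action == "deny" and acl.startswith("!") and acl[1:] in first_allow:
                findings.append((n, "http_access order: put 'deny %s' before 'allow %s' (line %d)"
                                 % (acl, acl[1:], first_allow[acl[1:]])))
        elif d == "max_filedesc":
            findings.append((n, "max_filedesc is an obsolete alias; keep only max_filedescriptors"))
        elif d == "cache_store_log" and args == ["none"]:
            findings.append((n, "cache_store_log none is the default; the line can go"))
        elif d == "http_port" and args and args[0].startswith("[::0]:"):
            port = args[0][len("[::0]:"):]
            findings.append((n, "http_port [::0]:%s is just http_port %s" % (port, port)))
        key = (d, tuple(args))
        if key in seen:
            findings.append((n, "exact duplicate of line %d: %s" % (seen[key], " ".join([d] + args))))
        else:
            seen[key] = n
    return findings


if __name__ == "__main__":
    for line_no, message in lint_squid_conf(SAMPLE_CONF):
        print("line %2d: %s" % (line_no, message))
```

The duplicate check is deliberately literal (an identical whole line), since that is the only kind of repetition Amos flags; it would not catch the same ACL expressed in two different ways. The same parse_directives() also produces the comment-free, blank-free listing that list members ask for when a config is posted.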

[squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Emre Oksum
Hi everyone,

I'm having an issue with Squid Cache 4.10 which I cannot fix for weeks now,
and I'm kinda lost at the moment. I would appreciate it if someone can guide
me through the issue I'm having.
I need to create an IPv6 HTTP proxy which should match the entry address to
the outgoing TCP address. For example, if a user is connecting from
fe80:abcd::1, it should exit the HTTP proxy from the same address. We got
like 50k addresses like this at the moment.
The issue is, the client connecting to the proxy is receiving "EOF" or
"FLOW_CONTROL_ERROR" on their side. When I test the connection by connecting
to whatismyip.com everything works fine and the entry IP always matches the
outgoing IP for each of the 50k addresses. The client tells me this problem
occurs both at GET and POST requests with around 10 MB of data.
I initially thought that could be related to server resources being drained,
but upon inspecting server resource usage, Squid isn't even topping at 100%
CPU or RAM at any time, so it's not that.

My Squid.conf is like this at the moment:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny !auth_users
cache deny all
dns_nameservers 
dns_v4_first off
via off
forwarded_for delete
follow_x_forwarded_for deny all
server_persistent_connections off
max_filedesc 1048576
max_filedescriptors 1048576
workers 8
http_port [::0]:1182
acl binding1 myip  fe80:abcd::1
tcp_outgoing_address  fe80:abcd::1 binding1
acl binding2 myip  fe80:abcd::2
tcp_outgoing_address  fe80:abcd::2 binding2
acl binding3 myip  fe80:abcd::3
tcp_outgoing_address  fe80:abcd::3 binding3
...
...
...
access_log /var/log/squid/access.log squid
cache_store_log none
cache deny all

I've tried to get a PCAP file and realized that when the client tries to
connect with a new IPv6 address, Squid is not trying to open a new
connection; instead it tries to resume a previously opened one on a different
outgoing IPv6 address. I set server_persistent_connections off, which should
have disabled this behavior, but it's still the same. I tried using a newer
version of Squid but it behaved differently and did not follow my outgoing
address specifications and kept connecting on IPv4.

I would appreciate it if someone can help me out here.
Thank you.
Emre