Re: [squid-users] Problem to access to a specific url (correo-gto.com.mx) with squid 2.7

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 05 Dec 2012 23:44:21 +0200

Hey omzatru,

You indeed gave us a lot of info on config etc.
The basic thing to check is a network issue.
If the client is not able to access the site try to not use the proxy or
use a forward mode which is not transparent.

This can eliminate the issue from the network level to the application.

Did you try to use wget or curl from the squid machine to test
connectivity?

You are using a very old version of squid; 2.7 has been out of support
for a very long time.

I can however point out that squid 2.7 doesn't support HTTP/1.1, which
might be the source of the problem.

Also this server response can sometimes be very slow maybe due to a
reverse proxy on the way or other device.

For the next time filter the squid.conf since the diff makes it unreadable.

Kind Regards,
Eliezer

On 12/5/2012 11:23 PM, omzatru wrote:
> Hi I have a proxy server with Squid 2.7 installed, and I have a problem
> with a specific page.
>
> www.correo-gto.com.mx
>
> A client can not access via proxy (squid 2.7) to this page.
>
> Accessing different pages I do not have this problem, the
> navigation via proxy works fine.
>
> I have adj the config file for the squid.
>
> I have the following logs:
>
> (1)
> log in /var/log/squid/access.log:
> ---------------------------------
>
> 1354318142.058 381547 10.0.12.51 TCP_MISS/502 1634 GET
> http://www.correo-gto.com.mx/ - DIRECT/184.154.122.58 text/html
> 1354318175.552 378090 10.0.12.51 TCP_MISS/502 1634 GET
> http://www.correo-gto.com.mx/ - DIRECT/184.154.122.58 text/html
> 1354318206.135 378088 10.0.12.51 TCP_MISS/502 1634 GET
> http://www.correo-gto.com.mx/ - DIRECT/184.154.122.58 text/html
>
>
> (2)
> error in firefox accessing to www.correo-gto.com.mx
> -----------------
>
> ERROR
> The requested URL could not be retrieved
> The following error was encountered while trying to retrieve the URL:
> http://www.correo-gto.com.mx/
> Read Error
> The system returned: (104) Connection reset by peer
> An error condition occurred while reading data from the network.
> Please retry your request.
> Your cache administrator is webmaster.
> Generated Fri, 31 Aug 2012 21:36:31 GMT by webproxy (squid/2.7.STABLE7)
>
>
>
> (3.a)
> Testing nslookup from the proxy server:
> --------------------------------
>
> # nslookup correo-gto.com.mx
> Server: 10.0.0.2
> Address: 10.0.0.2#53
>
> Non-authoritative answer:
> Name: correo-gto.com.mx
> Address: 184.154.122.58
>
>
>
> (4.a)
> Making a tracepath to correo-gto.com.mx from proxy server
> ---------------------------------
>
> # tracepath correo-gto.com.mx
> 1: web.congresogto.gob.mx (10.0.0.8) 0.200ms pmtu 1500
> 1: 10.0.0.253 (10.0.0.253) 0.230ms
> 1: 10.0.0.253 (10.0.0.253) 0.183ms
> 2: no reply
> 3: no reply
> 4: no reply
> ...
> 30: no reply
> 31: no reply
>
>
> I have posted the problem in, but I have not had a contribution.
>
> http://www.linuxquestions.org/questions/showthread.php?p=4771659#post4771659
>
>
> I will appreciate it a lot if you can help me on this; I have been looking
> for a solution, but I have not succeeded.
>
> On the other hand, I have configured a new test proxy with squid 3.1,
> and it works fine; I can reach the page correo-gto.com.mx without any
> problem.
>
> Thanks and have a great day.
>
>
> squid.conf file, here are the changes that I have made:
>
>
> diff -purN squid.conf.orig squid.conf
>
> --- squid.conf.orig 2012-03-22 09:30:54.732721143 -0600
> +++ squid.conf 2012-12-05 13:02:57.745042191 -0600
> @@ -608,7 +608,7 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> -acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> +acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
> #
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
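
Review bot: in the localnet block only the 192.168 entry is narrowed (to 192.168.1.0/24), while 10.0.0.0/8 and 172.16.0.0/12 stay at full RFC1918 width and the trailing comment on the changed line still reads "RFC1918 possible internal network". Since a later hunk enables `http_access allow localnet`, list only the subnets that actually hold proxy clients and update the comment to say what 192.168.1.0/24 is.
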
> @@ -626,9 +626,16 @@ acl Safe_ports port 777 # multiling htt
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> +acl Safe_ports port 3201 # SAP
> +acl Safe_ports port 82 # isseg
> +
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> +# Lista de pAginas denegadas
> +acl pages_deny url_regex "/etc/squid/pagesDeny.acl"
> +acl pages_acces url_regex "/etc/squid/pagesAcces.acl"
> +
> # TAG: http_access
> # Allowing or Denying access based on defined access lists
> #
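
Review bot: the two `url_regex` ACLs added before `# TAG: http_access` match case-sensitively and anywhere in the URL, so a deny list kept in /etc/squid/pagesDeny.acl can be missed by a change of case and an allow list can match more than intended. Use `url_regex -i`, or `dstdomain` if the files hold site names, and fix the spelling of `pages_acces`. The new Safe_ports entries 3201 and 82 apply to every allowed client and would be easier to audit with a comment naming the internal host that needs them.
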
> @@ -662,6 +669,11 @@ http_access deny purge
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> +
> +# Deny pages request
> +#http_access deny pages_deny
> +#http_access allow pages_acces
> +
> #
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
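
Review bot: the two rules added after `http_access deny CONNECT !SSL_ports` are committed commented out, so the pages_deny and pages_acces ACLs defined earlier in the patch are never applied. If they are enabled in this position, `http_access allow pages_acces` has no source ACL and is evaluated before the localnet rule, which would allow matching URLs for any client that can reach the proxy; write it as `http_access allow localnet pages_acces`, or drop the rules together with their ACLs.
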
> @@ -673,7 +685,7 @@ http_access deny CONNECT !SSL_ports
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> -#http_access allow localnet
> +http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> @@ -715,8 +727,8 @@ http_access deny all
> # icp_access deny all
> #
> #Allow ICP queries from local networks only
> -icp_access allow localnet
> -icp_access deny all
> +##icp_access allow localnet
> +##icp_access deny all
>
> # TAG: htcp_access
> # Allowing or Denying access to the HTCP port based on defined
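
Review bot: the ICP rules are disabled with a doubled `##` instead of being removed, which leaves no explicit `icp_access deny all` in the active configuration. Keep `icp_access deny all` active (a later hunk sets `icp_port 0`, so nothing should be sending ICP queries anyway) and use a single `#` like the rest of the file if a line really has to stay as a comment.
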
> @@ -1111,7 +1123,7 @@ icp_access deny all
> # visible on the internal address.
> #
> # Squid normally listens to port 3128
> -http_port 3128
> +http_port 3128 transparent
>
> # TAG: https_port
> # Note: This option is only available if Squid is rebuilt with the
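
Review bot: `http_port 3128 transparent` changes the single listening port, so intercepted traffic and explicitly configured browsers now share one port and there is no untouched forward-proxy port to compare against. Keep `http_port 3128` as it was and add a second `http_port` line on a different port with `transparent` for the redirected traffic; that also makes the forward-mode test suggested in the reply above a one-line client change.
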
> @@ -1748,7 +1760,7 @@ hierarchy_stoplist cgi-bin ?
> # objects.
> #
> #Default:
> -# cache_mem 8 MB
> +cache_mem 1024 MB
>
> # TAG: maximum_object_size_in_memory (bytes)
> # Objects greater than this size will not be attempted to kept in
> @@ -1757,7 +1769,7 @@ hierarchy_stoplist cgi-bin ?
> # enough to keep larger objects from hoarding cache_mem.
> #
> #Default:
> -# maximum_object_size_in_memory 8 KB
> +maximum_object_size_in_memory 512 KB
>
> # TAG: memory_replacement_policy
> # The memory replacement policy parameter determines which
> @@ -1955,7 +1967,7 @@ hierarchy_stoplist cgi-bin ?
> # (hard coded at 1 MB).
> #
> #Default:
> -# cache_dir ufs /var/spool/squid 100 16 256
> +cache_dir ufs /var/spool/squid 6144 14 256
>
> # TAG: store_dir_select_algorithm
> # Set this to 'round-robin' as an alternative.
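
Review bot: the first-level directory count in `cache_dir ufs /var/spool/squid 6144 14 256` changes from the default 16 to 14 together with the size, and nothing explains why. If only the increase to 6144 MB was intended, keep `16 256`; if 14 is deliberate, add a comment and confirm the cache directory was rebuilt for the new layout.
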
> @@ -1998,7 +2010,7 @@ hierarchy_stoplist cgi-bin ?
> # proper proxy for APT.
> #
> #Default:
> -# maximum_object_size 20480 KB
> +maximum_object_size 10240 MB
>
> # TAG: cache_swap_low (percent, 0-100)
> # TAG: cache_swap_high (percent, 0-100)
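
Review bot: `maximum_object_size 10240 MB` is larger than the whole disk cache configured in the previous hunk (`cache_dir ufs /var/spool/squid 6144 14 256`, i.e. 6144 MB), so the upper part of that limit can never be stored. Choose a limit well below the cache_dir size, or state in a comment which download size this is meant to cover.
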
> @@ -2015,8 +2027,8 @@ hierarchy_stoplist cgi-bin ?
> # numbers closer together.
> #
> #Default:
> -# cache_swap_low 90
> -# cache_swap_high 95
> +cache_swap_low 90
> +cache_swap_high 95
>
> # TAG: update_headers on|off
> # By default Squid updates stored HTTP headers when receiving
> @@ -2816,6 +2828,7 @@ refresh_pattern . 0 20% 4320
> #
> #Default:
> # negative_ttl 5 minutes
> +negative_ttl 0 seconds
>
> # TAG: positive_dns_ttl time-units
> # Upper limit on how long Squid will cache positive DNS responses.
> @@ -2892,6 +2905,7 @@ refresh_pattern . 0 20% 4320
> #
> #Default:
> # request_header_max_size 20 KB
> +request_header_max_size 64 KB
>
> # TAG: reply_header_max_size (KB)
> # This specifies the maximum size for HTTP headers in a reply.
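
Review bot: `request_header_max_size 64 KB`, and the matching `reply_header_max_size 64 KB` in the next hunk, more than triple the 20 KB default without saying which site or client needed it. Add a comment with the reason, or return to the default if the change was only an attempt to fix the failing page, since larger header limits mean more memory accepted per request from any client.
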
> @@ -2902,6 +2916,7 @@ refresh_pattern . 0 20% 4320
> #
> #Default:
> # reply_header_max_size 20 KB
> +reply_header_max_size 64 KB
>
> # TAG: request_body_max_size (KB)
> # This specifies the maximum size for an HTTP request body.
> @@ -3307,6 +3322,7 @@ extension_methods REPORT MERGE MKACTIVIT
> #
> #Default:
> # half_closed_clients on
> +half_closed_clients off
>
> # TAG: pconn_timeout
> # Timeout for idle persistent connections to servers and other
> @@ -3344,8 +3360,7 @@ extension_methods REPORT MERGE MKACTIVIT
> # mail if the cache dies. The default is "webmaster".
> #
> #Default:
> -# cache_mgr webmaster
> -
> +cache_mgr dti_at_congresogto.gob.mx
> # TAG: mail_from
> # From: email-address for mail sent when the cache dies.
> # The default is to use 'appname_at_unique_hostname'.
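
Review bot: the new `cache_mgr` line also replaces the blank separator, so it now sits directly above `# TAG: mail_from` and reads as part of the next section; restore the empty line after it. The value is the address shown to users on Squid error pages ("Your cache administrator is ..."), so a role mailbox is the right choice here.
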
> @@ -3498,7 +3513,7 @@ extension_methods REPORT MERGE MKACTIVIT
> #
> #Default:
> # httpd_accel_no_pmtu_disc off
> -
> +httpd_accel_no_pmtu_disc on
>
> # DELAY POOL PARAMETERS
> # -----------------------------------------------------------------------------
> @@ -3815,6 +3830,7 @@ extension_methods REPORT MERGE MKACTIVIT
> #
> #Default:
> # persistent_connection_after_error off
> +persistent_connection_after_error on
>
> # TAG: detect_broken_pconn
> # Some servers have been found to incorrectly signal the use
> @@ -3940,6 +3956,7 @@ extension_methods REPORT MERGE MKACTIVIT
> #
> #Default:
> # icp_port 3130
> +icp_port 0
>
> # TAG: htcp_port
> # The port number where Squid sends and receives HTCP queries to
> @@ -4236,6 +4253,7 @@ extension_methods REPORT MERGE MKACTIVIT
> #
> #Default:
> # error_directory /usr/share/squid/errors/en
> +error_directory /usr/share/squid/errors/es-mx
>
> # TAG: error_map
> # Map errors to custom messages
> @@ -4511,6 +4529,7 @@ extension_methods REPORT MERGE MKACTIVIT
> #
> #Default:
> # check_hostnames on
> +check_hostnames off
>
> # TAG: allow_underscore
> # Underscore characters is not strictly allowed in Internet hostnames
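
Review bot: `check_hostnames off` turns off host name checking for every request, and nothing in the patch says which host required it. If the trigger was a host name containing an underscore, the `allow_underscore` directive visible in the trailing context is the narrower setting; otherwise leave `check_hostnames` at its default of on.
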
> @@ -4888,6 +4907,7 @@ coredump_dir /var/spool/squid
> #
> #Default:
> # balance_on_multiple_ip on
> +balance_on_multiple_ip off
>
> # TAG: pipeline_prefetch
> # To boost the performance of pipelined requests to closer
>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech_at_sip2sip.info
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Wed Dec 05 2012 - 21:44:35 MST
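
An added example, not part of either poster's message and not Squid project code: a small parser for native-format access.log entries like the ones quoted in the thread, grouping 502/503/504 replies by origin address and recording how long Squid waited before giving up. The function names, the `slow_ms` threshold and the fourth sample line (a placeholder site) are constructed for illustration.

```python
from collections import defaultdict

# Three entries from the thread (re-joined onto one line each) plus one
# constructed successful request to a placeholder site for contrast.
SAMPLE_LOG = """\
1354318142.058 381547 10.0.12.51 TCP_MISS/502 1634 GET http://www.correo-gto.com.mx/ - DIRECT/184.154.122.58 text/html
1354318175.552 378090 10.0.12.51 TCP_MISS/502 1634 GET http://www.correo-gto.com.mx/ - DIRECT/184.154.122.58 text/html
1354318206.135 378088 10.0.12.51 TCP_MISS/502 1634 GET http://www.correo-gto.com.mx/ - DIRECT/184.154.122.58 text/html
1354318210.400    212 10.0.12.51 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
"""

GATEWAY_ERRORS = (502, 503, 504)


def parse_line(line):
    """Split one native-format access.log entry; return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        elapsed_ms = int(f[1])                    # time Squid spent on the request
        status = int(f[3].partition("/")[2])      # "TCP_MISS/502" -> 502
    except ValueError:
        return None
    return {"elapsed_ms": elapsed_ms, "client": f[2], "status": status,
            "url": f[6], "peer": f[8].partition("/")[2]}  # "DIRECT/ip" -> ip


def upstream_failures(log_text, slow_ms=60_000):
    """Group gateway errors by origin address and note how long Squid waited."""
    stats = defaultdict(lambda: {"failures": 0, "slow": 0, "max_elapsed_ms": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in GATEWAY_ERRORS:
            continue
        s = stats[rec["peer"]]
        s["failures"] += 1
        s["slow"] += rec["elapsed_ms"] >= slow_ms  # failed only after a long wait
        s["max_elapsed_ms"] = max(s["max_elapsed_ms"], rec["elapsed_ms"])
    return dict(stats)


if __name__ == "__main__":
    for peer, s in upstream_failures(SAMPLE_LOG).items():
        print(f"{peer}: {s['failures']} gateway errors, {s['slow']} after a "
              f"long wait, max {s['max_elapsed_ms'] / 1000:.0f}s")
```

For the thread's entries every 502 follows a wait of more than six minutes, which is the pattern of a connection that stalls before the reset rather than one refused outright.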
