Re: [squid-users] Re: TCP_MISS/Squid-Error: ERR_CONNECT_FAIL

From: SaRaVanAn <saravanan.nagarajan87_at_gmail.com>
Date: Tue, 20 Aug 2013 15:10:30 +0530

Hi Amos,
  I changed my configuration file as you suggested.

There is an another clarification from my side.
I could able to see TCP_HIT only when I clear browser cache manually .
The behavior is same for all the websites I have tried to connect.

Is this an expected behavior?
If not, What needs to be done in order to get TCP_HIT without manually
clearing browser cache?

Regards,
Saravanan N

On Mon, Aug 19, 2013 at 7:48 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 19/08/2013 11:29 p.m., SaRaVanAn wrote:
>>
>> Hi Amos,
>> Thanks a lot for your help. There is an issue in web-server
>> connectivity which has been solved as you suggested. I could able to
>> connect the webserver via squid successfully.
>>
>> But there is an issue in caching webpages . I am always getting
>> "TCP/MISS 200" messages from squid. I could not able to see a single
>> "TCP_HIT" message even I try to access the same webpages from browser
>> again and again.
>>
>> 1376909027.627 211 10.1.1.1 TCP_MISS/200 416 GET
>> http://b.scorecardresearch.com/p? - DIRECT/120.29.145.65 image/gif
>> [Host: b.scorecardresearch.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux
>> i686; rv:10.0.12) Gecko/20130109 Firefox/10.0.12\r\nAccept:
>> image/png,image/*;q=0.8,*/*;q=0.5\r\nAccept-Language:
>> en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection:
>> keep-alive\r\nReferer: http://in.yahoo.com/?p=us\r\nCookie:
>> UID=6cdd678-61.213.189.48-1366091370; UIDR=1366091370\r\n] [HTTP/1.1
>> 200 OK\r\nContent-Length: 43\r\nContent-Type: image/gif\r\nDate: Mon,
>> 19 Aug 2013 10:27:24 GMT\r\nConnection: keep-alive\r\nPragma:
>> no-cache\r\nExpires: Mon, 01 Jan 1990 00:00:00 GMT\r\nCache-Control:
>> private, no-cache, no-cache=Set-Cookie, no-store,
>> proxy-revalidate\r\n\r]
>
>
> This response object has been configured explicitly and rather emphatically
> to prevent caching.
> Expires, no less than 5 ways to force MISS or at least REFRESH behaviour
> from Cache-Control, and even the invalid Pragma header in case something
> obeys it.
>
> Several of these are way beyond what server frameworks add by default. So it
> is clearly an explicit admin design that this object be a MISS. Perhapse it
> woudl be a good idea to let it, yes?
>
> Amos
>
>
>>
>> Squid.conf
>> ---------------
>> acl all src all
>
>
> Please run "squid -k parse". If your Squid is not at least complaining about
> the above line being redundant then your proxy is seriously outdated.
>
>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>> acl SSL_ports port 443 # https
>> acl SSL_ports port 563 # snews
>> acl SSL_ports port 873 # rsync
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 873 # rsync
>> acl Safe_ports port 901 # SWAT
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_reply_access allow all
>
>
> "allow all" is the default for http_reply_access. You can drop the above
> line entirely from your config.
>
> You are also missing the basic security protection for CONNECT requests:
> http_access deny CONNECT !SSL_ports
>
>
>> http_port 3128
>> http_port 3129 tproxy
>> hierarchy_stoplist cgi-bin ?
>
> You can omit "hierarchy_stoplist" from your config.
>
>
>> cache_mem 256 MB
>> cache_dir ufs /var/spool/squid3 1000 16 256
>> maximum_object_size 20480 KB
>> access_log /var/log/squid3/access.log
>> cache_log /var/log/squid3/cache.log
>> mime_table /usr/share/squid3/mime.conf
>> log_mime_hdrs on
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>
>
> You are missing the refresh pattern instructing Squid how to safely handle
> dynamic responses without expiry information:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
>
>
>> refresh_pattern . 0 20% 4320
>> acl apache rep_header Server ^Apache
>> coredump_dir /var/spool/squid3
>> acl localnet src 10.1.1.0/24
>> http_access allow localhost
>> http_access allow localnet
>> cache allow all
>
>
> "allow all" is teh default for the "cache" directive. You can omit this line
> entirely from your config file.
>
>
>> request_header_access Allow allow all
>> request_header_access Authorization allow all
>> request_header_access WWW-Authenticate allow all
>> request_header_access Proxy-Authorization allow all
>> request_header_access Proxy-Authenticate allow all
>> request_header_access Cache-Control allow all
>> request_header_access Content-Encoding allow all
>> request_header_access Content-Length allow all
>> request_header_access Content-Type allow all
>> request_header_access Date allow all
>> request_header_access Expires allow all
>> request_header_access Host allow all
>> request_header_access If-Modified-Since allow all
>> request_header_access Last-Modified allow all
>> request_header_access Location allow all
>> request_header_access Pragma allow all
>> request_header_access Accept allow all
>> request_header_access Accept-Charset allow all
>> request_header_access Accept-Encoding allow all
>> request_header_access Accept-Language allow all
>> request_header_access Content-Language allow all
>> request_header_access Mime-Version allow all
>> request_header_access Retry-After allow all
>> request_header_access Title allow all
>> request_header_access Connection allow all
>> request_header_access Proxy-Connection allow all
>> request_header_access User-Agent allow all
>> request_header_access Cookie allow all
>> request_header_access All deny all
>>
>> Am I missing something in squid.conf?
>>
>
> Amos
Received on Tue Aug 20 2013 - 09:40:40 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 21 2013 - 12:00:43 MDT