Re: [squid-users] Strange problem with some sites (403 and no connection) from Amos Jeffries on 2014-04-28 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 29 Apr 2014 04:33:57 +1200

On 26/03/2014 12:58 a.m., Antonio Gutiérrez Mayoral wrote:
> Hi there, I have a problem with my squid setup. I am running
> Squid 3.2 in a SLES 11 box. Ok, everthing is working fine, with my
> particular setup but I have discovered (by my users) that there is
> at least two sites that are not working.
>
> The strange thing is this sites are not forbidden, but, I am seeing
> 403 codes and after that, the home site for this sles server :? (for apache)
> not my 403 customized page in case this site was forbiden (like facebook,
> youtube, etc).
>
> This sites are spanish sites: www.aemet.es and www.agenciatributaria.es
> Its very strange. The access.log shows this:
>
> 1395744973.690 2 10.10.5.17 TCP_MISS/403 5821 GET http://www.aemet.es/
> MyUser DIRECT/:: text/html

Apparently the IP address of their server is ANY_ADDR.

>
> 1395744973.707 6 10.10.5.17 TCP_REFRESH_UNMODIFIED/304 330 GET
> http://www.aemet.es/welcome/inc/micro.js MyUser DIRECT/:: -
>
> 1395744973.708 5 10.10.5.17 TCP_REFRESH_UNMODIFIED/304 329 GET
> http://www.aemet.es/welcome/inc/share.js MyUser DIRECT/:: -
>

Weird thing is those apparently working. Perhapse you have a log display
bug.

> The strange thing is I have runned tcpdump in the proxy server, and
> the DNS queries for
> aemet.es were ok, after that there isnt any kind of connection from
> the proxy server
> to the aemet site. I dont understand why.

dig AAAA www.aemet.es

;; ANSWER SECTION:
www.aemet.es. 86370 IN CNAME B23117.cdn.telefonica.com.
B23117.cdn.telefonica.com. 21571 IN CNAME b23117.2.cdn.telefonica.com.
b23117.2.cdn.telefonica.com. 16 IN AAAA ::

... yes, that is the actual DNS record the telefonica CDN servers told
your Squid to contact. If you know how to contact them an email to their
NOC would not go amiss.

I assume your tests were all checking the IPv4 connectivity to the
website - which has no issues of course.

PS. general advice for IPv6, caching and connectivity issues is upgrade
to 3.4. These things have been constantly improved across the releases.

Amos
Received on Mon Apr 28 2014 - 16:34:03 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 28 2014 - 12:00:08 MDT