Re: [squid-users] After enabling IPv6 squid no longer responds
On 26/11/19 11:52 am, Alex Rousskov wrote:
> On 11/25/19 1:53 PM, James Moe wrote:
>
>> I have narrowed the problem space. The issue occurs only with https:, and not
>> always. Most sites timeout, others (partially) load after a delay of 5 - 20
>> seconds.
>> The delay never occurs for non-secure traffic.
>
> After the timeout and client-to-Squid connection closure, is there a
> corresponding CONNECT record in access.log?
>

If not, double-check that the traffic is actually going to the Squid you
think it is (that may require one or more packet traces). There have been a
few cases in the past where it turned out sometimes traffic was going to a
proxy it was not supposed to.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] After enabling IPv6 squid no longer responds
On 26/11/19 8:11 am, James Moe wrote:
> On 2019-11-14 3:04 PM, Alex Rousskov wrote:
>
>> FYI: "utterly ignored" seems to contradict "error message from squid"
>> above.
>>
> The command "ip a" produces the following rather intimidating output. Should I
> add some more IPv6 addresses to the configuration parameter "localnet"?

You could add the fe80::/10 subnet back in. But it should not have any
noticeable effect on your current problem.

The number of "temporary deprecated dynamic" means your server is changing
its public IP randomly and frequently (so-called 'privacy addressing').

The addresses marked 'deprecated' can only be used by existing fully-open
TCP connections. New connections to that IP are rejected as if it did not
exist - these addresses are supposed to be only for outbound traffic anyway.

So ... check if you have any firewall rules or DNS entries regarding traffic
*to* the server. Make sure they only use the addresses marked 'forever' in
that list, or the whole fd2f:4760:521f:3f3c::/64 range.

Amos

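The check suggested in the reply above, as an added example (not part of the original thread and not Squid code): it parses the IPv6 lines of the "ip a" output posted in this thread, lists the global addresses whose lifetimes are both 'forever', and audits a list of firewall or DNS targets against them. The function names and the target list are assumptions made for illustration.

```python
import ipaddress
import re

# IPv6 lines excerpted from the "ip a" output posted in this thread.
IP_A = """\
    inet6 fd2f:4760:521f:3f3c:1f0:8b81:2a1e:bb1f/64 scope global temporary deprecated dynamic
       valid_lft 516573sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:224:8cff:fe9a:f4f4/64 scope global mngtmpaddr dynamic
       valid_lft 2591781sec preferred_lft 604581sec
    inet6 fd2f:4760:521f:3f3c::c0a8:45f6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::224:8cff:fe9a:f4f4/64 scope link
       valid_lft forever preferred_lft forever
"""
ADDR_RE = re.compile(r"inet6 (\S+)/\d+ scope (\w+)(.*)\n\s+valid_lft (\S+) preferred_lft (\S+)")

def parse_inet6(text):
    """Map each IPv6 address to its scope, flag set and lifetimes."""
    return {ipaddress.ip_address(addr): {"scope": scope, "flags": set(flags.split()),
                                         "valid": valid, "preferred": pref}
            for addr, scope, flags, valid, pref in ADDR_RE.findall(text)}

def stable_addresses(addrs):
    """Global addresses with valid_lft and preferred_lft both 'forever'."""
    return sorted(a for a, i in addrs.items() if i["scope"] == "global"
                  and i["valid"] == "forever" and i["preferred"] == "forever")

def audit_targets(targets, addrs, site_prefix):
    """Check firewall/DNS targets: 'forever' addresses or the site prefix pass."""
    site = ipaddress.ip_network(site_prefix)
    stable = set(stable_addresses(addrs))
    report = {}
    for target in targets:
        if "/" in target:  # a range: only the whole site prefix passes
            ok = ipaddress.ip_network(target, strict=False) == site
            report[target] = "ok" if ok else "range differs from site prefix"
            continue
        ip = ipaddress.ip_address(target)
        if ip in stable:
            report[target] = "ok"
        elif ip in addrs:
            flags = sorted(addrs[ip]["flags"]) or ["scope " + addrs[ip]["scope"]]
            report[target] = "unsuitable: " + " ".join(flags)
        else:
            report[target] = "not configured on this host"
    return report

if __name__ == "__main__":  # the target below is a constructed example
    print(audit_targets(["fd2f:4760:521f:3f3c:1f0:8b81:2a1e:bb1f"],
                        parse_inet6(IP_A), "fd2f:4760:521f:3f3c::/64"))
```

Feeding it the full output of "ip -6 addr show" on the proxy host, together with the addresses actually referenced by firewall rules and DNS records, shows which entries point at addresses that are not 'forever'.
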
Re: [squid-users] After enabling IPv6 squid no longer responds
On 11/25/19 1:53 PM, James Moe wrote:

>>> There is nothing in the access.log; the request is utterly ignored.

>> FYI: "utterly ignored" seems to contradict "error message from squid"
>> above.

> I know. Confusing.

My remark was meant as a hint that something in your description needs
adjustment: "error message from squid" is mutually exclusive with "the
request is utterly ignored".

Going forward, I will assume that the request was not ignored; I will assume
that Squid received the request and responded with an error message (after a
timeout).

Do you see Squid making DNS queries when handling the problematic
transaction?

Can you reproduce the problem using a single transaction on an otherwise
idle Squid?

> I have narrowed the problem space. The issue occurs only with https:, and not
> always. Most sites timeout, others (partially) load after a delay of 5 - 20
> seconds.
> The delay never occurs for non-secure traffic.

After the timeout and client-to-Squid connection closure, is there a
corresponding CONNECT record in access.log?

And just to double check, the error message from Squid is in response to a
CONNECT request, right? I see no SslBump rules in your configuration so this
must be a simple case of trying to establish a TCP tunnel with the address
specified by the CONNECT request.

Alex.

Re: [squid-users] After enabling IPv6 squid no longer responds
On 2019-11-14 3:04 PM, Alex Rousskov wrote:
> FYI: "utterly ignored" seems to contradict "error message from squid"
> above.
>

The command "ip a" produces the following rather intimidating output. Should I
add some more IPv6 addresses to the configuration parameter "localnet"?

Address fd2f:4760:521f:3f3c::c0a8:45f6 is the IPv6 address given as the static
entry for the network interface.

2: eth0: mtu 1460 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:24:8c:9a:f4:f4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.69.246/24 brd 192.168.69.255 scope global eth0:smasvr3
       valid_lft forever preferred_lft forever
    inet6 fd2f:4760:521f:3f3c:4dfa:4b86:934:5684/64 scope global temporary dynamic
       valid_lft 602374sec preferred_lft 83376sec
    inet6 fd2f:4760:521f:3f3c:1f0:8b81:2a1e:bb1f/64 scope global temporary deprecated dynamic
       valid_lft 516573sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:38ef:8276:b87b:5f8d/64 scope global temporary deprecated dynamic
       valid_lft 430773sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:d4c3:7847:797c:37da/64 scope global temporary deprecated dynamic
       valid_lft 344973sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:c02e:96a3:1557:88ec/64 scope global temporary deprecated dynamic
       valid_lft 259173sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:3598:28d1:3525:e51e/64 scope global temporary deprecated dynamic
       valid_lft 173373sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:913c:74dd:d2fd:dc66/64 scope global temporary deprecated dynamic
       valid_lft 87572sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:f592:3b23:f025:50ba/64 scope global temporary deprecated dynamic
       valid_lft 1773sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:224:8cff:fe9a:f4f4/64 scope global mngtmpaddr dynamic
       valid_lft 2591781sec preferred_lft 604581sec
    inet6 fd2f:4760:521f:3f3c::c0a8:45f6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::224:8cff:fe9a:f4f4/64 scope link
       valid_lft forever preferred_lft forever

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

Re: [squid-users] After enabling IPv6 squid no longer responds
On 2019-11-14 3:04 PM, Alex Rousskov wrote:
> Can you connect to port 80 of that IPv6 address using telnet, wget, or
> curl running on the Squid box?
>

Yes.

$ telnet fd2f:4760:521f:3f3c::c0a8:45f6 80
Trying fd2f:4760:521f:3f3c::c0a8:45f6...
Connected to fd2f:4760:521f:3f3c::c0a8:45f6.
Escape character is '^]'.

>
>> There is nothing in the access.log; the request is utterly ignored.
> FYI: "utterly ignored" seems to contradict "error message from squid"
> above.
>

I know. Confusing.

I have narrowed the problem space. The issue occurs only with https:, and not
always. Most sites timeout, others (partially) load after a delay of 5 - 20
seconds.
The delay never occurs for non-secure traffic.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

Re: [squid-users] After enabling IPv6 squid no longer responds
On 11/14/19 1:50 PM, James Moe wrote:
> On 13/11/2019 12.36 pm, James Moe wrote:
>
>> After adding v6 addresses to the server and hosts, and enabling an RA, squid
>> no longer delivers anything from its cache, or is exceedingly slow about it.

> Here is a typical error message from squid:
>
> The following error was encountered while trying to retrieve the URL:
> http://dx.doi.org/
> Connection to 2606:4700:20::681a:9ed failed.
> The system returned: (110) Connection timed out

Can you connect to port 80 of that IPv6 address using telnet, wget, or curl
running on the Squid box?

> There is nothing in the access.log; the request is utterly ignored.

FYI: "utterly ignored" seems to contradict "error message from squid" above.
If Squid v4 sent an error response to the browser but logged nothing to
access.log, then there is a Squid bug that you should report to Bugzilla.

HTH,

Alex.

Re: [squid-users] After enabling IPv6 squid no longer responds
On Thursday 14 November 2019 at 19:50:00, James Moe wrote:

> On 13/11/2019 12.36 pm, James Moe wrote:
> > After adding v6 addresses to the server and hosts, and enabling an RA,
> > squid no longer delivers anything from its cache, or is exceedingly slow
> > about it.
>
> Here is a typical error message from squid:
>
> The following error was encountered while trying to retrieve the URL:
> http://dx.doi.org/
> Connection to 2606:4700:20::681a:9ed failed.
> The system returned: (110) Connection timed out
>
> There is nothing in the access.log; the request is utterly ignored.
> When I have the browser bypass the proxy, the site loads almost instantly.

Have you confirmed (for example with a network packet sniffer) that the
browser is connecting directly to the site also using IPv6?

For that matter, have you used a packet sniffer to find out what Squid is
doing, in terms of requests sent and possible responses received?

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list; please *don't* CC me.

Re: [squid-users] After enabling IPv6 squid no longer responds
On 13/11/2019 12.36 pm, James Moe wrote:
> After adding v6 addresses to the server and hosts, and enabling an RA, squid
> no longer delivers anything from its cache, or is exceedingly slow about it.
>

Here is a typical error message from squid:

The following error was encountered while trying to retrieve the URL:
http://dx.doi.org/
Connection to 2606:4700:20::681a:9ed failed.
The system returned: (110) Connection timed out

There is nothing in the access.log; the request is utterly ignored.
When I have the browser bypass the proxy, the site loads almost instantly.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

Re: [squid-users] After enabling IPv6 squid no longer responds
On 13/11/2019 12.36 pm, James Moe wrote:
> After adding v6 addresses to the server and hosts, and enabling an RA, squid
> no longer delivers anything from its cache, or is exceedingly slow about it.
>

Any one?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

[squid-users] After enabling IPv6 squid no longer responds
Hello,

squid v4.8

I have started transitioning our local network to IPv6.
After adding v6 addresses to the server and hosts, and enabling an RA, squid
no longer delivers anything from its cache, or is exceedingly slow about it.

I have reviewed the wiki. The one section that discusses this issue has a
solution only for v3.1 or earlier. Does it also apply to later versions?

What am I missing?

[ squid.conf ]
# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl manager_admin src 192.168.69.115
#
# acl localnet src fc00::/7
# acl localnet src fe80::/10
#
# https, cups
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
# sma-nas-02, cgatePro, webadmin
acl SSL_ports port 5000
acl SSL_ports port 5001
acl SSL_ports port 9010
acl SSL_ports port 9100
acl SSL_ports port 1
#
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 631
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 9100
#
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24
acl localnet src fd2f:4760:521f:3f3c::0/64
access_log /data01/var/log/squid/access.log
#
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
# cache_dir ufs /var/cache/squid 100 16 256
cache_dir ufs /data01/var/cache/squid 51200 16 256
maximum_object_size 9 KB
cache_mem 256 MB
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320
cache_log /data01/var/log/squid/cache.log
cache_mgr ji...@sohnen-moe.com
cache_replacement_policy lru
cache_store_log /data01/var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
logfile_rotate 0
error_directory /usr/share/squid/errors/en
ftp_passive on
memory_replacement_policy lru
minimum_object_size 0 KB
[ end ]

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.