Re: [squid-users] stale-if-error returning a 502
Thanks for clarification on max-stale, although it is unintentionally ideal for my use-case. Best, Robin On Mon, 12 Feb 2024 at 16:06, Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2024-02-12 10:13, Robin Carlisle wrote: > > > I have been having success so far with the config workaround.. config > > snippet :- > > > > /max_stale 31536000 seconds > > refresh_pattern . 0 20% 4320 max-stale=31536000/ > > > > When an object has expired due to max-age and the PC is offline > > (ethernet unplugged), squid attempts an origin refresh and gives me : > > > > /0 ::1 TCP_REFRESH_FAIL_OLD/200 35965 GET > > > https://widgets.api.labs.dev.framestoresignage.com/api/v1/instagram/labs/posts.json > < > https://widgets.api.labs.dev.framestoresignage.com/api/v1/instagram/labs/posts.json> > - HIER_NONE/- application/json/ > > > > Previously it had been passing the 502 through to the client application. > > Glad this workaround helps. Just keep in mind that the configuration > snippet above changes max-stale for _all_ responses. > > > > I am continuing to test this - but it looks like I have a working > solution. > > Meanwhile, the fix for the underlying Squid bug was officially accepted > and should become a part of v6.8 release (at least). > > > Thank you, > > Alex. > > > > On Fri, 9 Feb 2024 at 14:31, Alex Rousskov wrote: > > > > On 2024-02-09 08:53, Robin Carlisle wrote: > > > > > I am trying the config workaround approach. > > > > Please keep us posted on your progress. > > > > > Below is the config snippet I have added.I made the > > > assumption that for the /refresh_pattern, max-stale=NN /config, > > the NN > > > is in minutes as per the rest of that config directive. > > > > That assumption is natural but incorrect: Unlike the anonymous > > positional min and max parameters (that use minutes), refresh_pattern > > max-stale=NN uses seconds. Documentation improvements are welcome. > > > > Said that, the workaround should still prevent the application of the > > broken default refresh_pattern max-stale=0 rule, so you should still > > see > > positive results for the first NN seconds of the response age. > > > > Instead of specifying max-stale=NN, consider adding refresh_pattern > > rules recommended by squid.conf.documented (and included in > > squid.cond.default). Those rules do not have max-stale options at > all, > > and, hence, Squid will use (explicit or default) max_stale directive > > instead. > > > > HTH, > > > > Alex. > > > > > > > I am testing this right now > > > > > > # this should allow stale objects up to 1 year if allowed by > > > Cache-Control repsonseheaders ... > > > > > > # ... setting both options just in case > > > > > > max_stale 525600 minutes > > > > > > refresh_pattern . 0 20% 4320 max-stale=525600 > > > > > > > > > Thanks again for your help > > > > > > > > > Robin > > > > > > > > > > > > > > > On Thu, 8 Feb 2024 at 17:42, Alex Rousskov > > > > <mailto:rouss...@measurement-factory.com> > > > <mailto:rouss...@measurement-factory.com > > <mailto:rouss...@measurement-factory.com>>> wrote: > > > > > > Hi Robin, > > > > > > AFAICT from the logs you have privately shared and your > > > squid.conf > > > that you have posted earlier, your Squid overwrites > > > stale-if-error=31536000 in the response with "refresh_pattern > > > max-stale=0" default. That 0 value is wrong. The correct value > > > should be > > > taken from max_stale directive that defaults to 1 week, not > zero: > > > > > > refresh_pattern > > > ... > > > max-stale=NN provide a maximum staleness factor. Squid > > won't > > > serve objects more stale than this even if it failed to > > > validate the object. Default: use the max_stale global > > limit. > > > > > > This wrong default is a Squid bug AFAICT. I posted an > >
Re: [squid-users] stale-if-error returning a 502
Hi, I have been having success so far with the config workaround.. config snippet :- *max_stale 31536000 secondsrefresh_pattern . 0 20% 4320 max-stale=31536000* When an object has expired due to max-age and the PC is offline (ethernet unplugged), squid attempts an origin refresh and gives me : * 0 ::1 TCP_REFRESH_FAIL_OLD/200 35965 GET https://widgets.api.labs.dev.framestoresignage.com/api/v1/instagram/labs/posts.json <https://widgets.api.labs.dev.framestoresignage.com/api/v1/instagram/labs/posts.json> - HIER_NONE/- application/json* Previously it had been passing the 502 through to the client application. I am continuing to test this - but it looks like I have a working solution. Thanks again for all your help on this, Robin On Fri, 9 Feb 2024 at 14:31, Alex Rousskov wrote: > On 2024-02-09 08:53, Robin Carlisle wrote: > > > I am trying the config workaround approach. > > Please keep us posted on your progress. > > > Below is the config snippet I have added.I made the > > assumption that for the /refresh_pattern, max-stale=NN /config, the NN > > is in minutes as per the rest of that config directive. > > That assumption is natural but incorrect: Unlike the anonymous > positional min and max parameters (that use minutes), refresh_pattern > max-stale=NN uses seconds. Documentation improvements are welcome. > > Said that, the workaround should still prevent the application of the > broken default refresh_pattern max-stale=0 rule, so you should still see > positive results for the first NN seconds of the response age. > > Instead of specifying max-stale=NN, consider adding refresh_pattern > rules recommended by squid.conf.documented (and included in > squid.cond.default). Those rules do not have max-stale options at all, > and, hence, Squid will use (explicit or default) max_stale directive > instead. > > HTH, > > Alex. > > > > I am testing this right now > > > > # this should allow stale objects up to 1 year if allowed by > > Cache-Control repsonseheaders ... > > > > # ... setting both options just in case > > > > max_stale 525600 minutes > > > > refresh_pattern . 0 20% 4320 max-stale=525600 > > > > > > Thanks again for your help > > > > > > Robin > > > > > > > > > > On Thu, 8 Feb 2024 at 17:42, Alex Rousskov > > > <mailto:rouss...@measurement-factory.com>> wrote: > > > > Hi Robin, > > > > AFAICT from the logs you have privately shared and your > > squid.conf > > that you have posted earlier, your Squid overwrites > > stale-if-error=31536000 in the response with "refresh_pattern > > max-stale=0" default. That 0 value is wrong. The correct value > > should be > > taken from max_stale directive that defaults to 1 week, not zero: > > > > refresh_pattern > > ... > > max-stale=NN provide a maximum staleness factor. Squid won't > > serve objects more stale than this even if it failed to > > validate the object. Default: use the max_stale global limit. > > > > This wrong default is a Squid bug AFAICT. I posted an _untested_ fix > as > > Squid PR 1664: https://github.com/squid-cache/squid/pull/1664 > > <https://github.com/squid-cache/squid/pull/1664> > > > > If possible, please test the corresponding patch: > > > https://github.com/squid-cache/squid/commit/571973589b5a46d458311f8b60dcb83032fd5cec.patch > < > https://github.com/squid-cache/squid/commit/571973589b5a46d458311f8b60dcb83032fd5cec.patch > > > > > > AFAICT, you can also work around that bug by configuring an explicit > > refresh_pattern rule with an explicit max-stale option (see > > squid.conf.documented for examples). I have not tested that theory > > either. > > > > > > HTH, > > > > Alex. > > > > > > On 2024-02-07 13:45, Robin Carlisle wrote: > > > Hi, > > > > > > I have just started my enhanced logging journey and have a small > > snippet > > > below that might illuminate the issue ... > > > > > > /2024/02/07 17:06:39.212 kid1| 88,3| client_side_reply.cc(507) > > > handleIMSReply: origin replied with error 502, forwarding to > > client due > > > to fail_on_validation_err/ > > > > > > A few lines below in the log it looks like squid sent :- > > > > > > /2024/02/07 17:06:39.212 kid1| 11,2| Stream.cc(280) > >
Re: [squid-users] stale-if-error returning a 502
Hi, Thanks for the info Alex. Patching code and building is a little beyond me tbh, especially as I would need this as a debian package to deploy to many machines. With that in mind I am trying the config workaround approach. Below is the config snippet I have added.I made the assumption that for the *refresh_pattern, max-stale=NN *config, the NN is in minutes as per the rest of that config directive. I am testing this right now # this should allow stale objects up to 1 year if allowed by Cache-Control repsonse headers ... # ... setting both options just in case max_stale 525600 minutes refresh_pattern . 0 20% 4320 max-stale=525600 Thanks again for your help Robin On Thu, 8 Feb 2024 at 17:42, Alex Rousskov wrote: > Hi Robin, > > AFAICT from the logs you have privately shared and your squid.conf > that you have posted earlier, your Squid overwrites > stale-if-error=31536000 in the response with "refresh_pattern > max-stale=0" default. That 0 value is wrong. The correct value should be > taken from max_stale directive that defaults to 1 week, not zero: > > refresh_pattern > ... > max-stale=NN provide a maximum staleness factor. Squid won't > serve objects more stale than this even if it failed to > validate the object. Default: use the max_stale global limit. > > This wrong default is a Squid bug AFAICT. I posted an _untested_ fix as > Squid PR 1664: https://github.com/squid-cache/squid/pull/1664 > > If possible, please test the corresponding patch: > > https://github.com/squid-cache/squid/commit/571973589b5a46d458311f8b60dcb83032fd5cec.patch > > AFAICT, you can also work around that bug by configuring an explicit > refresh_pattern rule with an explicit max-stale option (see > squid.conf.documented for examples). I have not tested that theory either. > > > HTH, > > Alex. > > > On 2024-02-07 13:45, Robin Carlisle wrote: > > Hi, > > > > I have just started my enhanced logging journey and have a small snippet > > below that might illuminate the issue ... > > > > /2024/02/07 17:06:39.212 kid1| 88,3| client_side_reply.cc(507) > > handleIMSReply: origin replied with error 502, forwarding to client due > > to fail_on_validation_err/ > > > > A few lines below in the log it looks like squid sent :- > > > > /2024/02/07 17:06:39.212 kid1| 11,2| Stream.cc(280) sendStartOfMessage: > > HTTP Client REPLY: > > - > > HTTP/1.1 502 Bad Gateway > > Server: squid/5.7 > > Mime-Version: 1.0 > > Date: Wed, 07 Feb 2024 17:06:39 GMT > > Content-Type: text/html;charset=utf-8 > > Content-Length: 3853 > > X-Squid-Error: ERR_READ_ERROR 0 > > Vary: Accept-Language > > Content-Language: en > > X-Cache: MISS from labs-maul-st-15 > > X-Cache-Lookup: HIT from labs-maul-st-15:3129 > > Via: 1.1 labs-maul-st-15 (squid/5.7) > > Connection: close/ > > > > > > The rest of the logs are quite large and contain URLs I cannot put > > here. The logs were generated with debug_options to ALL,3. > > > > Any ideas? Or should I generate more detailed logs and send them > > privately? > > > > Thanks again, > > > > Robin > > > > > > > > > > On Fri, 2 Feb 2024 at 11:20, Robin Carlisle > > mailto:robin.carli...@framestore.com>> > > wrote: > > > > Hi, thanks for your reply. > > > > I have been looking at : > > > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control < > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control> > > > > /The stale-if-error response directive indicates that the cache can > > reuse a stale response when an upstream server generates an error, > > or when the error is generated locally. Here, an error is considered > > any response with a status code of 500, 502, 503, or 504. > > > > Cache-Control: max-age=604800, stale-if-error=86400 > > In the example above, the response is fresh for 7 days (604800s). > > Afterwards, it becomes stale, but can be used for an extra 1 day > > (86400s) when an error is encountered. > > > > After the stale-if-error period passes, the client will receive any > > error generated/ > > > > Given what you have said and what the above docs say - I am still > > confused as it looks like (in my test cases) the cached response can > > be used for 3600 secs (this works), after which the cached response > > can still be used for an additional 31536000 seconds on an error > > (this doesnt work). > > &
Re: [squid-users] stale-if-error returning a 502
Hi, I have just started my enhanced logging journey and have a small snippet below that might illuminate the issue ... *2024/02/07 17:06:39.212 kid1| 88,3| client_side_reply.cc(507) handleIMSReply: origin replied with error 502, forwarding to client due to fail_on_validation_err* A few lines below in the log it looks like squid sent :- *2024/02/07 17:06:39.212 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:-HTTP/1.1 502 Bad GatewayServer: squid/5.7Mime-Version: 1.0Date: Wed, 07 Feb 2024 17:06:39 GMTContent-Type: text/html;charset=utf-8Content-Length: 3853X-Squid-Error: ERR_READ_ERROR 0Vary: Accept-LanguageContent-Language: enX-Cache: MISS from labs-maul-st-15X-Cache-Lookup: HIT from labs-maul-st-15:3129Via: 1.1 labs-maul-st-15 (squid/5.7)Connection: close* The rest of the logs are quite large and contain URLs I cannot put here. The logs were generated with debug_options to ALL,3. Any ideas? Or should I generate more detailed logs and send them privately? Thanks again, Robin On Fri, 2 Feb 2024 at 11:20, Robin Carlisle wrote: > Hi, thanks for your reply. > > I have been looking at : > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control > > > > > > > *The stale-if-error response directive indicates that the cache can reuse > a stale response when an upstream server generates an error, or when the > error is generated locally. Here, an error is considered any response with > a status code of 500, 502, 503, or 504.Cache-Control: max-age=604800, > stale-if-error=86400In the example above, the response is fresh for 7 days > (604800s). Afterwards, it becomes stale, but can be used for an extra 1 day > (86400s) when an error is encountered.After the stale-if-error period > passes, the client will receive any error generated* > > Given what you have said and what the above docs say - I am still confused > as it looks like (in my test cases) the cached response can be used for > 3600 secs (this works), after which the cached response can still be used > for an additional 31536000 seconds on an error (this doesnt work). > > I am going to dig into the error logging you suggested to see if I can > make sense of that - and will send on if I can't. > > Thanks v much for your help again, > > Robin > > > > > > On Thu, 1 Feb 2024 at 18:27, Alex Rousskov < > rouss...@measurement-factory.com> wrote: > >> On 2024-02-01 12:03, Robin Carlisle wrote: >> > Hi, I am having trouble with stale-if-error response. >> >> If I am interpreting Squid code correctly, in primary use cases: >> >> * without a Cache-Control:stale-if-error=X in the original response, >> Squid sends a stale object if revalidation results in a 5xx error; >> >> * with a Cache-Control:stale-if-error=X and object age at most X, Squid >> sends a stale object if revalidation results in a 5xx error; >> >> * with a Cache-Control:stale-if-error=X and object age exceeding X, >> Squid forwards the 5xx error response if revalidation results in a 5xx >> error; >> >> In other words, stale-if-error=X turns on a "fail on validation errors" >> behavior for stale objects older than X. It has no other effects. >> >> In your test case, the stale objects are much younger than >> stale-if-error value (e.g., Age~=3601 vs. stale-if-error=31536000). >> Thus, stale-if-error should have no relevant effect. >> >> Something else is probably preventing your Squid from serving the stale >> response when facing a 5xx error. I do not know what that something is. >> >> I recommend sharing (privately if you need to protect sensitive info) a >> pointer to a compressed ALL,9 cache.log collected while reproducing the >> problem (using two transactions similar to the ones you have shared >> below -- a successful stale hit and a problematic one): >> >> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction >> >> Alternatively, you can try to study cache.log yourself after setting >> debug_options to ALL,3. Searching for "refresh" and "handleIMSReply" may >> yield enough clues. >> >> >> HTH, >> >> Alex. >> >> >> >> >> > # /etc/squid/squid.conf : >> > >> > acl to_aws dstdomain .amazonaws.com <http://amazonaws.com> >> > >> > acl from_local src localhost >> > >> > http_access allow to_aws >> > >> > http_access allow from_local >> > >> > cache allow all >> > >> > cache_dir ufs /var/cache/squid 1024 16 256 >> > >> > http_port 3129 ssl-bump cert=/etc/squid/ma
Re: [squid-users] stale-if-error returning a 502
Hi, thanks for your reply. I have been looking at : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control *The stale-if-error response directive indicates that the cache can reuse a stale response when an upstream server generates an error, or when the error is generated locally. Here, an error is considered any response with a status code of 500, 502, 503, or 504.Cache-Control: max-age=604800, stale-if-error=86400In the example above, the response is fresh for 7 days (604800s). Afterwards, it becomes stale, but can be used for an extra 1 day (86400s) when an error is encountered.After the stale-if-error period passes, the client will receive any error generated* Given what you have said and what the above docs say - I am still confused as it looks like (in my test cases) the cached response can be used for 3600 secs (this works), after which the cached response can still be used for an additional 31536000 seconds on an error (this doesnt work). I am going to dig into the error logging you suggested to see if I can make sense of that - and will send on if I can't. Thanks v much for your help again, Robin On Thu, 1 Feb 2024 at 18:27, Alex Rousskov wrote: > On 2024-02-01 12:03, Robin Carlisle wrote: > > Hi, I am having trouble with stale-if-error response. > > If I am interpreting Squid code correctly, in primary use cases: > > * without a Cache-Control:stale-if-error=X in the original response, > Squid sends a stale object if revalidation results in a 5xx error; > > * with a Cache-Control:stale-if-error=X and object age at most X, Squid > sends a stale object if revalidation results in a 5xx error; > > * with a Cache-Control:stale-if-error=X and object age exceeding X, > Squid forwards the 5xx error response if revalidation results in a 5xx > error; > > In other words, stale-if-error=X turns on a "fail on validation errors" > behavior for stale objects older than X. It has no other effects. > > In your test case, the stale objects are much younger than > stale-if-error value (e.g., Age~=3601 vs. stale-if-error=31536000). > Thus, stale-if-error should have no relevant effect. > > Something else is probably preventing your Squid from serving the stale > response when facing a 5xx error. I do not know what that something is. > > I recommend sharing (privately if you need to protect sensitive info) a > pointer to a compressed ALL,9 cache.log collected while reproducing the > problem (using two transactions similar to the ones you have shared > below -- a successful stale hit and a problematic one): > > https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction > > Alternatively, you can try to study cache.log yourself after setting > debug_options to ALL,3. Searching for "refresh" and "handleIMSReply" may > yield enough clues. > > > HTH, > > Alex. > > > > > > # /etc/squid/squid.conf : > > > > acl to_aws dstdomain .amazonaws.com <http://amazonaws.com> > > > > acl from_local src localhost > > > > http_access allow to_aws > > > > http_access allow from_local > > > > cache allow all > > > > cache_dir ufs /var/cache/squid 1024 16 256 > > > > http_port 3129 ssl-bump cert=/etc/squid/maul.pem > > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB > > > > sslcrtd_program /usr/lib/squid/security_file_certgen -s > > /var/lib/squid/ssl_db -M 4MB > > > > acl step1 at_step SslBump1 > > > > ssl_bump bump step1 > > > > ssl_bump bump all > > > > sslproxy_cert_error deny all > > > > cache_store_log stdio:/var/log/squid/store.log > > > > logfile_rotate 0 > > > > shutdown_lifetime 3 seconds > > > > > > # /usr/bin/proxy-test : > > > > #!/bin/bash > > > > curl --proxy http://localhost:3129 <http://localhost:3129> \ > > > >--cacert /etc/squid/stuff.pem \ > > > >-v "https://stuff.amazonaws.com/api/v1/stuff/stuff.json > > <https://stuff.amazonaws.com/api/v1/stuff/stuff.json>" \ > > > >-H "Authorization: token MYTOKEN" \ > > > >-H "Content-Type: application/json" \ > > > >--output "/tmp/stuff.json" > > > > > > > > Tests .. > > > > > > At this point in time the network cable is unattached. Squid returns > > the cached object it got when the network was online earlier. The Age of > > this object is just still under the max_age of 3600. Previously I > > was using offline_mode but I found that it did not try to revalidate > > from the origin after the o
[squid-users] stale-if-error returning a 502
Hi, I am having trouble with stale-if-error response. I am making calls using curl to an API (under my control) on Amazon AWS. Config and details below ... # /etc/squid/squid.conf : acl to_aws dstdomain .amazonaws.com acl from_local src localhost http_access allow to_aws http_access allow from_local cache allow all cache_dir ufs /var/cache/squid 1024 16 256 http_port 3129 ssl-bump cert=/etc/squid/maul.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB acl step1 at_step SslBump1 ssl_bump bump step1 ssl_bump bump all sslproxy_cert_error deny all cache_store_log stdio:/var/log/squid/store.log logfile_rotate 0 shutdown_lifetime 3 seconds # /usr/bin/proxy-test : #!/bin/bash curl --proxy http://localhost:3129 \ --cacert /etc/squid/stuff.pem \ -v "https://stuff.amazonaws.com/api/v1/stuff/stuff.json; \ -H "Authorization: token MYTOKEN" \ -H "Content-Type: application/json" \ --output "/tmp/stuff.json" Tests .. At this point in time the network cable is unattached. Squid returns the cached object it got when the network was online earlier. The Age of this object is just still under the max_age of 3600. Previously I was using offline_mode but I found that it did not try to revalidate from the origin after the object expired (defined via max-age response). My understanding is that stale-if-error should work under my circumstances. # /var/log/squid/access.log 1706799404.440 6 127.0.0.1 NONE_NONE/200 0 CONNECT stuff.amazonaws.com:443 - HIER_NONE/- - 1706799404.440 0 127.0.0.1 TCP_MEM_HIT/200 20726 GET https://stuff.amazonaws.com/stuff.json - HIER_NONE/- application/json # extract from /usr/bin/proxy-test < HTTP/1.1 200 OK < Date: Thu, 01 Feb 2024 13:57:11 GMT < Content-Type: application/json < Content-Length: 20134 < x-amzn-RequestId: 3a2d3b26-df73-4b30-88cb-1a9268fa0df2 < Last-Modified: 2024-02-01T13:00:45.000Z < Access-Control-Allow-Origin: * < x-amz-apigw-id: SdZwpG7qiYcERUQ= < Cache-Control: public, max-age=3600, stale-if-error=31536000 < ETag: "cec102b43372840737ab773c2e77858b" < X-Amzn-Trace-Id: Root=1-65bba337-292be751134161b03555cdd6 < Age: 3573 < X-Cache: HIT from labs-maul-st-31 < X-Cache-Lookup: HIT from labs-maul-st-31:3129 < Via: 1.1 labs-maul-st-31 (squid/5.7) < Connection: keep-alive Below .. the curl script executes again. The Age has gone over the max-age so squid attempted to refresh from the origin. The machine is still offline so the refresh failed. I expected that the stale-if-error response would instruct squid to return the cached object as a 200. # /var/log/squid/access.log 1706799434.464 5 127.0.0.1 NONE_NONE/200 0 CONNECT stuff.amazonaws.com:443 - HIER_NONE/- - 1706799434.464 0 127.0.0.1 TCP_REFRESH_FAIL_ERR/502 4235 GET https://stuff.amazonaws.com/stuff.json - HIER_NONE/- text/html # extract from /usr/bin/proxy-test < HTTP/1.1 502 Bad Gateway < Server: squid/5.7 < Mime-Version: 1.0 < Date: Thu, 01 Feb 2024 14:57:14 GMT < Content-Type: text/html;charset=utf-8 < Content-Length: 3853 < X-Squid-Error: ERR_READ_ERROR 0 < Vary: Accept-Language < Content-Language: en < X-Cache: MISS from labs-maul-st-31 < X-Cache-Lookup: HIT from labs-maul-st-31:3129 < Via: 1.1 labs-maul-st-31 (squid/5.7) < Connection: close Hope someone can help me with this. All the best, Robin Carlisle ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] offline mode not working for me
Ah OK - understood. Thanks for the explanation. Robin On Sat, 20 Jan 2024 at 12:17, Amos Jeffries wrote: > On 20/01/24 02:05, Robin Carlisle wrote: > > > > I do have 1 followup question which I think is unrelated, let me know if > > etiquette demands I create a new post for this. When I test using > > chromium browser, chromium sends OPTION requests- which I think is > > something to do with CORS. These always cause cache MISS from squid,.. > > I think because the return code is 204...? > > > > No, the reason is HTTP specification (RFC 9110 section 9.3.7): > "Responses to the OPTIONS method are not cacheable." > > If these actually are CORS (might be several other things also), then > there is important differences in the response headers per-visitor. > These cannot be cached, and Squid does not know how to correctly > generate for those headers. So having Squid auto-respond is not a good > idea. > > > Cheers > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users > ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] offline mode not working for me
Thanks for the explanations Amos, much appreciated. On Thu, 18 Jan 2024 at 16:24, Amos Jeffries wrote: > On 19/01/24 03:53, Robin Carlisle wrote: > > Hi, Hoping someone can help me with this issue that I have been > > struggling with for days now. I am setting up squid on an ubuntu PC to > > forward HTTPS requests to an API and an s3 bucket under my control on > > amazon AWS. The reason I am setting up the proxy is two-fold... > > > > 1) To reduce costs from AWS. > > 2) To provide content to the client on the ubuntu PC if there is a > > networking issue somewhere in between the ubuntu PC and AWS. > > > > Item 1 is going well so far. Item 2 is not going well. Setup details > ... > > > ... > > > > > When network connectivity is BAD, I get errors and a cache MISS. In > > this test case I unplugged the ethernet cable from the back on the > > ubuntu-pc ... > > > > *# /var/log/squid/access.log* > > 1705588717.420 11 127.0.0.1 NONE_NONE/200 0 CONNECT > > stuff.amazonaws.com:443 <http://stuff.amazonaws.com:443> - > > HIER_DIRECT/3.135.162.228 <http://3.135.162.228> - > > 1705588717.420 0 127.0.0.1 NONE_NONE/503 4087 GET > > https://stuff.amazonaws.com/api/v1/stuff/stuff.json > > <https://stuff.amazonaws.com/api/v1/stuff/stuff.json> - HIER_NONE/- > > text/html > > > > *# extract from /usr/bin/proxy-test output* > > < HTTP/1.1 503 Service Unavailable > > < Server: squid/5.7 > > < Mime-Version: 1.0 > > < Date: Thu, 18 Jan 2024 14:38:37 GMT > > < Content-Type: text/html;charset=utf-8 > > < Content-Length: 3692 > > < X-Squid-Error: ERR_CONNECT_FAIL 101 > > < Vary: Accept-Language > > < Content-Language: en > > < X-Cache: MISS from ubuntu-pc > > < X-Cache-Lookup: NONE from ubuntu-pc:3129 > > < Via: 1.1 ubuntu-pc (squid/5.7) > > < Connection: close > > > > I have also seen it error in a different way with a 502 but with the > > same ultimate result. > > > > My expectation/hope is that squid would return the cached object on any > > network failure in between ubuntu-pc and the AWS endpoint - and continue > > to return this cached object forever. Is this something squid can do? > >It would seem that offline_mode should do this? > > > > > FYI, offline_mode is not a guarantee that a URL will always HIT. It is > simply a form of "greedy" caching - where Squid will take actions to > ensure that full-size objects are fetched whenever it lacks one, and > serve things as stale HITs when a) it is not specifically prohibited, > and b) a refresh/fetch is not working. > > > The URL you are testing with should meet your expected behaviour due to > the "Cache-Control: public, stale-of-error" header alone. >Regardless of offline_mode configuration. > > > That said, getting a 5xx response when there is an object already in > cache seems like something is buggy to me. > > A high level cache.log will be needed to figure out what is going on > (see https://wiki.squid-cache.org/SquidFaq/BugReporting#full-debug-output > ). > Be aware this list does not permit large posts so please provide a link > to download in your reply not attachment. > > > Cheers > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users > ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] offline mode not working for me
Hi, thanks so much for the detailed response. I chose to test option 2 from your recommendations as I am new to squid and I do not understand how to set it up as a reverse proxy anyway. I made the change to my squid.conf : #ssl_bump peek step1 ssl_bump bump step1 ssl_bump bump all This made it work - which is great news. My curl requests now are satisfied by the cache when the pc is offline! I do have 1 followup question which I think is unrelated, let me know if etiquette demands I create a new post for this. When I test using chromium browser, chromium sends OPTION requests - which I think is something to do with CORS. These always cause cache MISS from squid,.. I think because the return code is 204...? 1705669236.776113 ::1 TCP_MISS/204 680 OPTIONS https://stuff.amazonaws.com/api/v1/stuff/stuff.json - HIER_DIRECT/ 3.135.146.17 application/json I can prevent my chromium instance from making these (pointless?) OPTIONS calls using the following args, but I would rather not have to do this. --disable-web-security --disable-features=IsolateOrigins,site-per-process Any way I can get squid to cache these calls? Thanks again and all the best, Robin On Thu, 18 Jan 2024 at 16:03, Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2024-01-18 09:53, Robin Carlisle wrote: > > > My expectation/hope is that squid would return the cached object on > > any network failure in between ubuntu-pc and the AWS endpoint - and > > continue to return this cached object forever. Is this something > > squid can do? It would seem that offline_mode should do this? > > Yes and yes. The reason you are getting errors are not related to cache > hits or misses. Those errors happen _before_ Squid gets the requested > resource URL and looks up that resource in Squid cache. > > > ssl_bump peek step1 > > ssl_bump bump all > > To get that URL (in your configuration), Squid must bump the connection. > To bump the connection at step2, Squid must contact the origin server. > When the cable is unplugged, Squid obviously cannot do that: The attempt > to open a Squid-AWS connection fails. > > > .../200 0 CONNECT stuff.amazonaws.com:443 - HIER_DIRECT > > .../503 4087 GET https://stuff.amazonaws.com/api/... - HIER_NONE > > Squid reports bumping errors to the client using HTTP responses. To do > that, Squid remembers the error response, bumps the client connection, > receives GET from the client on that bumped connection, and sends that > error response to the client. This is why you see both CONNECT/200 and > GET/503 access.log records. Note that Squid does not check whether the > received GET request would have been a cache hit in this case -- the > response to that request has been preordained by the earlier bumping > failure. > > > Solution candidates to consider include: > > * Stop bumping: https_port 443 cert=/etc/squid/stuff.pem > > Configure Squid as (a reverse HTTPS proxy for) the AWS service. Use > https_port. No SslBump rules/options! The client would think that it is > sending HTTPS requests directly to the service. Squid will forward > client requests to the service. If this works (and I do not have enough > information to know that this will work in your specific environment), > then you will get a much simpler setup. > > > * Bump at step1, before Squid contacts AWS: ssl_bump bump all > > Bugs notwithstanding, there will be no Squid-AWS connection for cache > hits. The resulting certificate will not be based on AWS service info, > but it looks like your client is ignorant enough to ignore related > certificate problems. > > > HTH, > > Alex. > > > > Hi, Hoping someone can help me with this issue that I have been > > struggling with for days now. I am setting up squid on an ubuntu PC to > > forward HTTPS requests to an API and an s3 bucket under my control on > > amazon AWS. The reason I am setting up the proxy is two-fold... > > > > 1) To reduce costs from AWS. > > 2) To provide content to the client on the ubuntu PC if there is a > > networking issue somewhere in between the ubuntu PC and AWS. > > > > Item 1 is going well so far. Item 2 is not going well. Setup details > ... > > > > *# squid - setup cache folder* > > mkdir -p /var/cache/squid > > chown -R proxy:proxy /var/cache/squid > > > > *# ssl - generate key* > > apt --yes install squid-openssl libnss3-tools > > openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \ > >-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com > > <http://www.example.com>" \ > >-keyout /etc/squid/stuff.pem -out /etc/squid/stuff.pem > > chown root:proxy /etc/squid/stuff.pem
[squid-users] offline mode not working for me
Hi, Hoping someone can help me with this issue that I have been struggling with for days now. I am setting up squid on an ubuntu PC to forward HTTPS requests to an API and an s3 bucket under my control on amazon AWS. The reason I am setting up the proxy is two-fold... 1) To reduce costs from AWS. 2) To provide content to the client on the ubuntu PC if there is a networking issue somewhere in between the ubuntu PC and AWS. Item 1 is going well so far. Item 2 is not going well. Setup details ... *# squid - setup cache folder* mkdir -p /var/cache/squid chown -R proxy:proxy /var/cache/squid *# ssl - generate key* apt --yes install squid-openssl libnss3-tools openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \ -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ -keyout /etc/squid/stuff.pem -out /etc/squid/stuff.pem chown root:proxy /etc/squid/stuff.pem chmod 644 /etc/squid/stuff.pem *# ssl - ssl DB* mkdir -p /var/lib/squid rm -rf /var/lib/squid/ssl_db /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB chown -R proxy:proxy /var/lib/squid/ssl_db *# /etc/squid/squid.conf :* acl to_aws dstdomain .amazonaws.com acl from_local src localhost http_access allow to_aws http_access allow from_local cache allow all cache_dir ufs /var/cache/squid 1024 16 256 offline_mode on http_port 3129 ssl-bump cert=/etc/squid/stuff.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all sslproxy_cert_error deny all cache_store_log stdio:/var/log/squid/store.log logfile_rotate 0 *# /usr/bin/proxy-test :* #!/bin/bash curl --proxy http://localhost:3129 \ --cacert /etc/squid/stuff.pem \ -v "https://stuff.amazonaws.com/api/v1/stuff/stuff.json; \ -H "Authorization: token MYTOKEN" \ -H "Content-Type: application/json" \ --output "/tmp/stuff.json" When network connectivity is GOOD, everything works well and I get cache HITS ... *# /var/log/squid/access.log* 1705587538.837238 127.0.0.1 NONE_NONE/200 0 CONNECT stuff.amazonaws.com:443 - HIER_DIRECT/3.136.246.238 - 1705587538.838 0 127.0.0.1 TCP_MEM_HIT/200 32818 GET https://stuff.amazonaws.com/api/v1/stuff/stuff.json - HIER_NONE/- application/json *# extract from /usr/bin/proxy-test output* < HTTP/1.1 200 OK < Date: Thu, 18 Jan 2024 13:38:01 GMT < Content-Type: application/json < Content-Length: 32187 < x-amzn-RequestId: 8afba80e-6df7-4d5b-a34b-a70bd9b54380 < Last-Modified: 2024-01-03T11:23:19.000Z < Access-Control-Allow-Origin: * < x-amz-apigw-id: RvN1CF2_iYcEokA= < Cache-Control: max-age=2147483648,public,stale-if-error < ETag: "53896156c4e8e26933188a092c4e40f1" < X-Amzn-Trace-Id: Root=1-65a929b9-3bd3285934151c1a2495481a < Age: 2578 < Warning: 110 squid/5.7 "Response is stale" < X-Cache: HIT from ubuntu-pc < X-Cache-Lookup: HIT from ubuntu-pc:3129 < Via: 1.1 ubuntu-pc (squid/5.7) < Connection: keep-alive When network connectivity is BAD, I get errors and a cache MISS. In this test case I unplugged the ethernet cable from the back on the ubuntu-pc ... *# /var/log/squid/access.log* 1705588717.420 11 127.0.0.1 NONE_NONE/200 0 CONNECT stuff.amazonaws.com:443 - HIER_DIRECT/3.135.162.228 - 1705588717.420 0 127.0.0.1 NONE_NONE/503 4087 GET https://stuff.amazonaws.com/api/v1/stuff/stuff.json - HIER_NONE/- text/html *# extract from /usr/bin/proxy-test output* < HTTP/1.1 503 Service Unavailable < Server: squid/5.7 < Mime-Version: 1.0 < Date: Thu, 18 Jan 2024 14:38:37 GMT < Content-Type: text/html;charset=utf-8 < Content-Length: 3692 < X-Squid-Error: ERR_CONNECT_FAIL 101 < Vary: Accept-Language < Content-Language: en < X-Cache: MISS from ubuntu-pc < X-Cache-Lookup: NONE from ubuntu-pc:3129 < Via: 1.1 ubuntu-pc (squid/5.7) < Connection: close I have also seen it error in a different way with a 502 but with the same ultimate result. My expectation/hope is that squid would return the cached object on any network failure in between ubuntu-pc and the AWS endpoint - and continue to return this cached object forever. Is this something squid can do? It would seem that offline_mode should do this? Hope you can help, Robin ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
[FFmpeg-user] ffmpeg : kmsgrab not working for me
Hi, Hoping someone can help me with my issue, or guide me to the correct place to ask this question. I am using an Intel NUC :- https://ark.intel.com/content/www/us/en/ark/products/188808/intel-nuc-10-performance-kit-nuc10i7fnk.html that has this CPU :- https://ark.intel.com/content/www/us/en/ark/products/196448/intel-core-i7-10710u-processor-12m-cache-up-to-4-70-ghz.html I am using Linux, ubuntu desktop 20.04 with the drivers that are installed as default. I did a minimal installation with no 3rd party drivers as part of the installation process. I am running the default desktop in X. 1920x1080 @ 60 Hz I installed ffmpeg with the usual *sudo apt install ffmpeg* I granted required permissions to the ffmpeg exe : *sudo setcap cap_sys_admin+ep `which ffmpeg`* I tried the following too,.. but this made no difference : *sudo usermod -a -G video $USER* *sudo usermod -a -G render $USER* I also tried the oibaf drivers.. but this made no difference either way. *sudo add-apt-repository ppa:oibaf/graphics-driverssudo apt -y updatesudo apt -y upgradesudo reboot* I followed many online examples and none of them worked, they all ended up with the same error. Thanks v much! *ffmpeg -f kmsgrab -i - -vf 'hwmap=derive_device=vaapi,scale_vaapi=w=1920:h=1080:format=nv12' -c:v h264_vaapi output.mp4* ffmpeg version 4.2.2-1ubuntu1 Copyright (c) 2000-2019 the FFmpeg developers built with gcc 9 (Ubuntu 9.3.0-3ubuntu1) configuration: --prefix=/usr --extra-version=1ubuntu1 --toolchain=hardened --libdir=/usr/lib/x86_64-linux-gnu --incdir=/usr/include/x86_64-linux-gnu --arch=amd64 --enable-gpl --disable-stripping --enable-avresample --disable-filter=resample --enable-avisynth --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librsvg --enable-librubberband --enable-libshine --enable-libsnappy --enable-libsoxr --enable-libspeex --enable-libssh --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --enable-opengl --enable-sdl2 --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-nvenc --enable-chromaprint --enable-frei0r --enable-libx264 --enable-shared libavutil 56. 31.100 / 56. 31.100 libavcodec 58. 54.100 / 58. 54.100 libavformat58. 29.100 / 58. 29.100 libavdevice58. 8.100 / 58. 8.100 libavfilter 7. 57.100 / 7. 57.100 libavresample 4. 0. 0 / 4. 0. 0 libswscale 5. 5.100 / 5. 5.100 libswresample 3. 5.100 / 3. 5.100 libpostproc55. 5.100 / 55. 5.100 [kmsgrab @ 0x55af5b53b700] Using plane 31 to locate framebuffers. [kmsgrab @ 0x55af5b53b700] Template framebuffer is 108: 1920x1080 32bpp 24b depth. Input #0, kmsgrab, from 'pipe:': Duration: N/A, start: 1591804071.260090, bitrate: N/A Stream #0:0: Video: wrapped_avframe, drm_prime, 1920x1080, 29.83 tbr, 1000k tbn, 1000k tbc Stream mapping: Stream #0:0 -> #0:0 (wrapped_avframe (native) -> h264 (h264_vaapi)) [Parsed_scale_vaapi_1 @ 0x55af5b55c0c0] Failed to create processing pipeline config: 12 (the requested VAProfile is not supported). [Parsed_scale_vaapi_1 @ 0x55af5b55c0c0] Failed to configure output pad on Parsed_scale_vaapi_1 Error reinitializing filters! Failed to inject frame into filter network: Input/output error Error while processing the decoded data for stream #0:0 Conversion failed! *vainfo* libva info: VA-API version 1.7.0 libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so libva info: Found init function __vaDriverInit_1_7 libva info: va_openDriver() returns 0 vainfo: VA-API version: 1.7 (libva 2.6.0) vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 20.1.1 () vainfo: Supported profile and entrypoints VAProfileMPEG2Simple: VAEntrypointVLD VAProfileMPEG2Main : VAEntrypointVLD VAProfileH264Main : VAEntrypointVLD VAProfileH264Main : VAEntrypointEncSliceLP VAProfileH264High : VAEntrypointVLD VAProfileH264High : VAEntrypointEncSliceLP VAProfileJPEGBaseline : VAEntrypointVLD VAProfileJPEGBaseline : VAEntrypointEncPicture VAProfileH264ConstrainedBaseline: VAEntrypointVLD VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP VAProfileVP8Version0_3 : VAEntrypointVLD VAProfileHEVCMain : VAEntrypointVLD VAProfileHEVCMain10 : VAEntrypointVLD