Package: squid-deb-proxy Version: 0.8.14 Severity: normal Dear Maintainer,
I have encountered a problem with caching using squid-deb-proxy. This may be a bug in squid itself, but I am not familiar enough with squid to determine that. The symptom of the problem is: ------------------------------------------------------------------------ $ sudo apt-get update Get:1 http://mirrors.kernel.org/debian sid InRelease [242 kB] Get:2 http://mirrors.kernel.org/debian experimental InRelease [107 kB] Hit:3 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease Reading package lists... Done E: Release file for http://mirrors.kernel.org/debian/dists/sid/InRelease is expired (invalid since 49d 18h 44min 20s). Updates for this repository will not be applied. E: Release file for http://mirrors.kernel.org/debian/dists/experimental/InRelease is expired (invalid since 49d 18h 44min 20s). Updates for this repository will not be applied. ------------------------------------------------------------------------ I have been using mirrors.kernel.org for a long time; relatively recently, they started redirecting to mirrors.edge.kernel.org, and I think that is what triggered this problem. Here are some debugging commands to show what is happening: Requesting from the proxy: ------------------------------------------------------------------------ $ echo -e 'GET http://mirrors.kernel.org/debian/dists/sid/InRelease HTTP/1.1\r\nHost: mirrors.kernel.org\r\nConnection: Close\r\n\r\n' | nc fire 8000 | head -n 20 HTTP/1.1 200 OK Server: nginx Date: Sat, 02 Jun 2018 05:57:45 GMT Content-Type: text/plain Content-Length: 241761 Last-Modified: Sat, 02 Jun 2018 02:28:45 GMT Accept-Ranges: bytes X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Cache: MISS from squid-deb-proxy X-Cache-Lookup: HIT from squid-deb-proxy:8000 Via: 1.1 squid-deb-proxy (squid/3.5.27) Connection: close -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Origin: Debian Label: Debian Suite: unstable ------------------------------------------------------------------------ Requesting from origin: ------------------------------------------------------------------------ $ echo -e 'GET http://mirrors.kernel.org/debian/dists/sid/InRelease HTTP/1.1\r\nHost: mirrors.kernel.org\r\nConnection: Close\r\n\r\n' | nc mirrors.kernel.org 80 | head -n 20 HTTP/1.1 301 Moved Permanently Content-length: 0 Location: http://mirrors.edge.kernel.org/debian/dists/sid/InRelease Connection: close ------------------------------------------------------------------------ ...and following the redirect: ------------------------------------------------------------------------ $ echo -e 'GET http://mirrors.kernel.org/debian/dists/sid/InRelease HTTP/1.1\r\nHost: mirrors.kernel.org\r\nConnection: Close\r\n\r\n' | nc mirrors.edge.kernel.org 80 | head -n 20 HTTP/1.1 200 OK Server: nginx Date: Sat, 28 Jul 2018 21:19:35 GMT Content-Type: text/plain Content-Length: 232649 Last-Modified: Sat, 28 Jul 2018 20:28:39 GMT Connection: close Content-Security-Policy: default-src https: Strict-Transport-Security: max-age=15768001 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection:: 1; mode=block Accept-Ranges: bytes -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Origin: Debian Label: Debian Suite: unstable ------------------------------------------------------------------------ Requesting from the proxy results in entries in the access log like: ------------------------------------------------------------------------ 1532811922.767 113 2001:470:805b:1:2efd:a1ff:feba:f3af TCP_REFRESH_IGNORED/200 242154 GET http://mirrors.kernel.org/debian/dists/sid/InRelease - HIER_DIRECT/2001:19d0:306:6:0:1994:3:14 text/plain ------------------------------------------------------------------------ >From what I read, TCP_REFRESH_IGNORED means that squid is trying to get a new object from the origin, but it thinks the response it gets is even older than the cached object. Doing a tcpdump on the proxy indicates that it only makes one request: ------------------------------------------------------------------------ 13:57:03.170260 IP6 tunnel8198-pt.tunnel.tserv3.fmt2.ipv6.he.net.59452 > mirrors.pdx.kernel.org.http: Flags [P.], seq 1:343, ack 1, win 222, options [nop,nop,TS val 1510245291 ecr 333388888], length 342: HTTP: GET /debian/dists/sid/InRelease HTTP/1.1 13:57:03.204071 IP6 mirrors.pdx.kernel.org.http > tunnel8198-pt.tunnel.tserv3.fmt2.ipv6.he.net.59452: Flags [F.], seq 1:142, ack 343, win 232, options [nop,nop,TS val 333388924 ecr 1510245291], length 141: HTTP: HTTP/1.1 301 Moved Permanently ------------------------------------------------------------------------ I think squid should be returning the 301 to the client, but instead it is returning a stale cached object. Thanks, Corey -- System Information: Debian Release: buster/sid APT prefers stable-debug APT policy: (500, 'stable-debug'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) Versions of packages squid-deb-proxy depends on: ii debconf [debconf-2.0] 1.5.66 ii squid 3.5.27-1 Versions of packages squid-deb-proxy recommends: ii avahi-utils 0.7-3.1 squid-deb-proxy suggests no packages. -- Configuration Files: /etc/squid-deb-proxy/squid-deb-proxy.conf changed [not included] -- debconf information: * squid-deb-proxy/acl-disable: false * squid-deb-proxy/ppa-enable: false