Darren Spruell wrote: [...]
It seems that every hour when we reload the cache, error conditions occur on this second proxy. Here are entries from cache.log during one such occurrence:
2004/04/10 13:01:01| Restarting Squid Cache (version 2.5.STABLE4)...
2004/04/10 13:01:01| FD 31 Closing HTTP connection
2004/04/10 13:01:01| FD 32 Closing ICP connection
2004/04/10 13:01:01| FD 38 Closing SNMP socket
2004/04/10 13:01:01| Closing unlinkd pipe on FD 33
2004/04/10 13:01:01| User-Agent logging is disabled.
2004/04/10 13:01:01| Referer logging is disabled.
2004/04/10 13:01:01| DNS Socket created at 0.0.0.0, port 32854, FD 6
2004/04/10 13:01:01| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2004/04/10 13:01:01| Adding nameserver 10.5.1.11 from /etc/resolv.conf
2004/04/10 13:01:01| helperOpenServers: Starting 20 'squidGuard' processes
2004/04/10 13:01:01| Unlinkd pipe opened on FD 33
2004/04/10 13:01:01| Accepting HTTP connections at 0.0.0.0, port 8080, FD 31.
2004/04/10 13:01:01| Accepting ICP messages at 0.0.0.0, port 3130, FD 32.
2004/04/10 13:01:01| HTCP Disabled.
2004/04/10 13:01:01| Accepting SNMP messages on port 3401, FD 38.
2004/04/10 13:01:01| WCCP Disabled.
2004/04/10 13:01:01| Configuring Sibling 10.5.1.11/8080/3130
2004/04/10 13:01:01| Loaded Icons.
2004/04/10 13:01:01| Ready to serve requests.
2004/04/10 13:01:18| Failure Ratio at 1.01
2004/04/10 13:01:18| Going into hit-only-mode for 5 minutes...
[...]
I read in the FAQ that this indicates that the ratio of errors to successes is out of control and to search for ERR_* conditions in the access.log while this occurs. However, I don't see any ERR_* entries in the access.log. I do see lots of successful pages accessed (TCP_MISS, TCP_HIT, etc.)
[...]
As this is happening, the users on this proxy begin to see pages suddenly redirected to the whitelist error page - the one they are redirected to when the site they are requesting is not on the whitelist. This starts to appear for *any* page they visit, even the allowed sites.
Here are the enabled lines from squid.conf, in case it helps:
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
redirect_program /usr/bin/squidGuard
redirect_children 20
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl allports port 1-65535
acl local src 10.5.0.0/255.255.0.0
acl msn dst 64.4.13.170-64.4.13.189
acl novell src 10.5.53.0/255.255.255.0
acl snmppublic snmp_community public
acl squid2 src 10.5.1.12/255.255.255.255
http_access allow manager localhost
http_access allow manager squid2
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access allow novell CONNECT allports
http_access allow novell all
http_access allow novell allports
http_access deny msn
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
append_domain .sento.com
icp_hit_stale on
snmp_access allow snmppublic local
snmp_port 3401
coredump_dir /var/cache/squid
-- Darren Spruell
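
One way to confirm from cache.log that hit-only-mode follows each hourly reload, as an added example that is not part of the original post: it parses lines in the format quoted above and pairs every restart with the first "Failure Ratio" entry logged shortly afterwards. The function name `correlate_restarts`, the 60-second window and the 14:01 sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# cache.log line format as quoted in the post: "YYYY/MM/DD HH:MM:SS| message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*(.*)$")
RATIO_RE = re.compile(r"^Failure Ratio at (\d+(?:\.\d+)?)")

# The 13:01 lines are taken from the post; the 14:01 lines are constructed
# to show a reload that is NOT followed by a failure-ratio event.
SAMPLE_LOG = """\
2004/04/10 13:01:01| Restarting Squid Cache (version 2.5.STABLE4)...
2004/04/10 13:01:01| helperOpenServers: Starting 20 'squidGuard' processes
2004/04/10 13:01:01| Ready to serve requests.
2004/04/10 13:01:18| Failure Ratio at 1.01
2004/04/10 13:01:18| Going into hit-only-mode for 5 minutes...
2004/04/10 14:01:01| Restarting Squid Cache (version 2.5.STABLE4)...
2004/04/10 14:01:01| Ready to serve requests.
"""

def correlate_restarts(log_text, window_seconds=60):
    """Pair each restart with the first Failure Ratio entry inside the window.

    Returns one dict per restart: restart time, failure ratio (or None),
    delay in seconds (or None), and whether hit-only-mode was logged.
    """
    events = []
    current = None
    window = timedelta(seconds=window_seconds)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that do not carry a timestamp
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Restarting Squid Cache"):
            current = {"restart": ts, "ratio": None, "delay": None, "hit_only": False}
            events.append(current)
        elif current and ts - current["restart"] <= window:
            r = RATIO_RE.match(msg)
            if r and current["ratio"] is None:
                current["ratio"] = float(r.group(1))
                current["delay"] = int((ts - current["restart"]).total_seconds())
            elif msg.startswith("Going into hit-only-mode"):
                current["hit_only"] = True
    return events

if __name__ == "__main__":
    for e in correlate_restarts(SAMPLE_LOG):
        print(e["restart"], e["ratio"], e["delay"], e["hit_only"])
```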
