Re: Apache + Squid Proxy: AH01991: SSL input filter read failed


 



On Wednesday, 3 May 2017, 19:32:04 CEST, Luca Toscano wrote:
> Hi,
> 
> 2017-05-02 19:18 GMT+02:00 chiasa.men <chiasa.men@xxxxxx>:
> > Hi,
> > my apache is behind a squid proxy which is configured like that:
> > https_port 3128 accel cert=/cert.pem key=/cert.key defaultsite=
> > ww1.example.com
> > vhost
> > acl server20_domains dstdomain ww1.example.com ww2.example.com
> > http_access allow server20_domains
> > cache_peer server20 parent 443 0 no-query originserver name=server20
> > login=PASSTHRU ssl sslversion=6
> > cache_peer_access server20 allow server20_domains
> > cache_peer_access server20 deny all
> > 
> > The idea was to send ww1 and ww2 to server20 which is hosting an apache
> > webservice for both sites.
> > It works but each time I visit one of those sites the following messages
> > appear in apache's logs:
> > 
> > [00:00:39.641665] ---
> > [00:00:44.641883] [ssl:info] ssl_engine_io.c(675): (70007)The timeout
> > specified has expired: [client wwwclient:47122] AH01991: SSL input filter
> > read
> > failed.
> > [00:00:44.642170] [ssl:info] ssl_engine_io.c(675): (70007)The timeout
> > specified has expired: [client wwwclient:47120] AH01991: SSL input filter
> > read
> > failed.
> > [00:00:44.642442] [ssl:info] ssl_engine_io.c(675): (70007)The timeout
> > specified has expired: [client wwwclient:47118] AH01991: SSL input filter
> > read
> > failed.
> > [00:00:44.642570] [ssl:info] ssl_engine_io.c(675): (70007)The timeout
> > specified has expired: [client wwwclient:47124] AH01991: SSL input filter
> > read
> > failed.
> > [00:00:44.642977] [ssl:debug] ssl_engine_io.c(1016): -: [client wwwclient:
> > 47118] AH02001: Connection closed to child 11 with standard shutdown
> > (server
> > ww1.example.com:443)
> > [00:00:44.643241] [ssl:debug] ssl_engine_io.c(1016): -: [client wwwclient:
> > 47124] AH02001: Connection closed to child 6 with standard shutdown
> > (server
> > ww1.example.com:443)
> > [00:00:44.643373] [ssl:debug] ssl_engine_io.c(1016): -: [client wwwclient:
> > 47120] AH02001: Connection closed to child 5 with standard shutdown
> > (server
> > ww1.example.com:443)
> > [00:00:44.643560] [ssl:debug] ssl_engine_io.c(1016): -: [client wwwclient:
> > 47122] AH02001: Connection closed to child 8 with standard shutdown
> > (server
> > ww1.example.com:443)
> > [00:00:44.647119] [ssl:info] ssl_engine_io.c(675): (70007)The timeout
> > specified has expired: [client wwwclient:47116] AH01991: SSL input filter
> > read
> > failed.
> > [00:00:44.647347] [ssl:debug] ssl_engine_io.c(1016): -: [client wwwclient:
> > 47116] AH02001: Connection closed to child 3 with standard shutdown
> > (server
> > ww1.example.com:443)
> > 
> > The corresponding squid access.log entries would be:
> > [00:00:39] "GET https://ww1.example.com/a/ HTTP/1.1" 503 4033 "-" "ua"
> > TCP_MISS:FIRSTUP_PARENT
> > [00:00:39] "GET https://ww1.example.com/some.js HTTP/1.1" 304 240
> > "https://
> > ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
> > [00:00:39] "GET https://ww1.example.com/someother.js HTTP/1.1" 304 239
> > "https://ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
> > [00:00:39] "GET https://ww1.example.com/more.js HTTP/1.1" 304 241
> > "https://
> > ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
> > [00:00:39] "GET https://ww1.example.com/some.css HTTP/1.1" 304 277
> > "https://
> > ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
> > [00:00:39] "GET https://ww1.example.com/someother.css HTTP/1.1" 304 277
> > "https://ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
> > [00:00:39] "GET https://ww1.example.com/a.png HTTP/1.1" 304 241 "https://
> > ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
> > 
> > 
> > You can see that approximately after 5s the timeout happens. Is it a
> > message
> > to worry about? (it is just "info" labeled) Why does it occur?
> > 
> > I sent basically the same problem to squid's mailing list because I
> > supposed
> > squid was the problematic part here. But since they suggested apache could
> > be
> > the weirdo, I'm asking here
> > Thanks for your help
> 
> I'd need to ask you a couple of questions since I am not familiar with
> Squid:
> 
> 1) Does Squid terminate TLS/SSL or is it proxied to httpd in some way? Can
> you describe a bit more your set up?
That, so it seems, was the actual reason. Thanks for that.
The default setting for squid is:
server_persistent_connections on
which means that squid keeps the connections - apache didn't

> 2) Can you share your httpd configuration? Do you have any timeout set on
> it that might explain this in httpd or Squid (check also default timeouts)?
The timeout that happens seems to be the KeepAliveTimeout which is set to 5 
(set to 15, the same messages occur simply after 15 seconds)
> 3) Not super familiar with Squid but from the logs it seems that a 503 is
> logged for https://ww1.example.com/a.. Is it normal?
Yes this is intended since the page requested was under maintenance. It was 
even the only request which did not timeout :D

> 
> Luca
I fixed it by setting
server_persistent_connections off in squid.conf

Thanks for your hints
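
An added example, not part of the original thread: a log triage sketch that separates AH01991 timeouts caused by an idle kept-alive proxy connection from ones that need a closer look. The function names, the one-second `slack` (Squid's access log here has one-second resolution) and the unwrapped sample lines are assumptions made for the example; it treats the most recent Squid request as the start of the idle period.

```python
import re

# Constructed sample, modelled on the log excerpts in the post (lines unwrapped).
APACHE_LOG = """\
[00:00:44.641883] [ssl:info] ssl_engine_io.c(675): (70007)The timeout specified has expired: [client wwwclient:47122] AH01991: SSL input filter read failed.
[00:00:44.643560] [ssl:debug] ssl_engine_io.c(1016): -: [client wwwclient:47122] AH02001: Connection closed to child 8 with standard shutdown (server ww1.example.com:443)
[00:00:52.100000] [ssl:info] ssl_engine_io.c(675): (70007)The timeout specified has expired: [client wwwclient:47200] AH01991: SSL input filter read failed.
"""
SQUID_LOG = """\
[00:00:39] "GET https://ww1.example.com/some.js HTTP/1.1" 304 240 "https://ww1.example.com/a/" "ua" TCP_MISS:FIRSTUP_PARENT
"""

TS = re.compile(r"^\[(\d+):(\d+):(\d+)(?:\.(\d+))?\]")
CLIENT = re.compile(r"\[client ([^\]\s]+)\]")

def seconds(line):
    """Return the leading [HH:MM:SS(.ffffff)] stamp as seconds, or None."""
    m = TS.match(line)
    if not m:
        return None
    h, mi, s, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + (float("0." + frac) if frac else 0.0)

def classify(apache_log, squid_log, keepalive_timeout, slack=1.0):
    """Map each client with an AH01991 (70007) timeout to (verdict, idle_seconds)."""
    requests = sorted(t for t in map(seconds, squid_log.splitlines()) if t is not None)
    closed, timeouts = set(), []
    for line in apache_log.splitlines():
        t, c = seconds(line), CLIENT.search(line)
        if t is None or c is None:
            continue
        if "AH02001" in line and "standard shutdown" in line:
            closed.add(c.group(1))          # clean TLS shutdown logged for this client
        elif "AH01991" in line and "(70007)" in line:
            timeouts.append((t, c.group(1)))
    result = {}
    for t, client in timeouts:
        prior = [r for r in requests if r <= t]
        idle = t - prior[-1] if prior else None
        # Benign pattern from the thread: idle gap matches KeepAliveTimeout
        # and the same connection is then closed with a standard shutdown.
        benign = (idle is not None and client in closed
                  and keepalive_timeout <= idle <= keepalive_timeout + slack)
        result[client] = ("idle-keepalive-expiry" if benign else "investigate", idle)
    return result
```

Timeouts that do not line up with `KeepAliveTimeout`, or that lack the matching AH02001 standard shutdown, are returned as `investigate`.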




