Hello list,
I've just spent the better part of three hours up to my ears in packet traces, squid debugging, reconfiguring, upgrading from -STABLE5 to -STABLE8 and firewall tweaking.
I was getting "Zero Sized Reply" on a specific page of a website (within an authenticated realm). All the usual recipes got me nowhere. And the firewall was showing odd behaviour: I was getting connection rejects on a high port of the natted address of the Squid box, coming from source port 80 of the remote host I was making the connections to. And no amount of nat tweaks or changes to the ruleset would make the page work.
Then, after staring at the FAQ (section 11.51) for the seventeenth time, I finally began to comprehend the words I was reading ;o)
"Disable any advanced TCP features on the Squid system"
And then dim memories of hardening the box back in Jan 2003 rose to the surface. In /etc/sysctl.conf I had the following setting:
net.inet.tcp.blackhole=2
Sure enough, deactivating this parameter by running the command
/sbin/sysctl net.inet.tcp.blackhole=0
... fixed the problem immediately. Didn't even have to restart squid. If someone could update the FAQ with this information it might possibly save someone else grief.
Thanks, David
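
Added example, not part of the original post: a small shell check for a Squid host that compares the value /etc/sysctl.conf will apply at boot with the value the running kernel has, since a sysctl command run by hand changes only the running kernel. The function names and the result labels are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: audit net.inet.tcp.blackhole on a Squid host.
KEY="net.inet.tcp.blackhole"

# Print the value a sysctl.conf-style file would apply for KEY at boot.
# Later assignments override earlier ones; comments and blank lines are
# ignored. Prints "unset" when the file is missing or never assigns KEY.
persisted_blackhole() {
    file="$1"
    [ -r "$file" ] || { echo "unset"; return 0; }
    awk -v key="$KEY" '
        { sub(/#.*/, "") }                      # strip trailing comments
        {
            n = index($0, "=")
            if (n == 0) next                    # not an assignment
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
            if (k == key) val = v               # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$file"
}

# Classify the pair (persisted value, runtime value).
# $1 = persisted value or "unset", $2 = runtime value or "unknown".
# Prints one of: ok | runtime-active | returns-on-reboot
classify_blackhole() {
    persisted="$1"; runtime="$2"
    case "$runtime" in
        0|unknown) ;;                           # not active right now
        *) echo "runtime-active"; return 0 ;;   # kernel is blackholing now
    esac
    case "$persisted" in
        0|unset) echo "ok" ;;
        *) echo "returns-on-reboot" ;;          # file will re-enable it
    esac
}

# Audit the given file (default /etc/sysctl.conf) against the live kernel.
# Where the sysctl does not exist (non-BSD hosts) runtime is "unknown".
audit_blackhole() {
    file="${1:-/etc/sysctl.conf}"
    runtime=$(sysctl -n "$KEY" 2>/dev/null) || runtime="unknown"
    [ -n "$runtime" ] || runtime="unknown"
    classify_blackhole "$(persisted_blackhole "$file")" "$runtime"
}
```

Source the file and call audit_blackhole on the proxy host; "returns-on-reboot" means the running kernel is fine but the line in /etc/sysctl.conf still needs to be changed or removed.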