On Wed, Apr 09, 2008, C. Ham wrote:
> Like http://wiki.squid-cache.org/SquidFaq/SquidAcl &

Is that reproducible for you 100%? If so, could you please take a
wireshark/tcpdump snapshot of the traffic exchange from server to Squid
and then put it into the Squid bugzilla?

Thanks,

Adrian

> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 for a
> start. Both load fine if I bypass Squid, but neither will load properly
> if I try and retrieve them via Squid. They'll take between 5 & 15
> minutes to arrive and when they do, the content is usually partial and
> the layout decidedly wrong.
>
> I've trawled through all the usual: ECN, tcp windows, OS specific things
> and have set Wireshark loose on it. The network dumps just show Yahoo
> mail working fine for the initial logon and subsequent referrals, but as
> soon as it leaves the SSL session having verified the session
> authentication and tries to retrieve the actual mail front page,
> (http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 for
> example) it slows to a crawl. Other than the speed I can't see anything
> actually going wrong.
>
> I also get this on a variety of other sites, especially
> www.guardian.co.uk and sometimes www.direct.gov.uk.
>
> Any help would be much appreciated as I've got disgruntled students /
> tutors / staff and I'm very much in need of gruntling them again. If
> that's a word. If not, I'll settle for quietening them down.
>
> Thanks,
>
>
> Callum.
>
>
> Stuff of note:
>
> Browsers: IE 6.x & Firefox 2.0.X
> Fedora Core 7.
> Kernel 2.6.23.15-80.fc7 on an i686 - Intel(R) Xeon - GNU/Linux.
> squid-2.6.STABLE16-4.fc7 (Fc7 rpm).
>
> Non defaults from squid.conf:
>
> http_port 10.3.0.1:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \? showFolder asp
> no_cache deny QUERY
> cache_mem 512 MB
> cache_swap_low 50
> cache_swap_high 95
> maximum_object_size 8192 KB
> cache_dir ufs /var/spool/squid 10000 16 256
> cache_dir ufs /var/spool/squid2 10000 16 256
> cache_access_log /var/log/squid/access.log
> debug_options ALL,3
> dns_nameservers 10.3.0.1 10.3.0.2
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
> "dc=quack,dc=org,dc=local" -D
> "cn=LDAP_guest,OU=ADMIN,DC=quack,DC=org,DC=local" -w "XXXXXX" -f
> sAMAccountName=%s -h 10.3.0.3
> auth_param basic children 5
> auth_param basic realm "Donkey Centre"
> auth_param basic credentialsttl 5 minutes
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> external_acl_type InetUsersGroup %LOGIN /usr/lib/squid/squid_ldap_group
> -R -b "dc=quack,dc=org,dc=local" -D
> "cn=LDAP_guest,OU=ADMIN,DC=quack,DC=org,DC=local" -w "XXXXXX" -f
> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%
> a,ou=users,dc=quack,dc=org,dc=local))" -h 10.3.0.2
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 2083
> acl localip src 10.0.0.0/8
> acl PURGE method PURGE
> acl apache src 10.0.0.0/8
> acl localnet proxy_auth REQUIRED src 10.0.0.0/8
> acl InetAccess external InetUsersGroup SquidUsers
> acl CONNECT method CONNECT
> http_access allow PURGE localhost
> http_access allow manager localip
> http_access allow manager apache
> http_access allow InetAccess
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl our_networks src 10.0.0.0/8
> http_access allow our_networks
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr postmaster@xxxxxxxxxxxxxxxxxxx
> mail_from squid@xxxxxxxxxxxxxxxxxxx
> visible_hostname gate.quack.ducks.com.etc
> cachemgr_passwd XXXXXX all
> coredump_dir /var/spool/squid
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>
>
> Excerpt from cache.log following request for
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0:
>
> 2008/04/08 15:57:00| fwdConnectStart:
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> 2008/04/08 15:57:00| fwdConnectStart: got addr 0.0.0.0, tos 0
> 2008/04/08 15:57:00| fd_open FD 39
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> 2008/04/08 15:57:00| cbdataLock: 0x8cdd798
> 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 60
> 2008/04/08 15:57:00| commConnectStart: FD 39, uk.mc260.mail.yahoo.com:80
> 2008/04/08 15:57:00| cbdataLock: 0x8cdd798
> 2008/04/08 15:57:00| cbdataLock: 0x8cdd7e8
> 2008/04/08 15:57:00| cbdataLock: 0x8cdd7e8
> 2008/04/08 15:57:00| cbdataValid: 0x8cdd7e8
> 2008/04/08 15:57:00| ipcacheCycleAddr: uk.mc260.mail.yahoo.com now at
> 87.248.111.187
> 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd7e8
> 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd798
> 2008/04/08 15:57:00| storeUnlockObject: key
> '27D91622B3E024FF88542C1541F6B2D3' count=3
> 2008/04/08 15:57:00| cbdataFree: 0x8bec610
> 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bec610
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> 2008/04/08 15:57:00| cbdataFree: 0x8d127a0
> 2008/04/08 15:57:00| cbdataFree: 0x8d127a0 has 1 locks, not freeing
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d127a0
> 2008/04/08 15:57:00| cbdataUnlock: Freeing 0x8d127a0
> 2008/04/08 15:57:00| comm_select: timeout 488
> 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd7e8
> 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout -1
> 2008/04/08 15:57:00| commConnectFree: FD 39
> 2008/04/08 15:57:00| cbdataFree: 0x8cdd7e8
> 2008/04/08 15:57:00| cbdataFree: Freeing 0x8cdd7e8
> 2008/04/08 15:57:00| cbdataValid: 0x8cdd798
> 2008/04/08 15:57:00| fwdConnectDone: FD 39:
> 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> 2008/04/08 15:57:00| fwdDispatch: FD 34: Fetching 'GET
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> 2008/04/08 15:57:00| httpStart: "GET
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0"
> 2008/04/08 15:57:00| storeLockObject: key
> '27D91622B3E024FF88542C1541F6B2D3' count=4
> 2008/04/08 15:57:00| cbdataLock: 0x8cead28
> 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 86400
> 2008/04/08 15:57:00| getMaxAge:
> 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> 2008/04/08 15:57:00| cbdataLock: 0x8cead28
> 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd798
> 2008/04/08 15:57:00| comm_select: timeout 433
> 2008/04/08 15:57:00| cbdataValid: 0x8cead28
> 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 900
> 2008/04/08 15:57:00| cbdataUnlock: 0x8cead28
> 2008/04/08 15:57:00| comm_select: timeout 433
> 2008/04/08 15:57:00| ctx: enter level 0:
> 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> 2008/04/08 15:57:00| httpProcessReplyHeader: key
> '27D91622B3E024FF88542C1541F6B2D3'
> 2008/04/08 15:57:00| httpProcessReplyHeader: HTTP CODE: 200
> 2008/04/08 15:57:00| storeExpireNow: '27D91622B3E024FF88542C1541F6B2D3'
> 2008/04/08 15:57:00| storeGet: looking up
> 88ECBC523E9AEA95834A7F145E64EC69
> 2008/04/08 15:57:00| storeGet: looking up
> 199F1E34B1E329E02396FA9A41720E7A
> 2008/04/08 15:57:00| ctx: exit level 0
> 2008/04/08 15:57:00| InvokeHandlers: 27D91622B3E024FF88542C1541F6B2D3
> 2008/04/08 15:57:00| InvokeHandlers: checking client #0
> 2008/04/08 15:57:00| cbdataLock: 0x8d87958
> 2008/04/08 15:57:00| storeClientCopy2: 27D91622B3E024FF88542C1541F6B2D3
> 2008/04/08 15:57:00| storeClientCopy3: Copying from memory
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| clientBuildReplyHeader: can't keep-alive, unknown
> body size
> 2008/04/08 15:57:00| cbdataLock: 0x88e9558
> 2008/04/08 15:57:00| cbdataLock: 0x8d8c0e0
> 2008/04/08 15:57:00| aclMatchAclList: checking all
> 2008/04/08 15:57:00| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/04/08 15:57:00| aclMatchIp: '10.2.2.16' found
> 2008/04/08 15:57:00| aclMatchAclList: returning 1
> 2008/04/08 15:57:00| httpReplyBodyBuildSize: Setting maxBodySize to 0
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> 2008/04/08 15:57:00| cbdataUnlock: 0x88e9558
> 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> 2008/04/08 15:57:00| clientSendMoreHeaderData: Appending 1628 bytes
> after 414 bytes of headers
> 2008/04/08 15:57:00| cbdataLock: 0x8d094a8
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| cbdataLock: 0x88e9a18
> 2008/04/08 15:57:00| cbdataLock: 0x8d8c0e0
> 2008/04/08 15:57:00| cbdataLock: 0x8cd8750
> 2008/04/08 15:57:00| cbdataValid: 0x88e9a18
> 2008/04/08 15:57:00| aclCheck: checking 'http_reply_access allow all'
> 2008/04/08 15:57:00| aclMatchAclList: checking all
> 2008/04/08 15:57:00| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/04/08 15:57:00| aclMatchIp: '10.2.2.16' found
> 2008/04/08 15:57:00| aclMatchAclList: returning 1
> 2008/04/08 15:57:00| aclCheck: match found, returning 1
> 2008/04/08 15:57:00| cbdataUnlock: 0x88e9a18
> 2008/04/08 15:57:00| aclCheckCallback: answer=1
> 2008/04/08 15:57:00| cbdataValid: 0x8cd8750
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| The reply for GET
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 is
> ALLOWED, because it matched 'all'
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| cbdataFree: 0x8cd8750
> 2008/04/08 15:57:00| cbdataFree: 0x8cd8750 has 1 locks, not freeing
> 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:00| cbdataLock: 0x8d094a8
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> 2008/04/08 15:57:00| cbdataUnlock: 0x8cd8750
> 2008/04/08 15:57:00| cbdataUnlock: Freeing 0x8cd8750
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> 2008/04/08 15:57:00| cbdataUnlock: 0x8d87958
> 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 900
> 2008/04/08 15:57:01| comm_select: timeout 350
> 2008/04/08 15:57:01| cbdataValid: 0x8d094a8
> 2008/04/08 15:57:01| storeClientCopy: 27D91622B3E024FF88542C1541F6B2D3,
> seen 2042, want 2042, size 4096, cb 0x806cc8f, cbdata 0x8d094a8
> 2008/04/08 15:57:01| cbdataLock: 0x8d094a8
> 2008/04/08 15:57:01| cbdataLock: 0x8d87958
> 2008/04/08 15:57:01| storeClientCopy2: 27D91622B3E024FF88542C1541F6B2D3
> 2008/04/08 15:57:01| storeClientCopy3: Waiting for more
> 2008/04/08 15:57:01| cbdataUnlock: 0x8d87958
> 2008/04/08 15:57:01| cbdataUnlock: 0x8d094a8
> 2008/04/08 15:57:01| comm_select: timeout 350
> 2008/04/08 15:57:01| fd_open FD 76 HTTP Request
> 2008/04/08 15:57:01| cbdataLock: 0x88e58a8
> 2008/04/08 15:57:01| cbdataLock: 0x8db16e8
> 2008/04/08 15:57:01| commSetTimeout: FD 76 timeout 300
> 2008/04/08 15:57:01| aclMatchAclList: checking all
> 2008/04/08 15:57:01| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/04/08 15:57:01| aclMatchIp: '10.2.2.16' found
> 2008/04/08 15:57:01| aclMatchAclList: returning 1
> 2008/04/08 15:57:01| comm_select: timeout 331
> 2008/04/08 15:57:01| cbdataLock: 0x8db16e8
> 2008/04/08 15:57:01| parseHttpRequest: req_hdr = {Host: mail.yimg.com
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.1.13)
> Gecko/20080325 Fedora/2.0.0.13-1.fc8 Firefox/2.0.0.13
> Accept: image/png,*/*;q=0.5
> Accept-Language: en-gb
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> Proxy-Authorization: Basic XXXXXXXXXXXXXXX
>
> }

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -