But other URLs at wiki.squid-cache.org work?

Adrian

On Wed, Apr 09, 2008, C. Ham wrote:
> It's a problem which started up between 1 and 2 months ago, though I'm
> unfortunately unsure exactly when so I can't tie it to a particular
> update or similar.
>
> Before I submit a bug, it might be best to check I'm not just being
> thick. To clarify, it seems there may well be two issues:
>
> http://wiki.squid-cache.org/SquidFaq/SquidAcl gives "(110) Connection
> timed out" eventually. Checking a Wireshark dump shows that no traffic
> above the tcp layer occurs: no actual HTTP requests get made, just a lot
> of syns and acks with the same sort of errors as for this next address.
>
> http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 does
> actually load, though on closer inspection, there are various tcp
> issues showing up in the network dump: "A segment before this frame was
> lost," "Duplicate to the ACK in frame: 65," & "This frame is a
> (suspected) out-of-order segment."
>
> Both issues are (sadly) reproducible 100% at the minute, tested on
> Firefox 2.0.x & Fedora core 8 (x86_64) fully patched and IE 6 on WinXP
> pro (x86_32) fully patched.
>
> Beneath is also the contents of /proc/sys/net/ipv4/tcp_* in case I've
> missed some ECN / window scaling / MTU / etc. type thing.
>
> Much obliged,
>
>
> Callum.
>
>
> Contents of /proc/sys/net/ipv4/tcp_* :
>
> /proc/sys/net/ipv4/tcp_abc
> /proc/sys/net/ipv4/tcp_abort_on_overflow
> /proc/sys/net/ipv4/tcp_adv_win_scale
> /proc/sys/net/ipv4/tcp_allowed_congestion_control
> /proc/sys/net/ipv4/tcp_app_win
> /proc/sys/net/ipv4/tcp_available_congestion_control
> /proc/sys/net/ipv4/tcp_base_mss
> /proc/sys/net/ipv4/tcp_congestion_control
> /proc/sys/net/ipv4/tcp_dma_copybreak
> /proc/sys/net/ipv4/tcp_dsack
> /proc/sys/net/ipv4/tcp_ecn
> /proc/sys/net/ipv4/tcp_fack
> /proc/sys/net/ipv4/tcp_fin_timeout
> /proc/sys/net/ipv4/tcp_frto
> /proc/sys/net/ipv4/tcp_frto_response
> /proc/sys/net/ipv4/tcp_keepalive_intvl
> /proc/sys/net/ipv4/tcp_keepalive_probes
> /proc/sys/net/ipv4/tcp_keepalive_time
> /proc/sys/net/ipv4/tcp_low_latency
> /proc/sys/net/ipv4/tcp_max_orphans
> /proc/sys/net/ipv4/tcp_max_ssthresh
> /proc/sys/net/ipv4/tcp_max_syn_backlog
> /proc/sys/net/ipv4/tcp_max_tw_buckets
> /proc/sys/net/ipv4/tcp_mem
> /proc/sys/net/ipv4/tcp_moderate_rcvbuf
> /proc/sys/net/ipv4/tcp_mtu_probing
> /proc/sys/net/ipv4/tcp_no_metrics_save
> /proc/sys/net/ipv4/tcp_orphan_retries
> /proc/sys/net/ipv4/tcp_reordering
> /proc/sys/net/ipv4/tcp_retrans_collapse
> /proc/sys/net/ipv4/tcp_retries1
> /proc/sys/net/ipv4/tcp_retries2
> /proc/sys/net/ipv4/tcp_rfc1337
> /proc/sys/net/ipv4/tcp_rmem
> /proc/sys/net/ipv4/tcp_sack
> /proc/sys/net/ipv4/tcp_slow_start_after_idle
> /proc/sys/net/ipv4/tcp_stdurg
> /proc/sys/net/ipv4/tcp_synack_retries
> /proc/sys/net/ipv4/tcp_syncookies
> /proc/sys/net/ipv4/tcp_syn_retries
> /proc/sys/net/ipv4/tcp_timestamps
> /proc/sys/net/ipv4/tcp_tso_win_divisor
> /proc/sys/net/ipv4/tcp_tw_recycle
> /proc/sys/net/ipv4/tcp_tw_reuse
> /proc/sys/net/ipv4/tcp_window_scaling
> /proc/sys/net/ipv4/tcp_wmem
> /proc/sys/net/ipv4/tcp_workaround_signed_windows
>
> 0
> 0
> 2
> cubic reno
> 31
> cubic reno
> 512
> cubic
> 4096
> 1
> 0
> 1
> 30
> 0
> 0
> 75
> 9
> 1800
> 0
> 32768
> 0
> 64
> 180000
> 390144 520192 780288
> 1
> 0
> 0
> 0
> 5
> 1
> 3
> 15
> 0
> 4096 87380 4194304
> 0
> 1
> 0
> 3
> 1
> 6
> 0
> 3
> 0
> 0
> 0
> 4096 16384 4194304
> 0
>
>
> On Wed, 2008-04-09 at 20:02 +0800, Adrian Chadd wrote:
> > On Wed, Apr 09, 2008, C. Ham wrote:
> > > Like http://wiki.squid-cache.org/SquidFaq/SquidAcl &
> >
> > Is that reproducible for you 100%? If so, could you please take a wireshark/tcpdump
> > snapshot of the traffic exchange from server to Squid and then put it into the
> > Squid bugzilla?
> >
> > Thanks,
> >
> >
> > Adrian
> >
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 for a
> > > start. Both load fine if I bypass Squid, but neither will load properly
> > > if I try and retrieve them via Squid. They'll take between 5 & 15
> > > minutes to arrive and when they do, the content is usually partial and
> > > the layout decidedly wrong.
> > >
> > > I've trawled through all the usual: ECN, tcp windows, OS specific things
> > > and have set Wireshark loose on it. The network dumps just show Yahoo
> > > mail working fine for the initial logon and subsequent referrals, but as
> > > soon as it leaves the SSL session having verified the session
> > > authentication and tries to retrieve the actual mail front page,
> > > (http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 for
> > > example) it slows to a crawl. Other than the speed I can't see anything
> > > actually going wrong.
> > >
> > > I also get this on a variety of other sites, especially
> > > www.guardian.co.uk and sometimes www.direct.gov.uk.
> > >
> > > Any help would be much appreciated as I've got disgruntled students /
> > > tutors / staff and I'm very much in need of gruntling them again. If
> > > that's a word. If not, I'll settle for quietening them down.
> > >
> > > Thanks,
> > >
> > >
> > > Callum.
> > >
> > >
> > > Stuff of note:
> > >
> > > Browsers: IE 6.x & Firefox 2.0.X
> > > Fedora Core 7.
> > > Kernel 2.6.23.15-80.fc7 on an i686 - Intel(R) Xeon - GNU/Linux.
> > > squid-2.6.STABLE16-4.fc7 (Fc7 rpm).
> > >
> > > Non defaults from squid.conf:
> > >
> > > http_port 10.3.0.1:3128
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \? showFolder asp
> > > no_cache deny QUERY
> > > cache_mem 512 MB
> > > cache_swap_low 50
> > > cache_swap_high 95
> > > maximum_object_size 8192 KB
> > > cache_dir ufs /var/spool/squid 10000 16 256
> > > cache_dir ufs /var/spool/squid2 10000 16 256
> > > cache_access_log /var/log/squid/access.log
> > > debug_options ALL,3
> > > dns_nameservers 10.3.0.1 10.3.0.2
> > > redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> > > auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
> > > "dc=quack,dc=org,dc=local" -D
> > > "cn=LDAP_guest,OU=ADMIN,DC=quack,DC=org,DC=local" -w "XXXXXX" -f
> > > sAMAccountName=%s -h 10.3.0.3
> > > auth_param basic children 5
> > > auth_param basic realm "Donkey Centre"
> > > auth_param basic credentialsttl 5 minutes
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours
> > > auth_param basic casesensitive off
> > > external_acl_type InetUsersGroup %LOGIN /usr/lib/squid/squid_ldap_group
> > > -R -b "dc=quack,dc=org,dc=local" -D
> > > "cn=LDAP_guest,OU=ADMIN,DC=quack,DC=org,DC=local" -w "XXXXXX" -f
> > > "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%
> > > a,ou=users,dc=quack,dc=org,dc=local))" -h 10.3.0.2
> > > refresh_pattern ^ftp: 1440 20% 10080
> > > refresh_pattern ^gopher: 1440 0% 1440
> > > refresh_pattern . 0 20% 4320
> > > acl all src 0.0.0.0/0.0.0.0
> > > acl manager proto cache_object
> > > acl localhost src 127.0.0.1/255.255.255.255
> > > acl to_localhost dst 127.0.0.0/8
> > > acl SSL_ports port 443 563 2083
> > > acl localip src 10.0.0.0/8
> > > acl PURGE method PURGE
> > > acl apache src 10.0.0.0/8
> > > acl localnet proxy_auth REQUIRED src 10.0.0.0/8
> > > acl InetAccess external InetUsersGroup SquidUsers
> > > acl CONNECT method CONNECT
> > > http_access allow PURGE localhost
> > > http_access allow manager localip
> > > http_access allow manager apache
> > > http_access allow InetAccess
> > > http_access deny manager
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > > acl our_networks src 10.0.0.0/8
> > > http_access allow our_networks
> > > http_access allow localhost
> > > http_access deny all
> > > http_reply_access allow all
> > > icp_access allow all
> > > cache_mgr postmaster@xxxxxxxxxxxxxxxxxxx
> > > mail_from squid@xxxxxxxxxxxxxxxxxxx
> > > visible_hostname gate.quack.ducks.com.etc
> > > cachemgr_passwd XXXXXX all
> > > coredump_dir /var/spool/squid
> > > extension_methods REPORT MERGE MKACTIVITY CHECKOUT
> > >
> > >
> > > Excerpt from cache.log following request for
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0:
> > >
> > > 2008/04/08 15:57:00| fwdConnectStart:
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> > > 2008/04/08 15:57:00| fwdConnectStart: got addr 0.0.0.0, tos 0
> > > 2008/04/08 15:57:00| fd_open FD 39
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cdd798
> > > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 60
> > > 2008/04/08 15:57:00| commConnectStart: FD 39, uk.mc260.mail.yahoo.com:80
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cdd798
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cdd7e8
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cdd7e8
> > > 2008/04/08 15:57:00| cbdataValid: 0x8cdd7e8
> > > 2008/04/08 15:57:00| ipcacheCycleAddr: uk.mc260.mail.yahoo.com now at
> > > 87.248.111.187
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd7e8
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd798
> > > 2008/04/08 15:57:00| storeUnlockObject: key
> > > '27D91622B3E024FF88542C1541F6B2D3' count=3
> > > 2008/04/08 15:57:00| cbdataFree: 0x8bec610
> > > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bec610
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> > > 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> > > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> > > 2008/04/08 15:57:00| cbdataFree: 0x8d127a0
> > > 2008/04/08 15:57:00| cbdataFree: 0x8d127a0 has 1 locks, not freeing
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d127a0
> > > 2008/04/08 15:57:00| cbdataUnlock: Freeing 0x8d127a0
> > > 2008/04/08 15:57:00| comm_select: timeout 488
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd7e8
> > > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout -1
> > > 2008/04/08 15:57:00| commConnectFree: FD 39
> > > 2008/04/08 15:57:00| cbdataFree: 0x8cdd7e8
> > > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8cdd7e8
> > > 2008/04/08 15:57:00| cbdataValid: 0x8cdd798
> > > 2008/04/08 15:57:00| fwdConnectDone: FD 39:
> > > 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > > 2008/04/08 15:57:00| fwdDispatch: FD 34: Fetching 'GET
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > > 2008/04/08 15:57:00| httpStart: "GET
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0"
> > > 2008/04/08 15:57:00| storeLockObject: key
> > > '27D91622B3E024FF88542C1541F6B2D3' count=4
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cead28
> > > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 86400
> > > 2008/04/08 15:57:00| getMaxAge:
> > > 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cead28
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd798
> > > 2008/04/08 15:57:00| comm_select: timeout 433
> > > 2008/04/08 15:57:00| cbdataValid: 0x8cead28
> > > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 900
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8cead28
> > > 2008/04/08 15:57:00| comm_select: timeout 433
> > > 2008/04/08 15:57:00| ctx: enter level 0:
> > > 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > > 2008/04/08 15:57:00| httpProcessReplyHeader: key
> > > '27D91622B3E024FF88542C1541F6B2D3'
> > > 2008/04/08 15:57:00| httpProcessReplyHeader: HTTP CODE: 200
> > > 2008/04/08 15:57:00| storeExpireNow: '27D91622B3E024FF88542C1541F6B2D3'
> > > 2008/04/08 15:57:00| storeGet: looking up
> > > 88ECBC523E9AEA95834A7F145E64EC69
> > > 2008/04/08 15:57:00| storeGet: looking up
> > > 199F1E34B1E329E02396FA9A41720E7A
> > > 2008/04/08 15:57:00| ctx: exit level 0
> > > 2008/04/08 15:57:00| InvokeHandlers: 27D91622B3E024FF88542C1541F6B2D3
> > > 2008/04/08 15:57:00| InvokeHandlers: checking client #0
> > > 2008/04/08 15:57:00| cbdataLock: 0x8d87958
> > > 2008/04/08 15:57:00| storeClientCopy2: 27D91622B3E024FF88542C1541F6B2D3
> > > 2008/04/08 15:57:00| storeClientCopy3: Copying from memory
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| clientBuildReplyHeader: can't keep-alive, unknown
> > > body size
> > > 2008/04/08 15:57:00| cbdataLock: 0x88e9558
> > > 2008/04/08 15:57:00| cbdataLock: 0x8d8c0e0
> > > 2008/04/08 15:57:00| aclMatchAclList: checking all
> > > 2008/04/08 15:57:00| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> > > 2008/04/08 15:57:00| aclMatchIp: '10.2.2.16' found
> > > 2008/04/08 15:57:00| aclMatchAclList: returning 1
> > > 2008/04/08 15:57:00| httpReplyBodyBuildSize: Setting maxBodySize to 0
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x88e9558
> > > 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> > > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> > > 2008/04/08 15:57:00| clientSendMoreHeaderData: Appending 1628 bytes
> > > after 414 bytes of headers
> > > 2008/04/08 15:57:00| cbdataLock: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataLock: 0x88e9a18
> > > 2008/04/08 15:57:00| cbdataLock: 0x8d8c0e0
> > > 2008/04/08 15:57:00| cbdataLock: 0x8cd8750
> > > 2008/04/08 15:57:00| cbdataValid: 0x88e9a18
> > > 2008/04/08 15:57:00| aclCheck: checking 'http_reply_access allow all'
> > > 2008/04/08 15:57:00| aclMatchAclList: checking all
> > > 2008/04/08 15:57:00| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> > > 2008/04/08 15:57:00| aclMatchIp: '10.2.2.16' found
> > > 2008/04/08 15:57:00| aclMatchAclList: returning 1
> > > 2008/04/08 15:57:00| aclCheck: match found, returning 1
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x88e9a18
> > > 2008/04/08 15:57:00| aclCheckCallback: answer=1
> > > 2008/04/08 15:57:00| cbdataValid: 0x8cd8750
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| The reply for GET
> > > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 is
> > > ALLOWED, because it matched 'all'
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataFree: 0x8cd8750
> > > 2008/04/08 15:57:00| cbdataFree: 0x8cd8750 has 1 locks, not freeing
> > > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataLock: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8cd8750
> > > 2008/04/08 15:57:00| cbdataUnlock: Freeing 0x8cd8750
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> > > 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> > > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> > > 2008/04/08 15:57:00| cbdataUnlock: 0x8d87958
> > > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 900
> > > 2008/04/08 15:57:01| comm_select: timeout 350
> > > 2008/04/08 15:57:01| cbdataValid: 0x8d094a8
> > > 2008/04/08 15:57:01| storeClientCopy: 27D91622B3E024FF88542C1541F6B2D3,
> > > seen 2042, want 2042, size 4096, cb 0x806cc8f, cbdata 0x8d094a8
> > > 2008/04/08 15:57:01| cbdataLock: 0x8d094a8
> > > 2008/04/08 15:57:01| cbdataLock: 0x8d87958
> > > 2008/04/08 15:57:01| storeClientCopy2: 27D91622B3E024FF88542C1541F6B2D3
> > > 2008/04/08 15:57:01| storeClientCopy3: Waiting for more
> > > 2008/04/08 15:57:01| cbdataUnlock: 0x8d87958
> > > 2008/04/08 15:57:01| cbdataUnlock: 0x8d094a8
> > > 2008/04/08 15:57:01| comm_select: timeout 350
> > > 2008/04/08 15:57:01| fd_open FD 76 HTTP Request
> > > 2008/04/08 15:57:01| cbdataLock: 0x88e58a8
> > > 2008/04/08 15:57:01| cbdataLock: 0x8db16e8
> > > 2008/04/08 15:57:01| commSetTimeout: FD 76 timeout 300
> > > 2008/04/08 15:57:01| aclMatchAclList: checking all
> > > 2008/04/08 15:57:01| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> > > 2008/04/08 15:57:01| aclMatchIp: '10.2.2.16' found
> > > 2008/04/08 15:57:01| aclMatchAclList: returning 1
> > > 2008/04/08 15:57:01| comm_select: timeout 331
> > > 2008/04/08 15:57:01| cbdataLock: 0x8db16e8
> > > 2008/04/08 15:57:01| parseHttpRequest: req_hdr = {Host: mail.yimg.com
> > > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.1.13)
> > > Gecko/20080325 Fedora/2.0.0.13-1.fc8 Firefox/2.0.0.13
> > > Accept: image/png,*/*;q=0.5
> > > Accept-Language: en-gb
> > > Accept-Encoding: gzip,deflate
> > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > Keep-Alive: 300
> > > Proxy-Connection: keep-alive
> > > Referer: http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> > > Proxy-Authorization: Basic XXXXXXXXXXXXXXX
> > >
> > > }
> >

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -