Re: Error 503, only when passing through squid

[Philippe Combes <Philippe.Combes@xxxxxxxxxxx>]

Hi,

and thanks for replying.

> What's the output of "http_proxy=http://localhost:3128 wget -O /dev/null
> -S http://www.google.fr/";?
----------------------
# http_proxy=http://localhost:3128 wget -O /dev/null -S http://www.google.fr/
--00:23:13--  http://www.google.fr/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:3128... connected.
Proxy request sent, awaiting response...
  HTTP/1.0 503 Service Unavailable
  Server: squid/2.6.STABLE6
  Date: Wed, 04 Mar 2009 23:23:13 GMT
  Content-Type: text/html
  Content-Length: 1137
  Expires: Wed, 04 Mar 2009 23:23:13 GMT
  X-Squid-Error: ERR_DNS_FAIL 0
  X-Cache: MISS from gw-gridmip.cict.fr
  X-Cache-Lookup: MISS from gw-gridmip.cict.fr:3128
  Via: 1.0 gw-gridmip.cict.fr:3128 (squid/2.6.STABLE6)
  Proxy-Connection: close
00:23:13 ERROR 503: Service Unavailable.
----------------------

Actually, it seems that squid only takes the first DNS listed in /etc/resolv.conf. If it fails, then 
it does not contact the second one. wget does.
The first DNS listed is actually localhost, dedicated to the LAN. I should configure it to forward 
the requests that it cannot resolve to some masters and then send back the answer.
I do not know yet how to do, but the important thing here is that it is no squid problem.

Thanks again for your tip.

Philippe


Chris Robertson a écrit :
> Philippe Combes wrote:
> > Hi all,
> >
> > I am a newbie to squid. And I have struggled with its configuration 
> > file for several days, until I got all the desired acl's correctly set.
> > Then I tried my configuration using wget and... 503.
> > I fell back to a minimal totally open configuration:
> > ----------------------
> > http_port 3128
> > emulate_httpd_log on
> > debug_options ALL,5
> > negative_ttl 0
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl allsites dst 0.0.0.0/0.0.0.0
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 20 21 443 563 70 210 1025-65535
> > acl CONNECT method CONNECT
> > acl mysite src localhost 192.168.0.0/30 172.16.112.0/24
> >
> > http_access allow CONNECT
> > http_access allow Safe_ports
> > http_access allow all
> > http_access allow allsites
> > http_reply_access allow all
> >
> > coredump_dir /var/spool/squid
> > ----------------------
> >
> > But still, I get:
> > ----------------------
> > # wget -O - http://www.google.fr/ > /dev/null
> > --22:29:34--  http://www.google.fr/
> > Resolving www.google.fr... 74.125.39.147, 74.125.39.99, 74.125.39.103, 
> > ...
> > Connecting to www.google.fr|74.125.39.147|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: unspecified [text/html]
> > Saving to: `STDOUT'
> >
> >     [ <=>                                                            ] 
> > 5,852       --.-K/s   in 0.02s
> >
> > 22:29:35 (266 KB/s) - `-' saved [5852]
> >
> > ######## everything is OK so far
> >
> > # http_proxy=http://localhost:3128 wget -O - http://www.google.fr/ > 
> > /dev/null
> > --22:30:31--  http://www.google.fr/
> > Resolving localhost... 127.0.0.1
> > Connecting to localhost|127.0.0.1|:3128... connected.
> > Proxy request sent, awaiting response... 503 Service Unavailable
> > 22:30:31 ERROR 503: Service Unavailable.
> > ----------------------
> >
> > Obviously, it is bound to squid. I run CentOS on x86_64 architecture. 
> > I do not join the log files here, because I found them not very 
> > helpful, only logging that there was an 503, without giving more 
> > information about it.
> > I really do not know what to try now, and any clue would be very 
> > welcome and helpful.
>
> What's the output of "cat /selinux/enforce"?

No such file :)


> What's the output of "http_proxy=http://localhost:3128 wget -O /dev/null 
> -S http://www.google.fr/";?
# http_proxy=http://localhost:3128 wget -O /dev/null -S http://www.google.fr/
--00:23:13--  http://www.google.fr/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:3128... connected.
Proxy request sent, awaiting response...
  HTTP/1.0 503 Service Unavailable
  Server: squid/2.6.STABLE6
  Date: Wed, 04 Mar 2009 23:23:13 GMT
  Content-Type: text/html
  Content-Length: 1137
  Expires: Wed, 04 Mar 2009 23:23:13 GMT
  X-Squid-Error: ERR_DNS_FAIL 0
  X-Cache: MISS from gw-gridmip.cict.fr
  X-Cache-Lookup: MISS from gw-gridmip.cict.fr:3128
  Via: 1.0 gw-gridmip.cict.fr:3128 (squid/2.6.STABLE6)
  Proxy-Connection: close
00:23:13 ERROR 503: Service Unavailable.


> Also you might want to change your debug options to "ALL,1 5,5" to just 
> get verbose logging related to the socket operations.  The debug logging 
> will appear in the cache_log.

I increased the debug logging level as you suggested and, because of the output above, I added:
dns_nameservers 127.0.0.1
for the nameserver of the squid host is also a DNS. Same error.
I isolated the part in cache.log that seems to be related to the request above (before and after 
having added the dns_nameserver, it is the same, for /etc/resolv.conf points at 127.0.0.1 too):
--------------
2009/03/05 00:23:12| commSetSelect: FD 10 type 1
2009/03/05 00:23:12| comm_add_close_handler: FD 12, handler=0x42948f, data=0x140a6858
2009/03/05 00:23:12| commSetTimeout: FD 12 timeout 300
2009/03/05 00:23:12| commSetSelect: FD 12 type 1
2009/03/05 00:23:12| comm_accept: FD 10: (11) Resource temporarily unavailable
2009/03/05 00:23:13| comm_select: timeout 194
2009/03/05 00:23:13| commSetTimeout: FD 12 timeout 86400
2009/03/05 00:23:13| comm_open: FD 13 is a new socket
2009/03/05 00:23:13| comm_add_close_handler: FD 13, handler=0x434d26, data=0x140a7278
2009/03/05 00:23:13| commSetTimeout: FD 13 timeout 60
2009/03/05 00:23:13| commConnectStart: FD 13, www.google.fr:80
2009/03/05 00:23:13| comm_add_close_handler: FD 13, handler=0x42ac97, data=0x140a6b58
2009/03/05 00:23:13| commSetSelect: FD 5 type 1
2009/03/05 00:23:13| commSetSelect: FD 12 type 1
2009/03/05 00:23:13| comm_select: timeout 194
2009/03/05 00:23:13| commConnectDnsHandle: Unknown host: www.google.fr
2009/03/05 00:23:13| comm_remove_close_handler: FD 13, handler=0x42ac97, data=0x140a6b58
2009/03/05 00:23:13| commSetTimeout: FD 13 timeout -1
2009/03/05 00:23:13| commConnectFree: FD 13
2009/03/05 00:23:13| comm_close: FD 13
2009/03/05 00:23:13| commCallCloseHandlers: FD 13
2009/03/05 00:23:13| commCallCloseHandlers: ch->handler=0x434d26
2009/03/05 00:23:13| comm_write: FD 12: sz 1524: hndl 0x424c00: data 0x1412e0c8.
2009/03/05 00:23:13| commSetSelect: FD 12 type 2
2009/03/05 00:23:13| comm_select: timeout 193
2009/03/05 00:23:13| commHandleWrite: FD 12: off 0, sz 1524.
2009/03/05 00:23:13| commHandleWrite: write() returns 1524
2009/03/05 00:23:13| comm_close: FD 12
2009/03/05 00:23:13| commCallCloseHandlers: FD 12
2009/03/05 00:23:13| commCallCloseHandlers: ch->handler=0x42948f
----------------

> > Thanks in advance,
> >
> > Philippe
>
> Chris