
Re: me.com TCP_MISS/503


 



On Tue, 22 Feb 2011 07:37:27 -0800 (PST), nickcx wrote:
Hi List,

I'm trying to get access to me.com working on my test proxy, but I keep getting a timeout in my browsers: (110) Connection timed out. Access log shows TCP_MISS/503. I have tried disabling various things to see if I can get it working: authentication, send direct - even allow all at the top but no joy.

On 3stable20 I've had this working ok..

Any help/pointers gratefully received,


"Connection timed out" usually means the network connectivity is broken or lagging a lot.

There are two differences between 3.0 and 3.1 in the TCP connection area. One is that 3.1 will attempt to use IPv6 when the website presents an AAAA address. ** That particular site appears to only be presenting A from here, so this is unlikely. But you may be getting AAAA so check the IPs yourself.

The other is that 3.1 sends slightly larger packets, so things like Path-MTU are more important to be working correctly.

Of course, these are only relevant if the problem can be displayed on one version then immediately not be present on the other. If by "had this working" you mean last week or months ago, then there could have been basic Internet changes you are not aware of between you and the website.

Amos

Thanks
===

Squid 3.1.8 conf:


<snip>
cache_store_log none squid
cache_log /var/log/squid/cache.log squid

NP: these last two log directives only take one parameter, the "squid" there is not needed.

<snip>

# Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

IPv6 is spreading. This pattern needs to be updated.

There is a new recommended pattern at http://wiki.squid-cache.org/ConfigExamples/Chat/Skype page.

You can omit the "443" port at the end of that wiki example to retain the port matching looseness of your current rule.


# MSN Messenger Allow IP ACL
acl IP_MSNMessenger src "/etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt"


Allowing a whole machine access by IP if it uses MSN seems a bit excessive. You may be interested in http://wiki.squid-cache.org/ConfigExamples/Chat/MsnMessenger or any of the other configs at http://wiki.squid-cache.org/ConfigExamples/Chat

<snip>

## SEND DIRECT ALLOW
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses

<snip>
###### CATCH ALL DENY ######
never_direct allow all
snmp_access deny all

NP: "never_direct deny all" as the only never_direct entry will combine with always_direct for those bypasses and cause those requests to block with a "Cannot forward" error. Since they both MUST NOT go to a peer and MUST NOT go direct to an IP there is no path left to choose from.

The way to implement what you appear to want is with:

  always_direct allow SENDDIRECT_DstDomains
  always_direct allow SENDDIRECT_IPAddresses

  never_direct deny SENDDIRECT_IPAddresses
  never_direct deny SENDDIRECT_DstDomains
  never_direct allow all


Amos
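
The IPv6 gap in the StopDirectIP pattern discussed above, as an added example that is not part of the original thread: it audits the posted regex against constructed CONNECT targets, using Python's `ipaddress` module as ground truth. `IPV4_OR_IPV6` is a hypothetical replacement written for this example (not the wiki's pattern), and Python's `re` stands in for Squid's regex engine on the assumption that a CONNECT URL is seen as `host:port`.

```python
import ipaddress
import re

# Pattern from the posted squid.conf (acl StopDirectIP url_regex ...).
IPV4_ONLY = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Hypothetical replacement for this example: also matches a bracketed IPv6
# literal and anchors the end so dotted-numeric hostnames do not match.
IPV4_OR_IPV6 = re.compile(
    r"^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9a-fA-F:.]*:[0-9a-fA-F:.]*\])(:[0-9]+)?$"
)

# Constructed CONNECT targets (documentation address ranges only).
SAMPLE_TARGETS = [
    "203.0.113.10:443",           # IPv4 literal
    "[2001:db8::10]:443",         # IPv6 literal
    "[::ffff:203.0.113.10]:443",  # IPv4-mapped IPv6 literal
    "www.example.com:443",        # ordinary hostname
    "1.2.3.4.example.com:443",    # hostname that starts like an IPv4 address
]


def is_ip_literal(target):
    """Ground truth: does the host part of host:port parse as an IP address?"""
    if target.startswith("["):
        host = target[1:target.find("]")]
    else:
        host = target.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(pattern, targets):
    """Return (missed, overmatched): IP literals the pattern does not match,
    and non-IP hostnames it matches anyway."""
    missed = [t for t in targets if is_ip_literal(t) and not pattern.search(t)]
    over = [t for t in targets if not is_ip_literal(t) and pattern.search(t)]
    return missed, over


if __name__ == "__main__":
    for name, pat in (("posted", IPV4_ONLY), ("extended", IPV4_OR_IPV6)):
        missed, over = audit(pat, SAMPLE_TARGETS)
        print(f"{name}: missed={missed} overmatched={over}")
```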

