Hi All,
I observed there is a difference in tcp state machine in both
working(without squid) and Not working scenario.(without squid)
State machine in working scenario (without squid)
----------------------------------------------------
client Server
SYN
--------------->
SYN + ACK
<-------------------------
ACK
-------------------------->
GET
--------------------------->
ACK
<----------------------------
TCP segment of a resembled PDU (MTU 1514)
<---------------------------
HTTP/1.1 200 ok (MTU 293)
<------------------------
then connection terminates
State machine in Not-working scenario (with squid)
----------------------------------------------------
client Server
SYN
--------------->
SYN + ACK
<-------------------------
ACK
-------------------------->
GET
--------------------------->
ACK
<----------------------------
SYN + ACK
<---------------------------
RST
------------------------>
TCP previous segment not captured
<------------------------------
RST
------------------------>
TCP last segment not captured
<------------------------------
.........
TCP segment of a resembled PDU (MTU 1514)
<-------------------------
TCP segment of a resembled PDU (MTU 1514)
<-------------------------
HTTP/1.0 504 Gateway timeout (MTU 1050)
<-----------------------------
then connection terminates
In case of squid running ,
1) Why web-server is sending "SYN+ACK" instead of "TCP last segment
not captured" PDU?
2) Why there is a delay in sending "TCP last segment not captured" PDU?
Moreover I could see there is a variation in HTTP version (1.0 and 1.1) .
Please share your views on this
Regards,
Saravanan N
On Mon, Aug 12, 2013 at 11:47 PM, SaRaVanAn
<saravanan.nagarajan87@xxxxxxxxx> wrote:
> Hi Team,
> I setup an apache web server and squid3 running on the same machine
> . But when I try to access the web-server pages from client machine, I
> always ended up in the ERR_CONNETC_FAIL error. I tried all the
> alternatives and configurations from Google , but it was not helping
> me to solve the issue.
>
> Error
>
> 1376330104.848 179954 172.30.11.122 TCP_MISS/504 3880 GET
> http://172.30.11.124/logs/access.log - DIRECT/172.30.11.124
> text/html [Host: 172.30.11.124\r\nUser-Agent: Mozilla/5.0 (X11; Linux
> i686; rv:10.0.12) Gecko/20130109 Firefox/10.0.
> 12\r\nAccept: text/html,application/xhtml+
> xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language:
> en-us,en;q=0.5\r\nA
> ccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n] [HTTP/1.0
> 504 Gateway Time-out\r\nServer: squid/3.1.20\r
> \nMime-Version: 1.0\r\nDate: Mon, 12 Aug 2013 17:55:04
> GMT\r\nContent-Type: text/html\r\nContent-Length: 3506\r\nX-Sq
> uid-Error: ERR_CONNECT_FAIL 110\r\nVary:
> Accept-Language\r\nContent-Language: en-us\r\n\r]
>
> Topology
> ----------------
> 172.30.11.122(client ) ---------- 172.30.11.124 (webserver and squid3 running)
>
> Squid version and OS
> --------------------------------
> squid3 -v
> Squid Cache: Version 3.1.20
>
> Debian wheezy(7.0)
>
> Iptable rules
> ---------------------
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
>
> IP rules
> --------------
> ip -f inet rule add fwmark 1 lookup 100
> ip -f inet route add local default dev eth0 table 100
>
> squid.conf
> --------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443
> acl SSL_ports port 563
> acl SSL_ports port 873
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 631
> acl Safe_ports port 873
> acl Safe_ports port 901
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_reply_access allow all
> http_port 3128
> http_port 3129 tproxy
> hierarchy_stoplist cgi-bin ?
> cache_mem 256 MB
> cache_dir ufs /var/spool/squid3 1000 16 256
> maximum_object_size 20480 KB
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> mime_table /usr/share/squid3/mime.conf
> log_mime_hdrs on
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
> acl apache rep_header Server ^Apache
> hosts_file /etc/hosts
> coredump_dir /var/spool/squid3
> acl localnet src 172.30.11.0/24
> http_access allow localhost
> http_access allow localnet
> cache allow all
> request_header_access Allow allow all
> request_header_access Authorization allow all
> request_header_access WWW-Authenticate allow all
> request_header_access Proxy-Authorization allow all
> request_header_access Proxy-Authenticate allow all
> request_header_access Cache-Control allow all
> request_header_access Content-Encoding allow all
> request_header_access Content-Length allow all
> request_header_access Content-Type allow all
>
> Tcpdump
> ----------------
> tcpdump -i eth0 "port 80"
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 23:23:35.965778 IP 172.30.11.124.http > 172.30.11.122.42895: Flags
> [S.], seq 147932214, ack 1341835953, win 14480, options [mss
> 1460,sackOK,TS val 6510344 ecr 6510344,nop,wscale 5], length 0
> 23:23:35.965904 IP 172.30.11.122.42895 > 172.30.11.124.http: Flags
> [R], seq 1341835953, win 0, length 0
> 23:24:04.896138 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
> [S.], seq 111903872, ack 124904408, win 14480, options [mss
> 1460,sackOK,TS val 6517576 ecr 6517576,nop,wscale 5], length 0
> 23:24:04.896263 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
> [R], seq 124904408, win 0, length 0
> 23:24:05.893767 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
> [S.], seq 127491883, ack 124904408, win 14480, options [mss
> 1460,sackOK,TS val 6517826 ecr 6517826,nop,wscale 5], length 0
> 23:24:05.893885 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
> [R], seq 124904408, win 0, length 0
> 23:24:07.897766 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
> [S.], seq 158804355, ack 124904408, win 14480, options [mss
> 1460,sackOK,TS val 6518327 ecr 6518327,nop,wscale 5], length 0
> 23:24:07.898048 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
> [R], seq 124904408, win 0, length 0
> 23:24:11.901791 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
> [S.], seq 221367156, ack 124904408, win 14480, options [mss
> 1460,sackOK,TS val 6519328 ecr 6519328,nop,wscale 5], length 0
> 23:24:11.901913 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
> [R], seq 124904408, win 0, length 0
> 23:24:19.917797 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
> [S.], seq 346617285, ack 124904408, win 14480, options [mss
> 1460,sackOK,TS val 6521332 ecr 6521332,nop,wscale 5], length 0
> 23:24:19.917920 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
> [R], seq 124904408, win 0, length 0
> 23:24:35.965795 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
> [S.], seq 597367243, ack 124904408, win 14480, options [mss
> 1460,sackOK,TS val 6525344 ecr 6525344,nop,wscale 5], length 0
> 23:24:35.965906 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
> [R], seq 124904408, win 0, length 0
> 23:25:04.848090 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
> [.], seq 622394574:622396022, ack 3117157865, win 486, options
> [nop,nop,TS val 6532564 ecr 1130451999], length 1448
> 23:25:04.848123 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
> [.], seq 1448:2896, ack 1, win 486, options [nop,nop,TS val 6532564
> ecr 1130451999], length 1448
> 23:25:04.848143 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
> [P.], seq 2896:3880, ack 1, win 486, options [nop,nop,TS val 6532564
> ecr 1130451999], length 984
> 23:25:04.848480 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
> [.], ack 1448, win 274, options [nop,nop,TS val 1130631953 ecr
> 6532564], length 0
> 23:25:04.848572 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
> [.], ack 2896, win 319, options [nop,nop,TS val 1130631953 ecr
> 6532564], length 0
> 23:25:04.848667 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
> [.], ack 3880, win 364, options [nop,nop,TS val 1130631953 ecr
> 6532564], length 0
> 23:26:59.848715 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
> [F.], seq 1, ack 3880, win 364, options [nop,nop,TS val 1130746953 ecr
> 6532564], length 0
> 23:26:59.848866 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
> [F.], seq 3880, ack 2, win 486, options [nop,nop,TS val 6561314 ecr
> 1130746953], length 0
> 23:26:59.849005 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
> [.], ack 3881, win 364, options [nop,nop,TS val 1130746954 ecr
> 6561314], length 0
>
>
>
> Moreover its taking long time to respond "connection failed error
> message in browser". Without tproxy rules, webserver is working like
> Gem.
> I really don't know what is going on and What I did wrong.
> Please help me since I m new to squid.
>
> Regards,
> Saravanan N
