On 3/06/2014 11:25 a.m., Development Team wrote:
> I am astonished.
> It seems that the core of my problem was ipv6;
> ....
> TCP_MISS_ABORTED:
> "1401736785.584 20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013 -"
> (I just noticed the unexpected ip6 type address. I do not know if that is
> relevant. I will now try to disable ipv6.)
> ....
>
> I disabled ipv6 in /etc/sysctl.d/99-sysctl.conf and now http[s] works as
> expected for manually configured clients. Why would this be?
>

No matter. That log says that Squid successfully contacted the upstream
server, even sent the request out, but no response came back for over 20
seconds.

A common sight when ICMP is being blocked and breaking Path-MTU
discovery (PMTUd).

ICMP is not optional, even for IPv4, no matter what anyone else says.
There *are* some very specific ICMP codes which are good to block, but
most of ICMP is critical for correct operation of TCP.

>
> Now I am going to try and restore the transparent proxy. I added the
> intercept attribute to the http_port config, and now even without tweaking
> the firewall, I am getting "Forwarding loop detected" warnings. Clients get
> access denied pages....
>

Note the need for separate forward-proxy and intercept-proxy listening
ports in Squid is a MUST.

Forward-proxy is the better mode of operation; if you have clients
already using it, leave them. Add the interception as a secondary
http(s)_port for the clients that cannot be configured with the proxy.

Amos
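Added example, not part of the reply above: a sketch that scans Squid native-format access.log lines for the pattern described in the reply (upstream contacted, status 000, zero bytes, long wait) and counts it per IP family. The 10-second threshold, the function names and every sample line except the first (the entry quoted in the thread) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
def parse_line(line):
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, status = parts[3].partition("/")
    try:
        elapsed_ms, size = int(parts[1]), int(parts[4])
    except ValueError:
        return None
    try:
        peer = ipaddress.ip_address(parts[8].partition("/")[2].strip("[]"))
    except ValueError:
        peer = None  # "-" or a hostname: no upstream IP to classify
    return {"elapsed_ms": elapsed_ms, "code": code, "status": status,
            "bytes": size, "peer": peer}

def is_stalled(e, min_ms=10_000):
    # Upstream was contacted, nothing came back, and the wait was long.
    return (e["peer"] is not None and e["code"].endswith("_ABORTED")
            and e["status"] == "000" and e["bytes"] == 0
            and e["elapsed_ms"] >= min_ms)

def stall_summary(lines, min_ms=10_000):
    """Return {family: (stalled, total)} for requests that went upstream."""
    stalled, total = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["peer"] is None:
            continue
        family = f"IPv{e['peer'].version}"
        total[family] += 1
        stalled[family] += is_stalled(e, min_ms)
    return {family: (stalled[family], total[family]) for family in total}

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = [
    "1401736785.584 20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013 -",
    "1401736790.101 142 127.0.0.1 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html",
    "1401736801.310 30011 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://example.org/ - HIER_DIRECT/2001:db8::20 -",
    "1401736802.000 3 127.0.0.1 TCP_MEM_HIT/200 900 GET http://example.com/logo.png - HIER_NONE/- image/png",
    "1401736803.000 2500 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://example.net/ - HIER_DIRECT/192.0.2.11 -",
]

if __name__ == "__main__":
    for family, (bad, seen) in sorted(stall_summary(SAMPLE).items()):
        print(f"{family}: {bad}/{seen} upstream requests stalled")
```

Stalls concentrated in one address family point at that network path, which is where to check ICMP filtering.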