Re: Some websites doesn't work with squid anymore

Yuri <yvoinov@xxxxxxxxx> · Mon, 27 Jun 2016 20:38:10 +0600

    Yet another non-porn site: reddit.com
    Let's check.

    root @ cthulhu / # dig reddit.com 

      ; <<>> DiG 9.6-ESV-R11-P6 <<>> reddit.com

      ;; global options: +cmd

      ;; Got answer:

      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
      21722

      ;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0,
      ADDITIONAL: 0

      ;; QUESTION SECTION:

      ;reddit.com.                    IN      A

      ;; ANSWER SECTION:

      reddit.com.             86398   IN      A       198.41.209.143

      reddit.com.             86398   IN      A       198.41.208.138

      reddit.com.             86398   IN      A       198.41.209.136

      reddit.com.             86398   IN      A       198.41.209.139

      reddit.com.             86398   IN      A       198.41.208.141

      reddit.com.             86398   IN      A       198.41.208.137

      reddit.com.             86398   IN      A       198.41.208.139

      reddit.com.             86398   IN      A       198.41.208.143

      reddit.com.             86398   IN      A       198.41.208.140

      reddit.com.             86398   IN      A       198.41.209.137

      reddit.com.             86398   IN      A       198.41.209.138

      reddit.com.             86398   IN      A       198.41.209.140

      reddit.com.             86398   IN      A       198.41.209.141

      reddit.com.             86398   IN      A       198.41.208.142

      reddit.com.             86398   IN      A       198.41.209.142

      ;; Query time: 0 msec

      ;; SERVER: 127.0.0.1#53(127.0.0.1)

      ;; WHEN: Mon Jun 27 20:32:22 ALMT 2016

      ;; MSG SIZE  rcvd: 268

      root @ cthulhu / # ping reddit.com

      reddit.com is alive

    Seems all ok, right?
    Well, le'ts check TCP connectivity:
    Test with telnet:

      root @ cthulhu / # telnet reddit.com 443

      Trying 198.41.208.142...

      Connected to reddit.com.

      Escape character is '^]'.

      ^C^]

      telnet> 

      I.e., tcp socket opens.

    root @ cthulhu / # wget -S http://reddit.com

      --2016-06-27 20:33:13--  http://reddit.com/

      Connecting to 127.0.0.1:3128... connected.

      Proxy request sent, awaiting response... 

        HTTP/1.1 301 Moved Permanently

        Date: Mon, 27 Jun 2016 14:33:13 GMT

        Set-Cookie:
      __cfduid=d486371096ba68bc7f5ba663e5d723bf21467037993; expires=Tue,
      27-Jun-17 14:33:13 GMT; path=/; domain=.reddit.com; HttpOnly

        Location: https://www.reddit.com/

        X-Content-Type-Options: nosniff

        Server: cloudflare-nginx

        CF-RAY: 2b999ce3a5854f08-DME

        Via: ICAP/1.0 cthulhu (C-ICAP/0.4.3 SquidClamav/Antivirus
      service )

        X-Cache: MISS from cthulhu

        X-Cache-Lookup: MISS from cthulhu:3128

        Transfer-Encoding: chunked

        Connection: keep-alive

      Location: https://www.reddit.com/ [following]

      --2016-06-27 20:33:13--  https://www.reddit.com/

      Connecting to 127.0.0.1:3128... connected.

    .... and long-long time waiting for unknown.......

    Browser says: ERR_TIMED_OUT

    How to explain this?

      27.06.2016 20:32, Amos Jeffries пишет:

      [ Please reply to the mailing list I dont do private support except for
paying customers. And you have not arranged for that in advance. ]

On 28/06/2016 2:06 a.m., Adam Wright wrote:

        - Ok, ISP will see my http traffic, but will the ISP see which websites I'm
surfing?

      If anyone can see HTTP traffic they can see what the traffic is about.

        - Browser is using the proxy. But access.log only shows the websites which
the browser connected successfully. For example I see cisco.com which I
entered minutes ago for Yuri.

1467035091.072  15004 85.107.208.29 TCP_MISS/200 246 CONNECT
supportforums.cisco.com:443 yeni DIRECT/141.101.115.192

      The proxy log records every transaction through the proxy, at the time
that transaction completed. Whether it succeeded or not. Anything that
get started is prone to being logged.

In the case above it was a CONNECT tunnel transferring some TLS wrapped
protocol - probably HTTPS, SPDY or WebSockets on port 443. It took
15.004 seconds to do whatever took 246 bytes to transfer.

So nothing in the log indicates either the browser is *not* using the
proxy for those transactions, or they are still ongoing as far as Squid
is concerned.

It could be a case of browser using SPDY, QUICK or WebSockets protocols
instead of HTTP inside a TLS tunnel, or directly without the proxy.
Particularly if Chrome is involved.

The case of ongoing connections is unfortunate. You can tune Squid
timeouts somewhat to make the proxy more sensitive and do its failover
to working destinations faster. But otherwise its a browser specific
problem that can only be fixed by the browser.

It might be that whatever was happening inside that tunnel above got
stuck and timed out. To Squid the tunnel is opaque, so any type of error
in there is strictly between the browser and server.

The tiny size on that log entry makes me suspect its TLS handshake
hanging and a 15sec timeout somewhere closes it down. If so the issue is
not Squid, its whatever in the server or browser is causing the TLS to hang.

        - Right now I'm using maxthon, it also says "Error code 101
(net::ERR_CONNECTION_RESET)" while I try to connect to those xxx websites.

      That seems to mean the proxy is closing the connection. But that would
mean the proxy is aware of it ending and record in the log what
transaction finished with aborting the connection.

If there no log record, thats a very strong sign that the browser is not
using the proxy for that request.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users