On Fri, Aug 9, 2019 at 2:37 PM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 8/9/19 1:37 PM, Tom Karches wrote:
> On Fri, Aug 9, 2019 at 11:38 AM Alex Rousskov wrote:
> Ok, here is the info from the real trace. First time with #dns_v4_first
> on commented out, 2nd time "dns_v4_ first on" is active. Difference is
> with no "dns_v4_first on" directive, I get a RR_CONNECT_FAIL 111. When
> active, I get a RR_CONNECT_FAIL 101.
BTW, it may be easier for you to read --trace--ascii output.
I didn't see anything additional using the ascii option, though it is easier to read
Both are ERR_CONNECT_FAIL errors ("connection reset by peer" and
"connection refused"). Your Squid cannot connect to where it needs to
connect in order to establish a TCP tunnel. It could be a Squid
misconfiguration, a routing problem, insufficient capabilities, and many
other things.
I suggest checking cache.log for WARNINGs and ERRORs. After arriving at
a clean cache.log, I would use a packet capture (or similar) to see
where Squid is trying to connect (and which local address it is
connecting from). That information may be enough to figure out why Squid
cannot connect successfully.
This is what I am seeing from cache.log when I attempt the proxy :
2019/08/09 16:19:08.127 kid1| 33,2| client_side.cc(817) swanSong: local=127.0.0.1:3128 remote=127.0.0.1:33428 flags=1
Right now my debug is set to ALL,1 33,2. Is there a better set of options to provide me more visibility of what might be wrong?
Here is our config file, in case that helps. If it's something obvious I'm not seeing. We have some whitelists, but I am running with those turned off until this is working so I won't include them here. Thanks for the help.
Tom
# squid config file - 2019-08-09
# Timeouts
connect_timeout 2 minutes # For CDWG Vendor
debug_options ALL,1 33,2
dns_v4_first on
acl SSL_ports port 443
acl SSL_ports port 1443 # b2b-test.apple.com:1443
acl SSL_ports port 3079 # bci.stapleslink.com special port
acl SSL_ports port 4443 # pascal.apple.com:4443
acl SSL_ports port 993 # IMAP from Stat application to Gmail
acl SSL_ports port 22 # Allow SSH and SFTP to proxy/connect
acl SSL_ports port 8443 # redhat cap port
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 5228 # google services
acl Safe_ports port 1935 # cam steamer port
acl Safe_ports port 8443 # redhat cap port
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
icp_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 2048 16 256
# Default configuration value for cache_mem
#cache_mem 256 MB
cache deny all
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
max_filedescriptors 65000
# Timeouts
connect_timeout 2 minutes # For CDWG Vendor
debug_options ALL,1 33,2
dns_v4_first on
acl SSL_ports port 443
acl SSL_ports port 1443 # b2b-test.apple.com:1443
acl SSL_ports port 3079 # bci.stapleslink.com special port
acl SSL_ports port 4443 # pascal.apple.com:4443
acl SSL_ports port 993 # IMAP from Stat application to Gmail
acl SSL_ports port 22 # Allow SSH and SFTP to proxy/connect
acl SSL_ports port 8443 # redhat cap port
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 5228 # google services
acl Safe_ports port 1935 # cam steamer port
acl Safe_ports port 8443 # redhat cap port
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
icp_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 2048 16 256
# Default configuration value for cache_mem
#cache_mem 256 MB
cache deny all
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
max_filedescriptors 65000
--
Thomas Karches
NCSU OIT CSI - Systems Specialist
NCSU OIT CSI - Systems Specialist
M.E Student - Technology Education
Hillsborough 319 / 919.515.5508
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users