On 2024-07-12 13:38, Ben Toms wrote:
Where would I find those headers?
If you have access to the parent Squid proxy, they will be in its debugging cache.log. You can also get them by capturing network packets between the parent Squid and origin, but for HTTPS traffic that requires giving Wireshark the associated master keys, which may be possible with Squid v6, but not trivial (see tls_key_log in Squid; Apache may have better support for this). Finally, one can configure Apache to log them (sorry, I do not remember the details).
Again, the child Squid does not see these headers yet (AFAICT), so they are not the reason things do not currently "work" in your tests.
Looking at the origin servers apache logs.. it’s sending a 200 response.
I am aware. We need the headers that go with that 200 OK response. For example, if it has Cache-Control:public, then Squid may be able to cache it despite authentication.
HTH, Alex.
On Fri, 12 Jul 2024 at 18:26, Alex Rousskov wrote: On 2024-07-12 13:03, Ben Toms wrote: > So the issue seems to be caching content that requires authentication The client is getting an error response from Squid. That error is probably not related to caching decisions. I do not recommend focusing on caching at this stage of triage. I recommend addressing that error first. > The question here is, can squid cache items that require authentication > to access? Yes, in some cases. To know whether your case qualifies, I asked for the response headers. That led to the discovery that there are none (from child Squid point of view). If you really want to investigate the caching angle in parallel with solving ERR_READ_ERROR/WITH_SERVER, then try to obtain HTTP response headers that the origin server responds (to the parent cache) with. HTH, Alex. > *From: *Ben Toms <ben@xxxxxxxxxxx <mailto:ben@xxxxxxxxxxx>> > *Date: *Friday, 12 July 2024 at 17:56 > *To: *Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx <mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx>>, > squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>> > *Subject: *Re: TCP_MISS_ABORTED/502 > > So, with the below config: > > https_port 443 accel protocol=HTTPS tls-cert=/usr/local/squid/client.pem > tls-key=/usr/local/squid/client.key > > cache_peer public.server.fqdn parent 443 0 no-query originserver > no-digest no-netdb-exchange tls login=PASSTHRU name=myAccel > forceddomain=public.server.fqdn > > acl our_sites dstdomain local.server.fqdn > > http_access allow our_sites > > cache_peer_access myAccel allow our_sites > > cache_peer_access myAccel deny all > > cache_dir ufs /usr/local/squid/var/cache 100000 16 256 > > cache_mem 500 MB > > maximum_object_size_in_memory 50000 KB > > refresh_pattern . 0 20% 4320 > > debug_options 11,2 > > I can see the below in /var/log/squid/cache.log > > ---------- > > 2024/07/12 16:49:57.056 kid1| 11,2| http.cc(1263) readReply: conn12 > local=client.ip:56670 remote=public.ip.of.public.server:443 > FIRSTUP_PARENT FD 14 flags=1: read failure: (0) No error. > > 2024/07/12 16:49:57.056 kid1| 11,2| Stream.cc(273) sendStartOfMessage: > HTTP Client conn9 local=client.ip:443 remote=local.server.ip:59158 FD 13 > flags=1 > > 2024/07/12 16:49:57.056 kid1| 11,2| Stream.cc(274) sendStartOfMessage: > HTTP Client REPLY: > > --------- > > HTTP/1.1 502 Bad Gateway > > Server: squid/6.6 > > Mime-Version: 1.0 > > Date: Fri, 12 Jul 2024 16:49:57 GMT > > Content-Type: text/html;charset=utf-8 > > Content-Length: 3629 > > X-Squid-Error: ERR_READ_ERROR 0 > > Vary: Accept-Language > > Content-Language: en > > Cache-Status: local.server;detail=mismatch > > Via: 1.1 local.server (squid/6.6) > > Connection: keep-alive > > ---------- > > The apache server still shows a 200 for the request: > > [12/Jul/2024:17:49:57 +0100] "GET /path/to/file HTTP/1.1" 200 10465 "-" > "curl/8.7.1" > > And this is when testing via: > > curl -D - https://local.server.fqdn/path/to/file <https://local.server.fqdn/path/to/file> > <https://local.server.fqdn/path/to/file <https://local.server.fqdn/path/to/file>> -H "Authorization: Basic > base64auth" -o /dev/null > > Regards, > > Ben. > > *From: *Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx <mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx>> > *Date: *Friday, 12 July 2024 at 17:36 > *To: *Ben Toms <ben@xxxxxxxxxxx <mailto:ben@xxxxxxxxxxx>>, squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> > <squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>> > *Subject: *Re: TCP_MISS_ABORTED/502 > > On 2024-07-12 12:14, Ben Toms wrote: > >> Which log should those be found? > > cache.log (if they are present) > > >> Can’t see “HTTP Server RESPONSE” in the access.log or cache.log. > > Sigh. This is one of the reasons I avoid asking folks to study logs > themselves, even ALL,2 logs... > > If that line is not in cache.log, then child Squid probably did not > receive a response from parent Squid, or could not parse that response. > A full debugging log should give us more information. > > Alex. > > >> *From: *squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>> on >> behalf of Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx <mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx>> >> *Date: *Friday, 12 July 2024 at 17:11 >> *To: *squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>> >> *Subject: *Re: TCP_MISS_ABORTED/502 >> >> On 2024-07-12 11:38, Ben Toms wrote: >>> Think I made the changes Alex requested: >>> >>> 12/Jul/2024:15:36:31 +0000.640 local.server.ip TCP_MISS_ABORTED/502 3974 >>> GET https://local.server.fqdn/path/to/file <https://local.server.fqdn/path/to/file> > <https://local.server.fqdn/path/to/file <https://local.server.fqdn/path/to/file>> >> <https://local.server.fqdn/path/to/file <https://local.server.fqdn/path/to/file> > <https://local.server.fqdn/path/to/file <https://local.server.fqdn/path/to/file>>> - >>> FIRSTUP_PARENT/public.ip.of.public.server text/html >>> ERR_READ_ERROR/WITH_SERVER >> >> Thank you for using Squid v6 for this test. >> >> Unfortunately, due to Squid logging bugs, ERR_READ_ERROR/WITH_SERVER >> does not always mean what it says. For example, parent Squid could have >> closed the child-parent connection prematurely, but there could be other >> reasons. A full debugging log should give us more information. >> >> >>> 2024/07/12 14:57:08.678 kid1| 11,2| Stream.cc(274) sendStartOfMessage: >>> HTTP Client REPLY: >> >> This is a child proxy response to the client. We need parent response to >> the child proxy. Look for "HTTP Server RESPONSE" lines instead. >> >> >> HTH, >> >> Alex. >> >> >> >>> --------- >>> >>> HTTP/1.1 502 Bad Gateway >>> >>> Server: squid/6.6 >>> >>> Mime-Version: 1.0 >>> >>> Date: Fri, 12 Jul 2024 14:57:08 GMT >>> >>> Content-Type: text/html;charset=utf-8 >>> >>> Content-Length: 3629 >>> >>> X-Squid-Error: ERR_READ_ERROR 0 >>> >>> Vary: Accept-Language >>> >>> Content-Language: en >>> >>> Cache-Status: squid.host;detail=mismatch >>> >>> Via: 1.1 squid.host (squid/6.6) >>> >>> Connection: keep-alive >>> >>> ---------- >>> >>> Regards, >>> >>> Ben. >>> >>> *From: *squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>> on >>> behalf of Amos Jeffries <squid3@xxxxxxxxxxxxx <mailto:squid3@xxxxxxxxxxxxx>> >>> *Date: *Friday, 12 July 2024 at 15:22 >>> *To: *squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>> >>> *Subject: *Re: TCP_MISS_ABORTED/502 >>> >>> >>> On 13/07/24 01:52, Alex Rousskov wrote: >>>> On 2024-07-12 08:06, Ben Toms wrote: >>>>> Seems that my issue is similar to - >>>>> https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication> <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication>> <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication> <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication>>> <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication> <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication> <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication <https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication>>>> >>>> >>>> You are facing up to two problems: >>>> >>>> 1. Some authenticated responses are not cachable by Squid. Please share >>>> HTTP headers of the response in question. >>>> >>> >>> FYI, those can be obtained by configuring squid.conf with >>> >>> debug_options 11,2 >>> >>> >>> Cheers >>> Amos >>> >>> >>>> 2. TCP_MISS_ABORTED/502 errors may delete a being-cached response. These >>>> can be bogus errors (essentially Squid logging bugs) or real ones (e.g., >>>> due to communication bugs, misconfiguration, or compatibility problems). >>>> I recommend adding %err_code/%err_detail to your logformat and sharing >>>> the corresponding access.log lines (obfuscated as needed). >>>> >>>> Sharing (privately if needed) a pointer to compressed ALL,9 cache.log >>>> while reproducing the issue using a single transaction may help us >>>> resolve all the unknowns: >>>> >>>> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction> <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction>> <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction> <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction>>> <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction> <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction> <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction>>>> >>>> >>>> >>>> HTH, >>>> >>>> Alex. >>>> >>>> >>> >>> >>> _______________________________________________ >>> squid-users mailing list >>> squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> >>> https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>> >> <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>>> >>> <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> >> <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>>>> >>> >>> >>> _______________________________________________ >>> squid-users mailing list >>> squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> >>> https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>> >> <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>>> >> >> _______________________________________________ >> squid-users mailing list >> squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> >> https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>> >> <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users> > <https://lists.squid-cache.org/listinfo/squid-users <https://lists.squid-cache.org/listinfo/squid-users>>> >> >
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users