
Re: TCP_MISS_ABORTED/502


 



On 2024-07-12 13:38, Ben Toms wrote:

> Where would I find those headers?

If you have access to the parent Squid proxy, they will be in its debugging cache.log. You can also get them by capturing network packets between the parent Squid and origin, but for HTTPS traffic that requires giving Wireshark the associated master keys, which may be possible with Squid v6, but not trivial (see tls_key_log in Squid; Apache may have better support for this). Finally, one can configure Apache to log them (sorry, I do not remember the details).

Again, the child Squid does not see these headers yet (AFAICT), so they are not the reason things do not currently "work" in your tests.


> Looking at the origin server's Apache logs.. it’s sending a 200 response.

I am aware. We need the headers that go with that 200 OK response. For example, if it has Cache-Control:public, then Squid may be able to cache it despite authentication.


HTH,

Alex.


On Fri, 12 Jul 2024 at 18:26, Alex Rousskov wrote:

    On 2024-07-12 13:03, Ben Toms wrote:

     > So the issue seems to be caching content that requires authentication

    The client is getting an error response from Squid. That error is
    probably not related to caching decisions. I do not recommend focusing
    on caching at this stage of triage. I recommend addressing that
    error first.


     > The question here is, can squid cache items that require authentication
     > to access?

    Yes, in some cases. To know whether your case qualifies, I asked for the
    response headers. That led to the discovery that there are none (from
    child Squid point of view). If you really want to investigate the
    caching angle in parallel with solving ERR_READ_ERROR/WITH_SERVER, then
    try to obtain HTTP response headers that the origin server responds (to
    the parent cache) with.


    HTH,

    Alex.


     > *From: *Ben Toms <ben@xxxxxxxxxxx>
     > *Date: *Friday, 12 July 2024 at 17:56
     > *To: *Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>,
     > squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
     > *Subject: *Re:  TCP_MISS_ABORTED/502
     >
     > So, with the below config:
     >
     > https_port 443 accel protocol=HTTPS tls-cert=/usr/local/squid/client.pem tls-key=/usr/local/squid/client.key
     >
     > cache_peer public.server.fqdn parent 443 0 no-query originserver no-digest no-netdb-exchange tls login=PASSTHRU name=myAccel forceddomain=public.server.fqdn
     >
     > acl our_sites dstdomain local.server.fqdn
     >
     > http_access allow our_sites
     >
     > cache_peer_access myAccel allow our_sites
     >
     > cache_peer_access myAccel deny all
     >
     > cache_dir ufs /usr/local/squid/var/cache 100000 16 256
     >
     > cache_mem 500 MB
     >
     > maximum_object_size_in_memory 50000 KB
     >
     > refresh_pattern .               0       20%     4320
     >
     > debug_options 11,2
     >
     > I can see the below in /var/log/squid/cache.log
     >
     > ----------
     >
     > 2024/07/12 16:49:57.056 kid1| 11,2| http.cc(1263) readReply: conn12 local=client.ip:56670 remote=public.ip.of.public.server:443 FIRSTUP_PARENT FD 14 flags=1: read failure: (0) No error.
     >
     > 2024/07/12 16:49:57.056 kid1| 11,2| Stream.cc(273) sendStartOfMessage: HTTP Client conn9 local=client.ip:443 remote=local.server.ip:59158 FD 13 flags=1
     >
     > 2024/07/12 16:49:57.056 kid1| 11,2| Stream.cc(274) sendStartOfMessage: HTTP Client REPLY:
     >
     > ---------
     >
     > HTTP/1.1 502 Bad Gateway
     >
     > Server: squid/6.6
     >
     > Mime-Version: 1.0
     >
     > Date: Fri, 12 Jul 2024 16:49:57 GMT
     >
     > Content-Type: text/html;charset=utf-8
     >
     > Content-Length: 3629
     >
     > X-Squid-Error: ERR_READ_ERROR 0
     >
     > Vary: Accept-Language
     >
     > Content-Language: en
     >
     > Cache-Status: local.server;detail=mismatch
     >
     > Via: 1.1 local.server (squid/6.6)
     >
     > Connection: keep-alive
     >
     > ----------
     >
     > The apache server still shows a 200 for the request:
     >
     > [12/Jul/2024:17:49:57 +0100] "GET /path/to/file HTTP/1.1" 200 10465 "-" "curl/8.7.1"
     >
     > And this is when testing via:
     >
     > curl -D - https://local.server.fqdn/path/to/file -H "Authorization: Basic base64auth" -o /dev/null
     >
     > Regards,
     >
     > Ben.
     >
     > *From: *Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
     > *Date: *Friday, 12 July 2024 at 17:36
     > *To: *Ben Toms <ben@xxxxxxxxxxx>,
     > squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
     > *Subject: *Re:  TCP_MISS_ABORTED/502
     >
     > On 2024-07-12 12:14, Ben Toms wrote:
     >
     >> Which log should those be found?
     >
     > cache.log (if they are present)
     >
     >
     >> Can’t see “HTTP Server RESPONSE” in the access.log or cache.log.
     >
     > Sigh. This is one of the reasons I avoid asking folks to study logs
     > themselves, even ALL,2 logs...
     >
     > If that line is not in cache.log, then child Squid probably did not
     > receive a response from parent Squid, or could not parse that response.
     > A full debugging log should give us more information.
     >
     > Alex.
     >
     >
     >> *From: *squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on
     >> behalf of Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
     >> *Date: *Friday, 12 July 2024 at 17:11
     >> *To: *squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
     >> *Subject: *Re:  TCP_MISS_ABORTED/502
     >>
     >> On 2024-07-12 11:38, Ben Toms wrote:
     >>> Think I made the changes Alex requested:
     >>>
     >>> 12/Jul/2024:15:36:31 +0000.640 local.server.ip TCP_MISS_ABORTED/502 3974
     >>> GET https://local.server.fqdn/path/to/file -
     >>> FIRSTUP_PARENT/public.ip.of.public.server text/html
     >>> ERR_READ_ERROR/WITH_SERVER
     >>
     >> Thank you for using Squid v6 for this test.
     >>
     >> Unfortunately, due to Squid logging bugs, ERR_READ_ERROR/WITH_SERVER
     >> does not always mean what it says. For example, parent Squid could have
     >> closed the child-parent connection prematurely, but there could be other
     >> reasons. A full debugging log should give us more information.
     >>
     >>
     >>> 2024/07/12 14:57:08.678 kid1| 11,2| Stream.cc(274) sendStartOfMessage:
     >>> HTTP Client REPLY:
     >>
     >> This is a child proxy response to the client. We need parent response to
     >> the child proxy. Look for "HTTP Server RESPONSE" lines instead.
     >>
     >>
     >> HTH,
     >>
     >> Alex.
     >>
     >>
     >>
     >>> ---------
     >>>
     >>> HTTP/1.1 502 Bad Gateway
     >>>
     >>> Server: squid/6.6
     >>>
     >>> Mime-Version: 1.0
     >>>
     >>> Date: Fri, 12 Jul 2024 14:57:08 GMT
     >>>
     >>> Content-Type: text/html;charset=utf-8
     >>>
     >>> Content-Length: 3629
     >>>
     >>> X-Squid-Error: ERR_READ_ERROR 0
     >>>
     >>> Vary: Accept-Language
     >>>
     >>> Content-Language: en
     >>>
     >>> Cache-Status: squid.host;detail=mismatch
     >>>
     >>> Via: 1.1 squid.host (squid/6.6)
     >>>
     >>> Connection: keep-alive
     >>>
     >>> ----------
     >>>
     >>> Regards,
     >>>
     >>> Ben.
     >>>
     >>> *From: *squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on
     >>> behalf of Amos Jeffries <squid3@xxxxxxxxxxxxx>
     >>> *Date: *Friday, 12 July 2024 at 15:22
     >>> *To: *squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
     >>> *Subject: *Re:  TCP_MISS_ABORTED/502
     >>>
     >>>
     >>> On 13/07/24 01:52, Alex Rousskov wrote:
     >>>> On 2024-07-12 08:06, Ben Toms wrote:
     >>>>> Seems that my issue is similar to -
     >>>>> https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication
     >>>>
     >>>> You are facing up to two problems:
     >>>>
     >>>> 1. Some authenticated responses are not cachable by Squid. Please share
     >>>> HTTP headers of the response in question.
     >>>>
     >>>
     >>> FYI, those can be obtained by configuring squid.conf with
     >>>
     >>>     debug_options 11,2
     >>>
     >>>
     >>> Cheers
     >>> Amos
     >>>
     >>>
     >>>> 2. TCP_MISS_ABORTED/502 errors may delete a being-cached response. These
     >>>> can be bogus errors (essentially Squid logging bugs) or real ones (e.g.,
     >>>> due to communication bugs, misconfiguration, or compatibility problems).
     >>>> I recommend adding %err_code/%err_detail to your logformat and sharing
     >>>> the corresponding access.log lines (obfuscated as needed).
     >>>>
     >>>> Sharing (privately if needed) a pointer to compressed ALL,9 cache.log
     >>>> while reproducing the issue using a single transaction may help us
     >>>> resolve all the unknowns:
     >>>>
     >>>> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction
     >>>>
     >>>>
     >>>> HTH,
     >>>>
     >>>> Alex.
     >>>>
     >>>>
     >>>
     >>>
     >>> _______________________________________________
     >>> squid-users mailing list
     >>> squid-users@xxxxxxxxxxxxxxxxxxxxx
     >>> https://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
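
The triage steps discussed in this thread, as an added example (not part of the original messages and not Squid project code): it scans a `debug_options 11,2` cache.log for "HTTP Server RESPONSE" and "HTTP Client REPLY" header dumps, reports whether any upstream response was received and which `X-Squid-Error` the client was sent, and checks each upstream response against the RFC 9111 section 3.5 rule for reusing responses to requests that carried `Authorization`. Assumptions: the function names are hypothetical, the log samples are constructed, and the "Server RESPONSE" dump is assumed to use the same dashed-block layout as the "Client REPLY" dumps quoted above.

```python
import re

# Directives that let a shared cache reuse a response to a request that
# carried Authorization (RFC 9111, section 3.5).
ALLOW_SHARED = {"public", "must-revalidate", "s-maxage"}
BLOCK = re.compile(
    r"HTTP (Server RESPONSE|Client REPLY):[ \t\r]*\n-{5,}\r?\n(.*?)\n-{5,}", re.S)

def header_blocks(log_text):
    """Return (label, headers) for each header dump in an 11,2 cache.log."""
    blocks = []
    for label, body in BLOCK.findall(log_text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = {}
        for ln in lines[1:]:  # lines[0] is the status line
            name, _, value = ln.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        blocks.append((label, headers))
    return blocks

def shareable_despite_auth(headers):
    """RFC 9111 rule only; Squid's own caching decision weighs more inputs."""
    directives = {d.split("=")[0].strip().lower()
                  for v in headers.get("cache-control", []) for d in v.split(",")}
    if directives & {"no-store", "private"}:
        return False
    return bool(directives & ALLOW_SHARED)

def triage(log_text):
    """Summarise what the proxy received upstream and what it told the client."""
    blocks = header_blocks(log_text)
    server = [h for label, h in blocks if label == "Server RESPONSE"]
    return {
        "server_responses": len(server),
        "squid_errors": [h["x-squid-error"][0] for label, h in blocks
                         if label == "Client REPLY" and "x-squid-error" in h],
        "shareable": [shareable_despite_auth(h) for h in server],
    }

# Constructed samples: CHILD mirrors the thread's child-proxy log (Squid's own
# 502, no upstream headers); PARENT is a hypothetical parent-side header dump.
CHILD = ("kid1| 11,2| Stream.cc(274) sendStartOfMessage: HTTP Client REPLY:\n---------\n"
         "HTTP/1.1 502 Bad Gateway\nX-Squid-Error: ERR_READ_ERROR 0\n\n----------\n")
PARENT = ("kid1| 11,2| HTTP Server RESPONSE:\n---------\n"
          "HTTP/1.1 200 OK\nCache-Control: public, max-age=3600\n\n----------\n")

if __name__ == "__main__":
    print(triage(CHILD))
    print(triage(PARENT))
```

A result with `server_responses` of 0 alongside a Squid error matches the situation in the thread: the read failure has to be resolved before response headers, and therefore cacheability, can be assessed on that proxy.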



