On Tue, 22 Feb 2011 07:37:27 -0800 (PST), nickcx wrote:
> Hi List,
>
> I'm trying to get access to me.com working on my test proxy, but I keep
> getting a timeout in my browsers: (110) Connection timed out. Access log
> shows TCP_MISS/503. I have tried disabling various things to see if I can
> get it working: authentication, send direct – even allow all at the top but
> no joy.
>
> On 3stable20 I've had this working ok..
>
> Any help/pointers gratefully received,
>
"Connection timed out" usually means the network connectivity is broken
or lagging a lot.
There are two differences between 3.0 and 3.1 in the TCP connection
area.
One is that 3.1 will attempt to use IPv6 when the website presents an
AAAA address.
** That particular site appears to only be presenting A from here, so
this is unlikely. But you may be getting AAAA so check the IPs yourself.
The other is that 3.1 sends slightly larger packets, so things like
Path-MTU are more important to be working correctly.
Of course, these are only relevant if the problem can be displayed on
one version then immediately not be present on the other. If by "had
this working" you mean last week or months ago, then there could have
been basic Internet changes you are not aware of between you and the
website.
Amos
> Thanks
> ===
>
> Squid 3.1.8 conf:
>
>
<snip>
> cache_store_log none squid
> cache_log /var/log/squid/cache.log squid
NP: these last two log directives only take one parameter, the "squid"
there is not needed.
<snip>
>
> # Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
> acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
IPv6 is spreading. This pattern needs to be updated.
There is a new recommended pattern at
http://wiki.squid-cache.org/ConfigExamples/Chat/Skype page.
You can omit the "443" port at the end of that wiki example to retain
the port matching looseness of your current rule.
>
> # MSN Messenger Allow IP ACL
> acl IP_MSNMessenger src "/etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt"
>
Allowing a whole machine access by IP if it uses MSN seems a bit
excessive.
You may be interested in
http://wiki.squid-cache.org/ConfigExamples/Chat/MsnMessenger
or any of the other configs at
http://wiki.squid-cache.org/ConfigExamples/Chat
<snip>
>
> ## SEND DIRECT ALLOW
> always_direct allow SENDDIRECT_DstDomains
> always_direct allow SENDDIRECT_IPAddresses
>
<snip>
> ###### CATCH ALL DENY ######
> never_direct allow all
> snmp_access deny all
NP: "never_direct deny all" as the only never_direct entry will combine
with always_direct for those bypasses and cause those requests to block
with a "Cannot forward" error.
Since they both MUST NOT go to a peer and MUST NOT go direct to an IP
there is no path left to choose from.
The way to implement what you appear to want is with:

  always_direct allow SENDDIRECT_DstDomains
  always_direct allow SENDDIRECT_IPAddresses
  never_direct deny SENDDIRECT_IPAddresses
  never_direct deny SENDDIRECT_DstDomains
  never_direct allow all

Amos
Received on Wed Feb 23 2011 - 00:50:53 MST
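
Added example, not part of either message in this thread: a small audit of the quoted StopDirectIP pattern against CONNECT targets, showing which IP-literal destinations it misses once IPv6 is in play. The sample targets are constructed, and the combined IPv4/IPv6 pattern is a hypothetical written for this example, not the pattern from the wiki page.

```python
import ipaddress
import re

# Pattern from the quoted squid.conf: IPv4 dotted-quad only.
STOP_DIRECT_IP_V4 = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Hypothetical extension for this example (NOT the wiki's pattern): also
# matches a bracketed IPv6 literal. Uses only constructs valid in POSIX ERE.
STOP_DIRECT_IP_V4_V6 = re.compile(
    r"^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9a-fA-F:.]+\])"
)

def is_ip_literal(target):
    """True if the host part of a CONNECT target ("host:port") is an IP."""
    try:
        if target.startswith("["):            # [v6-literal]:port
            host = target[1:target.index("]")]
        else:                                 # name-or-v4:port
            host = target.rsplit(":", 1)[0]
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(targets, pattern):
    """Return (missed, overmatched) for a url_regex-style pattern.

    missed:      IP-literal targets the pattern does not match (policy gap)
    overmatched: hostname targets the pattern matches anyway (false block)
    """
    missed = [t for t in targets if is_ip_literal(t) and not pattern.search(t)]
    over = [t for t in targets if not is_ip_literal(t) and pattern.search(t)]
    return missed, over

# Constructed sample CONNECT targets (documentation address ranges).
SAMPLE_TARGETS = [
    "192.0.2.10:443",
    "[2001:db8::1]:443",
    "[::ffff:192.0.2.10]:5223",
    "www.example.com:443",
    "1.2.3.4.example.com:443",
]

if __name__ == "__main__":
    for name, pat in (("v4 only", STOP_DIRECT_IP_V4),
                      ("v4 + v6", STOP_DIRECT_IP_V4_V6)):
        missed, over = audit(SAMPLE_TARGETS, pat)
        print(f"{name}: missed={missed} overmatched={over}")
```

Because neither pattern anchors the end of the host, a hostname that merely begins with four dotted numbers is also matched; the audit reports that separately from the IPv6 gap.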