Re: [squid-users] me.com TCP_MISS/503

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Feb 2011 13:50:49 +1300

 On Tue, 22 Feb 2011 07:37:27 -0800 (PST), nickcx wrote:
> Hi List,
>
> I'm trying to get access to me.com working on my test proxy, but I keep
> getting a timeout in my browsers: (110) Connection timed out. Access log
> shows TCP_MISS/503. I have tried disabling various things to see if I can
> get it working: authentication, send direct – even allow all at the top but
> no joy.
>
> On 3stable20 I've had this working ok..
>
> Any help/pointers gratefully received,
>

 "Connection timed out" usually means the network connectivity is broken
 or lagging a lot.

 There are two differences between 3.0 and 3.1 in the TCP connection
 area.
  One is that 3.1 will attempt to use IPv6 when the website presents an
 AAAA address.
  ** That particular site appears to only be presenting A from here, so
 this is unlikely. But you may be getting AAAA so check the IPs yourself.

  The other is that 3.1 sends slightly larger packets, so things like
 Path-MTU are more important to be working correctly.

 Of course, these are only relevant if the problem can be displayed on
 one version then immediately not be present on the other. If by "had
 this working" you mean last week or months ago, then there could have
 been basic Internet changes you are not aware of between you and the
 website.

 Amos

> Thanks
> ===
>
> Squid 3.1.8 conf:
>
>
 <snip>
> cache_store_log none squid
> cache_log /var/log/squid/cache.log squid

 NP: these last two log directives only take one parameter, the "squid"
 there is not needed.

 <snip>
>
> # Blocks CONNECT method to IP addresses (Blocks Skype amongst other
> things)
> acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

 IPv6 is spreading. This pattern needs to be updated.

 There is a new recommended pattern at
 http://wiki.squid-cache.org/ConfigExamples/Chat/Skype page.

 You can omit the "443" port at the end of that wiki example to retain
 the port matching looseness of your current rule.

>
> # MSN Messenger Allow IP ACL
> acl IP_MSNMessenger src "/etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt"
>

 Allowing a whole machine access by IP if it uses MSN seems a bit
 excessive.
 You may be interested in
 http://wiki.squid-cache.org/ConfigExamples/Chat/MsnMessenger
 or any of the other configs at
 http://wiki.squid-cache.org/ConfigExamples/Chat

 <snip>
>
> ## SEND DIRECT ALLOW
> always_direct allow SENDDIRECT_DstDomains
> always_direct allow SENDDIRECT_IPAddresses
>
 <snip>
> ###### CATCH ALL DENY ######
> never_direct allow all
> snmp_access deny all

 NP: "never_direct deny all" as the only never_direct entry will combine
 with always_direct for those bypasses and cause those requests to block
 with a "Cannot forward" error.
  Since they both MUST NOT go to a peer and MUST NOT go direct to an IP
 there is no path left to choose from.

 The way to implement what you appear to want is with:

   always_direct allow SENDDIRECT_DstDomains
   always_direct allow SENDDIRECT_IPAddresses

   never_direct deny SENDDIRECT_IPAddresses
   never_direct deny SENDDIRECT_DstDomains
   never_direct allow all

 Amos
Received on Wed Feb 23 2011 - 00:50:53 MST
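A small model of the always_direct / never_direct interaction discussed in the reply, added here as an example and not code from the thread or from Squid itself: the ACL contents, the sample hostnames and the `parse` helper are constructed for illustration. It applies Squid's access-list rule (first matching line decides; with no match, the result is the opposite of the last line's action) to the quoted config and to the corrected form, following the reply's reading that "always_direct allow" means MUST go direct and "never_direct allow" means MUST NOT.

```python
import re

# Constructed ACL definitions (name -> predicate on the destination host).
ACLS = {
    "all": lambda host: True,
    "SENDDIRECT_DstDomains": lambda host: host.endswith(".example.internal"),
    "SENDDIRECT_IPAddresses": lambda host: re.fullmatch(r"10(\.\d{1,3}){3}", host) is not None,
}
# The relevant lines of the quoted config, and the corrected form from the reply.
ORIGINAL_CONF = """
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
never_direct allow all
"""
FIXED_CONF = """
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
never_direct deny SENDDIRECT_IPAddresses
never_direct deny SENDDIRECT_DstDomains
never_direct allow all
"""

def parse(conf_text):
    """Collect always_direct and never_direct lines, in order, as (action, acl) pairs."""
    lists = {"always_direct": [], "never_direct": []}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in lists:
            lists[parts[0]].append((parts[1], parts[2]))
    return lists

def evaluate(access_list, host):
    """Squid access-list rule: the first matching line decides; if nothing matches,
    the result is the opposite of the last line's action. An empty list imposes nothing."""
    for action, acl in access_list:
        if ACLS[acl](host):
            return action
    if not access_list:
        return None
    return "deny" if access_list[-1][0] == "allow" else "allow"

def forwarding_paths(conf_text, host):
    """Paths left for a request to host: 'always_direct allow' means it MUST go direct,
    'never_direct allow' means it MUST NOT; an empty set is the 'Cannot forward' case."""
    lists = parse(conf_text)
    paths = {"direct", "peer"}
    if evaluate(lists["always_direct"], host) == "allow":
        paths.discard("peer")
    if evaluate(lists["never_direct"], host) == "allow":
        paths.discard("direct")
    return paths
```

With ORIGINAL_CONF a request to a SENDDIRECT destination is left with no path at all, while FIXED_CONF leaves it with "direct" and sends everything else to the peer.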

This archive was generated by hypermail 2.2.0 : Thu Feb 24 2011 - 12:00:03 MST