On Mon, 27 Jun 2011 08:05:59 +0300, Richard Zulu wrote:
> Hey,
> I have squid version 3.1.9 working as a web forward proxy serving
> close to 500 users with over 54000 requests every other day.
> However, of recent, it is failing to communicate with the DNS Server
> completely which leads to few requests being completed.
> This has led to a long queue as to the requests supposed to be
> completed which later causes squid to hang.
> Shifting the very users to another squid cache causes similar
> problems. What could be the issue here?
> Some of the errors generated in the cache.log are here below:
> getsockopt(SO_ORIGINAL_DST) failed on FD 128:
NAT failure.
Could be a couple of things. Some seriously bad, and some only trivial.
* On Linux if you allow non-NAT clients to access a port marked
"intercept" or "transparent". The ports for direct client->proxy and NAT
connections need to be separate and the NAT one firewalled away so it
cant be accessed directly. See the squid wiki config examples for DNAT
or REDIRECT for the iptables "mangle" rules that protect against these
security vulnerabilities.
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
* On OpenBSD 4.7 or later (may or may not need some patches) it can be
the same as Linux. OR if they have partial but broken SO_ORIGINAL_DST
support it shows up but means only that the OS is broken.
* On other non-Linux systems it is a Squid bug. Means nothing, but I
want to get it fixed/silenced.
> squidaio_queue_request: WARNING - Queue congestion
http://wiki.squid-cache.org/KnowledgeBase/QueueCongestion
> urlParse: URL too large (12404 bytes)
Exactly what it says. URL is too big for Squid to handle. There should
be a 4xx status sent back to the client so it can retry or whatever.
> statusIfComplete: Request not yet fully sent "POST http://person.com/ims.manage.phtml?__mp[name]=ims:manage&action=bugreport&js_id=47&"
Server or client disconnected halfway through a POST request.
> WARNING: unparseable HTTP header field {Web Server}
http://wiki.squid-cache.org/KnowledgeBase/UnparseableHeader
Amos
Received on Mon Jun 27 2011 - 23:17:32 MDT
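
A check for the first Linux case in the reply above, added here as an example and not code from the post or the Squid project: it lists ports marked intercept/transparent in squid.conf that have no unconditional DROP rule in the mangle PREROUTING chain of an iptables-save dump. The function names and both sample inputs are constructed, and only single `--dport` rules are recognised.

```python
# Constructed sample inputs (not from the original post).
SQUID_CONF = """
http_port 3128
http_port 3129 intercept
http_port 192.0.2.1:3130 transparent   # older spelling of intercept
"""
IPTABLES_SAVE = """
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.1:3129
COMMIT
*mangle
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
COMMIT
"""

def intercept_ports(squid_conf):
    """Ports of http_port/https_port lines flagged intercept or transparent."""
    ports = set()
    for line in squid_conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        if {"intercept", "transparent"} & set(tokens[2:]):
            # Port spec may be "3129", "192.0.2.1:3129" or "[::1]:3129".
            ports.add(int(tokens[1].rsplit(":", 1)[-1]))
    return ports

def mangle_dropped_ports(iptables_save):
    """TCP ports dropped for every client in mangle PREROUTING (runs before NAT)."""
    dropped, table = set(), None
    for line in iptables_save.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        tokens = line.split()
        if table != "mangle" or tokens[:2] != ["-A", "PREROUTING"]:
            continue
        if "--dport" not in tokens or tokens[-2:] != ["-j", "DROP"]:
            continue
        if "-p" not in tokens or tokens[tokens.index("-p") + 1] != "tcp":
            continue
        # A rule narrowed by source, interface or negation leaves other clients in.
        if any(t in ("-s", "-i", "!") for t in tokens):
            continue
        port = tokens[tokens.index("--dport") + 1]
        if port.isdigit():
            dropped.add(int(port))
    return dropped

def exposed_intercept_ports(squid_conf, iptables_save):
    """Intercept ports that clients can still reach directly."""
    return sorted(intercept_ports(squid_conf) - mangle_dropped_ports(iptables_save))
```

With the sample inputs, `exposed_intercept_ports(SQUID_CONF, IPTABLES_SAVE)` reports port 3130, which is marked transparent but has no matching mangle rule.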