Re: [squid-users] Strange 503 on https sites

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 Jun 2011 11:46:30 +1200

 On Mon, 27 Jun 2011 15:40:10 +0800, ICT Department wrote:
> Hi,
>
> I am very confused now as to why 99% of https access has 503, even yahoo
> which is very fast..
>
> This problem arises when my network is at peak use. This problem arises when
> I upgraded my connection from Copper connection 4mbps to Fiber optic 6mbps.
> Hope could someone point me to the right direction. Thank you.
>

 503 is "Service Unable". On CONNECT requests for Squid that means the
 TCP connection to that IP address could not be opened. The 59 second
 duration for those requests indicates a TCP setup timeout is happening.

 The next step I'd look at is PMTU issues between you and that server.

 Squid-3.1 does IPv6. So if you have that incorrectly disabled Squid
 could be failing to connect to that IPv4-only destination over an IPv6
 socket.
 NP: (rant warning) if you followed most any online tutorial for
 disabling IPv6 in RHEL: most only go so far as to make the kernel drop
 IPv6 packets, rather than actually turning OFF the kernel control which
 would inform the relevant software that it cannot use IPv6 ports. So it
 sends a packet, and waits... and waits...
  (and yes I know you are connecting to an IPv4 host. The Linux "hybrid
 stack" which Squid uses can use IPv6 sockets to contact IPv4 space).

>
> Access.log
>
> 1309159630.003 59632 192.168.100.33 TCP_MISS/503 0 CONNECT 124.102.69.115:443 - DIRECT/124.102.69.115 -
> 1309159630.003 59629 192.168.100.33 TCP_MISS/503 0 CONNECT 140.127.205.122:443 - DIRECT/140.127.205.122 -
> 1309159632.000 59480 192.168.100.33 TCP_MISS/503 0 CONNECT 218.226.219.106:443 - DIRECT/218.226.219.106 -
> 1309159632.000 59996 192.168.10.105 TCP_MISS/503 0 CONNECT login.yahoo.com:443 - DIRECT/124.108.120.31 -
> 1309159636.001 59997 192.168.100.84 TCP_MISS/503 0 CONNECT www.facebook.com:443 - DIRECT/69.171.228.11 -
> 1309159644.000 59906 192.168.100.58 TCP_MISS/503 0 CONNECT us.data.toolbar.yahoo.com:443 - DIRECT/98.137.53.23 -
> 1309159656.002 59085 192.168.100.33 TCP_MISS/503 0 CONNECT 118.167.16.72:443 - DIRECT/118.167.16.72 -
>
> My squid is compiled with
>
> Squid Cache: Version 3.1.12
>
> configure options: '--build=i686-redhat-linux-gnu'
> '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu'
> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include'
> '--libdir=/usr/lib' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/usr/com'
> '-mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--exec_prefix=/usr'
> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
> '--localstatedir=/var'
> '--datadir=/usr/share' '--sysconfdir=/etc/squid'
> '--enable-removal-policies=heap,lru'
> '--enable-storeio=aufs,diskd,ufs'
> '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools'
> '--enable-linux-netfilter' '--with-pthreads'
> '--enable-ntlm-auth-helpers=fakeauth'
>
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-digest-auth-helpers=password'
> '--with-winbind-auth-challenge'
> '--enable-useragent-log' '--enable-referer-log'
> '--disable-dependency-tracking'
> '--enable-cachemgr-hostname=localhost'
> '--enable-underscores' '--enable-useragent_log'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
> '--enable-cache-digests' '--disable-ident-lookups'
> '--with-large-files' '--enable-gnuregex'
> '--disable-follow-x-forwarded-for'
> '--enable-fd-config' '--with-maxfd=16384' '--enable-internal-dns'
> 'build_alias=i686-redhat-linux-gnu'
> 'host_alias=i686-redhat-linux-gnu'
> 'target_alias=i386-redhat-linux-gnu' --with-squid=/root/squid-3.1.12
> --enable-ltdl-convenience

 Amos
Received on Mon Jun 27 2011 - 23:46:34 MDT
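
Added example, not part of the original message or of Squid: a small Python filter that picks out the pattern described in the reply above, CONNECT requests that end in 503 after roughly a minute, and groups them by client and destination. The 55-65 second window, the function names and the last two sample lines are assumptions made for this illustration; the first three sample lines are taken from the access.log excerpt in the thread.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed_ms client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

# Assumption: a window chosen to bracket the ~59 s durations seen in the thread.
TIMEOUT_WINDOW_MS = (55_000, 65_000)

# First three lines come from the thread; the last two are constructed
# (a successful tunnel and a fast 503) to show what the filter ignores.
SAMPLE = """\
1309159630.003 59632 192.168.100.33 TCP_MISS/503 0 CONNECT 124.102.69.115:443 - DIRECT/124.102.69.115 -
1309159632.000 59996 192.168.10.105 TCP_MISS/503 0 CONNECT login.yahoo.com:443 - DIRECT/124.108.120.31 -
1309159656.002 59085 192.168.100.33 TCP_MISS/503 0 CONNECT 118.167.16.72:443 - DIRECT/118.167.16.72 -
1309159660.100 842 192.168.100.40 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1309159661.200 12 192.168.100.41 TCP_MISS/503 0 CONNECT host.example:443 - DIRECT/192.0.2.20 -
"""

def parse(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    return rec

def connect_timeouts(lines):
    """Return CONNECT/503 records whose duration falls inside the timeout window."""
    lo, hi = TIMEOUT_WINDOW_MS
    recs = (parse(line) for line in lines)
    return [r for r in recs if r and r["method"] == "CONNECT"
            and r["status"] == 503 and lo <= r["elapsed"] <= hi]

def summarize(hits):
    """Count timed-out tunnels per client and per destination address."""
    return {"by_client": Counter(r["client"] for r in hits),
            "by_peer": Counter(r["peer"] for r in hits)}

if __name__ == "__main__":
    summary = summarize(connect_timeouts(SAMPLE.splitlines()))
    for name, counts in summary.items():
        print(name, dict(counts))
```

If the timeouts are spread over many clients and many unrelated destinations, as in the excerpt, the cause is more likely on the proxy's own outbound path than at any one remote server.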
