Re: [squid-users] CLOSE_WAIT

From: Steve Hill <steve_at_opendium.com>
Date: Wed, 09 Jan 2013 12:28:04 +0000

On 09/01/13 10:14, Steve Hill wrote:

> I have a busy Squid 3.2.3 server that constantly has a huge number of
> connections tied up in CLOSE_WAIT (i.e. at the moment it has 364
> ESTABLISHED but 3622 in CLOSE_WAIT).
>
> tcp 1 0 ::ffff:172.23.3.254:8080 ::ffff:172.23.2.158:49615
> CLOSE_WAIT 32303/(squid-1)

Further to this, it appears that this is triggered by ICAP REQMOD
rewrites of CONNECT requests:

1. Client sends a "CONNECT foo.example.com:443 HTTP/1.1" request to the
proxy.
2. Squid passes the request to the ICAP REQMOD service.
3. The ICAP REQMOD service wants to deny the request, so rewrites the
request.
4. Squid returns a "403 Forbidden" response to the client in clear text
(this is allowed, as it is seen by the client as a response from the
proxy rather than a response from the web server, although very few
clients actually display the page contents these days due to security
restrictions).
5. The client sends a FIN
At this point, the socket stays open on the Squid server - Squid never
closes it and there is 1 byte in the socket's rx queue. I have no idea
what that 1 byte is though - Since all requests are terminated with a
\r\n maybe squid doesn't read the \n ?)

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messager: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com
Received on Wed Jan 09 2013 - 12:28:19 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 10 2013 - 12:00:03 MST