Re: [squid-users] TCP_MISS_ABORTED after upgrade to 3.2 from 3.1

From: dweimer <dweimer_at_dweimer.net>
Date: Thu, 24 Jan 2013 00:50:56 -0600

On 2013-01-23 20:28, dweimer wrote:
> On 2013-01-23 17:05, dweimer wrote:
>> On 2013-01-23 13:59, dweimer wrote:
>>> On 2013-01-23 13:48, dweimer wrote:
>>>> We are having an issue with a web based employment application form
>>>> after upgrading our reverse proxy from 3.1.20 to 3.2.6. The proxy
>>>> logs the following:
>>>>
>>>> 1358969527.735 300778 75.91.238.15 TCP_MISS/400 459 POST https://...
>>>>
>>>> Some do go through but very slowly, any ideas what would cause this?
>>>>
>>>> The form is a simple form on a Plone server with Apache 2.2.23 in
>>>> between handling the HTTPS on the back end server.
>>>
>>> Oops, copied one of the few that works, instead of one of the many
>>> that failed, the log that shows up when failed is at
>>> TCP_MISS_ABORTED.
>>>
>>> 1358969226.938 63434 75.91.238.15 TCP_MISS_ABORTED/000 0 POST https://...
>>
>> Another update, I have confirmed that uploads to our PHP based File
>> Management Application (http://ajaxplorer.info) are also triggering
>> the same problem. This is running on Apache 2.2.23 on the same server
>> as the Squid application. I don't have any non-HTTPS forms behind
>> this reverse proxy to verify if the problem is only on the https side
>> or not. We have verified that both applications work correctly when
>> connecting directly to them and not going through the reverse proxy.
>> I have also verified that it works fine using Squid 3.2.6 as a forward
>> proxy on the client side when accessing the applications directly. So
>> it's something specific to the reverse proxy setup.
>>
>> There's just one https_port line:
>>
>> https_port 10.50.20.10:443 accel cert=/usr/local/etc/squid/certs/myserver.crt key=/usr/local/etc/squid/certs/myserver.key options=NO_SSLv2:NO_TLSv1:CIPHER_SERVER_PREFERENCE cipher=RC4:!MD5:!aNULL:!EDH defaultsite=www.mydefaultdomain.com
>>
>> I do have multiple SSL sites using a UCC certificate, the cache peer
>> lines look like the following, just different IPs, cache_peer_domains,
>> and cache_peer_access lists:
>>
>> cache_peer 127.0.0.1 parent 443 0 ssl no-query no-digest no-netdb-exchange originserver name=local_ssl_parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
>> cache_peer_domain local_ssl_parent www.mydefaultsite.com
>> cache_peer_access local_ssl_parent allow defaultsite SSL
>>
>> Is there any type of maximum post size setting that could be causing
>> this? I didn't see anything looking through the configuration options.
>> All downloads appear to be fine, some forms to submit data work just
>> fine, but those are very small forms. So I am wondering if there is
>> some sort of post size limit I am hitting that didn't exist in the
>> 3.1 branch.
>
> After more testing, creating a simple file upload form with PHP, I
> have traced it down to only HTTPS, works fine with HTTP, and only if
> the post is over a certain size, haven't confirmed which size it
> breaks at, I know 3.04k fails and 2.2k works.

Well, it's a good thing this server is virtual, because if it was a
physical server I would be throwing it out the window. I removed squid
3.2.6, installed 3.1.23. Same problem, is there any known issue doing
HTTPS reverse proxies on FreeBSD 9.1? Because the only difference
between this one now and the original server I upgraded from is FreeBSD
9.1 instead of FreeBSD 9.0-p4.

I am switching over to the old server and hoping the problem doesn't
exist on it as well.

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/
Received on Thu Jan 24 2013 - 06:51:04 MST
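
An added example, not part of the original message: a short Python script that tests the pattern reported in this thread (POSTs ending in TCP_MISS_ABORTED/000 or an error after a long wait, while other requests succeed) against a Squid native-format access.log. The sample lines, client addresses and URLs are constructed, and the 60-second "slow" threshold is an assumption.

```python
"""Summarise failed requests in a Squid native-format access.log."""
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample lines (not taken from the thread). Native layout:
# time elapsed_ms client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1358969226.938  63434 192.0.2.15 TCP_MISS_ABORTED/000 0 POST https://www.example.com/apply - FIRSTUP_PARENT/127.0.0.1 -
1358969527.735 300778 192.0.2.15 TCP_MISS/400 459 POST https://www.example.com/apply - FIRSTUP_PARENT/127.0.0.1 text/html
1358969530.101     42 192.0.2.22 TCP_MISS/200 5120 GET https://www.example.com/ - FIRSTUP_PARENT/127.0.0.1 text/html
1358969541.500    310 192.0.2.22 TCP_MISS/200 812 POST https://www.example.com/search - FIRSTUP_PARENT/127.0.0.1 text/html
garbage line
"""

class Entry(NamedTuple):
    elapsed_ms: int
    client: str
    result: str   # e.g. TCP_MISS_ABORTED
    status: int   # 0 (logged as 000) means no reply reached the client
    size: int
    method: str
    url: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    result, _, status = parts[3].partition("/")
    try:
        return Entry(int(parts[1]), parts[2], result, int(status),
                     int(parts[4]), parts[5], parts[6])
    except ValueError:
        return None

def classify(e: Entry, slow_ms: int = 60_000) -> Optional[str]:
    """Return a failure reason, or None if the request looks healthy."""
    if e.result.endswith("_ABORTED") or e.status == 0:
        return "aborted"
    if e.status >= 400:
        return "http-error"
    if e.elapsed_ms >= slow_ms:   # assumed threshold, tune per site
        return "slow"
    return None

def failures_by_method(lines):
    """Map method -> (failed, total) to show whether only POSTs break."""
    failed, total = Counter(), Counter()
    for e in filter(None, map(parse_line, lines)):
        total[e.method] += 1
        failed[e.method] += classify(e) is not None
    return {m: (failed[m], total[m]) for m in total}

if __name__ == "__main__":
    for method, (bad, seen) in failures_by_method(SAMPLE_LOG.splitlines()).items():
        print(f"{method}: {bad}/{seen} failed")
```

Run it against the real log by passing `open("/path/to/access.log")` to `failures_by_method`; the path is site-specific.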
