Pages sometimes load as a mess of random (?) symbols

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Pages sometimes load as a mess of random (?) symbols

Grey
This post was updated on .
Hi,
I'm running Squid version 3.5.23 with caching disabled.
Sometimes when accessing various websites using Chrome (the sites that cause this problem
are always the same, such as www.tomshardware.com for example) the page
doesn't load correctly until after a page refresh, after which it shows
without error.
When loaded the first time the only thing that appears is a random mess of
symbols like this:

���v�H� ���~5m���
�d��%�l����Ze��@6I�P�m}g^c^o�䋈L�7Qi�n��"�\"3c����[����Ł�M��{���/��
NZ�?��~o��n� ��z���v���褮6���9�vC�S��Cp9��0 �� {T:v�~ߩ�E;�b�
���a������(�z�� �='��)Oh�ޅ�t9_�F����$��~�s��;
���[�,<=x�@x���+A�s��~�n׉b?i�o^�!7������DH.�~KL����9u�S�^�,x�Y��˃7O�~��w��e�Z녎�G
�p� NZ_·��+�����۞��a���oԗ�g'�� ����Q���h�&A8�$�@�_�{!��]Щ�
���/�N$�-�n}�χa�Ļ_./�xr��\�׫�5�Jʚ�U��z|48ދ�da�ׯ��JY��%�=�/
1mQl�p�Ž�
G�W�?��Q�u��w�Z�&��w�TatG�q5��E�=Z0I�K]|�}q��o���.'���u��ý��>���TD���W�Y�b��=l%l�B��WI9'~��O�$~�"���s��Z<�Ђ
d}Θ��oW2�Z��U@��9̞矊�[���R!���| �y�� zȊ��sap����A �I �
���GQ��u���I�ʼn�~��Q�i����K���U��Q�*ⳗƒG�^ O� �>�o�>x�%h�v�S�
�B�l���j�c@� VaLҗ�cI[���D���-�wߓ[�nˊ�!��g›��N�����s-����P/`cɭ
³JU��d�F�: ��ܹ}�Ss���E%���T��d��@3�� �y�|�J��ǀp���W1-)�� gA���x^����
����!Q�8E����ak�����݇����$�0a�HD]g��2���*R:q�9��8 �4j�R%h٭u|�ɏk�1
Z�J�⭈H-�Fᙀ�t�O�\��_DB4@`�H�TUhŮJ"���)��a'>��EXӷo' c�vލށ�:m$ʤҬ"pJ���74
%�>���;-���"R��4�4��3p�bŁ��Hun��ܾ��S�C9��"�chR�PN-�4��Vl�*�[
�c\�V��������i�~VK�~08�� x��
�?���5�L&v8nM�^����x'�|'z�3�~M��05�id��#^���u:Ȩ�;�v��
�Ro\X��-1ŋ.\���[��❡t�.��)50`g������I���<}음�;N� ����"i_
ko�B\��S�R�@r��@�L"��v�v�+��u���Z:[�%@'h�ɗ8�H[�N2��1
`Ʊ&�Ț�5��kOTN��9}�8������}�%�ՙ�ʈ'c�DN��������� #`X��
q^8I�T,\����=�:qw�nw����-�mLt)e0�!�E��A�G�+�q���x�9��&
���%H��q�������n����]�g~�S��wV�7kw?AU�B�D4u *~�<"��
��N�]���>�C���Aŗn/���\2�j^�]Sx�J�@"ܢ~~6x�%�v�U��폾��p_�M�J(��*�
�{B�#��� :=Iޱ$ʢ�E� 4R��!cWp���]��j�Zq$TKI8
c��|z�츗����N3e�l?<����� �r$�88�l��A�L��I��xթ �
��n�nz�ìfX��x��8K-sP�X�Znŗ@��3�/��|�&7��i6CMD�P��<�FQ�!W"}i�?^2��t�&Ҹ�]��(m:3����@B
D� ��A y(�� \���Ԭ���C����e{����W�����k �4�#�Q��:�V�>!ǫ��Å��
����y �(/o��X���s0����NPBę�`!lS$� $�~~I�հ�~��t&�-DJ�̜\� _l�2ͮq�
ī;��l��"w(�I7�Z�X�DG ��Ϝg\��}e���td��9�a<��\jG���E��'�)��]�}�
��#}�EE/+0kd�A��:����K�^��{��W�Q�=���o:!�H��a�T��u �!_��U�S��e]
a�A�;�E�����Ҍƅ�bx��I����l�Kj�a�=�d*��S�n7�A�sT����HN���K�b0'-.f�
n�Ԑ��J�B���������3�����y�s�u�7z��X�%`&wOR_OB����(9F��=�
NZGǹ6₼�_��E�>�BR%G��2�x��!iߝ���: WaZ���:��a�5t� z�?���W{�
�^��K0z�WO��ZH0 p��ŭ]�r�!�2��ߑ�� �N��7 '���
�����cQ��,������3`r��e8(��0� %&7(�!)3�*���$�?i��
���ƾ��=��ne(��R{,w[��us%�P��@D���A����
�|�ӳ������~����5���l��[�۷�)�T���3
�>{�R��T������h�Y���`0�]��Z؎�������/;.��C� �'//�^�
��N.n�ƿ5��V���W���U�J���$��!t��J�}�1��
@�Dž]��ܲ�jt�ۋ�F��L�o��Qt�:��#�j� �
[�[��r�aV�<6a��K�3�Ъ_�6���/���A��t�� >��a,ïE����F��Qpp-�V�w���� �
�h�W�?�g��K�w��p(�R���|n���W�6
�hn�èT����ơ��f�R'�w=��A�+Ō�a�KŹ*���ؙ��I�����?Ƥ_���Ci���z�`�-��D�s��
T4�v/l��Y�����
O�(����`s��@AN8��E�n�ȧ/�a�]�_CjPj�B��RJr+��7c�$s��؝�����Hh��*Z)c�$r֜2�-�����
"��<�9Ķ `��WA��{����1�O@ ��x�4�F$���������Q�%C.�J=t�R�
���Q��ܥ��"�o�<��_��J���� ����4��R(g��mwydH_���d�S~��/L��E&w
���R5�<���L7=�/�����$�o�q.�/���-���Z�́�qox�P�f4T�N�s�X$q2�
I��!2�۷#V2h!��1ޖ�����.R�Zd�%�6Gsb�(W�
�둲j�rb$&�J�}��h�j�zRu����[�#�Uz+5w�H���EqA��,�L\fb ym b)�4Ce
�3dR�<�2n[FZ�v��8��<�O�)�e�����[�4���$}�zk�����>/��E1�Of|+�`�)�g(%�wz��wn�0�>��Cz���s��M�A�
0%�� ̀��{~�
�o�P�y(&�z+�]ܠ�1dF�'�*/��3z��[�5��:�*:�fqN����&{���S*9l�3��L��U�j�>s(��f^u�V��f�~�^q��
��qq)�4`��}���� 4-@'T󃞏w�7 ��TX�~t`�_.A�v#��G��ր��x0�Lu��z��

Any idea on what could be the cause of this?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Yuri Voinov
There where no idea till you show your configs. Thelepathy on vacation.


04.10.2017 20:13, Grey пишет:

> Hi,
> I'm running Squid version 3.5.23 with caching disabled.
> Sometimes when accessing various websites (the sites that cause this problem
> are always the same, such as www.tomshardware.com for example) the page
> doesn't load correctly until after a page refresh, after which it shows
> without error.
> When loaded the first time the only thing that appears is a random mess of
> symbols like this:
>
> ���v�H� ���~5m���
> �d��%�l����Ze��@6I�P�m}g^c^o�䋈L�7Qi�n��"�\"3c����[����Ł�M��{���/��
> NZ�?��~o��n� ��z���v���褮6���9�vC�S��Cp9��0 �� {T:v�~ߩ�E;�b�
> ���a������(�z�� �='��)Oh�ޅ�t9_�F����$��~�s��;
> ���[�,<=x�@x���+A�s��~�n׉b?i�o^�!7������DH.�~KL����9u�S�^�,x�Y��˃7O�~��w��e�Z녎�G
> �p� NZ_·��+�����۞��a���oԗ�g'�� ����Q���h�&A8�$�@�_�{!��]Щ�
> ���/�N$�-�n}�χa�Ļ_./�xr��\�׫�5�Jʚ�U��z|48ދ�da�ׯ��JY��%�=�/
> 1mQl�p�Ž�
> G�W�?��Q�u��w�Z�&��w�TatG�q5��E�=Z0I�K]|�}q��o���.'���u��ý��>���TD���W�Y�b��=l%l�B��WI9'~��O�$~�"���s��Z<�Ђ
> d}Θ��oW2�Z��U@��9̞矊�[���R!���| �y�� zȊ��sap����A �I �
> ���GQ��u���I�ʼn�~��Q�i����K���U��Q�*ⳗƒG�^ O� �>�o�>x�%h�v�S�
> �B�l���j�c@� VaLҗ�cI[���D���-�wߓ[�nˊ�!��g›��N�����s-����P/`cɭ
> ³JU��d�F�: ��ܹ}�Ss���E%���T��d��@3�� �y�|�J��ǀp���W1-)�� gA���x^����
> ����!Q�8E����ak�����݇����$�0a�HD]g��2���*R:q�9��8 �4j�R%h٭u|�ɏk�1
> Z�J�⭈H-�Fᙀ�t�O�\��_DB4@`�H�TUhŮJ"���)��a'>��EXӷo' c�vލށ�:m$ʤҬ"pJ���74
> %�>���;-���"R��4�4��3p�bŁ��Hun��ܾ��S�C9��"�chR�PN-�4��Vl�*�[
> �c\�V��������i�~VK�~08�� x��
> �?���5�L&v8nM�^����x'�|'z�3�~M��05�id��#^���u:Ȩ�;�v��
> �Ro\X��-1ŋ.\���[��❡t�.��)50`g������I���<}음�;N� ����"i_
> ko�B\��S�R�@r��@�L"��v�v�+��u���Z:[�%@'h�ɗ8�H[�N2��1
> `Ʊ&�Ț�5��kOTN��9}�8������}�%�ՙ�ʈ'c�DN��������� #`X��
> q^8I�T,\����=�:qw�nw����-�mLt)e0�!�E��A�G�+�q���x�9��&
> ���%H��q�������n����]�g~�S��wV�7kw?AU�B�D4u *~�<"��
> ��N�]���>�C���Aŗn/���\2�j^�]Sx�J�@"ܢ~~6x�%�v�U��폾��p_�M�J(��*�
> �{B�#��� :=Iޱ$ʢ�E� 4R��!cWp���]��j�Zq$TKI8
> c��|z�츗����N3e�l?<����� �r$�88�l��A�L��I��xթ �
> ��n�nz�ìfX��x��8K-sP�X�Znŗ@��3�/��|�&7��i6CMD�P��<�FQ�!W"}i�?^2��t�&Ҹ�]��(m:3����@B
> D� ��A y(�� \���Ԭ���C����e{����W�����k �4�#�Q��:�V�>!ǫ��Å��
> ����y �(/o��X���s0����NPBę�`!lS$� $�~~I�հ�~��t&�-DJ�̜\� _l�2ͮq�
> ī;��l��"w(�I7�Z�X�DG ��Ϝg\��}e���td��9�a<��\jG���E��'�)��]�}�
> ��#}�EE/+0kd�A��:����K�^��{��W�Q�=���o:!�H��a�T��u �!_��U�S��e]
> a�A�;�E�����Ҍƅ�bx��I����l�Kj�a�=�d*��S�n7�A�sT����HN���K�b0'-.f�
> n�Ԑ��J�B���������3�����y�s�u�7z��X�%`&wOR_OB����(9F��=�
> NZGǹ6₼�_��E�>�BR%G��2�x��!iߝ���: WaZ���:��a�5t� z�?���W{�
> �^��K0z�WO��ZH0 p��ŭ]�r�!�2��ߑ�� �N��7 '���
> �����cQ��,������3`r��e8(��0� %&7(�!)3�*���$�?i��
> ���ƾ��=��ne(��R{,w[��us%�P��@D���A����
> �|�ӳ������~����5���l��[�۷�)�T���3
> �>{�R��T������h�Y���`0�]��Z؎�������/;.��C� �'//�^�
> ��N.n�ƿ5��V���W���U�J���$��!t��J�}�1��
> @�Dž]��ܲ�jt�ۋ�F��L�o��Qt�:��#�j� �
> [�[��r�aV�<6a��K�3�Ъ_�6���/���A��t�� >��a,ïE����F��Qpp-�V�w���� �
> �h�W�?�g��K�w��p(�R���|n���W�6
> �hn�èT����ơ��f�R'�w=��A�+Ō�a�KŹ*���ؙ��I�����?Ƥ_���Ci���z�`�-��D�s��
> T4�v/l��Y�����
> O�(����`s��@AN8��E�n�ȧ/�a�]�_CjPj�B��RJr+��7c�$s��؝�����Hh��*Z)c�$r֜2�-�����
> "��<�9Ķ `��WA��{����1�O@ ��x�4�F$���������Q�%C.�J=t�R�
> ���Q��ܥ��"�o�<��_��J���� ����4��R(g��mwydH_���d�S~��/L��E&w
> ���R5�<���L7=�/�����$�o�q.�/���-���Z�́�qox�P�f4T�N�s�X$q2�
> I��!2�۷#V2h!��1ޖ�����.R�Zd�%�6Gsb�(W�
> �둲j�rb$&�J�}��h�j�zRu����[�#�Uz+5w�H���EqA��,�L\fb ym b)�4Ce
> �3dR�<�2n[FZ�v��8��<�O�)�e�����[�4���$}�zk�����>/��E1�Of|+�`�)�g(%�wz��wn�0�>��Cz���s��M�A�
> 0%�� ̀��{~�
> �o�P�y(&�z+�]ܠ�1dF�'�*/��3z��[�5��:�*:�fqN����&{���S*9l�3��L��U�j�>s(��f^u�V��f�~�^q��
> ��qq)�4`��}���� 4-@'T󃞏w�7 ��TX�~t`�_.A�v#��G��ր��x0�Lu��z��
>
> Any idea on what could be the cause of this?
>
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Antony Stone
On Wednesday 04 October 2017 at 16:16:10, Yuri wrote:

> There where no idea till you show your configs. Thelepathy on vacation.

Show us what appears in the access log as well, both for the first load
(gibberish) and the reload (good text).

Antony.

> 04.10.2017 20:13, Grey пишет:
> > Hi,
> > I'm running Squid version 3.5.23 with caching disabled.
> > Sometimes when accessing various websites (the sites that cause this
> > problem are always the same, such as www.tomshardware.com for example)
> > the page doesn't load correctly until after a page refresh, after which
> > it shows without error.
> > When loaded the first time the only thing that appears is a random mess
> > of symbols like this:
> >
> > ���v�H� ���~5m���
> > �d��%�l����Ze��@6I�P�m}g^c^o�䋈L�7Qi�n��"�\"3c����[����Ł�M��{���/��
> > NZ�?��~o��n� ��z���v���褮6���9�vC�S��Cp9��0 �� {T:v�~ߩ�E;�b�
> > ���a������(�z�� �='��)Oh�ޅ�t9_�F����$��~�s��;
> > ���[�,<=x�@x���+A�s��~�n׉b?i�o^�!7������DH.�~KL����9u�S�^�,x�Y��˃7O�~
> > ��w��e�Z녎�G �p�
> > NZ_·��+�����۞��a���oԗ�g'�� ����Q���h�&A8�$�@�_�{!��]Щ�
> > ���/�N$�-�n}�χa�Ļ_./�xr��\�׫�5�Jʚ�U��z|48ދ�da�ׯ��JY��%�=�/
> > 1mQl�p�Ž�
> > G�W�?��Q�u��w�Z�&��w�TatG�q5��E�=Z0I�K]|�}q��o���.'���u��ý��>���T
> > D���W�Y�b��=l%l�B��WI9'~��O�$~�"���s��Z<�Ђ
> > d}Θ��oW2�Z��U@��9̞矊�[���R!���| �y�� zȊ��sap����A �I �
> > ���GQ��u���I�ʼn�~��Q�i����K���U��Q�*ⳗƒG�^ O� �>�o�>x�%h�v�S�
> > �B�l���j�c@� VaLҗ�cI[���D���-�wߓ[�nˊ�!��g›��N�����s-����P/`cɭ
> > ³JU��d�F�: ��ܹ}�Ss���E%���T��d��@3�� �y�|�J��ǀp���W1-)��
gA���x^���

> > �
> > ����!Q�8E����ak�����݇����$�0a�HD]g��2���*R:q�9��8 �4j�R%h٭u|�ɏ
> > k�1 Z�J�⭈H-�Fᙀ�t�O�\��_DB4@`�H�TUhŮJ"���)��a'>��EXӷo'
> > c�vލށ�:m$ʤҬ"pJ���74
> > %�>���;-���"R��4�4��3p�bŁ��Hun��ܾ��S�C9��"�chR�PN-�4��Vl�*�[
> > �c\�V��������i�~VK�~08�� x��
> > �?���5�L&v8nM�^����x'�|'z�3�~M��05�id��#^���u:Ȩ�;�v��
> > �Ro\X��-1ŋ.\���[��❡t�.��)50`g������I���<}음�;N� ����"i_
> > ko�B\��S�R�@r��@�L"��v�v�+��u���Z:[�%@'h�ɗ8�H[�N2��1
> > `Ʊ&�Ț�5��kOTN��9}�8������}�%�ՙ�ʈ'c�DN��������� #`X��
> > q^8I�T,\����=�:qw�nw����-�mLt)e0�!�E��A�G�+�q���x�9��&
> > ���%H��q�������n����]�g~�S��wV�7kw?AU�B�D4u *~�<"��
> > ��N�]���>�C���Aŗn/���\2�j^�]Sx�J�@"ܢ~~6x�%�v�U��폾��p_�M�J(��
> > *� �{B�#��� :=Iޱ$ʢ�E� 4R��!cWp���]��j�Zq$TKI8
> > c��|z�츗����N3e�l?<����� �r$�88�l��A�L��I��xթ �
> > ��n�nz�ìfX��x��8K-sP�X�Znŗ@��3�/��|�&7��i6CMD�P��<�FQ�!W"}i�?^2��t�
> > &Ҹ�]��(m:3����@B D� ��A y(�� \���Ԭ���C����e{����W�����k
> > �4�#�Q��:�V�>!ǫ��Å�� ����y
> > �(/o��X���s0����NPBę�`!lS$� $�~~I�հ�~��t&�-DJ�̜\� _l�2ͮq�
> > ī;��l��"w(�I7�Z�X�DG ��Ϝg\��}e���td��9�a<��\jG���E��'�)��]�}�
> > ��#}�EE/+0kd�A��:����K�^��{��W�Q�=���o:!�H��a�T��u �!_��U�S��e]
> > a�A�;�E�����Ҍƅ�bx��I����l�Kj�a�=�d*��S�n7�A�sT����HN���K�b0'-.
> > f� n�Ԑ��J�B���������3�����y�s�u�7z��X�%`&wOR_OB����(9F��=�
> > NZGǹ6₼�_��E�>�BR%G��2�x��!iߝ���: WaZ���:��a�5t� z�?���W{�
> > �^��K0z�WO��ZH0 p��ŭ]�r�!�2��ߑ�� �N��7 '���
> > �����cQ��,������3`r��e8(��0� %&7(�!)3�*���$�?i��
> > ���ƾ��=��ne(��R{,w[��us%�P��@D���A����
> > �|�ӳ������~����5���l��[�۷�)�T���3
> > �>{�R��T������h�Y���`0�]��Z؎�������/;.��C� �'//�^�
> > ��N.n�ƿ5��V���W���U�J���$��!t��J�}�1��
> > @�Dž]��ܲ�jt�ۋ�F��L�o��Qt�:��#�j� �
> > [�[��r�aV�<6a��K�3�Ъ_�6���/���A��t�� >��a,ïE����F��Qpp-�V�w����
> > � �h�W�?�g��K�w��p(�R���|n���W�6
> > �hn�èT����ơ��f�R'�w=��A�+Ō�a�KŹ*���ؙ��I�����?Ƥ_���Ci���z�`�-��D�s��
> > T4�v/l��Y�����
> > O�(����`s��@AN8��E�n�ȧ/�a�]�_CjPj�B��RJr+��7c�$s��؝�����Hh��*Z)c�
> > $r֜2�-����� "��<�9Ķ `��WA��{����1�O@
> > ��x�4�F$���������Q�%C.�J=t�R�
> > ���Q��ܥ��"�o�<��_��J���� ����4��R(g��mwydH_���d�S~��/L��E&w
> > ���R5�<���L7=�/�����$�o�q.�/���-���Z�́�qox�P�f4T�N�s�X$q2�
> > I��!2�۷#V2h!��1ޖ�����.R�Zd�%�6Gsb�(W�
> > �둲j�rb$&�J�}��h�j�zRu����[�#�Uz+5w�H���EqA��,�L\fb ym b)�4Ce
> > �3dR�<�2n[FZ�v��8��<�O�)�e�����[�4���$}�zk�����>/��E1�Of|+�`�)�g(%�
> > wz��wn�0�>��Cz���s��M�A� 0%�� ̀��{~�
> > �o�P�y(&�z+�]ܠ�1dF�'�*/��3z��[�5��:�*:�fqN����&{���S*9l�3��L��U�j�>
> > s(��f^u�V��f�~�^q�� ��qq)�4`��}���� 4-@'T󃞏w�7
> > ��TX�~t`�_.A�v#��G��ր��x0�Lu��z��
> >
> > Any idea on what could be the cause of this?

--
Numerous psychological studies over the years have demonstrated that the
majority of people genuinely believe they are not like the majority of people.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Amos Jeffries
Administrator
 >> 04.10.2017 20:13, Grey пишет:
 >>> Hi,
 >>> I'm running Squid version 3.5.23 with caching disabled.
 >>> Sometimes when accessing various websites (the sites that cause this
 >>> problem are always the same, such as www.tomshardware.com for example)
 >>> the page doesn't load correctly until after a page refresh, after which
 >>> it shows without error.
 >>> When loaded the first time the only thing that appears is a random mess
 >>> of symbols like this:
 >>>


On 05/10/17 03:24, Antony Stone wrote:
> On Wednesday 04 October 2017 at 16:16:10, Yuri wrote:
>
>> There where no idea till you show your configs. Thelepathy on vacation.
>
> Show us what appears in the access log as well, both for the first load
> (gibberish) and the reload (good text).
>
 > Antony.
 >

And when it occurs paste the URL into the tool at <https://redbot.org/>.
If it says the server has broken Vary headers that is probably the problem.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Grey
Sorry for not including enough informatio nin the first place.

1. Here's my config, keep in mind it's a test server that will eventually
replace the one (not updated) we're using right now so the configuration is
kinda bare-bones:

### TESTSQUID1 ###

http_port 3128
dns_v4_first on
pinger_enable off
netdb_filename none

error_default_language it
cache_mgr [hidden email]

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d
auth_param negotiate children 150
auth_param negotiate keep_alive on

external_acl_type ProxyUser children-max=75 %LOGIN
/usr/lib/squid/ext_kerberos_ldap_group_acl -g [hidden email] -D
TEST.LOCAL -S testldap
acl ProxyUser external ProxyUser

acl AUTH proxy_auth REQUIRED
http_access deny !AUTH all

http_access deny !Safe_ports all
http_access deny CONNECT !SSL_ports all
http_access allow localhost manager
http_access deny manager all
http_access allow localhost all

acl destsquid dstdomain .testquid1 .testsquid2
http_access allow destsquid all

http_access allow ProxyUser all
http_access deny all

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1
icap://testicap:1344/REQ-Service
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0
icap://testicap:1344/resp
adaptation_access service_resp allow all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

2. This is the access log when first loading the page:

1507185342.611      0 99.99.99.99 TCP_DENIED/407 5179 GET
http://www.tomshardware.com/ - HIER_NONE/- text/html
1507185344.121   1473 99.99.99.99 TCP_MISS/200 48225 GET
http://www.tomshardware.com/ testuser HIER_DIRECT/23.40.112.227 text/html

And this is the one after reloading:

1507185356.932    187 99.99.99.99 TCP_MISS/200 47858 GET
http://www.tomshardware.com/ testuser HIER_DIRECT/23.40.112.227 text/html
1507185357.425      0 99.99.99.99 TCP_DENIED/407 4440 GET
http://platform.twitter.com/widgets.js - HIER_NONE/- text/html
1507185357.482     13 99.99.99.99 TCP_MISS/200 2019 GET
http://www.tomshardware.com/medias/favicon/favicon-32x32.png? testuser
HIER_DIRECT/23.40.112.227 image/png
1507185357.548     61 99.99.99.99 TCP_REFRESH_UNMODIFIED/304 516 GET
http://platform.twitter.com/widgets.js testuser HIER_DIRECT/199.96.57.6 -
1507185357.565      0 99.99.99.99 TCP_DENIED/407 4178 CONNECT
www.tomshardware.com:443 - HIER_NONE/- text/html
1507185357.924      0 99.99.99.99 TCP_DENIED/407 4190 CONNECT
syndication.twitter.com:443 - HIER_NONE/- text/html

3. The result of the test at redbot
(https://redbot.org/?uri=http%3A%2F%2Fwww.tomshardware.com%2F if you want to
check it yourself) is:

General
The Pragma header is deprecated.
The Content-Length header is correct.
Content Negotiation (Content Negotiation response )
The resource doesn't send Vary consistently.
The response body is different when content negotiation happens.
Content negotiation for gzip compression is supported, saving 86%.
Caching
Pragma: no-cache is a request directive, not a response directive.
This response can't be stored by a cache.

So it indeed seems that this could be the problem, right? Anything I can do
on my end to resolve/mitigate it?
Thanks for your help.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Amos Jeffries
Administrator
On 05/10/17 19:42, Grey wrote:

> Sorry for not including enough informatio nin the first place.
>
> 1. Here's my config, keep in mind it's a test server that will eventually
> replace the one (not updated) we're using right now so the configuration is
> kinda bare-bones:
>
> ### TESTSQUID1 ###
>
> http_port 3128
> dns_v4_first on
> pinger_enable off
> netdb_filename none
>
> error_default_language it
> cache_mgr [hidden email]
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d
> auth_param negotiate children 150
> auth_param negotiate keep_alive on
>
> external_acl_type ProxyUser children-max=75 %LOGIN
> /usr/lib/squid/ext_kerberos_ldap_group_acl -g [hidden email] -D
> TEST.LOCAL -S testldap
> acl ProxyUser external ProxyUser
>
> acl AUTH proxy_auth REQUIRED
> http_access deny !AUTH all

So two problems.
1) 'all' here means clients with incorrect OR missing auth credentials
do not get challenged for working credentials. Since any sane client
security system will not present credentials until told they are
necessary the above should rightfully prevent *any* secure clients from
using this proxy.

2) your custom config lines should be placed below the default security
settings. This is especially important for ACLs like auth which involve
a lot of background work. The default settings are there to block things
like DoS or attacks that can be trivially and quickly denied, and to do
so with minimal CPU expense.

>
> http_access deny !Safe_ports all
> http_access deny CONNECT !SSL_ports all
> http_access allow localhost manager
> http_access deny manager all
> http_access allow localhost all

If you place the "allow localhost" above the "deny manager" you can
remove one extra line of checks.

>
> acl destsquid dstdomain .testquid1 .testsquid2
> http_access allow destsquid all

The 'all' ACL is a pointless waste of CPU cycles on all of the lines above.

>
> http_access allow ProxyUser all
The 'all' ACL here *might* prevent unauthenticated clients from being
challenged for credentials like the 'deny !AUTH' line did. But YMMV. It
either does that or is pointless.

The current 3.5 provides the %un format code which should not generate
an auth challenge. That should eliminate the need for the all-hack here.


> http_access deny all
>
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1
> icap://testicap:1344/REQ-Service
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=0
> icap://testicap:1344/resp
> adaptation_access service_resp allow all
>
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> 2. This is the access log when first loading the page:
>
> 1507185342.611      0 99.99.99.99 TCP_DENIED/407 5179 GET
> http://www.tomshardware.com/ - HIER_NONE/- text/html
> 1507185344.121   1473 99.99.99.99 TCP_MISS/200 48225 GET
> http://www.tomshardware.com/ testuser HIER_DIRECT/23.40.112.227 text/html
>
> And this is the one after reloading:
>

By "reloading" do you mean:

  * using a testing tool that sends an identical repeat request? or
  * clicking + pressing enter in a browser address bar? or
  * pressing the browser reload button? or
  * pressing the force-refresh (F5) button? or
  * holding shift while doing any of the above?

Only the first two above methods will perform a clean HTTP test request.
The others all deliver cache controls to force specific cache behaviour
which void the test results.


> 1507185356.932    187 99.99.99.99 TCP_MISS/200 47858 GET
> http://www.tomshardware.com/ testuser HIER_DIRECT/23.40.112.227 text/html
> 1507185357.425      0 99.99.99.99 TCP_DENIED/407 4440 GET
> http://platform.twitter.com/widgets.js - HIER_NONE/- text/html
> 1507185357.482     13 99.99.99.99 TCP_MISS/200 2019 GET
> http://www.tomshardware.com/medias/favicon/favicon-32x32.png? testuser
> HIER_DIRECT/23.40.112.227 image/png
> 1507185357.548     61 99.99.99.99 TCP_REFRESH_UNMODIFIED/304 516 GET
> http://platform.twitter.com/widgets.js testuser HIER_DIRECT/199.96.57.6 -
> 1507185357.565      0 99.99.99.99 TCP_DENIED/407 4178 CONNECT
> www.tomshardware.com:443 - HIER_NONE/- text/html
> 1507185357.924      0 99.99.99.99 TCP_DENIED/407 4190 CONNECT
> syndication.twitter.com:443 - HIER_NONE/- text/html
>
> 3. The result of the test at redbot
> (https://redbot.org/?uri=http%3A%2F%2Fwww.tomshardware.com%2F if you want to
> check it yourself) is:
>
> General
> The Pragma header is deprecated.
> The Content-Length header is correct.
> Content Negotiation (Content Negotiation response )
> The resource doesn't send Vary consistently.

  ^^ this one is what I meant. There are several side effects of this -
mostly just annoying MISS behaviours, but sometimes the wrong
content-type can end up being associated with a cached object and things
appear as you described the problem

Also, IIRC NginX (which appears to be the server for that site) was
known to have several bugs that led to these types of broken
content-type behaviour some years back. I'm not sure if that ever got fixed.


> The response body is different when content negotiation happens.
> Content negotiation for gzip compression is supported, saving 86%.
> Caching
> Pragma: no-cache is a request directive, not a response directive.
> This response can't be stored by a cache.
>
> So it indeed seems that this could be the problem, right? Anything I can do
> on my end to resolve/mitigate it?


I see that the server is already sending out "Cache-Control: no-store"
so the problem is not your Squid but something upstream. Just make sure
you do not override that no-store for these sites and your proxy will
continue not to be adding problems.

It may be the ICAP service mangling the response type from gzip to
text/plain incorrectly (ie without actually unzipping), or removing the
relevant cache-controls.

Or equally likely; a proxy upstream force-caching, thus making itself
*and* yours run afoul of the Vary issue. This is where I suspect the
NginX or some hidden intermediary.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Grey
This post was updated on .
Firstly, thanks a lot for taking the time to check my configuration and
provide such detailed suggestions; I think I've followed all of them and
fixed the problems you pointed out.
We have a Windows domain and all those "all" directives where inherited from
our old proxy server (running Squid verson 3.1.20) and were used to let
domain users not receive any popups asking for credentials, while at the
same time presenting those credentials requests to non-domain users; if I'm
understanding your comments correctly I can safely remove them and get the
same result, am I right?
We were having an issue with authentication too, where domain users
sometimes received a popup asking for credentials (shouldn't happen since I
have only enabled kerberos auth) and would need to click "Cancel" and reload
the page to resume browsing correctly; could the presence of all those "all"
directives have caused that too in your opinion?

The new configuration should result in this if I didn't miss/misunderstand
anything (I've addedd a whitelist rule that I missed earlier):

### TESTSQUID1 ###

http_port 3128
dns_v4_first on
pinger_enable off
netdb_filename none

error_default_language it
cache_mgr helpdesk@test.it

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d
auth_param negotiate children 150
auth_param negotiate children 150 startup=20 idle=10
auth_param negotiate keep_alive on

external_acl_type ProxyUser children-max=75 %LOGIN
/usr/lib/squid/ext_kerberos_ldap_group_acl -g INTERNET@TEST.LOCAL -D
TEST.LOCAL -S testldap
acl ProxyUser external ProxyUser

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny manager

acl destsquid dstdomain .testsquid1 .testsquid2
http_access allow destsquid

acl siti_whitelist dstdomain "/etc/squid/siti_whitelist"

acl AUTH proxy_auth REQUIRED
http_access deny !AUTH

http_access allow siti_whitelist
http_access allow ProxyUser
http_access deny all

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1
icap://testicap:1344/REQ-Service
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0
icap://testicap:1344/resp
adaptation_access service_resp allow all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Edit: I feel stupid but I think I've found the problem at last... the two test users having the issue have uBlock installed as a Chrome addon, looks like everything works correctly if Chrome is launched without it. That brings me to the next question... do you think there's something I could do to make uBlock and Squid behave correctly? or should I open a bug report on uBlock Github?
Thanks a lot for the patience guys, sorry for kinda wasting your time...

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Amos Jeffries
Administrator
On 05/10/17 22:32, Grey wrote:
> Firstly, thanks a lot for taking the time to check my configuration and
> provide such detailed suggestions; I think I've followed all of them and
> fixed the problems you pointed out.
> We have a Windows domain and all those "all" directives where inherited from
> our old proxy server (running Squid verson 3.1.20) and were used to let
> domain users not receive any popups asking for credentials, while at the
> same time presenting those credentials requests to non-domain users; if I'm
> understanding your comments correctly I can safely remove them and get the
> same result, am I right?

Most of the 'all' uses were pointless even in the old config. Only the
ones on the lines with AUTH and ProxyUsers ACLs had any effect on popups.


As for your requirement;

If you think about it Squid has zero ways to identify on-domain vs
off-domain users until *after* the user has logged in. Any on-domain
user who sends invalid or no credentials is indistinguishable from a
off-domain user sending invalid or no credentials.

So the config hack did not actually do what you were wanting in the
first place. It just suppresses login challenges for *everybody* without
credentials - as it was designed to do.


Popups are a feature of the client agent being used (aka Browser). The
browser may choose to do it at any time for any reason, though the
popular ones usually only do so if it cannot automatically locate any
credentials to send in response to a challenge.

Whatever was working was due to some other behaviour which may change at
any time regardless of the all hack use. Mostly likely by on-domain
clients sending their credentials up front before any need was mentioned
by the proxy.

FYI: The clients sending their users credentials without a challenge is
*very bad* security practice since they will broadcast those credentials
to anything they connect, not just your proxy.


> We were having an issue with authentication too, where domain users
> sometimes received a popup asking for credentials (shouldn't happen since I
> have only enabled kerberos auth) and would need to click "Cancel" and reload
> the page to resume browsing correctly; could the presence of all those "all"
> directives have caused that too in your opinion?


The all-hack was preventing Squid from telling the browser what it
needed to login. So the popups themselves were caused by some other
reason unrelated to Squid.

That said, the absence of proper instructions from Squid probably was
involved with the horrible need to cancel and reload the page. The
normal behaviour would have been either silent re-try with other
automatic credentials or a popup that user could login with successfully.


FWIW: It is true that Kerberos tends to have popups less often than
NTLM. But that is just a side-effect of Kerberos being far more
efficient and less fragile than NTLM with its relatively static keytab
value - the NTLM equivalent of keytab is generated fresh on every single
TCP connection with a client connection to the DC, which takes up time
and can be interfered with. So the chance of problems leading to a popup
in Kerberos are far lower, but not gone completely.



>
> The new configuration should result in this if I didn't miss/misunderstand
> anything (I've addedd a whitelist rule that I missed earlier):
>
> ### TESTSQUID1 ###
>
> http_port 3128
> dns_v4_first on
> pinger_enable off
> netdb_filename none
>
> error_default_language it
> cache_mgr [hidden email]
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d
> auth_param negotiate children 150
> auth_param negotiate children 150 startup=20 idle=10
> auth_param negotiate keep_alive on
>
> external_acl_type ProxyUser children-max=75 %LOGIN
> /usr/lib/squid/ext_kerberos_ldap_group_acl -g [hidden email] -D
> TEST.LOCAL -S testldap
> acl ProxyUser external ProxyUser
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny manager
>
> acl destsquid dstdomain .testsquid1 .testsquid2
> http_access allow destsquid
>
> acl siti_whitelist dstdomain "/etc/squid/siti_whitelist"
>

It should be obvious, but just so that it is clearly stated:

Anything which is allowed or denied regardless of user auth (eg the
whitelist?) should be done in an http_access line above the "deny !AUTH"
line.


> acl AUTH proxy_auth REQUIRED
> http_access deny !AUTH
>
> http_access allow siti_whitelist
> http_access allow ProxyUser

If you get unwanted popups after this config update, you can try adding
the all-hack back onto the above line.

> http_access deny all
>
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1
> icap://testicap:1344/REQ-Service
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=0
> icap://testicap:1344/resp
> adaptation_access service_resp allow all
>
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> Getting back to the main problem, i've set "icap_enable off" and reloaded
> Squid, then tried again and got the same problem; since we're not using any
> cache parent and Squid isn't using ICAP at the moment, can I assume there's
> nothing else I can do and just have to ignore the problem?
> The thing that bugs me is that only Chrome seems to be having this
> particular problem... could this even be something linked to a bug or a
> simple behaviour difference between Chrome and IE/Firefox?
> Thanks again for all your patience :)

There is one other thing you can do. That is to enable "debug_options
11,2" for a while and run a test fetching with both browsers.

Squid-3.5 with that debug setting should log the HTTP request headers in
their on-wire format so you can compare what is going on in both client
and server connections for both browsers vs what the browsers think they
received.

That might give you some clues about things to workaround it. Just make
sure that workarounds are done as conservatively as possible so as not
to break other sites in other annoying ways.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Grey
First of all thanks a lot for the heads up on authentication and the config
"review", I've found everything really helpful. I'll keep it all in mind
moving forward.
About the problem I was having, looks like you responded while I was editing
my original message... so I'll quote it here:

I feel stupid but I think I've found the problem at last... the two test
users having the issue have uBlock installed as a Chrome addon, looks like
everything works correctly if Chrome is launched without it. That brings me
to the next question... do you think there's something I could do to make
uBlock and Squid behave correctly? or should I open a bug report on uBlock
Github?
Thanks a lot for the patience guys, sorry for kinda wasting your time...



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pages sometimes load as a mess of random (?) symbols

Amos Jeffries
Administrator
On 06/10/17 22:47, Grey wrote:

> First of all thanks a lot for the heads up on authentication and the config
> "review", I've found everything really helpful. I'll keep it all in mind
> moving forward.
> About the problem I was having, looks like you responded while I was editing
> my original message... so I'll quote it here:
>
> I feel stupid but I think I've found the problem at last... the two test
> users having the issue have uBlock installed as a Chrome addon, looks like
> everything works correctly if Chrome is launched without it. That brings me
> to the next question... do you think there's something I could do to make
> uBlock and Squid behave correctly? or should I open a bug report on uBlock
> Github?

Definitely talk to the uBlock people. Maybe the chrome ones as well.

That same debug suggestion I tacked on the end of my last response is
still relevant. It will give you more info to work with in your
discussions with them if you can demonstrate what input message is
getting borked.


> Thanks a lot for the patience guys, sorry for kinda wasting your time...

NO problem. It's usually interesting to see whats going on in the world.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users