Squid - Can't visit (government site and Banking Site) - Please help


Squid - Can't visit (government site and Banking Site) - Please help

russel0901
I am having a problem with my squid proxy

This setting is allow all, but I can't visit sites like bancnetonline, rcbc,
philhealth (govt and bank sites)

sometimes it can be visited, sometimes not... (weird???)

Please Help thank you.


here is my squid conf...

max_filedesc 4096
request_header_access X-Forwarded-For allow all
via off
httpd_suppress_version_string on

http_port 3333
icp_port 3535

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 5480 KB
cache_dir ufs /home/squidcache 6000 16 256
#cache_dir ufs /home/squidcache2 6000 16 256
cache_access_log /home/squidcache/access.log
cache_log /dev/null
cache_store_log none
ftp_user [hidden email]
dns_defnames on
request_body_max_size 10000 MB
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
negative_ttl 1 minute
negative_dns_ttl 5 minute
connect_timeout 60 minute
read_timeout 5 minute
request_timeout 60 second
client_lifetime 4 hour
half_closed_clients off
pconn_timeout 240 second
shutdown_lifetime 5 second
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method purge
acl manager proto cache_object
acl apache src 10.20.0.245

acl QUERY urlpath_regex -i owa
acl QUERY2 urlpath_regex cgi-bin \?
acl QUERY3 urlpath_regex -i php
acl dontcache dstdomain "/etc/squid/dontcache"
no_cache deny QUERY
no_cache deny QUERY2
no_cache deny QUERY3
always_direct allow dontcache


#allowed sites
acl blockedsites dstdomain "/etc/squid/blockedsites"
acl allowedsites dstdomain "/etc/squid/authorizedsites"
acl tahiti src 172.16.20.254/32
acl elmo src 10.20.0.254/32
acl mnlnet2 src "/etc/squid/authorized"


http_access allow dontcache
http_access allow manager apache
http_access allow all
http_access allow elmo
#http_access allow localhost
#http_access allow purge localhost
#http_access allow manager localhost
http_access allow mnlnet2
http_access allow tahiti
http_access deny !Safe_ports
#http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny purge
http_access deny blockedsites


#icp_access  allow  localhost
icp_access allow all
icp_access allow elmo
icp_access allow tahiti
icp_access allow mnlnet2
miss_access allow all

cache_mgr xxxxxx

cache_effective_user squid
cache_effective_group squid
visible_hostname xxxxxx
append_domain .globalsources.com
memory_pools off
log_icp_queries off
client_db off

check_hostnames off



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid - Can't visit (government site and Banking Site) - Please help

Amos Jeffries
On 25/04/20 9:09 am, russel0901 wrote:
> I am having a problem on my squid proxy
>

Which version of Squid are you using?
Output of squid -v would be best if you can provide.


> this settings is allow all but i can't visit sites like bancnetonline, rcbc,
> philhealth (govt and bank site)
>
> sometimes it can be visited, sometimes not... (weird???)
>
> Please Help thank you.
>

Following is a free review of your config settings.

To actually determine your problem we will need log records of a failing
transaction. At least access.log entries you see for it, and maybe also
something from cache.log if that is not enough.

... which brings me to the first problem in your config.

"cache_log /dev/null" is a very bad idea. This completely hides all
information about problems from *you* - the problems still exist, still
seen by everyone else involved.
 All this does is erase most of your ability to troubleshoot.

If your objective is reduced log verbosity use this setting instead:
  debug_options ALL,0

That reduces cache.log contents to mentions about critical failures of
Squid.


>
> here is my squid conf...
>
> max_filedesc 4096

Why so low? And why the deprecated RedHat experimental directive?

Current squid.conf directive is max_filedescriptors. It is a backup to
the --with-max-filedescriptors build option and system ulimit setup.



> request_header_access X-Forwarded-For allow all

This is pointless. All it does is waste CPU cycles on every request
through Squid.

> via off
> httpd_suppress_version_string on
>
> http_port 3333
> icp_port 3535
>
> hierarchy_stoplist cgi-bin ?

This is pointless. It is the default setting for all Squid-3 and later
versions.

> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

QUERY is obsolete and actually somewhat harmful in current Squid.

For much improved caching you can add the missing refresh_pattern
mentioned below, then erase these and all other rules using QUERY ACL name.


> cache_mem 32 MB
> maximum_object_size 5480 KB
> cache_dir ufs /home/squidcache 6000 16 256
> #cache_dir ufs /home/squidcache2 6000 16 256
> cache_access_log /home/squidcache/access.log

This directive has been deprecated since early Squid-2.
Current Squid use:
  access_log /home/squidcache/access.log


> cache_log /dev/null

Already mentioned the problems with this. Please revert it to the
default for your Squid version. You will need this log to investigate
the current problem.


> cache_store_log none

This is pointless. It is the default for all current Squid.

> ftp_user [hidden email]
> dns_defnames on
> request_body_max_size 10000 MB
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440

Missing pattern:

  refresh_pattern -i (/cgi-bin/|\?) 0     0%      0


> refresh_pattern .               0       20%     4320
> negative_ttl 1 minute
> negative_dns_ttl 5 minute
> connect_timeout 60 minute
> read_timeout 5 minute
> request_timeout 60 second
> client_lifetime 4 hour
> half_closed_clients off
> pconn_timeout 240 second
> shutdown_lifetime 5 second
> #acl localhost src 127.0.0.1/32 ::1
> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
> acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method purge

Do you or clients actually use PURGE method requests?

It would be worth looking into why. That old Squid custom extension to
HTTP is deprecated.

Current Squid obeys HTTP/1.1 caching far better than old Squid-2 and
earlier versions. You can use a Cache-Control:no-cache *request* header to
update cache contents better than PURGE ever could.

Also, HTCP protocol is better for cache management with HTTP/1.1 than
either PURGE or ICP protocol. If you can find or adapt tools to use that
protocol they will be much better off.




> acl manager proto cache_object

This is also a deprecated manager ACL definition. This implies that your
Squid is quite old. Please upgrade to a more current version.


> acl apache src 10.20.0.245
>
> acl QUERY urlpath_regex -i owa
> acl QUERY2 urlpath_regex cgi-bin \?
> acl QUERY3 urlpath_regex -i php
> acl dontcache dstdomain "/etc/squid/dontcache"
> no_cache deny QUERY
> no_cache deny QUERY2
> no_cache deny QUERY3

"no_cache" is deprecated. Above rules are actually doing "cache deny".


It would be worth investigating why any URL containing the letters "owa"
or "php" is apparently being forced to cache.

Please notice these ACL regex match if those letters occur *anywhere* in
the URL path portion. That includes 'folder' , 'filename', query-string,
and fragment strings. Also in non-HTTP URLs which have 'path' portions
and such.


> always_direct allow dontcache

This is a routing control directive. ACL called 'dontcache' is confusing
as reason to prevent routing to cache_peer - which do not exist in this
config anyway.

As a result of this any domain not listed in "dontcache" ACL will be
prevented from service by this proxy.

If that is actually what you want to happen, it would be better
configuring this:

 http_access deny !dontcache

... but you have explicitly put the exact opposite in your http_access
rules below. Which implies these rules are completely broken.


>
> #allowed sites
> acl blockedsites dstdomain "/etc/squid/blockedsites"
> acl allowedsites dstdomain "/etc/squid/authorizedsites"
> acl tahiti src 172.16.20.254/32
> acl elmo src 10.20.0.254/32
> acl mnlnet2 src "/etc/squid/authorized"
>
>
> http_access allow dontcache
> http_access allow manager apache
> http_access allow all

All following http_access rules are pointless.

Since all previous http_access rules are 'allow' they are also a pointless
waste of CPU cycles.

This is an open proxy, with no logging. As such the only security
protection you have is the miss_access which *breaks* a huge amount of
traffic. If it were not for that your network would be completely open
to any type of attack.



> http_access allow elmo
> #http_access allow localhost
> #http_access allow purge localhost
> #http_access allow manager localhost
> http_access allow mnlnet2
> http_access allow tahiti
> http_access deny !Safe_ports
> #http_access deny manager
> http_access deny CONNECT !SSL_ports
> http_access deny purge
> http_access deny blockedsites
>
>
> #icp_access  allow  localhost
> icp_access allow all

None of the following icp_access rules have any effect.

This proxy does not have any cache_peer to send ICP traffic to.


> icp_access allow elmo
> icp_access allow tahiti
> icp_access allow mnlnet2
> miss_access allow all

This miss_access is pointless. It is the default behaviour of Squid.


Amos
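Amos's point about rule order above (everything after "http_access allow all" is dead, and the proxy is open to anyone who can reach port 3333), as an added example that is not part of the thread and not Squid's own code: a small Python model of how Squid evaluates http_access lines. Squid checks the lines top to bottom, a line matches when every ACL on it matches (a leading "!" negates one ACL), the first matching line decides, and when no line matches the result is the opposite of the last line's action. The ACL predicates, the two orderings (the posted one, and the same lines in the order the Squid default config ships them), the sample requests and the simplified path-based "manager" ACL are all constructed for illustration.

```python
"""Model of Squid http_access evaluation (illustration only, not Squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str          # client IP as seen by the proxy
    method: str       # GET, CONNECT, ...
    port: int         # destination port
    path: str = "/"   # URL path; only the simplified 'manager' ACL looks at it


def acl_src(*networks):
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)


def acl_port(*ports):
    # accepts single ports and "lo-hi" ranges, like Squid's 'port' ACL
    ranges = []
    for p in ports:
        lo, _, hi = str(p).partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda r: any(lo <= r.port <= hi for lo, hi in ranges)


def acl_method(name):
    return lambda r: r.method.upper() == name.upper()


# ACL table modelled on the second posted squid.conf (Squid 4 defaults).
ACLS = {
    "all": lambda r: True,
    "localhost": acl_src("127.0.0.0/8", "::1/128"),
    "localnet": acl_src("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                        "fc00::/7", "fe80::/10"),
    "SSL_ports": acl_port(443),
    "Safe_ports": acl_port(80, 21, 443, 70, 210, "1025-65535",
                           280, 488, 591, 777),
    "CONNECT": acl_method("CONNECT"),
    # Squid's built-in 'manager' ACL matches cache-manager requests; this
    # path test is an assumption made to keep the model small.
    "manager": lambda r: r.path.startswith("/squid-internal-mgr/"),
}


def term_matches(term, acls, req):
    negate = term.startswith("!")
    return acls[term.lstrip("!")](req) != negate


def evaluate(rules, req, acls=ACLS):
    """Return (decision, index of the deciding line); index -1 = fall-through."""
    last_action = "allow"
    for i, (action, terms) in enumerate(rules):
        last_action = action
        if all(term_matches(t, acls, req) for t in terms):
            return action, i
    return ("deny" if last_action == "allow" else "allow"), -1


def dead_rules(rules):
    """Indexes of lines that can never match because an earlier line is an
    unconditional 'allow all' or 'deny all'."""
    for i, (_, terms) in enumerate(rules):
        if terms == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


# Ordering from the second posted config: 'allow all' comes first.
POSTED = [
    ("allow", ["all"]),
    ("allow", ["localhost", "manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["manager"]),
    ("deny", ["all"]),
]

# The same lines in the order the Squid default config ships them:
# port and CONNECT restrictions first, then the client allows, then deny all.
FIXED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Constructed sample requests (documentation address for the Internet client).
INTERNET_GET = Request(src="203.0.113.7", method="GET", port=80)
LAN_HTTPS = Request(src="10.20.0.50", method="CONNECT", port=443)
LAN_CONNECT_8080 = Request(src="10.20.0.50", method="CONNECT", port=8080)

if __name__ == "__main__":
    for label, req in [("internet GET :80", INTERNET_GET),
                       ("LAN CONNECT :443", LAN_HTTPS),
                       ("LAN CONNECT :8080", LAN_CONNECT_8080)]:
        print(f"{label:18} posted={evaluate(POSTED, req)[0]:5} "
              f"fixed={evaluate(FIXED, req)[0]}")
    print("dead lines in posted config:", dead_rules(POSTED))
```

With the posted order the Internet client and the CONNECT to a non-TLS port are both allowed by line 0; with the default order the Internet client falls through to "deny all" and the odd CONNECT is stopped by "deny CONNECT !SSL_ports", while the LAN client's HTTPS still works.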

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
Hi, upon checking I am using squid version 3.1 on CentOS 6.10




Re: Squid - Can't visit (government site and Banking Site) - Please help

Antony Stone
On Sunday 26 April 2020 at 15:14:40, russel0901 wrote:

> Hi, upon checking I am using squid version 3.1 on CentOS 6.10

Wow, that's impressive (in a way).

Squid 3.1 was released ten years ago (29 March 2010).

On Wednesday 15 August 2012 at 13:29:07, Amos Jeffries wrote:

> The Squid HTTP Proxy team is very pleased to announce the availability
> of the Squid-3.2.1 release.
>
> Support for Squid-3.1 bug fixes has now officially ceased. Bugs in 3.1
> will continue to be fixed, however the fixes will be added to the 3.2
> series. All users of Squid-3.1 are encouraged to plan for upgrades.

The current stable version of Squid is 4.11

I recommend you upgrade.  Aside from anything else, you're not going to find
many people in a position to help out with such an old version, as well as the
fact that it almost certainly doesn't support certain features required by
modern web browsers or servers.

Regards,


Antony.

--
I lay awake all night wondering where the sun went, and then it dawned on me.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid - Can't visit (government site and Banking Site) - Please help

Matus UHLAR - fantomas
In reply to this post by russel0901
On 26.04.20 08:14, russel0901 wrote:
>Subject: Re: [squid-users] Squid - Can't visit (government site and Banking
> Site) - Please help
>
>Hi, upon checking I am using squid version 3.1 on CentOS 6.10

1. It is nice to mention your problem in the mail body, not only in the Subject:

2. As already advised, upgrade. CentOS 6.10 will only last 7 months from now.

3. Are you trying to filter HTTPS connections using sslbump?
   In such case, the upgrade is even more important.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
okay, will try to upgrade...

our goal is to have a squid proxy that will allow all websites (without any
restriction)

reason: I only need the squid proxy to monitor the website visits of the users
via sqstat and SARG (squid analyze report generator)

Problem: all websites are okay, only government sites and banking sites are
having a problem...

upon checking the access.log, (HTTP 200 0 Connect) is the result for the
website when I can't connect to it.

weird problem: sometimes the website can be visited and sometimes not




Re: Squid - Can't visit (government site and Banking Site) - Please help

Matus UHLAR - fantomas
On 27.04.20 02:17, russel0901 wrote:
>okay will try to upgarde...
>
>our goal is to have a squid proxy that will allow all website (without any
>restriction)

this is the standard behaviour. Note that you should only allow your
clients, not clients from the internet

>reason: I only need the squid proxy to monitor the website visit of the user
>via sqstat and SARG (squid analyze report generator)
>
>Problem: all website is okay only government site and banking sites is
>having a problem...

this is indicating that you have some blocking implemented

>upon checking on the access.log  (HTTP 200 0 Connect) that is the result of
>the website if i can't connect to to it.

200 is the code for success; apparently the connection was successful.


>weird problem: sometimes the website can be visited and sometimes not

logs can say more.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
In reply to this post by Matus UHLAR - fantomas
I made a new config and upgraded to CentOS 8.1xxx and Squid 4.4

STILL CAN'T VISIT THE WEBSITE (GOVT SITE AND BANKING SITES)


This is my Squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


http_access allow all
http_access allow localhost manager
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny CONNECT !SSL_ports
http_access deny manager


http_access deny all


http_port 3333

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /home/squidcache 100 16 256
cache_access_log /home/squidcache/access.log

# Leave coredumps in the first cache dir
coredump_dir /home/squidcache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid





Re: Squid - Can't visit (government site and Banking Site) - Please help

Matus UHLAR - fantomas
On 27.04.20 07:31, russel0901 wrote:
>I made a new Config and upgrade to CentOS 8.1xxx and Squid 4.4
>
>STILL CAN'T VISIT THE WEBSITE (GOVT SITE AND BANKING SITES)

stop shouting...
what is your error message and what is the message in logs?
what do your clients have configured in browsers?

are you aware that your first access directive is "http_access allow all",
which makes you an open proxy?

>This is my Squid.conf
>
>#
># Recommended minimum configuration:
>#
>
># Example rule allowing access from your local networks.
># Adapt to list your (internal) IP networks from where browsing
># should be allowed
>acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
>acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
>acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
>acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
>acl localnet src fc00::/7       # RFC 4193 local private network range
>acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines
>
>acl SSL_ports port 443
>acl Safe_ports port 80 # http
>acl Safe_ports port 21 # ftp
>acl Safe_ports port 443 # https
>acl Safe_ports port 70 # gopher
>acl Safe_ports port 210 # wais
>acl Safe_ports port 1025-65535 # unregistered ports
>acl Safe_ports port 280 # http-mgmt
>acl Safe_ports port 488 # gss-http
>acl Safe_ports port 591 # filemaker
>acl Safe_ports port 777 # multiling http
>acl CONNECT method CONNECT
>
>
>http_access allow all
>http_access allow localhost manager
>http_access allow localnet
>http_access allow localhost
>http_access deny !Safe_ports
>
># We strongly recommend the following be uncommented to protect innocent
># web applications running on the proxy server who think the only
># one who can access services on "localhost" is a local user
>#http_access deny to_localhost
>
>#
># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>#
>
># Example rule allowing access from your local networks.
># Adapt localnet in the ACL section to list your (internal) IP networks
># from where browsing should be allowed
>http_access deny CONNECT !SSL_ports
>http_access deny manager
>
>
>http_access deny all
>
>
>http_port 3333
>
># Uncomment and adjust the following to add a disk cache directory.
>#cache_dir ufs /var/spool/squid 100 16 256
>cache_dir ufs /home/squidcache 100 16 256
>cache_access_log /home/squidcache/access.log
>
># Leave coredumps in the first cache dir
>coredump_dir /home/squidcache
>
>#
># Add any of your own refresh_pattern entries above these.
>#
>refresh_pattern ^ftp: 1440 20% 10080
>refresh_pattern ^gopher: 1440 0% 1440
>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>refresh_pattern . 0 20% 4320
>cache_effective_user squid
>cache_effective_group squid


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
Hi again... sorry, I was not shouting, just capitalizing the message.

the message on my logs is...

TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 -
HIER_DIRECT/203.131.77.194 -

but still i can't visit the site...

weird problem: sometimes the website can be visited, but that rarely happens;
most of the time it's not..

upon pinging the server, I can't ping the said server..

also (www.rcbc.com): I can't visit the said site but I can ping the website,
weird right?

note: we don't have any configuration of the browser (just default only)




Re: Squid - Can't visit (government site and Banking Site) - Please help

Matus UHLAR - fantomas
On 27.04.20 10:17, russel0901 wrote:
>Hi again... sorry i was not shouting just making the message capitalize.
>
>the message on my logs is...
>
>TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 -
>HIER_DIRECT/203.131.77.194 -

this means that the proxy was asked to connect to destination server and
succeeded.

>but still i can't visit the site...

well, the connection to the server above was created (200 code)
what is the error message you see?

>note: we don't have any configuration of the browser (just default only)

what do you mean "Default"? Do you use proxy autodetection?
If not, configure the browser to use the proxy if it helps.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
Hi again...

sorry, the browser has a configuration; we already statically pointed the
browser to our server 10.20.X.X, port 3333


about the error message:

This site can’t be reached (on the browser error)

www.bancnetonline.com took too long to respond.

Try:

Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_TIMED_OUT


note: sometimes it can be visited and sometimes not.





Re: Squid - Can't visit (government site and Banking Site) - Please help

Amos Jeffries
On 29/04/20 2:56 am, russel0901 wrote:

> Hi again...
>
> sorry the browser has a configuration, we already static the browser to our
> server 10.20.X.X to port 3333
>
>
> about on the message of error:
>
> This site can’t be reached (on the browser error)
>
> www.bancnetonline.com took too long to respond.
> Try:
>
> Checking the connection
> Checking the proxy and the firewall
> Running Windows Network Diagnostics
> ERR_TIMED_OUT
>

All worth doing to the best of your abilities, regardless of what help
we provide.


Since Squid-4 said 200 status the TCP connection is _setup_ fine -
implying DNS also okay. However, the time that setup takes may be
relevant. Even if successful it may take long enough to impact the other
layers handshakes.

Path-MTU discovery may still be having issues with packet sizes after
TCP establishment. Missing ACK on any packets is the thing to be looking
for on the TCP connections - both client-Squid and Squid-server.


Then there is the TLS layer handshake. This is across the tunnel between
the client and server.
 You can use a TCP packet dump to track the TLS handshake messages
inside the tunnel with wireshark. Or a Squid-4 cache.log at level 9 will
give some indication of what TLS is doing via the I/O sizes. Timing is
again the thing to look for here.


Amos
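Matus's reading of the log line (status 200 means the tunnel was set up) together with Amos's point that the TLS handshake then runs inside that tunnel, as an added example that is not from the thread and not Squid's own code: Python that parses Squid native-format access.log lines and flags CONNECT tunnels that were opened but delivered nothing back to the client. The parser assumes the native format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type). The bytes field counts what Squid sent to the client, and Squid's own reply "HTTP/1.1 200 Connection established" plus the blank line is 39 bytes, so a tunnel logged with exactly 39 bytes carried none of the server's handshake; the "stalled" threshold is an arbitrary choice. The sample lines are constructed, apart from the TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 fragment quoted in the thread.

```python
"""Flag CONNECT tunnels in a Squid native access.log that never carried
server data (illustration only; not Squid code)."""
import re
from collections import Counter

# Size of Squid's own reply that opens a tunnel; a CONNECT logged with this
# many bytes sent nothing from the server on to the client.
TUNNEL_REPLY_BYTES = len(b"HTTP/1.1 200 Connection established\r\n\r\n")  # 39

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$")


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed_ms", "status", "bytes"):
        rec[key] = int(rec[key])
    rec["ts"] = float(rec["ts"])
    return rec


def classify_tunnel(rec, slow_ms=5000):
    """Label a CONNECT record; returns None for other methods."""
    if rec["method"] != "CONNECT":
        return None
    if rec["status"] != 200:
        return "refused"   # Squid denied the CONNECT or could not connect out
    if rec["bytes"] <= TUNNEL_REPLY_BYTES:
        return "empty"     # TCP came up, but no server bytes ever came back
    if rec["elapsed_ms"] >= slow_ms and rec["bytes"] < 4096:
        return "stalled"   # a little data, then a long wait (PMTU-shaped)
    return "ok"


def summarize(lines, slow_ms=5000):
    """Count tunnel outcomes per destination host:port."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_tunnel(rec, slow_ms)
        if label is None:
            continue
        out.setdefault(rec["url"], Counter())[label] += 1
    return out


# Constructed sample log; only the bancnetonline fragment comes from the thread.
SAMPLE_LOG = """\
1588000000.101    120 10.20.0.50 TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 - HIER_DIRECT/203.131.77.194 -
1588000003.417  60123 10.20.0.51 TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 - HIER_DIRECT/203.131.77.194 -
1588000010.222   2251 10.20.0.50 TCP_TUNNEL/200 187342 CONNECT www.example.com:443 - HIER_DIRECT/198.51.100.10 -
1588000012.900  21004 10.20.0.52 TCP_TUNNEL/200 1531 CONNECT www.bancnetonline.com:443 - HIER_DIRECT/203.131.77.194 -
1588000015.005     14 10.20.0.50 TCP_DENIED/403 3970 CONNECT mail.example.net:25 - HIER_NONE/- text/html
1588000016.330     55 10.20.0.50 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/198.51.100.10 text/html
"""

if __name__ == "__main__":
    for dest, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{dest:32} {dict(counts)}")
```

A destination whose tunnels are mostly "empty" or "stalled" while other HTTPS sites are "ok" points below the proxy's own access control, at the TCP/TLS path to that one site, which is where the thread ends up.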

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
Hi again sir,

It is kinda deep to absorb what you said about TLS, the handshake and the TCP
connection; I will try to research this and trace it using a TCP packet
dump, wireshark or Squid's cache.log.




Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
In reply to this post by Amos Jeffries
Hi again,

as per checking using wireshark on my client PC,

these are my error messages


Client PC  -----  Proxy Server    TCP     54 [TCP Retransmission] 49804 ->
3333 [FIN, ACK] Seq=1 Ack=2 Win=1020 Len=0

Client PC  -----  Proxy Server    TCP     55 [TCP Keep-Alive] 49847 -> 3333
[ACK] Seq=0 Ack=1 Win=65536 Len=1






Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
In reply to this post by Amos Jeffries
Hi,

I already resolved my problem....


my problem is with PATH MTU discovery....

my eth0 is set to have an MTU = 1500

and I read on another forum that he set the MTU to 1400.. and it works...

Thank you all for the comments, advice and suggestions, really helpful.




Re: Squid - Can't visit (government site and Banking Site) - Please help

Amos Jeffries
On 7/05/20 7:44 pm, russel0901 wrote:

> Hi,
>
> I already resolved my problem....
>
>
> my problem is on PATH MTU discovery....
>
> may eth0 is set to have a MTU = 1500
>
> and I read on another forums that he set the MTU to 1400.. and it works...
>
> Thank you all for the comments, advise and suggestion, really helpful.
>

I hope you at least understand the reason behind the change working?

Hint: IP encapsulation layers somewhere in the network(s). Probably
4-in-4 or 6-in-4 tunnels.


Cheers
Amos
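Amos's hint about encapsulation layers, as an added example that is not part of the thread: a Python model of the path-MTU failure that turned out to be the cause. Each hop has a link MTU and a list of encapsulations applied on it; the model computes the largest IP packet the path can carry and what happens to a full-size packet sent with DF set when the ICMP "fragmentation needed" message never gets back to the sender (a PMTU black hole), which is why the small handshake packets get through and the larger ones do not. The header sizes are the fixed protocol minimums; the hop list and tunnel type are constructed.

```python
"""Model of path-MTU discovery across encapsulating hops (illustration only)."""

IPV4_HDR, IPV6_HDR, TCP_HDR, GRE_HDR = 20, 40, 20, 4

# Bytes each encapsulation adds to a packet on that hop.
ENCAP_OVERHEAD = {
    "4in4": IPV4_HDR,             # RFC 2003 IP-in-IP
    "6in4": IPV4_HDR,             # RFC 4213, IPv6 carried inside IPv4
    "gre": IPV4_HDR + GRE_HDR,    # GRE over IPv4 without optional fields
    "pppoe": 8,                   # RFC 2516: 6-byte PPPoE + 2-byte PPP header
}


def inner_mtu(link_mtu, encaps):
    """Largest packet that fits on a link once the encapsulations are added."""
    return link_mtu - sum(ENCAP_OVERHEAD[e] for e in encaps)


def path_mtu(hops):
    """hops: list of (name, link_mtu, [encapsulations]); returns the path MTU."""
    return min(inner_mtu(mtu, encaps) for _, mtu, encaps in hops)


def send_packet(size, df, hops, icmp_reaches_sender=True):
    """Walk a packet of the given size along the path and report its fate.

    DF clear: an oversized packet is fragmented and still gets through.
    DF set: the router drops it and sends ICMP 'fragmentation needed'; if
    that ICMP is filtered, the sender never learns the smaller MTU and
    keeps retransmitting the same full-size segment until it times out.
    """
    for name, mtu, encaps in hops:
        limit = inner_mtu(mtu, encaps)
        if size <= limit:
            continue
        if not df:
            return "fragmented"
        if icmp_reaches_sender:
            return f"icmp_too_big:{limit}"
        return f"blackholed_at:{name}"
    return "delivered"


def mss_clamp(mtu, ipv6=False):
    """TCP MSS to advertise so that full segments fit in the given MTU."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


# Constructed path: plain LAN, an ISP hop that tunnels traffic 4-in-4, then the
# destination network. Small handshake packets fit everywhere; a server's
# full-size certificate segments do not.
HOPS = [("lan", 1500, []), ("isp-tunnel", 1500, ["4in4"]), ("server-net", 1500, [])]

if __name__ == "__main__":
    print("path MTU:", path_mtu(HOPS))                                   # 1480
    print("1500 DF, ICMP filtered:", send_packet(1500, True, HOPS, False))
    print("1500 DF, ICMP allowed: ", send_packet(1500, True, HOPS, True))
    print("1400 DF:               ", send_packet(1400, True, HOPS, False))
    print("MSS to advertise at 1400:", mss_clamp(1400))                  # 1360
```

Lowering eth0 to 1400 works because every packet the proxy sends is then already below the 1480 the tunnel can carry; the model also shows the narrower fix, an MSS clamp, and that the real path MTU here is only 20 bytes short of 1500.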

Re: Squid - Can't visit (government site and Banking Site) - Please help

russel0901
Hi,

Actually I didn't understand the problem, but I will take a look into it and
study that.....

IP encapsulation layers somewhere in the network(s). Probably
4-in-4 or 6-in-4 tunnels.



