Re: [squid-users] Broken images and connection failures

On Fri, 17 Sep 2004 10:24:59 +1000, Rob H <rob.hadfield@gmail.com> wrote:
> On Thu, 16 Sep 2004 09:05:47 +0200 (CEST), Henrik Nordstrom
> <hno@squid-cache.org> wrote:
> > On Thu, 16 Sep 2004, Rob H wrote:
> >
> > > The problem is that during busy periods many pages are being displayed
> > > with many broken images & frequently the browser (IE6) displays the
> > > "Cannot find server or DNS error" message.
> >
> > First consult your cache.log file to see if there is any obvious
> > complaints from Squid.
> >
>
> Nothing out of the ordinary in the cache.log - just a few entries like this:
> 2004/09/17 09:29:52| urlParse: Illegal character in hostname
> '$$mainrs.privatewebservername'
> 2004/09/17 09:30:06| sslWriteClient: FD 120: write failure: (104)
> Connection reset by peer.
>
> - and I know that these are not related.
>
> However I do think I have narrowed it down to an NTLM or
> authentication issue - it is something I should have spotted a week
> ago, but as is typical - I have overlooked a simple thing whilst
> delving into the complicated.
>
> What I noticed was that firstly the problem was also occuring in non
> peak times also - it just appeared to be less frequent (or there
> weren't as many people screaming at me about it). I started browsing
> pages with 20+ images on them until I got a broken image - found the
> URL of that image and looked for it in the access.log. What I found
> where two TCP_DENIED/407 entries for the missing but no TCP_MISS,
> TCP_HIT (or any other entry related to that particular URL):
>
> 1095301093.729 1 10.49.4.164 TCP_DENIED/407 1660 GET
> http://gallery.yimg.com/c/100wm/11451783.jpg - NONE/- text/html
>
> I repeated this 10 times over a 2 hour period and saw the same result.
>
> I know that because of the NTLM handshake that the log shows two GET's
> resulting in TCP_DENIED entries followed by a GET resulting in a HIT
> or MISS - but in this case it appearingly randomly misses out on
> receiving the third GET.
>
> I have turned off authentication and browsing has been stable for the
> past 20 hours.
>
> My next step is to set up a sniffer to see if it is the client that is
> failing to send the request, or if the client is sending the request
> but squid isn't doing anything with it.
>

Update:
* Even with a TCP_DENIED in the log, Squid was not returning the
ERR_ACCESS_DENIED error page
* Turned off authentication for all & problem dissapeared.
* Using acl's I turned on authentication for requests coming from my IP only:
    acl robtest src 10.x.x.x
    http_access allow robtest AuthorisedUsers Group_WebBrowsers
    http_access allow all
* Turned up Authenticator and External ACL logging as so:
    debug_options ALL,1 29,99 82,2
* Changed max_challenge_reuses and max_challenge_lifetime in case I
was doing something stupid there:
    auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
    auth_param ntlm children 50
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm 2 minutes

Tailing the cache.log I then noticed different results from times when
a page loaded without any problems to when a page loaded with broken
images. The most glaringly obvious thing that stuck out was a "User
not fully authenticated." line.

The only problem is that I don't know what I am looking at, so I have
put two log excerpts up at http://www.dedicated-web.net/squid/ - one
is from a successful session loading a page with about 15 images, the
other is from a session where a page with about 15 images opened up
with a bunch of broken images.

If someone could tell me what it all means I would appreciate it.

---
Regards,
Rob Hadfield