[squid-users] SSL Stops responding

From: James P. Ashton <james_at_gitflorida.com>
Date: Wed, 19 Jan 2011 16:53:27 -0500 (EST)

Hi all,
 It appears that after about 2 months of uptime I had a pair of squid servers stop servicing SSL at the same time. Both are running CentOS 5.5 fully updated.

Version: 3.0.STABLE25-1.el5 (from the rpmforge repository)

Servers are default CentOS 5.5 installs with no packages or package groups installed outside of base. Only squid from rpmforge.
They are Dell 2950s with solid-state cache drives. 16G of RAM each.
They are running in accelerator mode. The config is posted below.
They are behind a load balancer. The traffic to about a dozen sites is balanced across these 2 servers.

No errors in the error log, no errors in the cache log, and nothing in the access log other than no requests for any SSL domains. It appears as if the requests were simply not getting to squid.

Netstat showed 2 connections to port 443. Both were off-site addresses.

Restarting squid solved the issue. Connections were getting through immediately.

All this time non-SSL (Port 80 / HTTP) requests were working with no problems.

Any thoughts on this?

Thanks in advance for any ideas.
James

Config
====================================

http_port 80 accel vhost #For IP xxx.xxx.xxx.101

https_port xxx.xxx.xxx.101:443 cert=/root/SSL/9696421.crt key=/root/SSL/xxxxxmediagroup.com.key cafile=/root/SSL/9696421.ca-bundle options=NO_SSLv2 accel vhost cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

https_port xxx.xxx.xxx.103:443 cert=/root/SSL/multi-domain.crt key=/root/SSL/multi-domain.key cafile=/root/SSL/multi-domain.ca-bundle options=NO_SSLv2 accel vhost cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

# Test Server
# Production Servers
cache_peer xxx.xxx.xxx.21 parent 80 0 no-query no-digest originserver login=PASS name=default1 round-robin
cache_peer xxx.xxx.xxx.22 parent 80 0 no-query no-digest originserver login=PASS name=default2 round-robin
cache_peer xxx.xxx.xxx.23 parent 80 0 no-query no-digest originserver login=PASS name=default3 round-robin
cache_peer xxx.xxx.xxx.24 parent 80 0 no-query no-digest originserver login=PASS name=default4 round-robin
cache_peer xxx.xxx.xxx.25 parent 80 0 no-query no-digest originserver login=PASS name=default5 round-robin
#
# xxxxxuser
cache_peer xxx.xxx.xxx.61 parent 80 0 no-query no-digest originserver login=PASS name=puser1 round-robin
cache_peer xxx.xxx.xxx.62 parent 80 0 no-query no-digest originserver login=PASS name=puser2 round-robin
cache_peer xxx.xxx.xxx.63 parent 80 0 no-query no-digest originserver login=PASS name=puser3 round-robin
cache_peer xxx.xxx.xxx.64 parent 80 0 no-query no-digest originserver login=PASS name=puser4 round-robin
cache_peer xxx.xxx.xxx.72 parent 80 0 no-query no-digest originserver login=PASS name=puser5 round-robin
#
# xxxxxMedia
cache_peer xxx.xxx.xxx.51 parent 80 0 no-query no-digest originserver login=PASS name=kmedia1 round-robin
cache_peer xxx.xxx.xxx.52 parent 80 0 no-query no-digest originserver login=PASS name=kmedia2 round-robin
cache_peer xxx.xxx.xxx.53 parent 80 0 no-query no-digest originserver login=PASS name=kmedia3 round-robin
cache_peer xxx.xxx.xxx.54 parent 80 0 no-query no-digest originserver login=PASS name=kmedia4 round-robin
cache_peer xxx.xxx.xxx.70 parent 80 0 no-query no-digest originserver login=PASS name=kmedia5 round-robin
#
# xxxxxworld
cache_peer xxx.xxx.xxx.66 parent 80 0 no-query no-digest originserver login=PASS name=pworld1 round-robin
cache_peer xxx.xxx.xxx.67 parent 80 0 no-query no-digest originserver login=PASS name=pworld2 round-robin
cache_peer xxx.xxx.xxx.68 parent 80 0 no-query no-digest originserver login=PASS name=pworld3 round-robin
cache_peer xxx.xxx.xxx.69 parent 80 0 no-query no-digest originserver login=PASS name=pworld4 round-robin
cache_peer xxx.xxx.xxx.73 parent 80 0 no-query no-digest originserver login=PASS name=pworld5 round-robin
#
# xxxxxTraining
cache_peer xxx.xxx.xxx.56 parent 80 0 no-query no-digest originserver login=PASS name=ktrain1 round-robin
cache_peer xxx.xxx.xxx.57 parent 80 0 no-query no-digest originserver login=PASS name=ktrain2 round-robin
cache_peer xxx.xxx.xxx.58 parent 80 0 no-query no-digest originserver login=PASS name=ktrain3 round-robin
cache_peer xxx.xxx.xxx.59 parent 80 0 no-query no-digest originserver login=PASS name=ktrain4 round-robin
cache_peer xxx.xxx.xxx.71 parent 80 0 no-query no-digest originserver login=PASS name=ktrain5 round-robin
#
# Ad Server
cache_peer xxx.xxx.xxx.30 parent 80 0 no-query no-digest originserver login=PASS name=adserver1 round-robin
#
acl PURGE method PURGE
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#acl all src 0.0.0.0/0.0.0.0
#

acl our_sites dstdomain origin.xxxxxmediagroup.com
acl our_sites dstdomain streamorigin.xxxxxmediagroup.com
acl our_sites dstdomain xxxxxtrainingonline.com
acl our_sites dstdomain www.xxxxxtrainingonline.com
acl our_sites dstdomain images.xxxxxmediagroup.com
acl our_sites dstdomain xxxxxfinishingtouches.com
acl our_sites dstdomain www.xxxxxfinishingtouches.com
acl our_sites dstdomain media.xxxxxmediagroup.com
acl our_sites dstdomain origin-media.xxxxxmediagroup.com
acl our_sites dstdomain www.media.xxxxxmediagroup.com
acl our_sites dstdomain www.scottxxxxx.com
acl our_sites dstdomain scottxxxxx.com
acl our_sites dstdomain www.xxxxxtv.com
acl our_sites dstdomain xxxxxtv.com
acl our_sites dstdomain www.planetxxxxx.com
acl our_sites dstdomain planetxxxxx.com
acl our_sites dstdomain xxxxxusertv.com
acl our_sites dstdomain www.xxxxxusertv.com
#acl our_sites dstdomain layersmagazine.com
#acl our_sites dstdomain www.layersmagazine.com
acl our_sites dstdomain www.worldwidephotowalk.com
acl our_sites dstdomain worldwidephotowalk.com
acl our_sites dstdomain www.mattkloskowski.com
acl our_sites dstdomain mattkloskowski.com
#acl our_sites dstdomain xxxxxtraininglive.com
#acl our_sites dstdomain www.xxxxxtraininglive.com
acl our_sites dstdomain xxxxxtv.com
acl our_sites dstdomain www.xxxxxtv.com
#acl our_sites dstdomain xxxxxkillertips.com
#acl our_sites dstdomain www.xxxxxkillertips.com
acl our_sites dstdomain xxxxxelementskillertips.com
acl our_sites dstdomain www.xxxxxelementskillertips.com
acl our_sites dstdomain xxxxxhalloffame.com
acl our_sites dstdomain www.xxxxxhalloffame.com
acl our_sites dstdomain xxxxxkillertips.com
acl our_sites dstdomain www.xxxxxkillertips.com
acl our_sites dstdomain xxxxxonline.com
acl our_sites dstdomain www.xxxxxonline.com
acl our_sites dstdomain xxxxxuserawards.com
acl our_sites dstdomain www.xxxxxuserawards.com
acl our_sites dstdomain scottxxxxxbooks.com
acl our_sites dstdomain www.scottxxxxxbooks.com
acl our_sites dstdomain wheretheprosshoot.com
acl our_sites dstdomain www.wheretheprosshoot.com

acl adserver dstdomain cache.ads.xxxxxmediagroup.com

acl ktrain dstdomain xxxxxtraining.com
acl ktrain dstdomain www.xxxxxtraining.com
acl ktrain dstdomain secure.xxxxxtraining.com

acl puser dstdomain www.xxxxxuser.com
acl puser dstdomain secure.xxxxxuser.com
acl puser dstdomain cache.xxxxxuser.com
acl puser dstdomain xxxxxuser.com

acl kmedia dstdomain xxxxxmediagroup.com
acl kmedia dstdomain www.xxxxxmediagroup.com
acl kmedia dstdomain secure.xxxxxmediagroup.com
acl kmedia dstdomain layersmagazine.com
acl kmedia dstdomain www.layersmagazine.com
acl kmedia dstdomain xxxxxkillertips.com
acl kmedia dstdomain www.xxxxxkillertips.com
acl kmedia dstdomain xxxxxtraininglive.com
acl kmedia dstdomain www.xxxxxtraininglive.com
#acl kmedia dstdomain xxxxxworld.com
#acl kmedia dstdomain www.xxxxxworld.com
acl kmedia dstdomain larryscheapshots.com
acl kmedia dstdomain www.larryscheapshots.com

acl pworld dstdomain www.xxxxxworld.com
acl pworld dstdomain secure.xxxxxworld.com
acl pworld dstdomain xxxxxworld.com
#
http_access allow our_sites
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
#
# Main Pool
cache_peer_access default1 allow our_sites
cache_peer_access default1 deny all
cache_peer_access default2 allow our_sites
cache_peer_access default2 deny all
cache_peer_access default3 allow our_sites
cache_peer_access default3 deny all
cache_peer_access default4 allow our_sites
cache_peer_access default4 deny all
cache_peer_access default4 allow our_sites
cache_peer_access default4 deny all
cache_peer_access default5 allow our_sites
cache_peer_access default5 deny all
#
#
cache_peer_access ktrain1 allow ktrain
cache_peer_access ktrain1 deny all
cache_peer_access ktrain2 allow ktrain
cache_peer_access ktrain2 deny all
cache_peer_access ktrain3 allow ktrain
cache_peer_access ktrain3 deny all
cache_peer_access ktrain4 allow ktrain
cache_peer_access ktrain4 deny all
cache_peer_access ktrain4 allow ktrain
cache_peer_access ktrain4 deny all
cache_peer_access ktrain5 allow ktrain
cache_peer_access ktrain5 deny all
#
#
cache_peer_access puser1 allow puser
cache_peer_access puser1 deny all
cache_peer_access puser2 allow puser
cache_peer_access puser2 deny all
cache_peer_access puser3 allow puser
cache_peer_access puser3 deny all
cache_peer_access puser4 allow puser
cache_peer_access puser4 deny all
cache_peer_access puser4 allow puser
cache_peer_access puser4 deny all
cache_peer_access puser5 allow puser
cache_peer_access puser5 deny all
#
#
cache_peer_access kmedia1 allow kmedia
cache_peer_access kmedia1 deny all
cache_peer_access kmedia2 allow kmedia
cache_peer_access kmedia2 deny all
cache_peer_access kmedia3 allow kmedia
cache_peer_access kmedia3 deny all
cache_peer_access kmedia4 allow kmedia
cache_peer_access kmedia4 deny all
cache_peer_access kmedia4 allow kmedia
cache_peer_access kmedia4 deny all
cache_peer_access kmedia5 allow kmedia
cache_peer_access kmedia5 deny all
#
#
cache_peer_access pworld1 allow pworld
cache_peer_access pworld1 deny all
cache_peer_access pworld2 allow pworld
cache_peer_access pworld2 deny all
cache_peer_access pworld3 allow pworld
cache_peer_access pworld3 deny all
cache_peer_access pworld4 allow pworld
cache_peer_access pworld4 deny all
cache_peer_access pworld4 allow pworld
cache_peer_access pworld4 deny all
cache_peer_access pworld5 allow pworld
cache_peer_access pworld5 deny all
#
#
cache_peer_access adserver1 allow adserver
cache_peer_access adserver1 deny all
#
#
visible_hostname squid1.xxxxxmediagroup.com
#
#
refresh_pattern (phpmyadmin|process|register|login|contact|signup|admin|gateway|ajax|account|cart|checkout|members) 0 10% 0
refresh_pattern (blog|feed) 300 20% 4320 ignore-no-cache ignore-no-store ignore-reload
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 50% 7200 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload
refresh_pattern -i \.(iso|avi|wav|mp3|mpeg|swf|flv|x-flv)$ 1440 40% 40320 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload
refresh_pattern -i \.mp4$ 1440 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload
refresh_pattern -i \.(css|js)$ 300 40% 7200 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload
refresh_pattern -i \.(html|htm)$ 300 40% 7200
refresh_pattern (/cgi-bin/|\?) 300 20% 4320
refresh_pattern . 0 40% 40320
#
#
cache_effective_user squid
cache_mem 1500 MB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
maximum_object_size_in_memory 128 KB
maximum_object_size 1000 MB
cache_dir aufs /caches/cache1 30000 64 256
debug_options ALL,1
cache_store_log none
pipeline_prefetch on
#
#
shutdown_lifetime 1 second
httpd_suppress_version_string on
access_log /var/log/squid/squid-access.log squid
#access_log none
Received on Wed Jan 19 2011 - 22:15:27 MST
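
An added example, not part of the original post: a probe that separates the cases the message leaves open, namely a connection that never reaches the listener on 443 versus a listener that accepts the TCP connection but never completes the TLS handshake, while confirming that port 80 still answers. The function names and result strings are assumptions made for this example.

```python
import socket
import ssl
import sys


def tcp_open(host, port, timeout=3.0):
    """True if a plain TCP connection to host:port is accepted."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def probe_tls(host, port, timeout=3.0):
    """Classify a TLS listener by how far a client handshake gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"         # nothing is listening on the port
    except OSError:                  # timeouts, unreachable hosts
        return "tcp_unreachable"     # dropped before reaching the listener
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # liveness probe only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is deliberately not validated here
    try:
        ctx.wrap_socket(sock, server_hostname=host).close()
        return "ok"
    except (socket.timeout, TimeoutError):
        return "tls_stalled"         # TCP accepted, no handshake reply
    except (ssl.SSLError, OSError):
        return "tls_error"           # peer replied or reset, handshake failed
    finally:
        sock.close()


def diagnose(host, http_port=80, https_port=443, timeout=3.0):
    """Compare the HTTP and HTTPS listeners of one accelerator."""
    http_ok = tcp_open(host, http_port, timeout)
    tls = probe_tls(host, https_port, timeout)
    if tls == "ok":
        verdict = "healthy" if http_ok else "http_down"
    elif http_ok:
        verdict = "https_only_outage"  # the symptom described in the post
    else:
        verdict = "host_down"
    return {"http_tcp": http_ok, "tls": tls, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run against each server's own address rather than the load balancer's, so that a `tls_stalled` or `tcp_unreachable` result can be attributed to one host.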
