Re: [squid-users] Cannot access google search results and other https sites through squid proxy.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Jun 2014 16:21:15 +1200

On 3/06/2014 11:25 a.m., Development Team wrote:
> I am astonished.
> It seems that the core of my problem was ipv6;
> ....
> TCP_MISS_ABORTED:
> "1401736785.584 20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013 -"
> (I just noticed the unexpected ip6 type address. I do not know if that is
> relevant. I will now try to disable ipv6.)
> ....
>
> I disabled ipv6 in /etc/sysctl.d/99-sysctl.conf and now http[s] works as
> expected for manually configured clients. Why would this be?
> No matter.

That log says that Squid successfully contacted the upstream server,
even sent the request out, but no response came back for over 20
seconds. A common sight when ICMP is being blocked and breaking Path-MTU
discovery (PMTUd).

ICMP is not optional, even for IPv4, no matter what anyone else says.
There *are* some very specific ICMP codes which are good to block, but
most of ICMP is critical for correct operation of TCP.

>
> Now I am going to try and restore the transparent proxy. I added the
> intercept attribute to the http_port config, and now even without tweaking
> the firewall, I am getting "Forwarding loop detected" warnings. Clients get
> access denied pages....
>

Note the need for separate forward-proxy and intercept-proxy listening
ports in Squid is a MUST.

Forward-proxy is the better mode of operation, if you have clients
already using it leave them. Add the interception as a secondary
http(s)_port for the clients that cannot be configured with the proxy.

Amos
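An added example, not part of the thread and not Squid project code, showing how to pick the symptom Amos reads out of that access.log line out of a larger log: a request forwarded HIER_DIRECT that was aborted after a long silence with status 000 and zero bytes, broken down by upstream peer and address family. It assumes Squid's native access.log format (timestamp, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, type); the sample lines are constructed, with only the first taken from the thread, and the 10-second threshold is an arbitrary choice. The script only flags the symptom; whether the cause is blocked ICMP breaking PMTUd, or something else on the IPv6 path, still has to be confirmed on the network.

```python
"""Added example (not from the thread): flag Squid access.log entries that look
like the upstream-blackhole symptom described in the reply, i.e. the request
went out via HIER_DIRECT and the client gave up after a long wait with no reply."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in Squid's native access.log format; the first one is
# the entry quoted in the thread, the rest are made up for the demonstration.
SAMPLE_LOG = """\
1401736785.584 20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013 -
1401736790.102 35 127.0.0.1 TCP_MISS/200 5123 GET http://example.test/index.html - HIER_DIRECT/203.0.113.10 text/html
1401736801.441 20011 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google.com/search?q=x - HIER_DIRECT/2607:f8b0:400f:801::1013 -
1401736803.009 12 127.0.0.1 TCP_MEM_HIT/200 2048 GET http://example.test/logo.png - HIER_NONE/- image/png
1401736815.777 20003 127.0.0.1 TCP_MISS_ABORTED/000 0 CONNECT mail.example.test:443 - HIER_DIRECT/2001:db8::25 -
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int      # time Squid spent on the request, in milliseconds
    client: str
    result: str          # e.g. TCP_MISS_ABORTED
    status: int          # HTTP status; 000 when no reply was ever received
    size: int            # bytes sent to the client
    method: str
    url: str
    hierarchy: str       # e.g. HIER_DIRECT
    peer: str            # upstream address, or "-" for HIER_NONE


def parse_line(line: str) -> Entry:
    """Parse one native-format line:
    ts elapsed client code/status bytes method url user hier/peer type."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hierarchy, peer)


def looks_like_blackhole(e: Entry, min_elapsed_ms: int = 10_000) -> bool:
    """True when the request went direct to the origin and was aborted after a
    long silence: zero bytes back, status 000, elapsed far above a normal RTT."""
    return (e.result == "TCP_MISS_ABORTED" and e.status == 0 and e.size == 0
            and e.hierarchy == "HIER_DIRECT" and e.elapsed_ms >= min_elapsed_ms)


def address_family(addr: str) -> str:
    try:
        return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"
    except ValueError:
        return "unknown"


def summarize(log_text: str, min_elapsed_ms: int = 10_000) -> dict:
    """Count suspect entries and break them down by upstream peer and address
    family, so a problem confined to one path (here: the IPv6 one) stands out."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    suspects = [e for e in entries if looks_like_blackhole(e, min_elapsed_ms)]
    return {
        "total": len(entries),
        "suspects": len(suspects),
        "by_family": dict(Counter(address_family(e.peer) for e in suspects)),
        "by_peer": dict(Counter(e.peer for e in suspects)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample every suspect entry sits on an IPv6 upstream while the IPv4 requests complete normally, which is the pattern that would justify looking at ICMP handling on the IPv6 path before reaching for the sysctl that disables IPv6 altogether.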
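A second added example, again not from the thread and not Squid's own code, for the point about separate forward and intercept ports: a small checker for the `http_port`/`https_port` lines of a squid.conf that reports the mistake in the thread (the `intercept` flag added to the only listening port, leaving configured clients with no forward-proxy port) and a port number shared between the two modes. Both configurations are constructed; the port numbers and the option names `intercept` and `tproxy` are the ones Squid uses, but the rest of the directive syntax (IP:port specs, other options) is only handled as far as this check needs.

```python
"""Added example (not from the thread or from Squid): check that squid.conf keeps
forward-proxy and intercept-proxy listening ports separate, as the reply advises."""
from dataclasses import dataclass, field

# Constructed configurations for the demonstration: the first reproduces the
# thread's situation, the second follows the advice in the reply.
BROKEN_CONF = """\
# forward port that existing clients point at, now also made intercept
http_port 3128 intercept
"""

FIXED_CONF = """\
http_port 3128                  # forward-proxy port for configured clients
http_port 3129 intercept        # secondary port for firewall-redirected traffic
"""


@dataclass
class ListenPort:
    directive: str           # http_port or https_port
    port: int
    options: set = field(default_factory=set)

    @property
    def mode(self) -> str:
        # intercept and tproxy both mark a port as receiving redirected traffic
        return "intercept" if self.options & {"intercept", "tproxy"} else "forward"


def parse_listen_ports(conf_text: str) -> list:
    """Collect http_port/https_port directives; trailing comments are stripped."""
    ports = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        spec = parts[1]                       # "3128", "192.0.2.1:3128" or "[::]:3128"
        tail = spec.rsplit(":", 1)[-1]
        if not tail.isdigit():
            raise ValueError(f"cannot read a port number from {spec!r}")
        ports.append(ListenPort(parts[0], int(tail), set(parts[2:])))
    return ports


def check_listen_ports(ports: list) -> list:
    """Return human-readable problems; an empty list means the layout is sound."""
    problems = []
    forward = [p for p in ports if p.mode == "forward"]
    intercept = [p for p in ports if p.mode == "intercept"]
    if intercept and not forward:
        problems.append("no forward-proxy port left: every listening port is "
                        "intercept/tproxy, so explicitly configured clients have "
                        "nowhere to send proxy-style requests")
    forward_numbers = {p.port for p in forward}
    for p in intercept:
        if p.port in forward_numbers:
            problems.append(f"port number {p.port} is used both as a forward-proxy "
                            f"and an intercept port; give interception its own port")
    return problems


def check_conf(conf_text: str) -> list:
    return check_listen_ports(parse_listen_ports(conf_text))


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_conf(conf) or ["ok"])
```

The fixed layout still needs the firewall redirect that sends intercepted traffic to the secondary port; this check only covers the listening-port side of the reply's advice.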
Received on Tue Jun 03 2014 - 04:21:24 MDT
