Re: [squid-users] Cannot access google search results and other https sites through squid proxy.

From: Amos Jeffries <>
Date: Tue, 03 Jun 2014 16:21:15 +1200

On 3/06/2014 11:25 a.m., Development Team wrote:
> I am astonished.
> It seems that the core of my problem was ipv6;
> ....
> "1401736785.584 20020 TCP_MISS_ABORTED/000 0 GET
> - HIER_DIRECT/2607:f8b0:400f:801::1013 -"
> (I just noticed the unexpected ip6 type address. I do not know if that is
> relevant. I will now try to disable ipv6.)
> ....
> I disabled ipv6 in /etc/sysctl.d/99-sysctl.conf and now http[s] works as
> expected for manually configured clients. Why would this be?
> No matter.

That log says that Squid successfully contacted the upstream server,
even sent the request out, but no response came back for over 20
seconds. A common sight when ICMP is being blocked and breaking Path-MTU
discovery (PMTUd).

ICMP is not optional, even for IPv4, no matter what enyone else says.
There *are* some very specific ICMP codes which are good to block, but
most of ICMP is critical for correct operation of TCP.

> Now I am going to try and restore the transparent proxy. I added the
> intercept attribute to the http_port confing, and now even without tweaking
> the firewall, I am getting "Forwarding loop detected" warnings. Clients get
> access denied pages....

Note the need for separate forward-proxy and intercept-proxy listening
ports in Squid is a MUST.

Forward-proxy is the better mode of operation, if you have clients
already using it leave them. Add the interception as a secondary
http(s)_port for the clients that cannot be configured with the proxy.

Received on Tue Jun 03 2014 - 04:21:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 04 2014 - 12:00:06 MDT