Re: [squid-users] udp_incoming_address and udp_outgoing_address

From: John Doe <jdmls_at_yahoo.com>
Date: Tue, 1 Jul 2008 07:22:25 -0700 (PDT)

> And they are trying to contact on this address, and allowed by
> icp_access & http_access?

I have:
  acl from_localnetC src 192.168.0.0/16
  icp_access allow from_localnetC
  http_access allow from_localnetC

With udp_outgoing_address 255.255.255.255:
  2008/07/01 12:16:39| Accepting ICP messages at 192.168.17.11, port 3130, FD 15.
And now they DO talk to each other... :/
Only thing I changed I think is icp_query_timeout 3000 (instead of 1000)

With two different udp IPs:
  2008/07/01 12:18:09| Accepting ICP messages at 192.168.17.11, port 3130, FD 15.
  2008/07/01 12:18:09| Outgoing ICP messages on port 3130, FD 16.
Works too.

With same udp IP:
  2008/07/01 12:15:09| Accepting ICP messages at 192.168.17.12, port 3130, FD 15.
  2008/07/01 12:15:09| Outgoing ICP messages on port 3130, FD 16.
Works too.

It must be the heat but some random errors are driving me nuts...
I did stick with the 255.255... conf.
I use wgets to browse the test website; each query going through a random squid.
For most objects, it works fine.
But constantly for one specific object (brasil.gif) and from time to time other random objects (portugal.gif, italia.gif) I get "403 Forbidden".
Sometimes, instead of "403 Forbidden", I get "200 No headers, assuming HTTP/0.9"

For example, I get:
 1214908535.754 0 192.168.17.13 TCP_DENIED/403 1295 GET http://127.0.0.1/img/italia.gif - NONE/- text/html
And 498 times on the 2 other siblings:
 1214908535.754 2 192.168.17.13 TCP_MISS/403 1295 GET http://127.0.0.1/img/italia.gif - CD_SIBLING_HIT/192.168.17.12 text/html
 1214908535.754 RELEASE -1 FFFFFFFF C4228CE82163A253A41033FDFAEEF902 403 1214908535 -1 1214908535 text/html 1090/1090 GET http://127.0.0.1/img/italia.gif

With more debugging...
498 times all this (I guess, too many lines to count):
2008/07/01 13:40:44| aclCheckFast: list: 0x9c16e70
2008/07/01 13:40:44| aclMatchAclList: checking all
2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0'
2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found
2008/07/01 13:40:44| aclMatchAclList: returning 1
2008/07/01 13:40:44| aclCheckFast: list: 0x9c16e48
2008/07/01 13:40:44| aclMatchAclList: checking all
2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0'
2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found
2008/07/01 13:40:44| aclMatchAclList: returning 1
2008/07/01 13:40:44| aclCheckFast: list: 0x9c16da0
2008/07/01 13:40:44| aclMatchAclList: checking all
2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0'
2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found
2008/07/01 13:40:44| aclMatchAclList: returning 1
2008/07/01 13:40:44| aclCheckFast: list: 0x9c15300
2008/07/01 13:40:44| aclMatchAclList: checking all
2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0'
2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found
2008/07/01 13:40:44| aclMatchAclList: returning 1
2008/07/01 13:40:44| aclCheck: checking 'http_reply_access allow all'
2008/07/01 13:40:44| aclMatchAclList: checking all
2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0'
2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found
2008/07/01 13:40:44| aclMatchAclList: returning 1
2008/07/01 13:40:44| aclCheck: match found, returning 1
2008/07/01 13:40:44| aclCheckCallback: answer=1
2008/07/01 13:40:44| The reply for GET http://127.0.0.1/img/italia.gif is ALLOWED, because it matched 'all'

But the pseudo-random aspect is annoying...
The problem is not specific to one squid.
To test, I renamed brasil.gif to brasil2.gif and no more 403 on brasil2.gif...
Digest problem?
Hash collision problem?

Here are 3 runs of stop squids + manually clear cache_dirs + restart squids + get objects...

Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/spain.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/greece.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/france.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/denmark.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/sweden.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/finland.gif = Proxy request sent, awaiting response... 403 Forbidden
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/japan.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/usa.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/russia.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/brasil.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/portugal.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/polska.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/netherlands.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/taiwan.gif = Proxy request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/china.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/italia.gif = Proxy request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/turkey.gif = Proxy request sent, awaiting response... 200 OK

Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/spain.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/greece.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/france.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/denmark.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/sweden.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/finland.gif = Proxy request sent, awaiting response... 403 Forbidden
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/japan.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/usa.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/russia.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/brasil.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/portugal.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/polska.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/netherlands.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/taiwan.gif = Proxy request sent, awaiting response... 403 Forbidden
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/china.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/italia.gif = Proxy request sent, awaiting response... 403 Forbidden
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/turkey.gif = Proxy request sent, awaiting response... 200 OK

Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/spain.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/greece.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/france.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/denmark.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/sweden.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/finland.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/japan.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/usa.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/russia.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/brasil.gif = Proxy request sent, awaiting response... 200 OK
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/portugal.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/polska.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/netherlands.gif = Proxy request sent, awaiting response... 200 OK
Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/taiwan.gif = Proxy request sent, awaiting response... 403 Forbidden
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/china.gif = Proxy request sent, awaiting response... 200 OK
Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/italia.gif = Proxy request sent, awaiting response... 403 Forbidden
Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/turkey.gif = Proxy request sent, awaiting response... 200 OK

So now, brasil.gif, that returned 403 all the time, returns 200 all the time...
It is finland, taiwan and italia's turn... :/

I tried with 2 different udp IPs, same errors...
I tried with the same udp IP, almost same; finland is now always 200 OK...
Back to 255.255... conf, same as the same IP now...

No rights problems:
-rw-r--r-- 1 apache apache 6075 Jun 30 16:12 brasil.gif
-rw-r--r-- 1 apache apache 10764 Jun 30 16:12 china.gif
-rw-r--r-- 1 apache apache 12229 Jun 30 16:12 denmark.gif
-rw-r--r-- 1 apache apache 9569 Jun 30 16:12 finland.gif
-rw-r--r-- 1 apache apache 7934 Jun 30 16:12 france.gif
-rw-r--r-- 1 apache apache 13597 Jun 30 16:12 greece.gif
-rw-r--r-- 1 apache apache 11213 Jun 30 16:12 italia.gif
-rw-r--r-- 1 apache apache 7283 Jun 30 16:12 japan.gif
-rw-r--r-- 1 apache apache 8639 Jun 30 16:12 netherlands.gif
-rw-r--r-- 1 apache apache 7839 Jun 30 16:12 polska.gif
-rw-r--r-- 1 apache apache 5638 Jun 30 16:12 portugal.gif
-rw-r--r-- 1 apache apache 7711 Jun 30 16:12 russia.gif
-rw-r--r-- 1 apache apache 6863 Jun 30 16:12 spain.gif
-rw-r--r-- 1 apache apache 8605 Jun 30 16:12 sweden.gif
-rw-r--r-- 1 apache apache 4900 Jun 30 16:12 taiwan.gif
-rw-r--r-- 1 apache apache 6000 Jun 30 16:12 turkey.gif
-rw-r--r-- 1 apache apache 7208 Jun 30 16:12 usa.gif

> Odd.. Which Squid version? Squid should not even start with ICP enabled
> and incoming & outgoing set to the same address...

The "latest" from a CentOS 5.2: squid-2.6.STABLE6-5.el5_1.2
I guess I will have to manually compile a STABLE20... Or is 2.7STABLE3 better and as stable?

Thx,
JD

      
Received on Tue Jul 01 2008 - 14:22:37 MDT
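
Added example, not part of the original message: a Python sketch that correlates the two kinds of access.log lines quoted above across per-proxy logs, pairing each TCP_MISS/403 forwarded via CD_SIBLING_HIT with a TCP_DENIED/403 (NONE/-) logged by the sibling that was chosen. The sample lines, the 192.168.17.50 client and the function names are constructed for illustration; the field layout assumed is the native access.log layout visible in the quoted lines.

```python
import re
from collections import defaultdict

# Native access.log fields: time elapsed client code/status bytes method url ident hier/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample, keyed by the proxy that wrote each log (an assumption:
# the logs are collected per proxy). Modelled on the lines quoted in the message.
SAMPLE_LOGS = {
    "192.168.17.11": [
        "1214908535.754 2 192.168.17.50 TCP_MISS/403 1295 GET http://127.0.0.1/img/italia.gif - CD_SIBLING_HIT/192.168.17.12 text/html",
        "1214908536.100 5 192.168.17.50 TCP_MISS/200 8000 GET http://127.0.0.1/img/spain.gif - DIRECT/127.0.0.1 image/gif",
    ],
    "192.168.17.12": [
        "1214908535.753 0 192.168.17.11 TCP_DENIED/403 1295 GET http://127.0.0.1/img/italia.gif - NONE/- text/html",
    ],
    "192.168.17.13": [
        "1214908540.010 3 192.168.17.50 TCP_MISS/403 1295 GET http://127.0.0.1/img/taiwan.gif - CD_SIBLING_HIT/192.168.17.11 text/html",
    ],
}

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def sibling_denials(logs):
    """Map each URL to its sibling-forwarded 403s, keeping only URLs where a
    digest-selected sibling also logged TCP_DENIED/403 for that URL."""
    report = defaultdict(lambda: {"forwarded_403": 0, "chosen_peers": set(), "denied_on": set()})
    for proxy, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None or rec["status"] != "403":
                continue
            entry = report[rec["url"]]
            if rec["code"] == "TCP_MISS" and rec["hier"] == "CD_SIBLING_HIT":
                entry["forwarded_403"] += 1          # 403 relayed from a sibling
                entry["chosen_peers"].add(rec["peer"])
            elif rec["code"] == "TCP_DENIED" and rec["hier"] == "NONE":
                entry["denied_on"].add(proxy)        # 403 generated locally
    return {u: e for u, e in report.items() if e["chosen_peers"] & e["denied_on"]}

if __name__ == "__main__":
    for url, e in sibling_denials(SAMPLE_LOGS).items():
        print(url, e["forwarded_403"], sorted(e["chosen_peers"]), sorted(e["denied_on"]))
```

A URL that shows up here was answered with a 403 produced by the sibling itself rather than by the origin server, which narrows the search to the sibling's own access controls and peer selection.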
