Dipjyoti Bharali | 8 Apr 08:15 2014

WARNING: Forwarding loop detected for:

Hi,

I am facing this peculiar issue with certain specific clients. When these 
clients connect to the proxy server, it goes for a toss until I reload 
the service. When examined through the log file, I get this same message 
every time.

    /2014/04/02 09:00:17| WARNING: Forwarding loop detected for:
    GET / HTTP/1.1
    Content-Type: text/xml; charset=Utf-16
    UNICODE: YES
    Content-Length: 0
    Host: 192.168.1.1:3128
    Via: 1.0 hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg
    (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1
    hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid),
    1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg
    (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1
    hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid),
    1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg
    (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1
    hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid),
    1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg
    (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1
    hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid),
    1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg
    (squid), 1.1 hindenberg (squid), 1.1 hindenberg (squid), 1.1
    .
    .
    .
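
Added example (not part of the original post or of Squid's code): Squid logs this warning when its own name is already present in the request's Via list, so the same check can be run over a captured request to count how many times it has passed through the proxy. The sample request is constructed from the log above with the Via list shortened; treating 192.168.1.1:3128 as the proxy's own listening address is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the request from the log above, Via list shortened to
# four hops and folded across lines the way the log wraps it.
SAMPLE = """GET / HTTP/1.1
Content-Length: 0
Host: 192.168.1.1:3128
Via: 1.0 hindenberg (squid), 1.1 hindenberg (squid), 1.1 hindenberg
 (squid), 1.1 hindenberg (squid)
"""

# One Via element: [protocol-name/]version received-by [(comment)]
VIA_HOP = re.compile(r"(?:[A-Za-z]+/)?(\d\.\d)\s+(\S+)(?:\s+\(([^)]*)\))?")

def parse_headers(raw):
    """Return {lowercase-name: value}, joining folded continuation lines."""
    headers, last = {}, None
    for line in raw.splitlines()[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and last:   # continuation of previous header
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def via_hops(via_value):
    """Split a Via value into (version, received-by, comment) tuples."""
    hops = []
    for item in via_value.split(","):
        m = VIA_HOP.fullmatch(item.strip())
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops

def loop_report(raw, my_name, my_listeners):
    """Summarise loop evidence for one request as seen by proxy `my_name`."""
    h = parse_headers(raw)
    seen = Counter(name.lower() for _, name, _ in via_hops(h.get("via", "")))
    return {
        "loop": seen[my_name.lower()] > 0,        # own name already in Via
        "times_through_me": seen[my_name.lower()],
        # Assumption: my_listeners holds the proxy's own host:port values.
        "host_is_proxy": h.get("host", "").lower() in my_listeners,
    }

if __name__ == "__main__":
    print(loop_report(SAMPLE, "hindenberg", {"192.168.1.1:3128"}))
```

A request whose Host header is the proxy's own listening address and whose Via list repeats only that proxy's name never left the proxy, which points at the client or an interception rule sending traffic for the proxy back into the proxy.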

aditya agarwal | 8 Apr 07:11 2014

Caching not working for Youtube videos

Hi,

Last week we realized that our caching for Youtube videos is broken and not working any more. We are using
'storeurl_rewrite_program' header to rewrite URL for all youtube videos. Following is our
configuration (Squid 2.7):

acl store_rewrite_list url_regex  youtube
cache allow store_rewrite_list 
storeurl_access allow store_rewrite_list 
storeurl_access deny all 
storeurl_rewrite_program VideoCachingPolicy.pl 
storeurl_rewrite_children 1 
storeurl_rewrite_concurrency 100 

We use the following method in VideoCachingPolicy.pl:
1. All youtube requests which have stream_204 and generate_204 in the URL are stored in a log file.
2. In the perl file, for each request we check if it has videoplayback + google/youtube in the URL
3. If yes, then we read (backwards) the log file generated in step 1.
    a. We check if any of the stream_204/generate_204 requests have a matching CPN field. If yes then we extract the docid from these requests and generate an internal URL.
    b. Else we append the ID which came with the current request. Note: As this ID is dynamically generated for every request stream so it doesn't result in cache HIT.

This method was working fine for some time, but now it seems to be broken. On investigating I found two issues:
1. The stream_204/generate_204 requests do not always come before videoplayback requests.
2. Even if stream_204 requests come before videoplayback they are not logged immediately. When I try to
read the file, it doesn't have these lines initially but it has them later on.

Is anyone else facing these issues? Is there any long term solution for caching Youtube videos?


Amos Jeffries | 8 Apr 05:56 2014

Re: How to make squid proxy server cache response with vary: * in header?

On 8/04/2014 3:02 p.m., Sylvio Cesar wrote:
> Amos, how do I use squidclient to download a file .flv for example??
> 

squidclient -h shows the full set of parameters available and what they
do. As with any good command line tool.

Via proxy on localhost:
 squidclient http://stackoverflow.com/

Via proxy at example.com (could be an IP if needed):
 squidclient -h example.com http://stackoverflow.com/

Direct from the web server:
 squidclient -p 80 -h stackoverflow.com /

NP: Depending on tool version you may or may not also need the "-j
stackoverflow.com" or " -H 'Host:stackoverflow.com\n' " parameters to
set the Host: header explicitly.
 The -H takes a string of extra headers separated by \n to add to the
request.

Amos

> 2014-04-07 23:35 GMT-03:00 Amos Jeffries <squid3 <at> treenet.co.nz>:
>>
>> "Vary:*" means the response changes depending on factors outside the
>> HTTP protocol for which shared proxies like Squid are 100% unable to
>> determine whether the cached response is appropriate to deliver.
>>  Even if you did store it, the cache would still always MISS.
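
Added example (not from the thread and not Squid's implementation): a toy shared cache in Python showing why a response with "Vary: *" misses on every request even when it is stored, and, going one step beyond the message, how a Vary that names request headers selects a variant instead. ToyCache, variant_key and replay are hypothetical names.

```python
import hashlib

def variant_key(url, request_headers, vary):
    """Secondary cache key for a response carrying `vary`; None = never reusable."""
    fields = sorted({f.strip().lower() for f in vary.split(",") if f.strip()})
    if "*" in fields:
        return None  # selection depends on inputs a shared cache cannot see
    req = {k.lower(): " ".join(v.split()) for k, v in request_headers.items()}
    material = [url] + [f"{f}:{req.get(f, '')}" for f in fields]
    return hashlib.sha256("\n".join(material).encode()).hexdigest()

class ToyCache:
    """Hypothetical minimal shared cache: remembers each URL's Vary and variants."""
    def __init__(self):
        self.vary_for_url = {}
        self.variants = set()

    def fetch(self, url, request_headers, origin_vary):
        vary = self.vary_for_url.get(url)
        if vary is not None:
            key = variant_key(url, request_headers, vary)
            if key is not None and key in self.variants:
                return "HIT"
        # Miss: origin_vary stands in for the Vary header of the origin's reply.
        self.vary_for_url[url] = origin_vary
        key = variant_key(url, request_headers, origin_vary)
        if key is not None:
            self.variants.add(key)  # a marker is stored instead of the body
        return "MISS"

def replay(origin_vary, requests, url="http://stackoverflow.com/"):
    """Send `requests` through a fresh ToyCache and return the HIT/MISS sequence."""
    cache = ToyCache()
    return [cache.fetch(url, r, origin_vary) for r in requests]

if __name__ == "__main__":
    gz = {"Accept-Encoding": "gzip"}
    print(replay("*", [gz, gz, gz]))
    print(replay("Accept-Encoding", [gz, gz, {"Accept-Encoding": "identity"}, gz]))
```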

Sylvio Cesar | 8 Apr 04:00 2014

How to make squid proxy server cache response with vary: * in header?

curl -x localhost:3128 --silent -o /dev/null --dump-header /dev/stdout
http://stackoverflow.com
HTTP/1.1 200 OK
Cache-Control: public, max-age=18
Content-Type: text/html; charset=utf-8
Expires: Tue, 08 Apr 2014 02:00:38 GMT
Last-Modified: Tue, 08 Apr 2014 01:59:38 GMT
Vary: *
X-Frame-Options: SAMEORIGIN
Date: Tue, 08 Apr 2014 02:00:18 GMT
Content-Length: 212147
X-Cache: MISS from sylviosuse11
X-Cache-Lookup: MISS from sylviosuse11:3128
Via: 1.1 sylviosuse11 (squid/3.4.4)
Connection: keep-alive

--

-- 
Att,

Sylvio César,

Dan Charlesworth | 8 Apr 01:34 2014

Re: Error negotiating SSL connection on FD ##: Closed by client

Thanks, Guy.

I’m almost tempted to just ssl_bump none for 23.0.0.0/12, but I’m sure that would lead to all sorts of
annoyances for clients who are tracking users download usage etc.

I’d appreciate if you could share your list of IP addresses, might be useful for us.

Dan

On 7 Apr 2014, at 11:23 pm, Guy Helmer <ghelmer <at> palisadesystems.com> wrote:

> On Apr 6, 2014, at 11:58 PM, Dan Charlesworth <dan <at> getbusi.com> wrote:
> 
>> This somewhat vague error comes up with relative frequency from iOS apps when browsing via our Squid 3.4.4 intercepting proxy which is performing server-first SSL Bumping.
>> 
>> The requests in question don’t make it as far as the access log, but with debug_options 28,3 26,3, the dst IP can be identified and allowed through with ssl_bump none.
>> 
>> The device trusts Squid's CA, but apparently that’s not enough for the Twitter iOS app and certain Akamai requests that App Store updates use.
>> 
>> Can anyone suggest how one might debug this further? Or just an idea of why the client might be closing the SSL connection in certain cases?
>> 
>> Thanks!
>> 
>> 
> 
> I suspect that the Twitter app is using certificate pinning to prevent man-in-the-middle decryption: https://dev.twitter.com/docs/security/using-ssl

Eliezer Croitoru | 7 Apr 22:01 2014

Do we have an algorithm to define the cacheability of an object by the request and response?

For example some question was asked about youtube in the past if it's 
cachable or not.
Once we see the request and the response we can say it is cachable.
for example this request:
Host: r8---sn-nhpax-ua8e.googlevideo.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 
Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://s.ytimg.com/yts/swfbin/player-vflXH_6x-/watch_as3.swf
Connection: keep-alive
##end

should be cachable but forces or accepts gzip.
and indeed it's being cached.
The issue is that the player is using vbr which changes the requests and 
responses size and shape each time as far as I understand.
A store log can show that the object is being stored but the next 
request is not the same as the previous one that seems pretty similar.

So in a case you do try to cache youtube for example it will be very 
hard to cache an application which changes its way of fetching the same 
object in different sizes and shapes.

Eliezer

Sylvio Cesar | 7 Apr 16:02 2014

Re: inconsistency with objects in squid cache

2014-04-06 13:46 GMT-03:00, Eliezer Croitoru <eliezer <at> ngtech.co.il>:
> On 04/06/2014 05:29 PM, Sylvio Cesar wrote:
>> but this happens only in the network 10.21.155.0/24.
> then squid.conf and the debug_options output would help to understand if
> it is the reason or there is another reason.
>
> Eliezer
>

Hi Eliezer,

    I noticed that when there is the header "Vary:
Accept-Encoding,User-Agent" the object is not cached.

Following logs cache.log and cachemgr.cgi

HTTP/1.1 200 OK
Date: Mon, 07 Apr 2014 12:26:02 GMT
Server: Apache/2.0.63
Last-Modified: Tue, 11 Mar 2014 22:31:34 GMT
ETag: "586039-e63e58-484cbd80"
Accept-Ranges: bytes
Content-Length: 15089240
Vary: Accept-Encoding,User-Agent
Cache-Control: public
Keep-Alive: timeout=15, max=35
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1

FLV^A^E

Jasper Van Der Westhuizen | 7 Apr 08:28 2014

Blank page on first load

Hi all

I have a problem with some of my users getting blank pages when loading
sites like google and MSN. They would open the site and get a blank
page, but when refreshing it loads. These users mostly use IE11 but have
had it with browsers like Safari. Although I have to say that 98% of the
time it is with IE10 and 11.

In my squid logs I can see the request going to the website. The client
just gets a blank page until they reload it.

My setup is 3 servers running squid 3-3.1.12-8.12.1 behind an F5 load
balancer. From there I send all traffic to a ZScaler cache peer. In my
testing I have bypassed the cache peer but without any success.

Has anyone come across this problem before?

-- 
Kind Regards
Jasper

Dan Charlesworth | 7 Apr 06:58 2014

Error negotiating SSL connection on FD ##: Closed by client

This somewhat vague error comes up with relative frequency from iOS apps when browsing via our Squid 3.4.4
intercepting proxy which is performing server-first SSL Bumping.

The requests in question don’t make it as far as the access log, but with debug_options 28,3 26,3, the dst
IP can be identified and allowed through with ssl_bump none.

The device trusts Squid's CA, but apparently that’s not enough for the Twitter iOS app and certain Akamai
requests that App Store updates use.

Can anyone suggest how one might debug this further? Or just an idea of why the client might be closing the SSL
connection in certain cases?

Thanks!

Derek Jones | 7 Apr 00:38 2014

Notification to users - SSL bumping on Cygwin

I've been working on implementing SSL bumping with Squid on Cygwin. I
want to inform the community that you don't need to run ./configure or
recompile Squid to enable SSL bumping with Cygwin on Windows Server
2008 R2 Standard.

When you install Cygwin, make sure you install the following packages:
Admin Devel Net Archive Interpreters Perl Base Libs Python Database
Mail Ruby Debug Math Security Shells System Tcl Utils Web

You can then edit your squid.conf file to configure ssl-bumping as needed.

I hope this helps some people!

Derek

Rajesh Srivastava | 6 Apr 18:56 2014

SSL bump not working for Android and IOS apps

Hi,

As part of a proof of concept, I am able to use ssl bump for https sites
from IE and Firefox browsers. I have created a self signed certificate in
squid and have added the same as trusted certificate in IE and Firefox
browsers. 

I added the same certificate in a mobile device and could see ssl bump is
working from inbuilt mobile browser, chrome\safari browsers. But when I use
mobile apps, then for couple of apps like twitter, soundhound etc, ssl bump
is not working and I can see SSL error in squid cache log. 

Is there a way to address ssl bump for mobile apps? 

Thanks in advance,
Rajesh
