Squid 3 HTTPS (ssl connect) pages loading slowly / after retries
-
I'm having an issue with setting up Squid. I've got a fresh install of pfSense, and I installed squid lite and then the squid3 package.
The problem is when a user browses to a site using HTTPS: on the 1st attempt the browser reports 'Unable to connect', and the squid access log shows 'TCP_MISS/503 www.google.com.au:443'. Then, after a refresh or two, the page will load; to make things worse, any dynamic content on the site needs another refresh to load. If the connection is inactive even for a small time the process happens again. Some testing I have attempted:
- through my 3G connection :P, just to make sure it’s not another fault
- from some research I'm thinking this is quite possibly a DNS issue, so I've tried changing from the ISP's DNS to Google's 8.8.8.8
- I have tried on both 2.0.1-RELEASE (amd64) and 2.1-BETA0 (amd64)
Surely there's something I'm missing (I'm relatively new to this); I can't see something as widely used as pfSense and squid breaking like this.
Squid config
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128
icp_port 7
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 2
shutdown_lifetime 3 seconds
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 512 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 2000 4 256
minimum_object_size 0 KB
maximum_object_size 5120 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
# No redirector configured
#Remote proxies
# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl allowed_subnets src 192.168.1.0/24
http_access allow manager localhost
# Allow external cache managers
acl ext_manager src 127.0.0.1
acl ext_manager src 192.168.1.1
acl ext_manager src
http_access allow manager ext_manager
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options
# Setup allowed acls
http_access allow allowed_subnets
# Default block all to be sure
http_access deny allsrc
Snippet from access log
Date       Time     IP            Status       Address                                                       User Destination
19.08.2012 22:55:08 192.168.1.100 TCP_MISS/503 http://safebrowsing.clients.google.com/safebrowsing/downloads? -    safebrowsing.clients.google.com
19.08.2012 22:53:22 192.168.1.100 TCP_MISS/200 lh6.ggpht.com:443                                             -    74.125.237.140
19.08.2012 22:51:19 192.168.1.100 TCP_MISS/503 lh6.ggpht.com:443                                             -    -
19.08.2012 22:48:34 192.168.1.100 TCP_MISS/200 lh6.ggpht.com:443                                             -    74.125.237.108
19.08.2012 22:46:31 192.168.1.100 TCP_MISS/503 lh6.ggpht.com:443                                             -    -
19.08.2012 22:44:58 192.168.1.100 TCP_MISS/200 lh6.ggpht.com:443                                             -    74.125.237.107
19.08.2012 22:44:32 192.168.1.100 TCP_MISS/200 www.google.com:443                                            -    74.125.237.145
19.08.2012 22:44:32 192.168.1.100 TCP_MISS/200 www.google.com.au:443                                         -    74.125.237.119
19.08.2012 22:44:32 192.168.1.100 TCP_MISS/200 www.google.com.au:443                                         -    74.125.237.119
19.08.2012 22:44:32 192.168.1.100 TCP_MISS/200 www.google.com.au:443                                         -    74.125.237.119
19.08.2012 22:44:31 192.168.1.100 TCP_MISS/200 encrypted-tbn2.google.com:443                                 -    74.125.237.97
19.08.2012 22:44:31 192.168.1.100 TCP_MISS/200 www.google.com.au:443                                         -    74.125.237.119
19.08.2012 22:44:31 192.168.1.100 TCP_MISS/200 news.google.com:443                                           -    74.125.237.97
19.08.2012 22:44:31 192.168.1.100 TCP_MISS/200 ssl.gstatic.com:443                                           -    74.125.237.111
19.08.2012 22:44:31 192.168.1.100 TCP_MISS/200 encrypted-tbn0.google.com:443                                 -    74.125.237.104
19.08.2012 22:44:31 192.168.1.100 TCP_MISS/200 encrypted-tbn0.google.com:443                                 -    74.125.237.104
19.08.2012 22:42:55 192.168.1.100 TCP_MISS/503 lh6.ggpht.com:443                                             -    -
19.08.2012 22:42:21 192.168.1.100 TCP_MISS/503 www.google.com:443                                            -    -
19.08.2012 22:42:19 192.168.1.100 TCP_MISS/200 lh6.ggpht.com:443                                             -    74.125.237.108
19.08.2012 22:42:16 192.168.1.100 TCP_MISS/503 encrypted-tbn2.google.com:443                                 -    -
19.08.2012 22:42:16 192.168.1.100 TCP_MISS/503 encrypted-tbn0.google.com:443                                 -    -
19.08.2012 22:42:16 192.168.1.100 TCP_MISS/503 encrypted-tbn0.google.com:443                                 -    -
19.08.2012 22:42:16 192.168.1.100 TCP_MISS/503 news.google.com:443                                           -    -
19.08.2012 22:42:15 192.168.1.100 TCP_MISS/503 ssl.gstatic.com:443                                           -    -
19.08.2012 22:42:13 192.168.1.100 TCP_MISS/503 www.google.com.au:443                                         -    -
19.08.2012 22:34:49 192.168.1.100 TCP_MISS/200 secure.leadback.advertising.com:443                           -    64.236.85.82
19.08.2012 22:34:42 192.168.1.100 TCP_MISS/200 s3.amazonaws.com:443                                          -    207.171.185.200
19.08.2012 22:34:39 192.168.1.100 TCP_MISS/200 googleads.g.doubleclick.net:443                               -    74.125.237.109
19.08.2012 22:34:39 192.168.1.100 TCP_MISS/200 ssl.google-analytics.com:443                                  -    74.125.237.158
19.08.2012 22:34:37 192.168.1.100 TCP_MISS/200 ajax.googleapis.com:443                                       -    74.125.31.95
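An added example, not from this thread: it parses lines in the access-log layout shown above and flags HTTPS CONNECT targets that first failed with a 503 and no upstream address (Squid never reached the origin, the fingerprint of a resolver problem) and then succeeded on retry. The sample lines are copied from the excerpt above; the newest-first order of the post is kept and sorted by the code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines in the layout of the access-log excerpt in the post
# (date, time, client, status, address, user, destination). Values are
# copied from the excerpt; newest-first order is kept as posted.
SAMPLE_LOG = """\
19.08.2012 22:48:34 192.168.1.100 TCP_MISS/200 lh6.ggpht.com:443 - 74.125.237.108
19.08.2012 22:46:31 192.168.1.100 TCP_MISS/503 lh6.ggpht.com:443 - -
19.08.2012 22:44:58 192.168.1.100 TCP_MISS/200 lh6.ggpht.com:443 - 74.125.237.107
19.08.2012 22:44:32 192.168.1.100 TCP_MISS/200 www.google.com.au:443 - 74.125.237.119
19.08.2012 22:42:55 192.168.1.100 TCP_MISS/503 lh6.ggpht.com:443 - -
19.08.2012 22:42:13 192.168.1.100 TCP_MISS/503 www.google.com.au:443 - -
19.08.2012 22:34:42 192.168.1.100 TCP_MISS/200 s3.amazonaws.com:443 - 207.171.185.200
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<status>TCP_\w+/(?P<code>\d{3})) (?P<address>\S+) (?P<user>\S+) (?P<dest>\S+)$"
)

def parse_log(text):
    """Return parsed entries sorted oldest-first; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(f"{e['date']} {e['time']}", "%d.%m.%Y %H:%M:%S")
            entries.append(e)
    return sorted(entries, key=lambda e: e["when"])

def connect_retry_pattern(text):
    """Map host -> (failures, recoveries) for CONNECT targets (host:443).

    A failure is a 503 with no upstream destination ('-'): Squid never got a
    connection to the origin. A recovery is a later 200 for the same host.
    Hosts that never failed are omitted.
    """
    stats = defaultdict(lambda: [0, 0])
    for e in parse_log(text):
        if not e["address"].endswith(":443"):
            continue  # only the tunnelled HTTPS requests
        host = e["address"][: -len(":443")]
        if e["code"] == "503" and e["dest"] == "-":
            stats[host][0] += 1
        elif e["code"] == "200" and stats[host][0] > 0:
            stats[host][1] += 1
    return {h: tuple(c) for h, c in stats.items() if c[0] > 0}

if __name__ == "__main__":
    for host, (fails, ok) in sorted(connect_retry_pattern(SAMPLE_LOG).items()):
        print(f"{host}: {fails} failed CONNECT(s), {ok} later successes")
```

A host showing the fail/succeed/fail/succeed alternation (lh6.ggpht.com here) matches the "inactive for a small time and it happens again" behaviour described in the post.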
-
Maybe a squid 3.1.20 compile problem on pfSense. The latest update on ports fixed a DNS feature compile issue.
I'll check if this option is still disabled in the squid build XML. If so, I'll re-enable it and wait for the next package compile run.
-
Ok, thanks. I've gone back to the stable package for now, but I'll be watching for the update.
-
Hello,
My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
My pfSense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6. I solved my problem by adding Custom Options on squid:
dns_v4_first on
Abs
-
THIS WORKS!!!
Thank you so much :D
-
Not 100% sure why, but I've had issues with some sites for years on squid (www.ncix.com). The sites would not load, and only after repeated tries would they sometimes show up. I had hoped v3 would fix the issues, but so far it's not.
Tried the suggested additional DNS option just as a faint hope... Guess what? It works!!!!
Now I am down to just the weird occasional YouTube glitch (on the top right it sometimes loads a window in the window and multiple videos load). Eventually the browser crashes after too many sub-windows (only affects some YouTube pages). Squid off, no issues.
Also on some sites like cbc.ca, the video won't play. Weird, but mostly acceptable. At least after many years, 1 down out of 3!!!!!!
-
I've included this dns_v4_first option in the squid3 pkg v2.0.5_4 General tab.