Netgate Discussion Forum
    Squid random disconnects random webpages

    31 Posts 3 Posters 4.4k Views 2 Watching
    • Raffi_

      What is the main purpose of squid in your setup? Is it URL filtering via squid guard?
      If you disable squid, do your problems go away?

      On a separate note, I don't think you need 1.1.1.1 or 1.0.0.1 in System > General Setup. You don't have forwarding mode enabled in the Resolver, so pfSense should still be the first option. That's a good thing. pfSense (Unbound) is generally going to be the best option for DNS resolution. That's my personal opinion, but I'd rather not use external servers. The main reason is security: external servers are much bigger targets for an attack. Privacy is another one. I don't care, but some people who are concerned about privacy avoid external servers; you don't know what they're doing with the information that goes to their DNS servers. Oh, and it's not really going to speed up queries anyway. Unbound will be caching the sites you visit, so the external servers will not be used for the most part. The majority of the time Unbound should resolve almost instantly from cache.

      • La6er

        Yes, I am using squid along with squidguard for web filtering, and yes, if I stop squid it works fine... With squid I randomly get issues like no DNS resolution or the SSL_ERROR. I have deleted both DNS servers in General Setup and the overrides in the DNS Resolver; I will check how it performs.

        • Raffi_

          That's good to know. For URL filtering, I would suggest giving the package pfblockerNG-devel a try. It's very easy to set up, very effective and doesn't require squid. SSL filtering via squid can cause problems, so avoiding it if possible would be best.

          • La6er

            I did consider pfblocker, but the thing is... I have several subnets with different kinds of web access permissions. Maybe I did not look at all the information... but is it possible to set up this kind of web access group?

            • La6er

              Still having the same issue; lots of pages are failing :(

              • KOM

                How many users in your environment? You are probably having an issue with a low number of rewrite & SSL child threads. Look into sslcrtd_children and url_rewrite_children which are configured under Services - Squid proxy server - General - Advanced Options - Integrations.

                • La6er

                  Around 500 users at this time. I have SSL Certificate Daemon Children set to 20 and url_rewrite_children 64 startup=32 idle=16 concurrency=0.

                  • KOM

                    What do you mean? You already had those set, or you just set them now?

                    • La6er

                      I had them configured that way already.

                      • KOM

                        Perhaps not enough?

                        • La6er

                          I have increased them; besides, I am currently using just 1 PC for testing purposes... and I still received the error err_ssl_protocol_error. Any ideas? :(

                          • La6er

                            Currently testing with just squid... squidguard is currently disabled, and I am still getting SSL errors.

                            • KOM

                              @la6er said in Squid random disconnects random webpages:

                              err_ssl_protocol_error

                              Post the squid access.log details from the time that the error happens. You may need to increase the default level of logging via the debug_options directive.

                              • La6er

                                These are the logs I received when a web page fails:

                                1542122446.776 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
                                1542122446.946 11 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -
                                1542122446.947 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
                                1542122446.960 9 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -

                                • La6er
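The four access.log lines posted above are in Squid's native log format (time, elapsed ms, client, cache-code/status, bytes, method, URL, user, hierarchy/peer, content type). In that format a CONNECT answered with TAG_NONE/409 and HIER_NONE means Squid refused the tunnel itself without ever contacting the origin; that is the reply Squid's host-header forgery check sends on intercepted connections when the IP the client connected to is not among the addresses Squid resolves for the requested host, so these entries are the ones worth pulling out of a busy log and comparing against the client's and the proxy's DNS answers. The script below is an added example, not code from the thread or from pfSense or Squid; it parses the posted lines (used here as sample input) and summarises the refused CONNECTs per client and destination.

```javascript
// Added example, not from the thread: parse Squid native access.log lines
// and flag CONNECT requests that Squid itself answered with 409 Conflict.
// Native log fields (whitespace separated):
//   time elapsed client code/status bytes method url user hierarchy/peer type

// The four lines posted in the thread, used here as sample input.
const SAMPLE_LOG = [
  "1542122446.776 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html",
  "1542122446.946 11 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -",
  "1542122446.947 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html",
  "1542122446.960 9 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -",
];

// Split one native-format line into named fields; null for anything else.
function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [code, status] = f[3].split("/");
  const [hierarchy, peer] = f[8].split("/");
  return {
    time: new Date(Number(f[0]) * 1000),   // epoch seconds with millisecond fraction
    elapsedMs: Number(f[1]),
    client: f[2],
    code,                                  // TAG_NONE: no cache tag, normal for CONNECT
    status: Number(status),
    bytes: Number(f[4]),
    method: f[5],
    url: f[6],                             // host:port for CONNECT
    user: f[7],
    hierarchy,                             // HIER_NONE: Squid generated the reply itself
    peer,
    contentType: f[9],
  };
}

// Every CONNECT that Squid refused with 409, i.e. the tunnel was never opened.
function findConnectConflicts(lines) {
  return lines
    .map(parseSquidLine)
    .filter((e) => e !== null && e.method === "CONNECT" && e.status === 409);
}

// Count refusals per client and destination so the noisiest pairs surface first.
function summarizeConflicts(entries) {
  const counts = new Map();
  for (const e of entries) {
    const key = `${e.client} -> ${e.url}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

for (const [key, n] of summarizeConflicts(findConnectConflicts(SAMPLE_LOG))) {
  console.log(`${n}x CONNECT refused with 409: ${key}`);
}
```

Run against a full access.log the same filter separates the refused tunnels (hostname, 409) from the retries the browser made to the raw IP (200), which is exactly the pattern visible in the four posted lines.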

                                  Currently the main issue looks to be sites related to Google, but sometimes if I wait just a few minutes without doing anything, they work after I refresh.

                                  • KOM

                                    A 409 is a conflict. Strange. I don't have a definitive answer for you, but start by Googling 'squid 409 conflict err_ssl_protocol_error'.

                                    • La6er

                                      I have. I disabled 2 different things on my browsers, and so far it looks stable, but it means I have to do that on over 1000 PCs.

                                      • KOM

                                        Does the problem occur when the proxy is running in explicit mode? I've always hated transparent mode for the issues it has always caused me. Explicit + WPAD has worked for me for years now.

                                        • La6er

                                          I indeed have it configured using transparent mode; every time I tried using WPAD it did not let me download the files in the browser, so I assumed it is not working properly that way.

                                          • KOM

                                            The wpad.dat and proxy.pac files must reside on an HTTP server, not HTTPS. They must have correct contents. Clients on your network must be able to resolve wpad.your.domain.

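The three conditions in the post above (plain HTTP, correct file contents, clients able to resolve wpad.your.domain) are easy to get wrong one at a time, so here is an added example, not from the thread or from pfSense, of a minimal wpad.dat together with a check of how it is being served. The proxy address 192.0.2.1:3128, the internal domain example.lan and the LAN range 10.16.0.0/16 are constructed assumptions; the browser-provided PAC helpers are given minimal stand-in implementations so the file can be exercised under Node as well as by a browser.

```javascript
// Added example, not from the thread: a minimal wpad.dat / proxy.pac and a
// check of the conditions the post lists for WPAD to work.
// Assumptions (constructed): proxy at 192.0.2.1:3128, internal DNS domain
// example.lan, LAN 10.16.0.0/16.

// No "; DIRECT" fallback: if the proxy is down, browsers fail closed instead
// of silently bypassing the filter.
const PROXY = "PROXY 192.0.2.1:3128";

// Browsers supply these to PAC scripts; stand-ins so the file also runs under Node.
// This isInNet accepts dotted-quad hosts only (a browser would resolve names first).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0);
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// PAC entry point: local names and addresses go DIRECT, everything else via the proxy.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".example.lan")) return "DIRECT";
  if (isInNet(host, "10.16.0.0", "255.255.0.0")) return "DIRECT";
  return PROXY;
}

// WPAD discovery fetches http://wpad.<domain>/wpad.dat. Given the URL the
// client used, the Content-Type it got back and the address wpad.<domain>
// resolved to (null if it did not), return the list of problems (empty = OK).
function checkWpadDeployment(fetchedUrl, contentType, resolvedAddress) {
  const problems = [];
  const u = new URL(fetchedUrl);
  if (u.protocol !== "http:") problems.push("must be served over plain HTTP, not " + u.protocol.replace(":", ""));
  if (!u.hostname.startsWith("wpad.")) problems.push("host name must be wpad.<your.domain>, got " + u.hostname);
  if (!/^\/(wpad\.dat|proxy\.pac)$/.test(u.pathname)) problems.push("path should be /wpad.dat or /proxy.pac, got " + u.pathname);
  if (!/application\/x-ns-proxy-autoconfig/i.test(contentType || "")) problems.push("Content-Type must be application/x-ns-proxy-autoconfig");
  if (!resolvedAddress) problems.push("clients cannot resolve " + u.hostname);
  return problems;
}

// Constructed usage: a correct deployment next to one served over HTTPS as text/html.
console.log(FindProxyForURL("https://twitter.com/", "twitter.com"));
console.log(checkWpadDeployment("http://wpad.example.lan/wpad.dat", "application/x-ns-proxy-autoconfig", "10.16.0.5"));
console.log(checkWpadDeployment("https://wpad.example.lan/wpad.dat", "text/html", null));
```

Serving wpad.dat from an HTTPS-only host, or with a generic text/html type, is enough for a browser to discard it silently, which is what a "cannot download the file" symptom usually comes down to; the same check applies to a proxy.pac handed out by DHCP option 252 or by a manually configured PAC URL.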
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.