Squid random disconnects random webpages

La6er

Yes I am using squid along with squidguard for web filtering and yes If I stop squid it works fine... with squid I randomly get issues like no DNS resolutions or the SSL_ERROR, I have deleted both DNS servers on my general and overrides on the DNS resolver, I will check how it performs

Raffi_

That's good to know. For URL filtering, I would suggest giving the package pfblockerNG-devel a try. It's very easy to setup, very effective and doesn't require squid. SSL filtering via squid can cause problems, so avoiding it if possible would be best.

La6er

I did considered pfblocker but the thing is... I have several subnets with different kinds of web access permissions, Maybe I did not looked for the whole information... but... Is it possible to set this kind of web access groups?

La6er

still having the same issue, lots of pages are failing :(

KOM

How many users in your environment? You are probably having an issue with a low number of rewrite & SSL child threads. Look into sslcrtd_children and url_rewrite_children which are configured under Services - Squid proxy server - General - Advanced Options - Integrations.

La6er

around 500 users at this time, I have SSL Certificate Deamon Children set to 20 and url_rewrite_children 64 startup=32 idle=16 concurrency=0

KOM

What do you mean? You already had those set, or you just set them now?

La6er

I had them configured that way already

KOM

Perhaps not enough?

La6er

I have increeased besides I am currently using just 1 pc for testing purposes... and I still received error err_ssl_protocol_error, any ideas? :(

La6er

currently testing with just squid... squidguard is currently disabled, still getting SSL errors

KOM

@la6er said in Squid random disconnects random webpages:

err_ssl_protocol_error

Post the squid access.log details from the time that the error happens. You may need to increase the default level of logging via the debug_options directive.

La6er

this are the logs I received when a wp fails

1542122446.776 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
1542122446.946 11 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -
1542122446.947 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
1542122446.960 9 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -

La6er

currently the main issue looks to be sites related to google, but sometimes if I wait just a few minutes without doing anything they work after I refresh

KOM

A 409 is a conflict. Strange. I don't have a definitive answer for you but start by Googling 'squid 409 conflict err_ssl_protocol_error'

La6er

I have, I disabled 2 different things on my browsers, and so far looks stable, but it means I have to do that on over a 1000 pcs

KOM

Does the problem occur when the proxy is running in explicit mode? I've always hated transparent mode for the issues it has always caused me. Explicit + WPAD has worked for me for years now.

La6er

I indeed have it configured using transparent mode, everytime I tried using WPAD it does not let me download the files on the browser so I asummed it is not working properly in that way

KOM

The wpad.dat and proxy.pac files must reside on an HTTP server, not HTTPS. They must have correct contents. Clients on your network must be able to resolve wpad.your.domain.

La6er

what if my computer does not have any domain? I have set the files on another pfsense solution with the following script

function FindProxyForURL(url,host)
{
return "PROXY 10.30.251.61:3128";
}

they are located on usr/local/www/ but if I set autodetect proxy it does not work, if I set manually http://10.30.251.59/proxy.pac (which is the ip of my http pfsense) on my browser it does not work, however if i set manually the proxy conf on the browser it works perfectly, I have set a host override on my dns resolver, and I am also using static ips on my clients