Netgate Discussion Forum

    Squid 3 HTTPS (ssl connect) pages loading slowly / after retries

    pfSense Packages
      mrstrong

      I’m having an issue with setting up Squid. I’ve got a fresh install of pfSense, and I installed squid lite and then the squid3 package.
      The problem is that when a user browses to a site using HTTPS, on the first attempt the browser reports ‘Unable to connect’, and the squid access log shows ‘TCP_MISS/503 www.google.com.au:443’. Then after a refresh or two the page will load. To make things worse, any dynamic content on the site needs another refresh to load. If the connection is inactive even for a short time, the process happens again.

      Some testing I have attempted:

      • through my 3G connection :P, just to make sure it’s not another fault
      • from some research I’m thinking this is quite possibly a DNS issue, so I’ve tried changing from the ISP’s to Google 8.8.8.8
      • I have tried on both 2.0.1-RELEASE (amd64) and 2.1-BETA0 (amd64)

      Surely there’s something I’m missing (I’m relatively new to this); I can’t see something as used as pfSense and squid breaking like this.

      Squid config

      # This file is automatically generated by pfSense
      # Do not edit manually !
      http_port 192.168.1.1:3128
      icp_port 7
      
      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/local/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@localhost
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      sslcrtd_children 0
      logfile_rotate 2
      shutdown_lifetime 3 seconds
      uri_whitespace strip
      
      acl dynamic urlpath_regex cgi-bin \?
      cache deny dynamic
      cache_mem 512 MB
      maximum_object_size_in_memory 128 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      cache_dir ufs /var/squid/cache 2000 4 256
      minimum_object_size 0 KB
      maximum_object_size 5120 KB
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      
      # No redirector configured
      
      #Remote proxies
      
      # Setup some default acls
      acl allsrc src all
      acl localhost src 127.0.0.1/32
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
      acl sslports port 443 563  
      acl manager proto cache_object
      acl purge method PURGE
      acl connect method CONNECT
      
      acl allowed_subnets src 192.168.1.0/24
      http_access allow manager localhost
      
      # Allow external cache managers
      acl ext_manager src 127.0.0.1
      acl ext_manager src 192.168.1.1
      acl ext_manager src 
      http_access allow manager ext_manager
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      http_access allow localhost
      
      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc
      
      # Reverse Proxy settings
      
      # Custom options
      
      # Setup allowed acls
      http_access allow allowed_subnets
      # Default block all to be sure
      http_access deny allsrc
      
      

      Snippet from access log

       Date 	IP 	Status 	Address 	User 	Destination
      19.08.2012 22:55:08 	192.168.1.100 	TCP_MISS/503 	http://safebrowsing.clients.google.com/safebrowsing/downloads? 	- 	safebrowsing.clients.google.com
      19.08.2012 22:53:22 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.140
      19.08.2012 22:51:19 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
      19.08.2012 22:48:34 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.108
      19.08.2012 22:46:31 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
      19.08.2012 22:44:58 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.107
      19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com:443 	- 	74.125.237.145
      19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
      19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
      19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
      19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn2.google.com:443 	- 	74.125.237.97
      19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
      19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	news.google.com:443 	- 	74.125.237.97
      19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	ssl.gstatic.com:443 	- 	74.125.237.111
      19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn0.google.com:443 	- 	74.125.237.104
      19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn0.google.com:443 	- 	74.125.237.104
      19.08.2012 22:42:55 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
      19.08.2012 22:42:21 	192.168.1.100 	TCP_MISS/503 	www.google.com:443 	- 	-
      19.08.2012 22:42:19 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.108
      19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn2.google.com:443 	- 	-
      19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn0.google.com:443 	- 	-
      19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn0.google.com:443 	- 	-
      19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	news.google.com:443 	- 	-
      19.08.2012 22:42:15 	192.168.1.100 	TCP_MISS/503 	ssl.gstatic.com:443 	- 	-
      19.08.2012 22:42:13 	192.168.1.100 	TCP_MISS/503 	www.google.com.au:443 	- 	-
      19.08.2012 22:34:49 	192.168.1.100 	TCP_MISS/200 	secure.leadback.advertising.com:443 	- 	64.236.85.82
      19.08.2012 22:34:42 	192.168.1.100 	TCP_MISS/200 	s3.amazonaws.com:443 	- 	207.171.185.200
      19.08.2012 22:34:39 	192.168.1.100 	TCP_MISS/200 	googleads.g.doubleclick.net:443 	- 	74.125.237.109
      19.08.2012 22:34:39 	192.168.1.100 	TCP_MISS/200 	ssl.google-analytics.com:443 	- 	74.125.237.158
      19.08.2012 22:34:37 	192.168.1.100 	TCP_MISS/200 	ajax.googleapis.com:443 	- 	74.125.31.95
      
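The fail-then-succeed pattern in the log excerpt above can be pulled out of a longer log mechanically. This is an added example, not part of the original posts: it assumes the six-column, tab-separated layout shown in the excerpt, and the function names and the five-minute retry window are hypothetical choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the access-log excerpt quoted in the post (tab-separated, newest first).
SAMPLE_LOG = """\
19.08.2012 22:53:22\t192.168.1.100\tTCP_MISS/200\tlh6.ggpht.com:443\t-\t74.125.237.140
19.08.2012 22:51:19\t192.168.1.100\tTCP_MISS/503\tlh6.ggpht.com:443\t-\t-
19.08.2012 22:44:32\t192.168.1.100\tTCP_MISS/200\twww.google.com.au:443\t-\t74.125.237.119
19.08.2012 22:42:21\t192.168.1.100\tTCP_MISS/503\twww.google.com:443\t-\t-
19.08.2012 22:42:13\t192.168.1.100\tTCP_MISS/503\twww.google.com.au:443\t-\t-
19.08.2012 22:34:42\t192.168.1.100\tTCP_MISS/200\ts3.amazonaws.com:443\t-\t207.171.185.200
"""

def parse(log_text):
    """Yield (time, client, http_status, address, destination) for each valid line."""
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 6:
            continue  # not a log row
        try:
            when = datetime.strptime(fields[0], "%d.%m.%Y %H:%M:%S")
            status = int(fields[2].rsplit("/", 1)[1])
        except (ValueError, IndexError):
            continue  # column header or malformed row
        yield when, fields[1], status, fields[3], fields[5]

def retry_recoveries(log_text, window=timedelta(minutes=5)):
    """Return {address: (failures, recovered)}.

    failures  = 503 rows logged with no destination address ("-")
    recovered = those failures followed by a 200 for the same client and
                address within `window` (the refresh-fixes-it symptom)
    """
    events = sorted(parse(log_text))  # the log is newest-first; process in time order
    pending = defaultdict(list)       # (client, address) -> times of unresolved 503s
    report = defaultdict(lambda: [0, 0])
    for when, client, status, address, dest in events:
        key = (client, address)
        if status == 503 and dest == "-":
            report[address][0] += 1
            pending[key].append(when)
        elif status == 200:
            report[address][1] += sum(1 for t in pending[key] if when - t <= window)
            pending[key].clear()
    return {addr: tuple(v) for addr, v in report.items() if v[0]}

if __name__ == "__main__":
    for addr, (failed, recovered) in retry_recoveries(SAMPLE_LOG).items():
        print(f"{addr}: {failed} x 503 without destination, {recovered} recovered on retry")
```

Hosts that show failures recovered on retry, with no destination address on the 503 rows, are the ones worth comparing before and after a resolver or proxy configuration change.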
        marcelloc

        Maybe a squid 3.1.20 compile problem on pfSense. The latest update on ports fixed a DNS feature compile issue.

        I'll check if this option is still disabled in the squid build XML. If so, I'll re-enable it and wait for the next package compile run.

        Elite training: http://sys-squad.com

        Help a community developer! ;D

          mrstrong

          OK, thanks. I've gone back to the stable package for now, but I'll be watching for the update.

            filipisilva

            Hello,

            My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
            My pfsense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6

            I solved my problem by adding this to Custom Options in squid:
            dns_v4_first on

            Regards

              asmat

              @filipisilva:

              Hello,

              My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
              My pfsense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6

              I solved my problem by adding this to Custom Options in squid:
              dns_v4_first on

              Regards

              THIS WORKS!!!

              Thank you so much  :D

                tester_02

                Not 100% sure why, but I've had issues with some sites for years on squid (www.ncix.com). The sites would not load, and only after repeated tries would they sometimes show up. I had hoped v3 would fix the issues, but so far it hasn't.
                Tried the suggested additional DNS option just as a faint hope. Guess what? It works!!!!
                Now I am down to just the weird occasional YouTube glitch (on the top right it sometimes loads a window in the window and multiple videos load). Eventually the browser crashes after too many sub-windows (only affects some YouTube pages). With squid off, no issues.
                Also, on some sites like cbc.ca, the video won't play. Weird, but mostly acceptable.

                At least after many years, 1 down out of 3!!!!!!

                  marcelloc

                  I've included this dns_v4_first option in the squid3 pkg v 2.0.5_4 general tab.

                  [Screenshot: squid3_dns_v4_first.png]
