Squid 3 HTTPS (ssl connect) pages loading slowly / after retries



  • I’m having an issue setting up Squid. I’ve got a fresh install of pfSense, and I installed squid lite and then the squid3 package.
    The problem is that when a user browses to a site using HTTPS, on the first attempt the browser reports ‘Unable to connect’ and the squid access log shows ‘TCP_MISS/503 www.google.com.au:443’; after a refresh or two the page will load. To make things worse, any dynamic content on the site needs another refresh to load. If the connection is inactive even for a short time, the process happens again.

    Some testing I have attempted:

    • through my 3G connection :P, just to make sure it’s not another fault
    • from some research I’m thinking this is quite possibly a DNS issue, so I’ve tried changing from the ISP’s DNS to Google’s 8.8.8.8
    • I have tried on both 2.0.1-RELEASE (amd64) and 2.1-BETA0 (amd64)

    Surely there’s something I’m missing (I’m relatively new to this); I can’t see something as widely used as pfSense and squid breaking like this.

    Squid config

    # This file is automatically generated by pfSense
    # Do not edit manually !
    http_port 192.168.1.1:3128
    icp_port 7
    
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    sslcrtd_children 0
    logfile_rotate 2
    shutdown_lifetime 3 seconds
    uri_whitespace strip
    
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    cache_mem 512 MB
    maximum_object_size_in_memory 128 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 2000 4 256
    minimum_object_size 0 KB
    maximum_object_size 5120 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    
    # No redirector configured
    
    #Remote proxies
    
    # Setup some default acls
    acl allsrc src all
    acl localhost src 127.0.0.1/32
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
    acl sslports port 443 563  
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    
    acl allowed_subnets src 192.168.1.0/24
    http_access allow manager localhost
    
    # Allow external cache managers
    acl ext_manager src 127.0.0.1
    acl ext_manager src 192.168.1.1
    acl ext_manager src 
    http_access allow manager ext_manager
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    
    # Custom options
    
    # Setup allowed acls
    http_access allow allowed_subnets
    # Default block all to be sure
    http_access deny allsrc
    
    

    Snippet from access log

     Date 	IP 	Status 	Address 	User 	Destination
    19.08.2012 22:55:08 	192.168.1.100 	TCP_MISS/503 	http://safebrowsing.clients.google.com/safebrowsing/downloads? 	- 	safebrowsing.clients.google.com
    19.08.2012 22:53:22 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.140
    19.08.2012 22:51:19 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
    19.08.2012 22:48:34 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.108
    19.08.2012 22:46:31 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
    19.08.2012 22:44:58 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.107
    19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com:443 	- 	74.125.237.145
    19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
    19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
    19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
    19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn2.google.com:443 	- 	74.125.237.97
    19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
    19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	news.google.com:443 	- 	74.125.237.97
    19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	ssl.gstatic.com:443 	- 	74.125.237.111
    19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn0.google.com:443 	- 	74.125.237.104
    19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn0.google.com:443 	- 	74.125.237.104
    19.08.2012 22:42:55 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
    19.08.2012 22:42:21 	192.168.1.100 	TCP_MISS/503 	www.google.com:443 	- 	-
    19.08.2012 22:42:19 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.108
    19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn2.google.com:443 	- 	-
    19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn0.google.com:443 	- 	-
    19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn0.google.com:443 	- 	-
    19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	news.google.com:443 	- 	-
    19.08.2012 22:42:15 	192.168.1.100 	TCP_MISS/503 	ssl.gstatic.com:443 	- 	-
    19.08.2012 22:42:13 	192.168.1.100 	TCP_MISS/503 	www.google.com.au:443 	- 	-
    19.08.2012 22:34:49 	192.168.1.100 	TCP_MISS/200 	secure.leadback.advertising.com:443 	- 	64.236.85.82
    19.08.2012 22:34:42 	192.168.1.100 	TCP_MISS/200 	s3.amazonaws.com:443 	- 	207.171.185.200
    19.08.2012 22:34:39 	192.168.1.100 	TCP_MISS/200 	googleads.g.doubleclick.net:443 	- 	74.125.237.109
    19.08.2012 22:34:39 	192.168.1.100 	TCP_MISS/200 	ssl.google-analytics.com:443 	- 	74.125.237.158
    19.08.2012 22:34:37 	192.168.1.100 	TCP_MISS/200 	ajax.googleapis.com:443 	- 	74.125.31.95
    

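An added example (not from the thread and not code from the pfSense package): a Python script that reads Squid's native access.log format and pairs each failed CONNECT (a 503 whose peer field is "-", the "-" shown in the Destination column of the snippet above) with the first later successful CONNECT to the same host. The sample lines are constructed to mirror the GUI snippet: same hosts, same peer addresses and roughly the same two-minute gap between the 503 and the 200. The native-format field layout is Squid's documented "squid" logformat; the elapsed times, byte counts and HIER_NONE/HIER_DIRECT codes in the sample are invented. Running it over a real /var/squid/logs/access.log before and after a change such as the dns_v4_first option suggested later in the thread shows whether the retry-then-success pattern has gone.

```python
"""Spot the "CONNECT gets 503, then works on retry" pattern in a Squid access.log.

Added example for the thread above, not code from the pfSense package. Assumes
Squid's native log format (logformat "squid"), one request per line:
  <unix-time> <elapsed-ms> <client> <code>/<status> <bytes> <method> <url> <user> <hier>/<peer> <type>
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample mirroring the GUI snippet in the post: same hosts, same peer
# addresses, ~2 minute gap between 503 and 200. Elapsed times, byte counts and
# the HIER_* codes are invented.
SAMPLE_LOG = """\
1345380133.412    129 192.168.1.100 TCP_MISS/503 0 CONNECT www.google.com.au:443 - HIER_NONE/- text/html
1345380135.901    105 192.168.1.100 TCP_MISS/503 0 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
1345380136.210    110 192.168.1.100 TCP_MISS/503 0 CONNECT news.google.com:443 - HIER_NONE/- text/html
1345380139.002  31244 192.168.1.100 TCP_MISS/200 5120 CONNECT lh6.ggpht.com:443 - HIER_DIRECT/74.125.237.108 -
1345380141.330    120 192.168.1.100 TCP_MISS/503 0 CONNECT www.google.com:443 - HIER_NONE/- text/html
1345380175.640    115 192.168.1.100 TCP_MISS/503 0 CONNECT lh6.ggpht.com:443 - HIER_NONE/- text/html
1345380271.118  40211 192.168.1.100 TCP_MISS/200 82311 CONNECT www.google.com.au:443 - HIER_DIRECT/74.125.237.119 -
1345380271.231  40100 192.168.1.100 TCP_MISS/200 1500 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/74.125.237.111 -
1345380271.455  40010 192.168.1.100 TCP_MISS/200 9000 CONNECT news.google.com:443 - HIER_DIRECT/74.125.237.97 -
1345380272.010  38800 192.168.1.100 TCP_MISS/200 3500 CONNECT www.google.com:443 - HIER_DIRECT/74.125.237.145 -
1345380298.770  35000 192.168.1.100 TCP_MISS/200 2200 CONNECT lh6.ggpht.com:443 - HIER_DIRECT/74.125.237.107 -
1345380908.000    200 192.168.1.100 TCP_MISS/503 0 GET http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    status: int
    method: str
    url: str
    peer: str  # "-" means Squid never opened a connection to any origin or peer

    @property
    def host(self) -> str:
        # CONNECT lines log host:port; drop the port so 503 and 200 lines match.
        return self.url.rsplit(":", 1)[0] if self.method == "CONNECT" else self.url


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], int(m["status"]), m["method"], m["url"], m["peer"])


def parse_log(text: str) -> List[Entry]:
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return sorted(entries, key=lambda e: e.ts)


@dataclass
class Recovery:
    host: str
    failed_at: float
    succeeded_at: float
    peer: str  # upstream address the successful retry reached

    @property
    def delay_s(self) -> float:
        return round(self.succeeded_at - self.failed_at, 3)


def find_retry_recoveries(entries: List[Entry], window_s: float = 300.0) -> List[Recovery]:
    """Pair every failed CONNECT (503, no peer) with the first later successful
    CONNECT to the same host inside window_s seconds. A long list means users
    are reloading to get through, which is the symptom described in the post."""
    found = []
    for i, e in enumerate(entries):
        if e.method != "CONNECT" or e.status != 503 or e.peer != "-":
            continue
        for later in entries[i + 1:]:
            if later.ts - e.ts > window_s:
                break
            if later.method == "CONNECT" and later.host == e.host and 200 <= later.status < 300:
                found.append(Recovery(e.host, e.ts, later.ts, later.peer))
                break
    return found


def connect_summary(entries: List[Entry]) -> Dict[str, int]:
    """Counts that separate 'never reached upstream' 503s from other CONNECT results."""
    c = [e for e in entries if e.method == "CONNECT"]
    return {
        "connect_total": len(c),
        "connect_503": sum(e.status == 503 for e in c),
        "connect_503_no_upstream": sum(e.status == 503 and e.peer == "-" for e in c),
        "connect_2xx": sum(200 <= e.status < 300 for e in c),
    }


if __name__ == "__main__":
    # Usage: python3 squid_connect_retries.py [/var/squid/logs/access.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    log = parse_log(text)
    print(connect_summary(log))
    for r in find_retry_recoveries(log):
        print(f"{r.host:28} 503 then 200 after {r.delay_s:7.1f}s via {r.peer}")
```

On the constructed sample every CONNECT 503 has no peer and every one is followed by a successful CONNECT to the same host about two minutes later, which is the shape of the snippet above. A 503 that has a peer address, or one with no later success at all, is a different problem (a real upstream refusal or an ACL block) and should not be blamed on DNS.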

  • Maybe a squid 3.1.20 compile problem on pfSense. The latest update on ports fixed a DNS feature compile issue.

    I'll check if this option is still disabled in the squid build XML. If so, I'll re-enable it and wait for the next package compile run.



  • OK, thanks. I've gone back to the stable package for now, but I'll be watching for the update.



  • Hello,

    My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
    My pfsense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6

    I solved my problem by adding this to Custom Options on squid:
    dns_v4_first on

    Abs



  • @filipisilva:

    Hello,

    My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
    My pfsense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6

    I solved my problem by adding this to Custom Options on squid:
    dns_v4_first on

    Abs

    THIS WORKS!!!

    Thank you so much  :D



  • Not 100% sure why, but I've had issues with some sites for years on squid (www.ncix.com). The sites would not load, and only after repeated tries would they sometimes show up. I had hoped v3 would fix the issues, but so far it hasn't.
    Tried the suggested additional DNS option just as a faint hope. Guess what? It works!!!!
    Now I am down to just the weird occasional YouTube glitch (at the top right it sometimes loads a window in the window and multiple videos load). Eventually the browser crashes after too many sub-windows (only affects some YouTube pages). With squid off, no issues.
    Also on some sites like cbc.ca, the video won't play. Weird, but mostly acceptable.

    At least after many years, 1 down out of 3!!!!!!



  • I've included this dns_v4_first option in the squid3 pkg v2.0.5_4 general tab.


