Squid 3 HTTPS (ssl connect) pages loading slowly / after retries

mrstrong

I’m having an issue with setting up Squid, I’ve got a fresh install of pfSense, and I install squid lite and then the squid3 package.
The problem is when a user browses to a site using HTTPS, on the 1st attempt the browser reports ‘Unable to connect’ also in the squid access log ‘TCP_MISS/503 www.google.com.au:443’ then after a refresh or two the page will load, to make things worse any dynamic content on the site needs another refresh to load. If the connection is inactive even for a small time the process happens again.

Some testing I have attempted,

• through my 3G connection :P, just to make sure it’s not another fault
• from some research I’m thinking this is quite possibly a DNS issue, so I’ve tried changing from the isp’s to google 8.8.8.8
• I have tried on both 2.0.1-RELEASE (amd64) and 2.1-BETA0 (amd64)

Surely there’s something I’m missing (I’m relatively new to this) I can’t see something as used as pfSense and squid breaking like this.

Squid config

# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128
icp_port 7

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 2
shutdown_lifetime 3 seconds
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 512 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 2000 4 256
minimum_object_size 0 KB
maximum_object_size 5120 KB
offline_mode offcache_swap_low 90
cache_swap_high 95

# No redirector configured

#Remote proxies

# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
acl sslports port 443 563  
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

acl allowed_subnets src 192.168.1.0/24
http_access allow manager localhost

# Allow external cache managers
acl ext_manager src 127.0.0.1
acl ext_manager src 192.168.1.1
acl ext_manager src 
http_access allow manager ext_manager

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Custom options

# Setup allowed acls
http_access allow allowed_subnets
# Default block all to be sure
http_access deny allsrc

Snippet from access log

 Date 	IP 	Status 	Address 	User 	Destination
19.08.2012 22:55:08 	192.168.1.100 	TCP_MISS/503 	http://safebrowsing.clients.google.com/safebrowsing/downloads? 	- 	safebrowsing.clients.google.com
19.08.2012 22:53:22 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.140
19.08.2012 22:51:19 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
19.08.2012 22:48:34 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.108
19.08.2012 22:46:31 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
19.08.2012 22:44:58 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.107
19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com:443 	- 	74.125.237.145
19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
19.08.2012 22:44:32 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn2.google.com:443 	- 	74.125.237.97
19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	www.google.com.au:443 	- 	74.125.237.119
19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	news.google.com:443 	- 	74.125.237.97
19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	ssl.gstatic.com:443 	- 	74.125.237.111
19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn0.google.com:443 	- 	74.125.237.104
19.08.2012 22:44:31 	192.168.1.100 	TCP_MISS/200 	encrypted-tbn0.google.com:443 	- 	74.125.237.104
19.08.2012 22:42:55 	192.168.1.100 	TCP_MISS/503 	lh6.ggpht.com:443 	- 	-
19.08.2012 22:42:21 	192.168.1.100 	TCP_MISS/503 	www.google.com:443 	- 	-
19.08.2012 22:42:19 	192.168.1.100 	TCP_MISS/200 	lh6.ggpht.com:443 	- 	74.125.237.108
19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn2.google.com:443 	- 	-
19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn0.google.com:443 	- 	-
19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	encrypted-tbn0.google.com:443 	- 	-
19.08.2012 22:42:16 	192.168.1.100 	TCP_MISS/503 	news.google.com:443 	- 	-
19.08.2012 22:42:15 	192.168.1.100 	TCP_MISS/503 	ssl.gstatic.com:443 	- 	-
19.08.2012 22:42:13 	192.168.1.100 	TCP_MISS/503 	www.google.com.au:443 	- 	-
19.08.2012 22:34:49 	192.168.1.100 	TCP_MISS/200 	secure.leadback.advertising.com:443 	- 	64.236.85.82
19.08.2012 22:34:42 	192.168.1.100 	TCP_MISS/200 	s3.amazonaws.com:443 	- 	207.171.185.200
19.08.2012 22:34:39 	192.168.1.100 	TCP_MISS/200 	googleads.g.doubleclick.net:443 	- 	74.125.237.109
19.08.2012 22:34:39 	192.168.1.100 	TCP_MISS/200 	ssl.google-analytics.com:443 	- 	74.125.237.158
19.08.2012 22:34:37 	192.168.1.100 	TCP_MISS/200 	ajax.googleapis.com:443 	- 	74.125.31.95

marcelloc

Maybe a squid3.1.20 compile problem on pfsense. latest update on ports, fixed a dns feature compile issue.

I'll check if this option is still disabled on squid build xml. If so I'll reenable it and wait next package compile run.

mrstrong

Ok thanks, I've gone back to the stable package for now. But I'll be watching for the update

filipisilva

Hello,

My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
My pfsense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6

I solved my problem add Custom Options on squid:
dns_v4_first on

Abs

asmat

@filipisilva:

Hello,

My package SQUID3 Installed: 3.1.20 pkg 2.0.5_2
My pfsense box is 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6

I solved my problem add Custom Options on squid:
dns_v4_first on

Abs

THIS WORKS!!!

Thank you so much  :D

tester_02

Not 100% sure why, but I've had issues with some sites for years on squid. (www.ncix.com).  The sites would not load and only after repeated tries it would sometimes show up.  I had hoped v3 would fix the issues, but so far it's not.
  Tried the suggested dns additional option just as a faint hope..  Guess what?  It works!!!!
  Now I am down to just the weird occasional youtube glitch (on top right it sometimes loads a window in the window and multiple videos load).  Eventually the browser crashes after too many sub-windows (only effects some youtube pages).  squid off, no issues. 
  Also some sites like cbc.ca, the video won't play.  Weird, but mostly acceptable.

At least after many years, 1 down out of 3!!!!!!

marcelloc

I've included this dns_v4_first option on squid3 pkg v 2.0.5_4 general tab.