Hello Amos/Klaus/Fantomas,
Thanks for your help.

I have searched for the "via off" and "via on" directives. The directive was not present 
in the config file, but I am assuming "via on" is the default option. Anyway, I 
added it to the config file. No success.
I also checked the visible_hostname, as suggested by Klaus (thanks Klaus for 
the help!!). It was set to localhost, then I changed it to something different. 
No success as well.

So, I decided to make another test using Wireshark. For that, I put the squid 
down before starting the capture, then started Squid after capturing.
What I can see is squid sending thousands of requests (like a machine gun) 
against the E2G (loopback interface on port 8080) with thousands of "408 
Request Time Out" entries.
I also see the following HTTP GET: 
"http://127.0.0.1:8080/squid-internal-dynamic/netdb"; by the way, 8080 is the E2G 
port. Not sure what it is. The 408s above are probably because of this call.

Attached you can see the capture file, just in case you have wireshark or any 
other software able to read .cap file. Don't worry, there is nothing 
confidential on the file. That's a LAB environment.
That is really confusing me.

Thank you very much!

Regards
Fabricio.



-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Amos 
Jeffries
Sent: Tuesday, July 28, 2020 11:50 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SQUID with cache_peer config + E2guardian - too many 
connections

On 29/07/20 1:07 pm, Contato - KONNTROL wrote:
> Hello Everyone,
> Greetings.
> 
> Background:
> OS - FreeBSD 12.1
> SQUID ver 4.10
> OpenSSL 1.0.2u
> 
> I am trying to use SQUID in front of E2Guardian (content filter) with 
> the following configuration at the SQUID side.
> 
> ###
> cache_peer 127.0.0.1 parent 8080 0 login=*:password
> client_persistent_connections on
> always_direct deny all
> never_direct allow all
> ###
> 
> It works fine till the point SQUID exhausts all E2Guardian 
> threads/workers, no matter the amount you set. If 1000, SQUID is 
> opening 1000 connections. If 10.000, squid also opens 10.000 connections.
> I tried the directive "client_persistent_connections on and off" with 
> no success.
> Even using a single browser for testing purposes, for some reason 
> SQUID opens thousands of connections against the E2guardian.
> I did a wireshark capture to "see" what is happening and it seems 
> like a lot of ACK/SYN with no payload.
> 
> Any idea? Maybe I am using a wrong configuration.
> 

You are. BUT, I think you have a forwarding loop happening so the correct 
config for limiting connections will not help.

You should be able to test for loops by enabling the Via header. If your 
squid.conf contains "via off" remove that line. Assuming e2g is not removing 
that header Squid will reject loops with an error message.


Check that the traffic leaving e2g is not going back into Squid. With the setup 
described e2g should be connecting directly to upstream/Internet servers - it 
should have no settings about Squid except those for processing the 
X-Forwarded-For header.

If you are intercepting traffic to deliver it to Squid make sure the 
connections leaving e2g are not being caught by those firewall rules.


If you are certain there is no loop the cache_peer max-conn=N is the way to 
limit the connections made to a peer. This will only help if the problem is 
high traffic flow. It will not help if there is a forwarding loop happening.


> By the way, I am using SQUID in front of E2Guardian cause I use 
> Kerberos authentication (not supported by E2guardian) with FORWARDX option 
> enable.
> 

Sure. You may want to look at the features of e2g you are using and see whether 
Squid can do them instead. The idea there being to make deny decisions as early as 
possible to minimize the total amount of processing work those transactions 
consume.
You may find you can get rid of e2g entirely, which will improve overall 
performance and reduce management headaches from layers of proxy.


Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

<<attachment: Squid_E2G_Loopback_Capture.zip>>

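The Via-header loop test Amos describes, as an added example that is not Squid's code and not part of this thread: it parses a request head, lists the received-by token of every Via hop, and reports a loop when the proxy's own unique name (a constructed hostname here) is already present. With no Via header at all, as after an upstream "via off", the check cannot decide.

```python
"""Via-header forwarding-loop check, modelled on a proxy running with
'via on' (constructed example, not Squid's own source)."""
import re
from typing import List, Tuple

# Constructed value standing in for squid.conf visible_hostname/unique_hostname.
MY_UNIQUE_HOSTNAME = "proxy1.lab.example"

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP request head into (name, value) pairs; names lowercased."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def via_hops(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the received-by token of each Via element.
    Element form: [protocol-name "/"] protocol-version received-by [comment]."""
    hops = []
    for name, value in headers:
        if name != "via":
            continue
        # drop parenthesised comments such as (squid/4.10) before splitting
        for elem in re.sub(r"\([^)]*\)", "", value).split(","):
            parts = elem.split()
            if len(parts) >= 2:
                hops.append(parts[1])
    return hops

def loop_status(raw_request: str, my_name: str = MY_UNIQUE_HOSTNAME) -> str:
    """'loop' if this proxy already appears in Via, 'unknown' if no Via is
    present (an upstream hop with 'via off' hides the loop), else 'clean'."""
    hops = via_hops(parse_headers(raw_request))
    if not hops:
        return "unknown"
    return "loop" if my_name in hops else "clean"

def add_via(raw_request: str, my_name: str = MY_UNIQUE_HOSTNAME,
            version: str = "squid/4.10") -> str:
    """Append our own hop the way a Via-emitting proxy does before forwarding."""
    head, _, body = raw_request.partition("\r\n\r\n")
    return f"{head}\r\nVia: 1.1 {my_name} ({version})\r\n\r\n{body}"

# Constructed sample: a request that already passed through this proxy once.
LOOPED = ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
          "Via: 1.1 proxy1.lab.example (squid/4.10), 1.1 e2g.lab.example\r\n\r\n")
```

Note that a name shared by both proxies, such as the default-looking "localhost", makes every hop look like a loop, which is why the unique name matters for this test.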