From: Dominique BERTHET on 11 Aug 2010 06:54

Hi,
I'm a sysadmin in a French school (Ecole des Mines de Saint-Etienne)
I have 2 FreeBSD-based squid servers with NTLM authentication
I have upgraded squid from 5.1.x to 5.1.6 (yesterday)
On a 32b arch: no problem, everything works fine
On amd64: it works with http websites but it is impossible to access https websites, with these TCP_MISS/503 errors
On the amd64 server I downgraded to squid-3.0.25_2 and everything works fine...
I suppose it's a problem with the amd64 arch

Best Regards
Dominique BERTHET
Ecole des Mines de Saint-Etienne
email: dberthet(a)emse.fr
_______________________________________________
freebsd-ports(a)freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe(a)freebsd.org"
From: Guido Falsi on 11 Aug 2010 08:38

On Wed, Aug 11, 2010 at 12:54:07PM +0200, Dominique BERTHET wrote:
> Hi,
> I'm a sysadmin in a French school (Ecole des Mines de Saint-Etienne)
> I have 2 FreeBSD-based squid servers with NTLM authentication
> I have upgraded squid from 5.1.x to 5.1.6 (yesterday)
> On a 32b arch: no problem, everything works fine
> On amd64: it works with http websites but it is impossible to access https
> websites, with these
> TCP_MISS/503 errors
> On the amd64 server I downgraded to squid-3.0.25_2 and everything works
> fine...
> I suppose it's a problem with the amd64 arch

I'm having the same exact problem at work.

It looks like a problem related to IPv6 support. Could you check if you have IPv6 in the i386 kernel?

I found just one thread about this in the squid mailing lists and on linux the solution seems to be enabling IPv6. (can't find the url right now)

I suspect squid 3.1.6 is trying to, for some reason, use some IPv6 feature to perform CONNECT requests used to transport https.

My solution for now has been reverting to the previous (3.1.4) version of the squid port waiting to find a fix for this.

--
Guido Falsi <mad(a)madpilot.net>
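One way to spot the symptom reported in this thread from the proxy's own logs (an added example, not part of the original posts): CONNECT requests failing with 503 while plain HTTP requests keep succeeding. It assumes Squid's default native access.log layout; the sample lines, function names and thresholds are constructed for illustration.

```python
import re

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1281523201.112     45 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.org/ alice DIRECT/192.0.2.10 text/html
1281523202.340      2 10.0.0.21 TCP_MISS/503 3890 CONNECT secure.example.org:443 alice DIRECT/- -
1281523203.007      1 10.0.0.34 TCP_MISS/503 3884 CONNECT mail.example.net:443 bob DIRECT/- -
1281523204.551     80 10.0.0.34 TCP_HIT/200 2048 GET http://www.example.net/logo.png bob NONE/- image/png
1281523205.900      3 10.0.0.21 TCP_MISS/503 3890 CONNECT secure.example.org:443 alice DIRECT/- -
"""

# Fields: timestamp elapsed client result/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def failure_rates(lines):
    """Return {'CONNECT': (n_503, total), 'other': (n_503, total)}."""
    counts = {"CONNECT": [0, 0], "other": [0, 0]}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than guessing
        bucket = counts["CONNECT" if m["method"] == "CONNECT" else "other"]
        bucket[1] += 1
        if m["status"] == "503":
            bucket[0] += 1
    return {name: tuple(pair) for name, pair in counts.items()}


def looks_like_tunnel_outage(lines, min_connects=3, high=0.9, low=0.1):
    """True when nearly all CONNECTs return 503 but other requests do not.

    The thresholds are illustrative assumptions, not values from the thread.
    """
    rates = failure_rates(lines)
    c_fail, c_total = rates["CONNECT"]
    o_fail, o_total = rates["other"]
    if c_total < min_connects or o_total == 0:
        return False  # not enough traffic to tell the two classes apart
    return c_fail / c_total >= high and o_fail / o_total <= low


if __name__ == "__main__":
    print(failure_rates(SAMPLE_LOG.splitlines()))
    print(looks_like_tunnel_outage(SAMPLE_LOG.splitlines()))
```

A match points at the tunnel (CONNECT) path specifically rather than at upstream reachability in general, which is the distinction the posters draw between http and https traffic.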
From: Thomas-Martin Seck on 11 Aug 2010 15:35

* Guido Falsi (mad(a)madpilot.net):

> On Wed, Aug 11, 2010 at 12:54:07PM +0200, Dominique BERTHET wrote:
> > Hi,
> > I'm a sysadmin in a French school (Ecole des Mines de Saint-Etienne)
> > I have 2 FreeBSD-based squid servers with NTLM authentication
> > I have upgraded squid from 5.1.x to 5.1.6 (yesterday)
> > On a 32b arch: no problem, everything works fine
> > On amd64: it works with http websites but it is impossible to access https
> > websites, with these
> > TCP_MISS/503 errors
> > On the amd64 server I downgraded to squid-3.0.25_2 and everything works
> > fine...
> > I suppose it's a problem with the amd64 arch
>
> I'm having the same exact problem at work.
>
> It looks like a problem related to IPv6 support. Could you check if you
> have IPv6 in the i386 kernel?
>
> I found just one thread about this in the squid mailing lists and on
> linux the solution seems to be enabling IPv6. (can't find the url right
> now)
>
> I suspect squid 3.1.6 is trying to, for some reason, use some IPv6
> feature to perform CONNECT requests used to transport https.
>
> My solution for now has been reverting to the previous (3.1.4) version of
> the squid port waiting to find a fix for this.

Thanks for the heads up. From looking at
http://www.squid-cache.org/Versions/v3/3.1/changesets/
it looks like you are running into Squid bug #2994/3011 ("squid 3.1.6 does not work on ipv4-only systems"). Can you confirm that?

Could you try this patch against www/squid31? It adds a trimmed version of changeset 10063 to the files/ directory. I tested that Squid still builds on 8.1-STABLE/amd64.

Index: files/patch-changeset_10063 =================================================================== --- files/patch-changeset_10063 (Revision 0) +++ files/patch-changeset_10063 (Revision 0) 
@@ -0,0 +1,231 @@ +------------------------------------------------------------ +revno: 10063 +revision-id: amosjeffries(a)squid-cache.org-20100811111641-hybknxtyd8ukt5c1 +parent: amosjeffries(a)squid-cache.org-20100810083149-w98pbcc8f0d5tlpo +committer: Amos Jeffries <amosjeffries(a)squid-cache.org> +branch nick: SQUID_3_1 +timestamp: Wed 2010-08-11 05:16:41 -0600 +message: + Bug 3011: ICAP, HTTPS, cache_peer probe IPv4-only port fixes + + Also updates the forwarding CONNECT_FAIL errors to display more correct + errno messages. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: amosjeffries(a)squid-cache.org-20100811111641-\ +# hybknxtyd8ukt5c1 +# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/ +# testament_sha1: 2aac12c8c664a6c3dbdbd075b256aefeb53926a8 +# timestamp: 2010-08-11 11:31:46 +0000 +# source_branch: http://www.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_1 +# base_revision_id: amosjeffries(a)squid-cache.org-20100810083149-\ +# w98pbcc8f0d5tlpo +# +# Begin patch +=== modified file 'src/adaptation/ServiceConfig.cc' +--- src/adaptation/ServiceConfig.cc 2010-05-26 04:00:23 +0000 ++++ src/adaptation/ServiceConfig.cc 2010-08-11 11:16:41 +0000 +@@ -5,10 +5,11 @@ + #include "squid.h" + #include "ConfigParser.h" + #include "adaptation/ServiceConfig.h" ++#include "ip/tools.h" + + Adaptation::ServiceConfig::ServiceConfig(): + port(-1), method(methodNone), point(pointNone), +- bypass(false), routing(false) ++ bypass(false), routing(false), ipv6(false) + {} + + const char * +@@ -93,7 +94,11 @@ + grokked = grokBool(bypass, name, value); + else if (strcmp(name, "routing") == 0) + grokked = grokBool(routing, name, value); +- else { ++ else if (strcmp(name, "ipv6") == 0) { ++ grokked = grokBool(ipv6, name, value); ++ if (grokked && ipv6 && !Ip::EnableIpv6) ++ debugs(3, DBG_IMPORTANT, "WARNING: IPv6 is disabled. 
ICAP service option ignored."); ++ } else { + debugs(3, 0, cfg_filename << ':' << config_lineno << ": " << + "unknown adaptation service option: " << name << '=' << value); + } + +=== modified file 'src/adaptation/ServiceConfig.h' +--- src/adaptation/ServiceConfig.h 2009-09-03 12:15:55 +0000 ++++ src/adaptation/ServiceConfig.h 2010-08-11 11:16:41 +0000 +@@ -33,6 +33,7 @@ + VectPoint point; // where the adaptation happens (pre- or post-cache) + bool bypass; + bool routing; ///< whether this service may determine the next service(s) ++ bool ipv6; ///< whether this service uses IPv6 transport (default IPv4) + + protected: + Method parseMethod(const char *buf) const; + +=== modified file 'src/adaptation/icap/Xaction.cc' +--- src/adaptation/icap/Xaction.cc 2009-09-03 12:15:55 +0000 ++++ src/adaptation/icap/Xaction.cc 2010-08-11 11:16:41 +0000 +@@ -13,6 +13,7 @@ + #include "pconn.h" + #include "HttpRequest.h" + #include "HttpReply.h" ++#include "ip/tools.h" + #include "acl/FilledChecklist.h" + #include "icap_log.h" + #include "fde.h" +@@ -116,6 +117,15 @@ + disableRetries(); // we only retry pconn failures + + IpAddress outgoing; ++ if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) { ++ debugs(31, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << outgoing << " is not an IPv4 address."); ++ dieOnConnectionFailure(); // throws ++ } ++ /* split-stack for now requires default IPv4-only socket */ ++ if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && outgoing.IsAnyAddr() && !s.cfg().ipv6) { ++ outgoing.SetIPv4(); ++ } ++ + connection = comm_open(SOCK_STREAM, 0, outgoing, + COMM_NONBLOCKING, s.cfg().uri.termedBuf()); + + +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2010-08-10 08:31:49 +0000 ++++ src/cf.data.pre 2010-08-11 11:16:41 +0000 +@@ -5798,6 +5798,11 @@ + Routing is not allowed by default: the ICAP X-Next-Services + response header is ignored. + ++ ipv6=on|off ++ Only has effect on split-stack systems. The default on those systems ++ is to use IPv4-only connections. 
When set to 'on' this option will ++ make Squid use IPv6-only connections to contact this ICAP service. ++ + Older icap_service format without optional named parameters is + deprecated but supported for backward compatibility. + + +=== modified file 'src/dns_internal.cc' +--- src/dns_internal.cc 2010-07-27 13:02:31 +0000 ++++ src/dns_internal.cc 2010-08-11 11:16:41 +0000 +@@ -201,10 +201,15 @@ + + if (A.IsAnyAddr()) { + debugs(78, 0, "WARNING: Squid does not accept " << A << " in DNS server specifications."); +- A = "127.0.0.1"; ++ A.SetLocalhost(); + debugs(78, 0, "Will be using " << A << " instead, assuming you meant that DNS is running on the same machine"); + } + ++ if (!Ip::EnableIpv6 && !A.SetIPv4()) { ++ debugs(78, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Discarding " << A << " in DNS server specifications."); ++ return; ++ } ++ + if (nns == nns_alloc) { + int oldalloc = nns_alloc; + ns *oldptr = nameservers; +@@ -742,6 +747,12 @@ + else + addr = Config.Addrs.udp_incoming; + ++ if (nameservers[ns].S.IsIPv4() && !addr.SetIPv4()) { ++ debugs(31, DBG_CRITICAL, "ERROR: Cannot contact DNS nameserver " << nameservers[ns].S << " from " << addr); ++ addr.SetAnyAddr(); ++ addr.SetIPv4(); ++ } ++ + vc->queue = new MemBuf; + + vc->msg = new MemBuf; + +=== modified file 'src/forward.cc' +--- src/forward.cc 2010-08-01 13:29:09 +0000 ++++ src/forward.cc 2010-08-11 11:16:41 +0000 +@@ -870,9 +870,9 @@ + + // if IPv6 is disabled try to force IPv4-only outgoing. + if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) { +- debugs(50, 4, "fwdConnectStart: " << xstrerror()); ++ debugs(50, 4, "fwdConnectStart: IPv6 is Disabled. 
Cannot connect from " << outgoing); + ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); +- anErr->xerrno = errno; ++ anErr->xerrno = EAFNOSUPPORT; + fail(anErr); + self = NULL; // refcounted + return; + +=== modified file 'src/neighbors.cc' +--- src/neighbors.cc 2010-02-14 05:30:15 +0000 ++++ src/neighbors.cc 2010-08-11 11:16:41 +0000 +@@ -46,6 +46,7 @@ + #include "Store.h" + #include "icmp/net_db.h" + #include "ip/IpAddress.h" ++#include "ip/tools.h" + + /* count mcast group peers every 15 minutes */ + #define MCAST_COUNT_RATE 900 +@@ -1387,6 +1388,20 @@ + + IpAddress temp(getOutgoingAddr(NULL,p)); + ++ // if IPv6 is disabled try to force IPv4-only outgoing. ++ if (!Ip::EnableIpv6 && !temp.SetIPv4()) { ++ debugs(50, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Failed to use " << temp << " to probe " << p->host); ++ return ret; ++ } ++ ++ // if IPv6 is split-stack, prefer IPv4 ++ if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) { ++ // NP: This is not a great choice of default, ++ // but with the current Internet being IPv4-majority has a higher success rate. ++ // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing. ++ temp.SetIPv4(); ++ } ++ + fd = comm_open(SOCK_STREAM, IPPROTO_TCP, temp, COMM_NONBLOCKING, p->host); + + if (fd < 0) + +=== modified file 'src/tunnel.cc' +--- src/tunnel.cc 2010-07-23 04:30:08 +0000 ++++ src/tunnel.cc 2010-08-11 11:16:41 +0000 +@@ -46,6 +46,7 @@ + #include "client_side.h" + #include "MemBuf.h" + #include "http.h" ++#include "ip/tools.h" + + class TunnelStateData + { +@@ -641,6 +642,24 @@ + statCounter.server.other.requests++; + /* Create socket. */ + IpAddress temp = getOutgoingAddr(request,NULL); ++ ++ // if IPv6 is disabled try to force IPv4-only outgoing. ++ if (!Ip::EnableIpv6 && !temp.SetIPv4()) { ++ debugs(50, 4, "tunnelStart: IPv6 is Disabled. 
Tunnel failed from " << temp); ++ ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); ++ anErr->xerrno = EAFNOSUPPORT; ++ errorSend(fd, anErr); ++ return; ++ } ++ ++ // if IPv6 is split-stack, prefer IPv4 ++ if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) { ++ // NP: This is not a great choice of default, ++ // but with the current Internet being IPv4-majority has a higher success rate. ++ // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing. ++ temp.SetIPv4(); ++ } ++ + int flags = COMM_NONBLOCKING; + if (request->flags.spoof_client_ip) { + flags |= COMM_TRANSPARENT; + Index: Makefile =================================================================== --- Makefile (Revision 1860) +++ Makefile (Arbeitskopie) @@ -51,6 +51,7 @@ PORTNAME= squid PORTVERSION= 3.1.${SQUID_STABLE_VER} +PORTREVISION= 1 CATEGORIES= www ipv6 MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ http://mirrors.ccs.neu.edu/Squid/ \ _______________________________________________ freebsd-ports(a)freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscribe(a)freebsd.org"
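Review bot: The WARNING added for `ipv6` in the second src/adaptation/ServiceConfig.cc hunk (@@ -93,7 +94,11 @@) does not say which service or config line triggered it, unlike the "unknown adaptation service option" message directly below it, which prints `cfg_filename << ':' << config_lineno`. Suggest giving the new message the same file and line prefix so an administrator with several icap_service lines can find the one to change. The cf.data.pre text also says the option only has effect on split-stack systems, yet as far as these lines show the warning fires only when IPv6 is disabled, so `ipv6=on` on any other build is accepted silently.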
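Review bot: In the src/adaptation/icap/Xaction.cc hunk (@@ -116,6 +117,15 @@) the first added check calls `outgoing.SetIPv4()` on the `IpAddress outgoing;` that is default-constructed on the line just above, so the "is not an IPv4 address" error would report an address nobody configured; a comment stating when this branch can be reached would help the next reader. In the split-stack condition, `Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && ...` relies on `&` binding tighter than `&&`; it parses as intended, but writing `(Ip::EnableIpv6 & IPV6_SPECIAL_SPLITSTACK)` makes that explicit. With `ipv6=on` the visible code only skips `SetIPv4()`, while cf.data.pre promises IPv6-only connections, so it is worth confirming that something outside this hunk actually selects IPv6.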
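Review bot: The `debugs(31, DBG_CRITICAL, "ERROR: Cannot contact DNS nameserver ...")` call added in the second src/dns_internal.cc hunk (@@ -742,6 +747,12 @@) uses debug section 31, while the other messages in this file's hunks use section 78 and 31 is the section used in the ICAP Xaction.cc hunk, so it looks copied over. Suggest section 78 so the message is grouped with the rest of the DNS output. It is also logged as a critical ERROR although the next two lines recover by falling back to the IPv4 any-address; a WARNING that mentions the fallback would describe what the code does.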
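Review bot: In the src/forward.cc hunk (@@ -870,9 +870,9 @@) the rewritten "IPv6 is Disabled" message stays at debug level 4, whereas the equivalent check added in src/neighbors.cc logs at DBG_IMPORTANT. This path ends in ERR_CONNECT_FAIL with HTTP_SERVICE_UNAVAILABLE, which is the bare 503 the reporters in this thread were left to diagnose, so consider a more visible level (rate-limited if per-request logging is a concern) or a comment explaining why level 4 is wanted. Setting `xerrno` to `EAFNOSUPPORT` instead of a stale `errno` is the right call.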
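Review bot: The block added in the src/tunnel.cc hunk (@@ -641,6 +642,24 @@) repeats the src/neighbors.cc addition almost line for line, including the three-line "NP:" comment, and the same pattern appears again in forward.cc and Xaction.cc. A small shared helper, placed next to the `Ip::EnableIpv6` declaration in ip/tools.h, that takes the outgoing `IpAddress` and returns whether it is usable would keep the four call sites from drifting apart. As in the Xaction.cc hunk, `Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK` would read better with spaces and parentheses around the mask test.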
From: Guido Falsi on 11 Aug 2010 18:44

On 08/11/10 21:35, Thomas-Martin Seck wrote:

> Thanks for the heads up. From looking at
> http://www.squid-cache.org/Versions/v3/3.1/changesets/
> it looks like you are running into Squid bug #2994/3011 ("squid
> 3.1.6 does not work on ipv4-only systems"). Can you confirm that?
>

Hi!

Thanks for the quick response!

From what I have seen, yes it seems to happen on IPv4 systems. I could not try any IPv6 system, since I don't have any.

> Could you try this patch against www/squid31? It adds a trimmed version
> of changeset 10063 to the files/ directory. I tested that Squid still
> builds on 8.1-STABLE/amd64.

I just tried your patch at home and it seems to have solved the problem. I can now reach ssl sites.

I have not tested it well still though.

I will try this at work tomorrow and report back.

Thanks again for the quick patch!

--
Guido Falsi <mad(a)madpilot.net>
From: Dominique BERTHET on 12 Aug 2010 04:46

Hello

I have finally used the patch on the amd64 server and now everything seems to work fine

Thanks a lot

Best Regards
Dominique BERTHET

On 12/08/2010 00:44, Guido Falsi wrote:
> On 08/11/10 21:35, Thomas-Martin Seck wrote:
>
>> Thanks for the heads up. From looking at
>> http://www.squid-cache.org/Versions/v3/3.1/changesets/
>> it looks like you are running into Squid bug #2994/3011 ("squid
>> 3.1.6 does not work on ipv4-only systems"). Can you confirm that?
>>
>
> Hi!
>
> Thanks for the quick response!
>
> From what I have seen, yes it seems to happen on IPv4 systems. I could
> not try any IPv6 system, since I don't have any.
>
>> Could you try this patch against www/squid31? It adds a trimmed version
>> of changeset 10063 to the files/ directory. I tested that Squid still
>> builds on 8.1-STABLE/amd64.
>
> I just tried your patch at home and it seems to have solved the problem.
> I can now reach ssl sites.
>
> I have not tested it well still though.
>
> I will try this at work tomorrow and report back.
>
> Thanks again for the quick patch!
>