Squid 503 error

I am trying to set up Squid on Google Cloud Engine but I am getting 503 Service Unavailable with every website.

curl -x http://35.xx.xxx.xxx:62401   -I http://www.squid-cache.org/Support/
HTTP/1.1 503 Service Unavailable
Server: squid
Mime-Version: 1.0
Date: Fri, 01 Feb 2019 13:45:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3670
X-Squid-Error: ERR_CONNECT_FAIL 101
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from google_proxyv1
X-Cache-Lookup: MISS from google_proxyv1:62401
Connection: keep-alive

I stripped my squid conf to the minimum below

acl CONNECT method CONNECT
http_access allow CONNECT 
# And finally allow all  access to this proxy
http_access allow all
# Squid port
http_port 0.0.0.0:62401
debug_options ALL,1 5,5
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
tcp_outgoing_address 35.xx.xxx.xxx
cache_access_log /var/log/squid/access.log
httpd_suppress_version_string on
cache_store_log none
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
snmp_port 0
snmp_access deny all
memory_pools off
via off
forwarded_for delete
follow_x_forwarded_for deny all
pipeline_prefetch on
request_header_access From deny all
request_header_access Server deny all

Squid is listening on IPv4 as I reserved only one IPv4 address

sudo netstat -antp | grep squid

tcp        0      0 0.0.0.0:62401           0.0.0.0:*               LISTEN      16811/(squid-1)   

However, the access log is showing that it is still trying to connect to an IPv6 address

1549028715.317      3 35.xx.xxx.xxx TCP_MISS/503 357 HEAD http://www.squid-cache.org/Support/ - HIER_DIRECT/2001:4800:7812:514:be76:4eff:fe04:5ca1

I already opened 62401 TCP on Google Cloud Engine

  • Not sure why but I have two pfsense boxes in different environments with very similar configuration (just a couple of VLAN differences and both use Squid 0.4.44_18) but one of them has a lot of NONE/503 errors in the logs. And true enough, when accessing the websites that have those NONE/503 errors, they cannot be accessed. Sometimes, you have to refresh the website multiple times and it pushes through but most of the time it does not. What could be causing this?

  • Here are my access logs:

    https://www.dropbox.com/s/updd47g6q2tp7yb/access%20logs.zip?dl=0

    It looks like I have lots of non-200 responses there too and I’m starting to notice difficulty in browsing other websites too. Example, just going to www.facebook.com or forums.freebsd.org won’t load the page right away. Disabling the proxy altogether solves the issue completely so I don’t have issues with my ISP connection. The same websites are working properly on my other box with the same configuration (including Squid’s config).

  • I have been seeing the EXACT same thing here lately…

    Browsing along just fine, decide to visit a website, and BAM, almost instant HTTP/503 error. Mind you, I am on sat-net, there should never, ever be an INSTANT error for me.

    I have also noted that I am more frequently waiting on the proxy tunnel than normal.

    I have done a full reinstall of PFSense and SQUID… Noted that this started happening right after 2.4.5 came along with a new version of SQUID, has been flaky since.

    Restarting SQUID every 15 to 30 minutes on my network isn’t fun. Speaking of restarting so frequently… Anyone know how to schedule a cron job to restart the service for me when I am out and about? I suspect this is something that may not be fixed for some time.

  • Exactly! I had more problems with Squid than benefits so I researched and came to a conclusion that most sites have dynamic content that can’t be cached anyway and that you really won’t even notice the caching effect when used at home (less than 50 devices in network). So I decided to just be done with it and uninstall all Squid stuff. Everything was smoother after that.

  • Ehh, I still use it for filtering some things, so having it work would be nice, mostly because of how mobile devices work. Don’t really care much about the caching aspect of it, as it really is useless anymore in most scenarios.

  • @C0RR0SIVE yeah, I was thinking of that use case too before I decided to get rid of it. What I thought though is that mobile devices, by default, don’t use proxies when they connect to wifi SSID’s. So it’s still a manual step for everyone (especially guests) which made it just not worthwhile for me. Plus the fact that I use pihole as my DNS server and it blocks a significant amount of potentially bad traffic.

    Are you using it for Squidguard?

  • Yeup, using it purely for SquidGuard, I really like having a nice fancy custom block page when someone tries to visit a blocked website. I don’t particularly like blank pages that can result from DNS filtering.

    I don’t really worry about guests as I have setup a Guest VLAN and have a captive portal that requests they setup the proxy manually in their device. If they don’t they just get blocked at the firewall and can’t get out to the internet.

    Another option could be to route the traffic for that VLAN straight to the proxy, but that’s cumbersome at best IMO.

  • @C0RR0SIVE said in Squid proxy NONE/503:

    Yeup, using it purely for SquidGuard, I really like having a nice fancy custom block page when someone tries to visit a blocked website. I don’t particularly like blank pages that can result from DNS filtering.

    I don’t really worry about guests as I have setup a Guest VLAN and have a captive portal that requests they setup the proxy manually in their device. If they don’t they just get blocked at the firewall and can’t get out to the internet.

    Another option could be to route the traffic for that VLAN straight to the proxy, but that’s cumbersome at best IMO.

    I have to be honest, I haven’t really tried using Squidguard yet but I had it installed together with Squid. If I don’t necessarily want any custom websites blocked in my home, are the blacklists in Squidguard useful together with pihole? Or should you just use either of them?

    I also have my own Guest VLAN. So in your captive portal you simply put a note there to request them to setup a proxy?

    How do you route all traffic for the guest VLAN to the proxy? Policy-based routing? Will that work with https too? I know transparent proxy in Squid adds a hidden NAT rule that forwards http traffic to the proxy.

  • I just use Shallalist for my SquidGuard, it helps block some common annoyances really, don’t think it has been updated in some time though. More useful if you have kids trying to get to porn sites more than anything IMO.

    Yeah, I use Unifi AP’s and a Captive Portal in my Unifi software that requests they setup the proxy on their device using a proxy.pac file that’s stored on a local webserver. When they pull from that file they go through HTTP/S just fine. If they don’t they just get rejected on 443/80. Haven’t had an issue with guests doing that so far. I also make sure I link to instructions stored on the local web server so they can follow those.

    I have done some testing, but nothing concrete yet… I was on 2.4.5, and have been having some other issues with it. I decided to compile a version of 2.4.4-p3 and installed that, then restored all my settings. So far SQUID + SquidGuard has been rather stable and fast. I suspect the issue isn’t just SQUID, but 2.4.5. Can you confirm what version of PFSense you are on?

    I still see 503 errors, but those look purely SquidGuard and PFBlocker related (as in, what I am seeing, the URL is in my SquidGuard list or tied to a list on PFBlocker).

  • @C0RR0SIVE said in Squid proxy NONE/503:

    I just use Shallalist for my SquidGuard, it helps block some common annoyances really, don’t think it has been updated in some time though. More useful if you have kids trying to get to porn sites more than anything IMO.

    Yeah, I use Unifi AP’s and a Captive Portal in my Unifi software that requests they setup the proxy on their device using a proxy.pac file that’s stored on a local webserver. When they pull from that file they go through HTTP/S just fine. If they don’t they just get rejected on 443/80. Haven’t had an issue with guests doing that so far. I also make sure I link to instructions stored on the local web server so they can follow those.

    I have done some testing, but nothing concrete yet… I was on 2.4.5, and have been having some other issues with it. I decided to compile a version of 2.4.4-p3 and installed that, then restored all my settings. So far SQUID + SquidGuard has been rather stable and fast. I suspect the issue isn’t just SQUID, but 2.4.5. Can you confirm what version of PFSense you are on?

    I still see 503 errors, but those look purely SquidGuard and PFBlocker related (as in, what I am seeing, the URL is in my SquidGuard list or tied to a list on PFBlocker).

    I see. I use Unifi AP’s/controller too so we pretty much have a similar setup. I have to play around with Squidguard when this issue gets fixed.

    I’m also at pfsense 2.4.5 but I’m not sure when those 503 errors started showing up but I also highly suspect it’s after the 2.4.5 upgrade.

  • When connecting to the server directly, it works fine. When passing through a proxy, Squid reports a TCP_MISS/503 error.
    Source code:

    const url = `https://${PostOpts.host}:${PostOpts.port}/sse`;
    if (params.proxy) {
        const proxy = params.proxy;
        console.log('EventSource proxy: ', proxy);
        this._source = new EventSource(url, {proxy: proxy});
    }

    Console.log output:

    EventSource proxy:  http://192.168.1.50:3128
    Event { type: 'error', status: 503 }
    Event { type: 'error' }
    

    Squid output:

    1497854565.761      3 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html
    1497854566.780      4 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html
    1497854567.795      6 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html
    1497854646.226      2 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html
    1497854647.254      7 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html
    1497854648.279      7 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html
    

    Problem:

    A system administrator wants to allow URLs that contain a port number. However, adding the port number in the firewall and in Squid will not solve the problem of allowing URLs with a port number. Squid shows TCP_MISS/503 in its log file (/var/log/squid/access.log). This means that permission is denied for the request made by the client.

    Solution:

    Step 1:

    Open the /etc/squid/squid.conf file and add the following line (if your URL uses port 81):

    acl Safe_ports port 81

    Step 2:

    Restart the Squid service by

    service squid restart

    Step 3:

    Add the port number in the Firewall

    iptables -A INPUT -p tcp --dport 81 -j ACCEPT

    Step 4:

    Edit the SELinux configuration file /etc/sysconfig/selinux and set:

    SELINUX=permissive

    Step 5:

    Restart the machine with the reboot command.

    You are done. You can now browse to any port number by allowing it in your squid.conf file.

    Web pages were failing to load on (mostly) Google’s and Facebook’s domains through squid. Direct access was working normally. I kept getting these errors in squid:

    Code:

    TCP_MISS/503 0 CONNECT fbcdn-photos-a.akamaihd.net:443 - DIRECT/- -

    This seems to have to do with ipv6 responses.

    The solution I found was to add this setting to the squid conf:

    Code:

    tcp_outgoing_address <public IP or domain name>

    Since I don’t run ipv6 yet, I discovered another person solved this by compiling squid without ipv6 support.

    Neither disabling IPv6 at the OS level nor in pf.conf had any effect on the Squid 503 errors.
    I run pf + squid 3.1 on FreeBSD 8.3-stable, and the problem was also happening on FreeBSD 8.2-stable.
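
The 503 entries quoted in the posts above differ mainly in the hierarchy/peer field: one shows an IPv6 peer, one an IPv4 peer, and one no peer at all. The following Python sketch is an added example, not code from any of the posts or from Squid; the label names are made up for illustration, and it classifies access.log lines by that field so the IPv6 case reported in the first and last posts can be separated from other 503 causes.

```python
import ipaddress
import re
from collections import Counter

# Fields from the result code onward in Squid's native access.log format:
#   CODE/STATUS BYTES METHOD URL IDENT HIERARCHY/PEER
ENTRY_RE = re.compile(
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
)

def classify(line):
    """Label one access.log line by what Squid tried upstream; None if unparseable."""
    m = ENTRY_RE.search(line)
    if m is None:
        return None
    if m["status"] != "503":
        return "not-503"
    peer = m["peer"]
    if peer == "-":
        return "no-peer-recorded"      # Squid logged no upstream address at all
    try:
        version = ipaddress.ip_address(peer).version
    except ValueError:
        return "peer-by-name"          # hostname rather than an IP literal
    return "ipv6-upstream" if version == 6 else "ipv4-upstream"

def summarize(lines):
    """Count 503 causes so a dominant one (for example IPv6) stands out."""
    reasons = (classify(line) for line in lines)
    return Counter(r for r in reasons if r not in (None, "not-503"))

SAMPLE = [
    # First three lines are quoted from this page; the last one is constructed.
    "1549028715.317      3 35.xx.xxx.xxx TCP_MISS/503 357 HEAD http://www.squid-cache.org/Support/ - HIER_DIRECT/2001:4800:7812:514:be76:4eff:fe04:5ca1",
    "1497854565.761      3 192.168.1.51 TCP_MISS/503 4277 GET https://192.168.1.246/sse - HIER_DIRECT/192.168.1.246 text/html",
    "TCP_MISS/503 0 CONNECT fbcdn-photos-a.akamaihd.net:443 - DIRECT/- -",
    "1549028720.101     42 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for reason, count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  {reason}")
```

Run against a real access.log by passing an open file object to `summarize`; a large `ipv6-upstream` count on a host with only an IPv4 address matches the situation described in the first post.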
