[Bug 1040588] [NEW] squid3.HEAD (20120823-r12295) "WARNING: ICAP Max-Connections limit exceeded" bug
Dan Searle
1040588 at bugs.launchpad.net
Thu Aug 23 11:09:36 UTC 2012
Public bug reported:
Not sure if this is the right place. I've been trying to find the
correct bug tracker for hours. This was the only place I could see that
was at all relevant.
I configured squid3.HEAD-20120823-r12295 on an up to date Ubuntu 12.04.1
LTS (64 bit) machine like so:
./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=/include
--mandir=/share/man --infodir=/share/info --sysconfdir=/etc
--localstatedir=/var --libexecdir=/lib/squid3 --disable-maintainer-mode
--disable-dependency-tracking --disable-silent-rules --srcdir=.
--datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
--mandir=/usr/share/man --with-cppunit-basedir=/usr --enable-inline
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd --enable-removal-
policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-
underscores --enable-icap-client --enable-ssl --enable-ssl-crtd
--enable-follow-x-forwarded-for --enable-basic-auth-
helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth
,multi-domain-NTLM --enable-ntlm-auth-helpers=smb_lm, --enable-digest-
auth-helpers=ldap,password --enable-negotiate-auth-
helpers=squid_kerb_auth --enable-external-acl-
helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-arp-
acl --enable-esi --enable-zph-qos --disable-translation --with-
logdir=/var/log/squid3 --with-pidfile=/var/run/squid3.pid --with-
filedescriptors=65536 --with-large-files --with-default-user=proxy
--enable-linux-netfilter build_alias=x86_64-linux-gnu
I configured the squid.conf like so:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8080
host_verify_strict off
cache_mem 64 MB
memory_cache_shared off
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 1 seconds
always_direct allow all
icap_enable on
icap_connect_timeout 10 seconds
icap_io_timeout 10 seconds
icap_service_failure_limit 100 in 1 seconds
icap_service_revival_delay 20
icap_preview_enable on
icap_206_enable on
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_client_username_header X-Client-Username
icap_client_username_encode off
icap_service service_blocker reqmod_precache icap://myicapserver:1344/reqmod bypass=off ipv6=off
adaptation_access service_blocker allow all
icap_retry allow all
icap_retry_limit 10000
allow_underscore on
dns_defnames on
hosts_file /etc/hosts
dns_v4_first on
memory_pools_limit 32 MB
forwarded_for off
connect_retries 3
workers 1
unlinkd_program /usr/lib/squid3/unlinkd
logfile_daemon /usr/lib/squid3/log_file_daemon
I need this version as it has new features I require and quickly ran
into a problem with the ICAP support. Running tcpdump, I can see regular
OPTIONS request and responses from squid to the ICAP server, but squid
never attempts to issue a REQMOD request, I get ICAP protocol error in
the browser or it simply hangs there, and the cache.log shows....
2012/08/23 11:35:08 kid1| essential ICAP service is down after an options fetch failure: icap://myicapserver:1344/reqmod [down,!opt]
2012/08/23 11:35:09 kid1| suspending ICAP service for too many failures
2012/08/23 11:35:38 kid1| essential ICAP service is up: icap://myicapserver:1344/reqmod [up]
2012/08/23 11:35:52 kid1| WARNING: ICAP Max-Connections limit exceeded for service icap://myicapserver:1344/reqmod. Open connections now: 10000, including 0 idle persistent connections.
There are only a maximum of 2 or 3 connections open to the ICAP server
at any given time, so the message "Open connections now: 10000", is
simply wrong.
This problem renders the ICAP adaption support useless.
If this is the wrong place to report the bug, please advise.
** Affects: squid3 (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Not sure if this is the right place. I've been trying to find the
correct bug tracker for hours. This was the only place I could see that
was at all relevant.
I configured squid3.HEAD-20120823-r12295 on an up to date Ubuntu 12.04.1
LTS (64 bit) machine like so:
./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=/include
--mandir=/share/man --infodir=/share/info --sysconfdir=/etc
--localstatedir=/var --libexecdir=/lib/squid3 --disable-maintainer-mode
--disable-dependency-tracking --disable-silent-rules --srcdir=.
--datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
--mandir=/usr/share/man --with-cppunit-basedir=/usr --enable-inline
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd --enable-removal-
policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-
underscores --enable-icap-client --enable-ssl --enable-ssl-crtd
--enable-follow-x-forwarded-for --enable-basic-auth-
helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth
,multi-domain-NTLM --enable-ntlm-auth-helpers=smb_lm, --enable-digest-
auth-helpers=ldap,password --enable-negotiate-auth-
helpers=squid_kerb_auth --enable-external-acl-
helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-arp-
acl --enable-esi --enable-zph-qos --disable-translation --with-
logdir=/var/log/squid3 --with-pidfile=/var/run/squid3.pid --with-
filedescriptors=65536 --with-large-files --with-default-user=proxy
--enable-linux-netfilter build_alias=x86_64-linux-gnu
I configured the squid.conf like so:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8080
host_verify_strict off
cache_mem 64 MB
memory_cache_shared off
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 1 seconds
always_direct allow all
icap_enable on
icap_connect_timeout 10 seconds
icap_io_timeout 10 seconds
icap_service_failure_limit 100 in 1 seconds
icap_service_revival_delay 20
icap_preview_enable on
icap_206_enable on
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
- adaptation_send_client_username_hmac on
icap_client_username_header X-Client-Username
icap_client_username_encode off
icap_service service_blocker reqmod_precache icap://myicapserver:1344/reqmod bypass=off ipv6=off
adaptation_access service_blocker allow all
icap_retry allow all
icap_retry_limit 10000
allow_underscore on
dns_defnames on
hosts_file /etc/hosts
dns_v4_first on
memory_pools_limit 32 MB
forwarded_for off
connect_retries 3
workers 1
unlinkd_program /usr/lib/squid3/unlinkd
logfile_daemon /usr/lib/squid3/log_file_daemon
I need this version as it has new features I require and quickly ran
into a problem with the ICAP support. Running tcpdump, I can see regular
OPTIONS request and responses from squid to the ICAP server, but squid
never attempts to issue a REQMOD request, I get ICAP protocol error in
the browser or it simply hangs there, and the cache.log shows....
2012/08/23 11:35:08 kid1| essential ICAP service is down after an options fetch failure: icap://myicapserver:1344/reqmod [down,!opt]
2012/08/23 11:35:09 kid1| suspending ICAP service for too many failures
2012/08/23 11:35:38 kid1| essential ICAP service is up: icap://myicapserver:1344/reqmod [up]
2012/08/23 11:35:52 kid1| WARNING: ICAP Max-Connections limit exceeded for service icap://myicapserver:1344/reqmod. Open connections now: 10000, including 0 idle persistent connections.
There are only a maximum of 2 or 3 connections open to the ICAP server
at any given time, so the message "Open connections now: 10000", is
simply wrong.
This problem renders the ICAP adaption support useless.
If this is the wrong place to report the bug, please advise.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1040588
Title:
squid3.HEAD (20120823-r12295) "WARNING: ICAP Max-Connections limit
exceeded" bug
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1040588/+subscriptions
More information about the Ubuntu-server-bugs
mailing list