Squid read error connection reset by peer


``Connection reset by peer'' is an error code that Unix operating systems sometimes return for read, write, connect, and other system calls.


I have squid/dansguardian but I tried going directly to squid with the same result.  If I go through squid (explicit proxy/NTLM auth) to go to http://www.monoprice.com, I get:


The requested URL could not be retrieved


The following error was encountered while trying to retrieve the URL: http://www.monoprice.com/?

Read Error

The system returned: (54) Connection reset by peer

An error condition occurred while reading data from the network. Please retry your request.

If I go direct, I can bring it up fine.  This happens in both Firefox and IE.  I did a network capture of direct vs going through squid and the web site server sends a RST, ACK after the HTTP GET.

Is anyone else having this problem with squid?  The only difference I see in the HTTP header going through squid just before the reset is "Pragma: no-cache", "Cache-Control: max-age=259200", and "X-Forwarded-For: <internal ip>, unknown".

Anyone have any ideas?

grep 8080

If you find that some process has bound to your port, but you're not sure which process it is, you might be able to use the excellent lsof program. It will show you which processes own every open file descriptor on your system.

11.12 icpDetectClientClose: ERROR xxx.xxx.xxx.xxx: (32) Broken pipe

This means that the client socket was closed by the client before Squid was finished sending data to it. Squid detects this by trying to read some data from the socket. If the call fails, then Squid knows the socket has been closed. Normally the call returns ECONNRESET: Connection reset by peer and these are NOT logged. Any other error messages (such as EPIPE: Broken pipe) are logged to cache.log. See the ``intro'' of section 2 of your Unix manual for a list of all error codes.

11.13 icpDetectClientClose: FD 135, 255 unexpected bytes

These are caused by misbehaving Web clients attempting to use persistent connections. Squid-1.1 does not support persistent connections.

11.14 How come Squid doesn't work with NTLM Authorization.

We are not sure. We were unable to find any detailed information on NTLM (thanks Microsoft!), but here is our best guess:

Squid transparently passes the NTLM request and response headers between clients and servers. The encrypted challenge and response strings most likely encode the IP address of the client. Because the proxy is passing these strings and is connected with a different IP address, the authentication scheme breaks down. This implies that if NTLM authentication works at all with proxy caches, the proxy would need to intercept the NTLM headers and process them itself.

If anyone knows more about NTLM and knows the above to be false, please let us know.

11.15 The default parent option isn't working!

This message was received at squid-bugs:

If you have only one parent, configured as:

cache_host xxxx parent 3128 3130 no-query default

nothing is sent to the parent; neither UDP packets, nor TCP connections.

Simply adding default to a parent does not force all requests to be sent to that parent. The term default is perhaps a poor choice of words. A default parent is only used as a last resort. If the cache is able to make direct connections, direct will be preferred over default. If you want to force all requests to your parent cache(s), use the inside_firewall option:

inside_firewall none

11.16 ``Hot Mail'' complains about: Intrusion Logged. Access denied.

``Hot Mail'' is proxy-unfriendly and requires all requests to come from the same IP address. You can fix this by adding to your squid.conf:

hierarchy_stoplist hotmail.com

11.17 My Squid becomes very slow after it has been running for some time.

This is most likely because Squid is using more memory than it should be for your system. When the Squid process becomes large, it experiences a lot of paging. This will very rapidly degrade the performance of Squid. Memory usage is a complicated problem. There are a number of things to consider.

First, examine the Cache Manager Info output and look at these two lines:

Number of TCP connections: 121104
Page faults with physical i/o: 16720

Note, if your system does not have the getrusage() function, then you will not see the page faults line.

Divide the number of page faults by the number of connections. In this case 16720/121104 = 0.14. Ideally this ratio should be in the 0.0 - 0.1 range. It may be acceptable to be in the 0.1 - 0.2 range. Above that, however, and you will most likely find that Squid's performance is unacceptably slow.

If the ratio is too high, you will need to make some changes to lower the amount of memory Squid uses.

11.18 WARNING: Failed to start 'dnsserver'

This could be a permission problem. Does the Squid userid have permission to execute the dnsserver program?

You might also try testing dnsserver from the command line:

> echo oceana.nlanr.net

stunnel + squid = 1 request for 5minutes (rest connection reset by peer)

Mithrand1r Asks: stunnel + squid = 1 request for 5minutes (rest connection reset by peer)


Configuration with stunnel on client which connects to squid proxy with x509 certificate authentication works only for one request per 5 minutes. Scenario:

  • and configured and started
  • configured to use as proxy ()
  • Only 1 request (e.g. ) per 5 minutes (or restart) work rest got
  • Using raw connection e.g using direct communication to squid works properly


I am setting up architecture of installed on client which leads to proxy with authentication.

Client setup with his certificate which connects to , then set up to aim for stunnel endpoint at .

Trust path is correctly configured on each side, so both squid trust certificates from client, and client trust squid's certificate on each level - Root CA and intermediate CA.

Configuration of stunnel:


Configuration of squid


Now what happens on client, having configured properly HTTPS_PROXY=localhost:3128, first request through squid is accepted, and next are rejected with . After 5 minutes or stunnel restart next request is handled properly.

Logs from stunnel when this occurs, first request ok, second one rejected:


It clearly looks like the first request's TLS negotiation succeeds while the second one is not even started.

logs from squid access log:


Logs from cache:



When I try to use and then like this:


each request is successful:

log from squid:


I am losing my mind with this problem. I would appreciate any help with this.


grep LISTEN

That will show all sockets in the LISTEN state. You might also try

netstat -naf inet

storeSwapInFileOpened: /var/cache/00/00/00000015: Size mismatch: 776(fstat) != 3785(object)
1998/09/23 09:31:31 storeSwapInFileOpened: /var/cache/00/00/00000017: Size mismatch: 2571(fstat) != 4159(object)

What does Squid do in this case?

NOTE, these messages are specific to Squid-2. These happen when Squid reads an object from disk for a cache hit. After it opens the file, Squid checks to see if the size is what it expects it should be. If the size doesn't match, the error is printed. In this case, Squid does not send the wrong object to the client. It will re-fetch the object from the source.

11.31 Why do I get fwdDispatch: Cannot retrieve 'https://www.buy.com/corp/ordertracking.asp'

These messages are caused by buggy clients, mostly Netscape Navigator. What happens is, Netscape sends an HTTPS/SSL request over a persistent HTTP connection. Normally, when Squid gets an SSL request, it looks like this:

CONNECT www.buy.com:443 HTTP/1.0

Then Squid opens a TCP connection to the destination host and port, and the real request is sent encrypted over this connection. That's the whole point of SSL, that all of the information must be sent encrypted.

With this client bug, however, Squid receives a request like this:

GET https://www.buy.com/corp/ordertracking.asp HTTP/1.0
Accept: */*
User-agent: Netscape . .

Now, all of the headers, and the message body have been sent, unencrypted to Squid. There is no way for Squid to somehow turn this into an SSL request. The only thing we can do is return the error message.

Note, this browser bug does represent a security risk because the browser is sending sensitive information unencrypted over the network.
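
The difference between the two request forms above can be checked for in proxy logs. The following is an added example, not code from the Squid FAQ or the Squid project: it scans access.log lines and reports requests whose https:// URL arrived as a plain GET or POST rather than inside a CONNECT tunnel. It assumes Squid's native access.log field order; the sample lines (including their result codes and addresses) are constructed, and the function names are illustrative.

```python
# Added example: flag proxy requests whose https:// URL reached the proxy
# in cleartext (plain GET/POST) instead of through a CONNECT tunnel.
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines, assuming Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1069236060.101    312 10.0.0.21 TCP_MISS/200 4512 CONNECT www.buy.com:443 - DIRECT/192.0.2.10 -
1069236061.440     12 10.0.0.37 NONE/400 1520 GET https://www.buy.com/corp/ordertracking.asp - NONE/- text/html
1069236062.900     85 10.0.0.21 TCP_MISS/200 9100 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1069236063.250     10 10.0.0.37 NONE/400 1520 POST https://www.buy.com/corp/login.asp?user=a - NONE/- text/html
truncated line
"""

def parse_line(line):
    """Return (client, method, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[5].upper(), fields[6]

def is_cleartext_https(method, url):
    """True when an https:// absolute URI arrived outside a CONNECT tunnel."""
    if method == "CONNECT":
        return False  # CONNECT host:port: the payload stays encrypted
    return urlsplit(url).scheme.lower() == "https"

def find_cleartext_https(log_text):
    """Return the findings and a per-client count for follow-up."""
    findings, per_client = [], Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, url = parsed
        if is_cleartext_https(method, url):
            parts = urlsplit(url)
            # Report host and path only; the query string may hold secrets.
            findings.append((client, method, parts.hostname, parts.path))
            per_client[client] += 1
    return findings, per_client

if __name__ == "__main__":
    hits, clients = find_cleartext_https(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(dict(clients))
```

Clients that show up repeatedly in the per-client count are the ones to check for the browser bug described above.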