[Privoxy-users] squid 5.1 + privoxy 3.0.32 leads to "cache_peer replying with 403s to CONNECTs marked as DEAD" and/or "TCP connection to 127.0.0.1/8118 failed"

Matthias Fischer matthias.fischer at ipfire.org
Sat Aug 21 12:03:43 UTC 2021


Hi,

could "someone" please take a look at...

https://bugs.squid-cache.org/show_bug.cgi?id=5147

...where I opened a bug report regarding a configuration which worked
flawlessly for several years - until 'squid 5.1' came out.

Configuration is as follows:
'privoxy 3.0.32' running as a parent cache_peer for squid (before: 4.16,
now: 5.1).

Excerpt from 'squid.conf':
...
cache_peer 127.0.0.1 parent 8118 0 name=privoxy no-query no-digest no-netdb-exchange default
never_direct allow all
...

'privoxy 3.0.32' is configured with:
...
listen-address  127.0.0.1:8118
...

This worked for years - with several squid and several privoxy versions.
No problems.

After upgrading from squid 4.16 to the current "5.1 stable", squid's
'cache_log' suddenly started reporting that a "TCP connection" to the
parent "cache_peer" fails or that the 'cache_peer' is DEAD and REVIVED
in the same second. But 'privoxy' is actually running and doing its job!
It's running and filtering. Hm!?

I didn't change anything in either configuration and as soon as I revert
to squid 4.16, these messages are gone. They only appear with 5.1.

After opening a bug report for 'squid', Alex Rousskov - squid developer -
asked me to create a debug log, which I did:
https://bugs.squid-cache.org/attachment.cgi?id=3796

For him, this log shows that "The privoxy cache_peer is blocking Squid
CONNECT requests by responding with an "HTTP/1.1 403 Request blocked by
Privoxy" response status line. I do not know whether that is
intended/desirable/expected in your deployment, but Squid marks privoxy
peer connection as failed because (with that 403 response) privoxy
refuses Squid CONNECT request."

And later "AFAICT, Squid v4 did not consider rejected CONNECTs a problem
worth marking the peer DEAD for. Squid v4 only paid attention to
TCP-level failures. IMO, that was a Squid bug fixed in v5. I am sorry
that the bug fix has negative consequences for your use case."

Is this a problem that can be fixed in 'privoxy'? I'm now running squid
5.1 only - without privoxy - and never saw "TCP connection to
127.0.0.1/8118 failed" again since then.

If you need any further information please let me know.

Best,
Matthias
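
A diagnostic sketch for the situation described in this message, added here as an example and not part of the original post or of the Squid or Privoxy code: it sends one CONNECT to a parent proxy and reports whether a peer would count as failed under each of the two behaviours in the quoted reply. The `peer_verdict` rule (any non-2xx reply to CONNECT counts as a failure for v5) is a simplifying assumption, and `stub_peer` and the target `example.org:443` are constructed stand-ins so the block runs without a live privoxy.

```python
import socket
import threading

def connect_probe(host, port, target, timeout=3.0):
    """Send one CONNECT to the proxy; return (tcp_ok, status_code_or_None)."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            buf = b""
            while b"\r\n" not in buf and len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError:  # refused, reset or timed out: a TCP-level failure
        return (False, None)
    parts = buf.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return (True, int(parts[1]))
    return (True, None)  # connected, but no parsable status line

def peer_verdict(tcp_ok, status):
    """Simplified model (assumption) of the two behaviours in the quoted reply."""
    v4 = "ok" if tcp_ok else "failed"  # v4: only TCP-level failures count
    v5 = "ok" if tcp_ok and status is not None and 200 <= status < 300 else "failed"
    return {"squid4": v4, "squid5": v5}

def stub_peer(status_line):
    """Constructed stand-in for the parent: answers one request, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while b"\r\n\r\n" not in data:  # read the whole request head first
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(status_line.encode("ascii") + b"\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = stub_peer("HTTP/1.1 403 Request blocked by Privoxy")
    print(peer_verdict(*connect_probe("127.0.0.1", port, "example.org:443")))
```

Against a real deployment, `connect_probe("127.0.0.1", 8118, ...)` would be pointed at the listen-address from the configuration above instead of the stub.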

