Hey All,

I work for a small school district and we've been using Squid + SquidGuard as our internet filter since we were required to filter our Internet connection.  It's worked very well for us over the years and through various hardware and software upgrades.

Except...

Recently, Yahoo! Mail has stopped working.  The problem(s) are random and sporadic, and sometimes you don't have any problem accessing it at all.

Sometimes you can't log in (no error, just a blank web page)

Sometimes you can't send an e-mail (you get the "Oops! We're having a problem sending your message").  Sometimes clicking "Try sending again" works, sometimes it doesn't.

Sometimes folder contents won't load.  If you click on a folder, like your Sent folder, no messages appear.

Sometimes, messages won't load.  If you click on a message to read it, you'll get stuck on "Loading message...".

Sometimes when deleting messages they don't actually delete.  The user doesn't discover this until logging in at home.

I've confirmed that the issue is with our Squid box as Yahoo! Mail seems to be just fine when the client isn't being proxied.  I've confirmed that it's not the SquidGuard component as disabling it (by removing the url_rewrite directive in the Squid config) does not help.

We have a very basic Squid configuration and it's something that's worked for us for years!  I'm very confused as to why we're having problems.

Our existing server is running Debian Etch with Squid 2.6.STABLE5.  In part of the troubleshooting process I built a new server running Debian Squeeze with Squid 2.7.STABLE9 with no luck.

Here is our current configuration (minus all the comments):

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow localnet
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 80 transparent http11
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
log_fqdn on
redirect_program /usr/bin/squidGuard
url_rewrite_children 50
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$    0    20%    2880
refresh_pattern .        0    20%    4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
via off
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
server_http11 on
visible_hostname squidguard
always_direct allow all
hosts_file /etc/hosts
forwarded_for off
coredump_dir /var/spool/squid
pipeline_prefetch on

If anybody has any ideas on what I can do to resolve this I'd immensely appreciate it!!

Hi,

We you able to find a solution for this yahoo mail problem with Squid. I recently build a squid proxy server 2.6 and I am facing the same problem.

Unfortunately no.  I set up a test scenario a while back and discovered something interesting.

We have port 80 traffic routed to our squid box via a route-map on our last router (Cisco) before the firewall.  This routes any non-local (10.x.x.x) port 80 traffic through the squid box.

I added a rule to the ACL that the route-map uses that excludes a range of IP addresses so I can set up clients to access the web without their traffic passing through the squid box.

When a client is being proxied via the route-map, it has the Yahoo issues.  When a client is being proxied via manual proxy settings in the OS and/or web browser, it's completely happy.

So, my conclusion is that the problem is with the way the route-map is handling the traffic.  Something between the route-map and the squid box is causing the problem.  What or why, I have no idea.  We've simply been living with the problem since Yahoo Mail isn't a service that we use.

I haven't done any further research since we plan on replacing our aging PIX firewall and will probably move to a firewall solution that includes content filtering.

However, if anybody has any ideas on how I could tweak the route-map, I'm all ears!  Here's what I have set up:

route-map squid permit 10
 match ip address 112
 set ip next-hop 10.1.1.3

Corresponding ACL:
access-list 112 deny   tcp host 10.1.1.3 any
access-list 112 deny   tcp any 10.0.0.0 0.255.255.255
access-list 112 deny   tcp 10.10.16.248 0.0.0.7 any
access-list 112 deny   tcp host 10.20.16.255 any
access-list 112 deny   tcp host 10.30.16.255 any
access-list 112 deny   tcp host 10.40.16.255 any
access-list 112 deny   tcp host 10.10.44.100 any
access-list 112 permit tcp any any eq www
access-list 112 deny   tcp any any
 

I should add:

"When a client is being proxied via manual proxy settings in the OS and/or web browser, it's _appears_ completely happy."