Documentation #14842: Update Squid troubleshooting
Status: open
Description
The area where the update is needed:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html#sites-not-loading-with-splice-error-409-in-access-log
Supporting forum conversations:
https://forum.netgate.com/topic/181796/infamous-409-issue/17?_=1696515335663
Supporting Redmine:
https://redmine.pfsense.org/issues/14390
The update to the documentation just needs to point out that, with the way the modern Internet works today (CDNs especially), low TTL values for domain names will impact connectivity when using Squid. /409 errors are generated because clients, for whatever reason (they may hold on to DNS cache values longer), will use an IP to connect to a resource that the proxy has a different resolved IP for.
Just having all clients point to pfsense is not a fix for this.
There are fixes for this, but it has yet to be investigated when I checked the Redmine today. Adding a note in the documentation will help admins that still use proxies in this way and can help those same admins identify why sites won't load or stop working suddenly.
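A small log-triage helper for the 409 symptom described above, added here as an example and not part of the issue or of pfSense/Squid code: it parses Squid native-format access.log lines, pulls out the NONE/409 entries per destination and client, and checks the IP a client connected to against the proxy's own resolution of the hostname. The resolver is injected so it runs offline; the sample log lines and the PROXY_VIEW mapping are constructed, and the default native log format is assumed.

```python
import re
from collections import Counter, defaultdict

# Squid native access.log layout: time elapsed client action/code bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\w+)/(?P<code>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)"
)

# Constructed sample lines (documentation-range IPs, not from a real deployment).
SAMPLE_LOG = """\
1696515335.101      0 192.168.1.50 NONE/409 3984 CONNECT 203.0.113.10:443 - HIER_NONE/- text/html
1696515336.204    120 192.168.1.50 TCP_TUNNEL/200 5120 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
1696515337.310      0 192.168.1.77 NONE/409 3984 CONNECT 203.0.113.10:443 - HIER_NONE/- text/html
1696515338.002     45 192.168.1.77 TCP_MISS/200 2048 GET http://www.example.test/ - HIER_DIRECT/198.51.100.9 text/html
"""

def parse_line(line):
    """Parse one native-format line; return a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    # For CONNECT the URL field is the intercepted destination as host_or_ip:port.
    if rec["method"] == "CONNECT" and ":" in rec["url"]:
        rec["dst"], rec["port"] = rec["url"].rsplit(":", 1)
    else:
        rec["dst"], rec["port"] = rec["url"], ""
    return rec

def find_409(log_text):
    """Return every record whose HTTP status is 409 (the splice/intercept failure this issue is about)."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["code"] == 409]

def summarize(events):
    """Group 409s by the destination the client tried to reach, listing the clients affected."""
    counts = Counter(e["dst"] for e in events)
    clients = defaultdict(set)
    for e in events:
        clients[e["dst"]].add(e["client"])
    return {dst: {"count": n, "clients": sorted(clients[dst])} for dst, n in counts.items()}

def resolution_mismatch(dst_ip, hostname, resolve):
    """True when the IP the client connected to is absent from the proxy's own answer for hostname."""
    return dst_ip not in set(resolve(hostname))

# Constructed stand-in for the proxy's resolver: a low-TTL CDN name that now points elsewhere.
PROXY_VIEW = {"cdn.example.test": ["198.51.100.20", "198.51.100.21"]}
```

In production, pass a real lookup such as a wrapper around socket.getaddrinfo as `resolve` and feed the function the actual access.log text.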
Updated by Mike Moore about 1 year ago
Can an update be made in the netgate documentation or a fix for this issue be investigated?
It's very odd that tickets concerning Squid Proxy are ignored short of there being a PHP error.
A transparent proxy is fundamentally broken within the product. Bare minimum, a note should be placed stating that /409 errors are not fully caused by not having clients point to pfSense for DNS. That's just not true anymore in 2023.
Updated by Jonathan Lee 5 months ago
Squid's http_port tproxy directive spoofs the IP addresses. This can be used in place of intercept to further increase accuracy and reliability within transparent proxy use.