
Web Proxy

Hi,

On my UTM 9.505-4 I have the following lines all over the web-protection log:

httpproxy[4888]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1586" message="Read error on the http handler 137 (Input/output error)"

We use the web-protection as parent proxy for our internal squid cache. The web-protection has no cache, no blocked sites, no authentication, no request logging and works in non-transparent mode. It's basically only for AV scanning on http and https. All the caching, site blocking and authentication happens on the squid proxy.

The log entries on the UTM are accompanied by the following log lines in the squid proxy:

kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| Detected DEAD Parent: (Sophos-utm-ip)
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| Detected REVIVED Parent: (Sophos-utm-ip)

Every time this happens, users experience great delays in web surfing, sites not responding and so on... It just happens for a few seconds before everything goes back to normal.

If we let squid handle all the surfing without the UTM as parent proxy, the problem is gone. So it's def a UTM issue.

Squid config lines for the parent proxy:

cache_peer (Sophos-utm-ip) parent 8080 0 no-query no-digest default
never_direct allow all

Any ideas?

best regards, daniel



  • Hello,

    We still have this problem and users are unable to browse the web!
    Most websites take ages to open or don't open at all.
    Funnily enough, if you go into the browser address line and hit enter again (request the website a second time) it usually comes up pretty quick.
    Still, our squid proxy only writes in the log that the TCP connection to the Sophos web-protection port fails.
    If I restart the web-protection on the Sophos UTM it usually runs fine for a few minutes and then the problem comes back.
    If I bypass the Sophos web-protection, our squid proxy delivers every website immediately and without any delay.
    If I use Trend-Micro Viruswall as upstream proxy instead of Sophos web-protection it runs perfectly fine.
    It's not a problem of our squid proxy or any other network infrastructure, it clearly is a UTM problem.
    We use SSL scanning and web-protection in standard (non-transparent) mode. UTM version is 9.701-6.

    In Sophos web-protection I have the following log repeating in loops:

    2020:02:28-09:41:24 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 902 (Broken pipe)"
    2020:02:28-09:41:54 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 928 (Broken pipe)"
    2020:02:28-09:42:16 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 7 bytes (HPE_INVALID_CONSTANT: invalid constant string)"
    2020:02:28-09:43:50 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1694" message="Read error on the http handler 927 (Input/output error)"
     
    2020:02:28-09:45:36 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 289 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
    2020:02:28-09:45:36 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd9be9800" function="read_request_headers" file="request.c" line="1615" message="unable to parse a http message on handler 1118 (Success)"
     
    Is this a bug, and if yes, when will it finally be fixed? Could it be a corruption of the AV pattern files? Please help!
    Thanks in advance,
    Daniel
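An added example, not part of the original post and not Sophos tooling: a small Python parser for the httpproxy log format quoted above that tallies entries by failure type and by minute, so the UTM errors can be lined up against Squid's DEAD/REVIVED parent messages. The sample lines are constructed in the format of the post, and the category names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp and host are optional: the first log line in the thread has neither.
HEADER = re.compile(r'^(?:(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ )?httpproxy\[(\d+)\]: (.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')
REASON = re.compile(r'\(([^()]*)\)\s*$')  # trailing "(Broken pipe)" and similar

# Constructed sample lines in the format quoted in the post (not a real capture).
PRE = ' asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" '
SAMPLE = "\n".join([
    '2020:02:28-09:41:24' + PRE + 'function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 902 (Broken pipe)"',
    '2020:02:28-09:41:54' + PRE + 'function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 928 (Broken pipe)"',
    '2020:02:28-09:42:16' + PRE + 'function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 7 bytes (HPE_INVALID_CONSTANT: invalid constant string)"',
    '2020:02:28-09:43:50' + PRE + 'function="read_request_headers" file="request.c" line="1694" message="Read error on the http handler 927 (Input/output error)"',
    'kid1| TCP connection to (Sophos-utm-ip)/8080 failed',  # Squid line: skipped
])

def parse_line(line):
    """Return the key="value" fields plus a parsed 'time', or None if not httpproxy."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = dict(PAIR.findall(m.group(3)))
    ts = m.group(1)
    fields["time"] = datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S") if ts else None
    return fields

def classify(fields):
    """Map one entry to a coarse failure category (names chosen for this example)."""
    msg = fields.get("message", "")
    m = REASON.search(msg)
    reason = m.group(1) if m else ""
    if "unable to parse" in msg.lower():
        code = reason.split(":")[0]
        return "parse_error:" + (code if code.startswith("HPE_") else "unspecified")
    if reason == "Broken pipe":
        return "write_peer_closed"  # EPIPE: the other end had already closed
    if msg.startswith("Read error"):
        return "read_error"
    return "other"

def summarize(text):
    """Count entries per category and per HH:MM bucket."""
    kinds, per_minute = Counter(), Counter()
    for f in filter(None, map(parse_line, text.splitlines())):
        kinds[classify(f)] += 1
        if f["time"]:
            per_minute[f["time"].strftime("%H:%M")] += 1
    return kinds, per_minute
```

Running `summarize()` over the full web-protection log and comparing the per-minute counts with the timestamps of Squid's "Detected DEAD Parent" lines shows whether the two sets of errors coincide.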
  • Is Squid doing https inspection? I suspect that Squid is concentrating all of your users onto one IP. Depending on your workload, UTM may not be able to cope with so many connections coming from one source address. One possibility is that UTM or Squid may be running out of port numbers. Another possibility is that the two proxies are creating timing problems.

    Web Proxy is the best part of UTM, so you are wasting a valuable resource. I seriously doubt that your Squid configuration is as powerful. But assuming that it is, why not simply turn off UTM Web Proxy? The world is going to https. Without https inspection, UTM cannot give you AV protection for https sites, and you are not using UTM web proxy for anything else.

    You are using two proxies, and they do not work together very well. After more than two years, you are still living with bad performance rather than changing your architecture?

     

  • What does Sophos Support say about this, Daniel?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    thanks for your reply.
    The proxy sandwich worked OK until a recent update, it just recently started to get that slow.

    Our squid does not inspect https, it's configured with a big cache, does AD authentication and several black/whitelists.
    The Sophos web proxy has cache, logging and filtering disabled and is only used for https and http AV inspection.
    This should ensure that only AV-scanned content is transferred to the big cache of the squid proxy.
    As we use lots of VPN and NAT we wanted to reduce the performance overhead with the Sophos proxy. We also like some other benefits of squid.

    Using squid alone (without Sophos) is lightning fast.
    Using the Sophos web proxy alone (with cache and filtering but no AV scanning, to have the same situation as with squid) is OK but slower than squid.
    I see no reason why we should change architecture.

    We did not yet open a support ticket as I just wanted to check with your forum first.


    Thanks and greetings