On Thu, Jan 7, 2010 at 2:30 PM, Johann Terblanche <jterblanche@xxxxxxxxxxxxxxxx> wrote:
> Hi Kinkie
>
> Thanks for your response.
>
> I've looked at the log file and below is an extract of a site but I do
> not fully understand the meaning of _MISS _HIT _DENIED
> ok DENIED is obvious but why?
>
> 1262869421.378 6417 172.30.36.254 TCP_MISS/200 1762 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -

This means that there was an https tunneling request from IP 172.30.36.254 by user "jterblanche" to www.ibm.com, which was allowed ("/200") and was not satisfied from cache ("TCP_MISS" - https requests cannot be cached, so not surprising).

> 1262869421.378 6426 172.30.36.254 TCP_MISS/200 1764 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
> 1262869421.379 6422 172.30.36.254 TCP_MISS/200 1751 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
> 1262869421.380 6405 172.30.36.254 TCP_MISS/200 1763 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
> 1262869421.400 0 172.30.36.254 TCP_DENIED/407 1849 CONNECT
> www-03.ibm.com:443 - NONE/- text/html

This says that an https tunnel-setup request from IP 172.30.36.254 was denied ("TCP_DENIED") with a request for user identification ("/407") caused by missing or incorrect user credentials.

This does not necessarily indicate a problem: if you're using NTLM to authenticate users, there's going to be 2 407's for each TCP connection used by the client. If you're using other authentication protocols, it's up to the client really - usually they're going to 407 once per process per proxy, and then remember that they have to authenticate. But there may be misbehaving software.

> 1262869421.442 1 172.30.36.254 TCP_DENIED/407 2083 CONNECT
> www-03.ibm.com:443 - NONE/- text/html
> 1262869422.508 0 172.30.36.254 TCP_DENIED/407 1837 CONNECT
> w3.ibm.com:443 - NONE/- text/html
> 1262869422.515 0 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.521 1 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.522 0 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.529 2 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.532 1 172.30.36.254 TCP_DENIED/407 2071 CONNECT
> w3.ibm.com:443 - NONE/- text/html
> 1262869422.541 4 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.542 2 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.542 2 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.542 1 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.543 3 172.30.36.254 TCP_MISS/404 0 CONNECT
> w3.ibm.com:443 jterblanche DIRECT/- -
>
> I think it has something to do with automatic certificate signing how do
> I make a generic certificate that will work with all https sites in
> squid?

This is a forward proxy. Squid does not participate in the SSL transaction, but only creates a TCP link along which the SSL transaction takes place.

--
/kinkie
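
Added example (not part of the original message, and not code from the Squid project): a small Python script that separates the routine 407 authentication challenges described in the reply from clients that are challenged but never authenticate. The first four sample lines are copied from the thread; the two for client 172.30.36.99 are constructed, and the function names are this example's own.

```python
from collections import defaultdict

# First four lines are from the thread above; the 172.30.36.99 lines are constructed.
SAMPLE_LOG = """\
1262869421.378 6417 172.30.36.254 TCP_MISS/200 1762 CONNECT www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
1262869421.400 0 172.30.36.254 TCP_DENIED/407 1849 CONNECT www-03.ibm.com:443 - NONE/- text/html
1262869422.515 0 172.30.36.254 TCP_DENIED/407 1840 CONNECT www.ibm.com:443 - NONE/- text/html
1262869422.543 3 172.30.36.254 TCP_MISS/404 0 CONNECT w3.ibm.com:443 jterblanche DIRECT/- -
1262869430.100 0 172.30.36.99 TCP_DENIED/407 1840 CONNECT www.ibm.com:443 - NONE/- text/html
1262869431.200 0 172.30.36.99 TCP_DENIED/407 1840 CONNECT www.ibm.com:443 - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into named fields."""
    f = line.split()
    if len(f) < 10:
        return None  # not a complete native-format record
    result, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "method": f[5], "url": f[6], "user": f[7]}

def summarize(log_text):
    """Per client: 407 challenges, authenticated requests, other denials."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0,
                                 "denied_other": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["result"] == "TCP_DENIED" and rec["status"] == 407:
            s["challenges"] += 1        # proxy asked for credentials
        elif rec["result"] == "TCP_DENIED":
            s["denied_other"] += 1      # refused for a reason other than auth
        elif rec["user"] != "-":
            s["authenticated"] += 1     # request carried an accepted user name
            s["users"].add(rec["user"])
    return stats

def never_authenticated(stats):
    """Clients that were challenged but never completed authentication."""
    return sorted(c for c, s in stats.items()
                  if s["challenges"] and not s["authenticated"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(client, s)
    print("challenged but never authenticated:", never_authenticated(stats))
```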