-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 7/12/2014 9:48 p.m., glenn.groves wrote: > Hi All, > > I have finally been able to spend time upgrading a server to a > later squid version, I have tried 3.4.9. > > I could not get authentication to work for this test, but proceeded > to test without (also dismisses auth as the problem). > > I am getting the following in the logs with secure sites now the > squid is 3.4.9: > > 192.168.9.69 TCP_MISS/200 295 CONNECT www.google.com:443 - > HIER_DIRECT/216.58.220.1 192.168.9.69 TCP_MISS/200 0 CONNECT > www.google.com:443 - HIER_DIRECT/216.58.220.132 > > Upgrading to 3.4.9 on Centos as been a pain so far, no point in > proceeding with the problem persisting. Can someone advise why I am > getting TCP_MISS/200 when going to secure google sites? > "200" because the tunnel was setup successfully. "TCP_MISS" because a connection being opened does not use an existing cache object. Old Squid versions do not use the TCP_TUNNEL label. The above appear to be successful tunnels setup through the proxy. > Or more importantly, how to fix my squid 3.1 on centos 6.5 with > this problem. > What browser(s) are showing the problem? and what does a tcpdump trace of the packets content show happening? A) It could be they are trying to use SPDY or HTTP/2 inside the tunnel. CONNECT technically could be followed immediately with traffic bytes even though the tunnel/Upgrade process was not confirmed successful by the proxy. Squid does not support that behaviour until version 3.4.5 (bug 3371) but browsers using SPDY and HTTP/2 rely on it. You may be able to backport the bug fix (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13126.patch), but this is one unlikely to be easy across so many versions. There have been numerous tunneling code updates in between. B) It could be happy-eyeballs algorithm being used by the browser. Settign up a connection in advance and having it timeout in the proxy before an attempt to actually use it is made. Although Squid should append _TIMEOUT to the MISS tag in those cases its not certain if that happens on tunnels. Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUhB8iAAoJELJo5wb/XPRjfsIH/jFvpT7a/lHZfM8uaMxoUVu4 oGLoyjx6m1ZEg/W5Ta+TjlnfJjcyqfZdkHeIJzY9athcAWaxcT/By2sFEhuPqdtJ hbps9UWbcae3Uu8sL71oABPnNvfH23HpU6q3PBrNRv82K8jrFjS56oEFwCQrKavP pxfirbNk0MZg9/bLDAGnD05ItKAxo+uQ2xQU0AE/z6z3LE23WaMS4axTNLBS2icP V9y2D90mH35nMlaFkhSPl1oL8HfQ1yOuKoNJz2YSgIsgiEmGBsF9aRQ+FS1CgiSh HFFDyY+dAQUOFL9Qv/gJjddWhQAqH3X6kjqUCqgzqp+eHCOfrQGWzG6Wv42X7/k= =P6Ev -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
