On 1/07/2015 8:52 a.m., Randal Cowen wrote:
> For years I've been successfully running a squid. Last Wednesday the 17th
> magically only HTTPS requests fail over only AT&T's cellular network....
>
> Everything still works great on any other land-line provider I've tested
> including AT&T's DSL service. Typically my logs show
>
> 1435691713.787 240084 <Source IP> TCP_TUNNEL/200 381 CONNECT
> www.google.com:443 - HIER_DIRECT/216.239.32.20 -
>
> but now magically over the AT&T cell network they come in..
>
> 1435692019.503 0 <Source IP> TAG_NONE/501 4175 TFD-CONNECT
> https://iecvlist.microsoft.com/ - HIER_NONE/- text/html
>
> Notice the odd "TFD-CONNECT" which I assume is 501 "Not Implemented" along
> with the URL now containing the https:// prefix...

"TFD-CONNECT" is being sent in as the HTTP request method. It is a custom
method unknown to Squid. It will therefore *not* trigger the CONNECT method
handling code, but be treated as a GET/POST request.

Please double-check this with a "debug_options 11,2" trace to see the client
request message. But I assume the URL also came in either to a https_port or
with "https://" already in the URL.

Your Squid can handle those URLs only if it has been built with OpenSSL
support. Otherwise they get rejected as HTTPS protocol is not implemented.

>
> I'm not finding much on the TFD-CONNECT, what I am finding is leading me to
> believe AT&T has possibly enabled their "Toll Free Data" in my area and is
> messing with my headers/proxy tunnel.
>
> Has anyone else been experiencing this? Or have any helpful clues?

I'm getting the nasty suspicion that they are decrypting the traffic and
passing it around un-encrypted. But you will need to investigate closer to
know for sure.

>
> I have even downloaded and recompiled a completely new box for testing with
> the same behavior. The new box is
>
> Squid Cache: Version 3.5.5-20150624-r13848
> Service Name: squid
> configure options: '--prefix=/usr' '--includedir=/usr/include'
> '--datadir=/usr/share' '--bindir=/usr/sbin'
> '--libexecdir=/usr/lib64/squid--localstatedir=/var'
> '--sysconfdir=/etc/squid' --enable-ltdl-convenience

Please try adding --with-openssl (may need to install the openssl-dev
dependency). At the very least it will enable your Squid to service the
https:// URLs. No guarantees about what happens after that though.

Amos
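
An added example, not part of the original thread and not code from either poster: a small triage script that scans a Squid access.log for entries shaped like the TFD-CONNECT line quoted above (unexpected method, absolute https:// URL, 501 status). It assumes the default native logformat; the `EXPECTED_METHODS` set and the sample client address are assumptions made for illustration.

```python
# Added example: triage Squid access.log for entries like the TFD-CONNECT one above.
# Assumes the default native ("squid") logformat: 10 whitespace-separated fields.

# Assumption: methods this proxy expects to see; extend for WebDAV, PURGE, etc.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}

# Constructed sample modelled on the two log lines in the thread; 192.0.2.10 is a
# documentation address standing in for the redacted source IP.
SAMPLE_LOG = """\
1435691713.787 240084 192.0.2.10 TCP_TUNNEL/200 381 CONNECT www.google.com:443 - HIER_DIRECT/216.239.32.20 -
1435692019.503 0 192.0.2.10 TAG_NONE/501 4175 TFD-CONNECT https://iecvlist.microsoft.com/ - HIER_NONE/- text/html
truncated line here
"""

def parse_line(line):
    """Return a dict for one native-format log line, or None if it does not parse."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return {"time": fields[0], "client": fields[2], "result": result,
            "status": int(status), "method": fields[5], "url": fields[6]}

def reasons(entry):
    """List why an entry looks like a rewritten or mangled tunnel request."""
    out = []
    if entry["method"] not in EXPECTED_METHODS:
        out.append("unexpected method")
    # Without SSL-Bump, HTTPS normally reaches a forward proxy as CONNECT host:port.
    if entry["url"].lower().startswith("https://"):
        out.append("absolute https:// URL")
    if entry["status"] == 501:
        out.append("501 Not Implemented")
    return out

def scan(text):
    """Return (entry, reasons) pairs for every parsable line that has findings."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [(e, reasons(e)) for e in parsed if e is not None and reasons(e)]

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG):
        print(entry["time"], entry["client"], entry["method"], entry["url"], "; ".join(why))
```

Grouping the hits by client address shows whether the rewritten requests come only from one carrier's address ranges, which is the pattern described in the original report.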