
Re: Why some traffic is TCP_DENIED

On 16/02/21 11:09 pm, Vieri wrote:
Hi,

I'm trying to understand why Squid denies access to some sites, eg:

[Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
[Tue Feb 16 10:15:36 2021].053     49 10.215.248.74 TCP_MISS/200 2037 GET https://puk1-collabhubrtc.officeapps.live.com/rtc2/signalr/negotiate? - ORIGINAL_DST/52.108.88.1 application/json
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -


If I take the first line in the log and I open the URL from a client I use then the site opens as expected, and the corresponding Squid log is:

[Tue Feb 16 10:45:50 2021].546    628 10.215.111.210 TCP_MISS/200 2134 GET https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - ORIGINAL_DST/23.210.36.30 application/octet-stream
[Tue Feb 16 10:45:52 2021].668     49 10.215.111.210 NONE_NONE/000 0 CONNECT 216.58.215.138:443 - ORIGINAL_DST/216.58.215.138 -

In this log I see my host's IP addr. 10.215.111.210.
However, in the first log I do not see a source IP address. Why?


Because this is Squid downloading the cert for its own use. For example SSL-Bump needing it to complete a TLS cert chain.



Other clients seem to be denied access with errors in the log such as "NONE_NONE/000"  followed by error:invalid-request or error:transaction-end-before-headers. How can I find out why I get "invalid requests"? Would a tcpdump on the server or client help? Or should I enable verbose debugging in Squid?

Looking at all these lines together I see:

* a client TLS connection being intercepted, the server cert chain is incomplete.
* Squid attempts to download the missing cert(s).
* squid.conf rules force the cert download to get a 302 instead of a valid cert.
* which leaves Squid unable to send the TLS connection client a valid cert chain.
* the client rejects the TLS handshake and disconnects before any HTTP happens.


To avoid these, you need to prevent your squid.conf rules generating that 302 when Squid is initiating the request. The ACL type "transaction_initiator" can be used for that.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
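The diagnosis in Amos's reply turns on one detail of the native access.log format: a client field of "-" marks a request that Squid issued for itself (here, fetching a missing intermediate certificate), and a denied self-fetch is then followed by clients' TLS handshakes dying before any HTTP request is parsed. The script below is an added example, not code from the thread or from the Squid project; it parses the log lines quoted above (embedded as a constructed sample) and sorts each entry into a triage bucket. The bucket names and the "-" client heuristic are my own, following the explanation in the reply.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the access.log lines quoted in the thread above.
SAMPLE_LOG = """\
[Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
"""

# "[<timestamp>].<fraction> <rest of the native-format fields>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\.(?P<frac>\d+)\s+(?P<rest>.+)$")


@dataclass
class Entry:
    ts: str
    client: str   # source IP, or "-" when Squid itself initiated the request
    code: str     # e.g. TCP_DENIED, TCP_MISS, NONE_NONE
    status: int   # HTTP status, 0 when no response was produced
    method: str   # "-" when no HTTP request was ever parsed
    url: str      # URL, "host:port" for intercepted TLS, or "error:..." marker
    hier: str     # hierarchy code / peer, e.g. HIER_NONE/- or ORIGINAL_DST/ip


def parse_line(line):
    """Parse one native-format access.log line; return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split()
    if len(fields) != 9:  # elapsed client code/status bytes method url user hier mime
        return None
    _elapsed, client, code_status, _size, method, url, _user, hier, _mime = fields
    code, _, status = code_status.partition("/")
    return Entry(m.group("ts"), client, code, int(status), method, url, hier)


def classify(e):
    """Triage bucket for an entry (bucket names are this example's own)."""
    if e.client == "-":
        # No source address: Squid made this request for its own purposes,
        # e.g. fetching a missing intermediate certificate during SSL-Bump.
        return "squid-initiated-denied" if e.code == "TCP_DENIED" else "squid-initiated"
    if e.url.startswith("error:"):
        # Client connection ended or was malformed before a request was parsed.
        return "client-" + e.url[len("error:"):]
    if e.code == "TCP_DENIED" and e.method == "-":
        # Intercepted TLS connection denied with no HTTP method at all.
        return "intercepted-tls-denied"
    return "normal"


def summarize(text):
    """Return (bucket counts, URLs of Squid's own fetches that were denied)."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    counts = Counter(classify(e) for e in entries)
    self_denied = [e.url for e in entries if classify(e) == "squid-initiated-denied"]
    return counts, self_denied


if __name__ == "__main__":
    counts, urls = summarize(SAMPLE_LOG)
    for bucket, n in sorted(counts.items()):
        print(f"{n:3d}  {bucket}")
    for url in urls:
        print("denied self-fetch:", url)
```

On the sample, the one "squid-initiated-denied" entry is the 302 on the Microsoft root certificate, and it sits in the same second as the "transaction-end-before-headers" and "invalid-request" entries from real clients, which is the chain of events the reply describes. Once the denied self-fetches are identified, the fix the reply points to is an ACL of type `transaction_initiator` that matches Squid's own fetches (Squid's configuration documentation lists `certificate-fetching` as the initiator value for missing-intermediate downloads), allowed by an `http_access` rule placed ahead of whatever rule produces the 302.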



