Re: Rewriting HTTP to HTTPS for generic package proxy

"Fiehe, Christoph" <c.fiehe@xxxxxxxxxxx> · Wed, 10 Jul 2024 16:42:09 +0000

Thanks a lot. That was a good advice. For test purposes, I have deconfigured the upstream proxy and used an internal server. I changed the scheme from HTTP to HTTPS via a Jesred rule. The translation is working as expected without any issues and the client receives the requested packages.

In the next test case, I used a more modern upstream proxy server based von Squid 6.8 and enabled debugging.

The log shows the error SQUID_TLS_ERR_CONNECT+GNUTLS_E_FATAL_ALERT_RECEIVED. I am not sure, what I can do to prevent it from occurring:

2024/07/10 18:24:44.031 kid1| 5,2| TcpAcceptor.cc(214) doAccept: New connection on FD 12
2024/07/10 18:24:44.031 kid1| 5,2| TcpAcceptor.cc(316) acceptNext: connection on conn482169 local=[::]:3128 remote=[::] FD 12 flags=9
2024/07/10 18:24:44.031 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 16 HTTP Request
2024/07/10 18:24:44.031 kid1| 28,3| Eui48.cc(511) lookup: id=0x5651b3e6d558 10.2.59.181 NOT found
2024/07/10 18:24:44.031 kid1| 17,2| QosConfig.cc(162) getNfConnmark: QOS: Failed to retrieve connection mark: (-1) (2) No such file or directory (Destination 212.89.134.12:3128, source 10.2.59.181:59100)
2024/07/10 18:24:44.031 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1 timeout 300
2024/07/10 18:24:44.031 kid1| 5,3| IoCallback.cc(112) finish: called for conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1 (0, 0)
2024/07/10 18:24:44.031 kid1| 5,3| Read.cc(93) ReadNow: conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1, size 4096, retval 293, errno 0
2024/07/10 18:24:44.031 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1 timeout 300
2024/07/10 18:24:44.031 kid1| 33,3| Pipeline.cc(43) back: Pipeline 0x5651b328cb80 empty
2024/07/10 18:24:44.031 kid1| 11,2| client_side.cc(1332) parseHttpRequest: HTTP Client conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1
2024/07/10 18:24:44.031 kid1| 11,2| client_side.cc(1333) parseHttpRequest: HTTP Client REQUEST:
---------
GET https://download.docker.com/linux/ubuntu/dists/jammy/InRelease HTTP/1.1
Host: download.docker.com
Accept: text/*
User-Agent: Debian APT-HTTP/1.3 (2.4.12) non-interactive
Via: 1.1 pkg-proxy (squid/6.10)
X-Forwarded-For: 10.2.59.102
Cache-Control: max-age=0
Connection: keep-alive

----------
2024/07/10 18:24:44.031 kid1| 33,3| client_side.cc(1364) parseHttpRequest: complete request received. prefix_sz = 293, request-line-size=77, mime-header-size=216, mime header block:
Host: download.docker.com
Accept: text/*
User-Agent: Debian APT-HTTP/1.3 (2.4.12) non-interactive
Via: 1.1 pkg-proxy (squid/6.10)
X-Forwarded-For: 10.2.59.102
Cache-Control: max-age=0
Connection: keep-alive

----------
2024/07/10 18:24:44.031 kid1| 87,3| clientStream.cc(139) clientStreamInsertHead: clientStreamInsertHead: Inserted node 0x5651b6c14538 with data 0x5651b379ecb0 after head
2024/07/10 18:24:44.031 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1 timeout 86400
2024/07/10 18:24:44.031 kid1| 33,3| client_side.cc(1767) add: 0x5651b379dc40*3 to 0/0
2024/07/10 18:24:44.031 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x5651b328cb80 add request 1 0x5651b379dc40*4
2024/07/10 18:24:44.031 kid1| 23,3| Uri.cc(446) parse: Split URL 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease' into proto='https', host='download.docker.com', port='443', path='/linux/ubuntu/dists/jammy/InRelease'
2024/07/10 18:24:44.031 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/10 18:24:44.031 kid1| 33,3| client_side.cc(702) clientSetKeepaliveFlag: http_ver = HTTP/1.1
2024/07/10 18:24:44.031 kid1| 33,3| client_side.cc(703) clientSetKeepaliveFlag: method = GET
2024/07/10 18:24:44.031 kid1| 85,3| client_side_request.cc(123) ClientRequestContext: ClientRequestContext constructed, this=0x5651b667b8b8
2024/07/10 18:24:44.031 kid1| 83,3| client_side_request.cc(1709) doCallouts: Doing calloutContext->hostHeaderVerify()
2024/07/10 18:24:44.031 kid1| 85,3| client_side_request.cc(607) hostHeaderVerify: validate host=download.docker.com, port=0, portStr=NULL
2024/07/10 18:24:44.031 kid1| 85,3| client_side_request.cc(621) hostHeaderVerify: validate skipped.
2024/07/10 18:24:44.031 kid1| 83,3| client_side_request.cc(1716) doCallouts: Doing calloutContext->clientAccessCheck()
2024/07/10 18:24:44.031 kid1| 28,3| Checklist.cc(69) preCheck: 0x5651b56d0d38 checking slow rules
2024/07/10 18:24:44.032 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' found
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: follow_x_forwarded_for#1 = 1
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: follow_x_forwarded_for = 1
2024/07/10 18:24:44.032 kid1| 28,3| Checklist.cc(62) markFinished: 0x5651b56d0d38 answer DENIED for match
2024/07/10 18:24:44.032 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x5651b56d0d38 answer=DENIED
2024/07/10 18:24:44.032 kid1| 28,3| Checklist.cc(69) preCheck: 0x5651b5f334e8 checking slow rules
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: Safe_ports = 1
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: !Safe_ports = 0
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: http_access#1 = 0
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: CONNECT = 0
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: http_access#2 = 0
2024/07/10 18:24:44.032 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: localhost = 0
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: http_access#3 = 0
2024/07/10 18:24:44.032 kid1| 28,3| RegexData.cc(50) match: checking 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: manager = 0
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: http_access#4 = 0
2024/07/10 18:24:44.032 kid1| 14,3| ipcache.cc(733) ipcache_gethostbyname: 'download.docker.com', flags=1
2024/07/10 18:24:44.032 kid1| 14,3| ipcache.cc(314) ipcacheRelease: ipcacheRelease: Releasing entry for 'download.docker.com'
2024/07/10 18:24:44.032 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/10 18:24:44.032 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/10 18:24:44.032 kid1| 78,3| dns_internal.cc(1793) idnsALookup: idnsALookup: buf is 37 bytes for download.docker.com, id = 0xc228
2024/07/10 18:24:44.032 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to X.X.X.X:53 using FD 10 using Port 52871
2024/07/10 18:24:44.032 kid1| 78,3| dns_internal.cc(1729) idnsSendSlaveAAAAQuery: buf is 48 bytes for download.docker.com, id = 0x798c
2024/07/10 18:24:44.032 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to X.X.X.X:53 using FD 10 using Port 52871
2024/07/10 18:24:44.032 kid1| 28,3| DestinationIp.cc(78) match: can't yet compare 'to_localhost' ACL for download.docker.com
2024/07/10 18:24:44.032 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: to_localhost = -1 async
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: http_access#5 = -1 async
2024/07/10 18:24:44.032 kid1| 28,3| Acl.cc(175) matches: checked: http_access = -1 async
2024/07/10 18:24:44.048 kid1| 78,3| dns_internal.cc(1320) idnsRead: idnsRead: starting with FD 10
2024/07/10 18:24:44.049 kid1| 78,3| dns_internal.cc(1366) idnsRead: idnsRead: FD 10: received 144 bytes from X.X.X.X:53
2024/07/10 18:24:44.049 kid1| 78,3| dns_internal.cc(1173) idnsGrokReply: idnsGrokReply: QID 0xc228, 5 answers
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(481) ipcacheParse: 5 answers for download.docker.com
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #1 108.138.7.18
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #2 108.138.7.33
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #3 108.138.7.48
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #4 108.138.7.88
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(481) ipcacheParse: 5 answers for download.docker.com
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #1 108.138.7.18
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #2 108.138.7.33
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #3 108.138.7.48
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #4 108.138.7.88
2024/07/10 18:24:44.049 kid1| 78,3| dns_internal.cc(1320) idnsRead: idnsRead: starting with FD 10
2024/07/10 18:24:44.049 kid1| 78,3| dns_internal.cc(1366) idnsRead: idnsRead: FD 10: received 315 bytes from X.X.X.X:53
2024/07/10 18:24:44.049 kid1| 78,3| dns_internal.cc(1173) idnsGrokReply: idnsGrokReply: QID 0x798c, 9 answers
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(481) ipcacheParse: 9 answers for download.docker.com
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #5 [2600:9000:2490:2200:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #6 [2600:9000:2490:3600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #7 [2600:9000:2490:7000:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #8 [2600:9000:2490:d600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #9 [2600:9000:2490:5a00:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #10 [2600:9000:2490:6600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #11 [2600:9000:2490:b600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #12 [2600:9000:2490:aa00:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(587) ipcacheHandleReply: done with download.docker.com: 108.138.7.18 #1/12-0
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(481) ipcacheParse: 9 answers for download.docker.com
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #5 [2600:9000:2490:2200:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #6 [2600:9000:2490:3600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #7 [2600:9000:2490:7000:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #8 [2600:9000:2490:d600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #9 [2600:9000:2490:5a00:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #10 [2600:9000:2490:6600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #11 [2600:9000:2490:b600:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(536) addGood: download.docker.com #12 [2600:9000:2490:aa00:3:db06:4200:93a1]
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(587) ipcacheHandleReply: done with download.docker.com: 108.138.7.18 #1/12-0
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(314) ipcacheRelease: ipcacheRelease: Releasing entry for 'download.docker.com'
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(733) ipcache_gethostbyname: 'download.docker.com', flags=1
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.18' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.33' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.48' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.88' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:2200:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:3600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:7000:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:d600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:5a00:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:6600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:b600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:aa00:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: to_localhost = 0
2024/07/10 18:24:44.049 kid1| 28,3| InnerNode.cc(100) resumeMatchingAt: checked: http_access#5 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: PURGE = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#6 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: PURGE = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#7 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: localhost = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#8 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: nocnet = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#9 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: EXTERNAL_DEV_CLIENTS = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#10 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: CONNECT = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#11 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: CONNECT = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#12 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: GERMANIA_PROXY = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#13 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: GERMANIA_PROXY = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#14 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: GERMANIA_PROXY = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#15 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: GERMANIA_PROXY = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#16 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: GERMANIA_PROXY = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#17 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: Safe_ports = 1
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: !Safe_ports = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#18 = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: CONNECT = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#19 = 0
2024/07/10 18:24:44.049 kid1| 28,3| RegexData.cc(50) match: checking '/linux/ubuntu/dists/jammy/InRelease'
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: worm = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#20 = 0
2024/07/10 18:24:44.049 kid1| 14,3| ipcache.cc(733) ipcache_gethostbyname: 'download.docker.com', flags=1
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.18' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.33' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.48' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '108.138.7.88' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:2200:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:3600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:7000:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:d600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:5a00:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:6600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:b600:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[2600:9000:2490:aa00:3:db06:4200:93a1]' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: SEUCHEN_IPS = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#21 = 0
2024/07/10 18:24:44.049 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'download.docker.com'
2024/07/10 18:24:44.049 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'download.docker.com' NOT found
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: SEUCHEN_DOMAINS = 0
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: http_access#22 = 0
2024/07/10 18:24:44.049 kid1| 28,3| RegexData.cc(50) match: checking 'download.docker.com'
2024/07/10 18:24:44.049 kid1| 28,3| Acl.cc(175) matches: checked: SEUCHEN_DOMAINS_REGEX = 0
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: http_access#23 = 0
2024/07/10 18:24:44.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' NOT found
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: GERMANIA_PROXY = 0
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: http_access#24 = 0
2024/07/10 18:24:44.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' found
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: REPOSITORY-CLIENTS = 1
2024/07/10 18:24:44.050 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'download.docker.com'
2024/07/10 18:24:44.050 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'download.docker.com' found
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: REPOSITORY-ZIELE = 1
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: http_access#25 = 1
2024/07/10 18:24:44.050 kid1| 28,3| InnerNode.cc(100) resumeMatchingAt: checked: http_access = 1
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(62) markFinished: 0x5651b5f334e8 answer ALLOWED for match
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x5651b5f334e8 answer=ALLOWED
2024/07/10 18:24:44.050 kid1| 85,2| client_side_request.cc(715) clientAccessCheckDone: The request GET https://download.docker.com/linux/ubuntu/dists/jammy/InRelease is ALLOWED; last ACL checked: REPOSITORY-ZIELE
2024/07/10 18:24:44.050 kid1| 83,3| AccessCheck.cc(42) Start: adaptation off, skipping
2024/07/10 18:24:44.050 kid1| 83,3| client_side_request.cc(1744) doCallouts: Doing calloutContext->clientAccessCheck2()
2024/07/10 18:24:44.050 kid1| 85,2| client_side_request.cc(693) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2024/07/10 18:24:44.050 kid1| 85,2| client_side_request.cc(715) clientAccessCheckDone: The request GET https://download.docker.com/linux/ubuntu/dists/jammy/InRelease is ALLOWED; last ACL checked: REPOSITORY-ZIELE
2024/07/10 18:24:44.050 kid1| 83,3| client_side_request.cc(1762) doCallouts: Doing clientInterpretRequestHeaders()
2024/07/10 18:24:44.050 kid1| 85,3| client_side_request.cc(117) ~ClientRequestContext: ClientRequestContext destructed, this=0x5651b667b8b8
2024/07/10 18:24:44.050 kid1| 83,3| client_side_request.cc(1856) doCallouts: calling processRequest()
2024/07/10 18:24:44.050 kid1| 87,3| clientStream.cc(178) clientStreamRead: clientStreamRead: Calling 1 with cbdata 0x5651b379fd80 from node 0x5651b6c14538
2024/07/10 18:24:44.050 kid1| 73,3| HttpRequest.cc(742) storeId: sent back effectiveRequestUrl: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 20,3| Controller.cc(429) peek: D3522EE27FB0ED7004DD594AF7674667
2024/07/10 18:24:44.050 kid1| 85,3| client_side_reply.cc(1523) identifyFoundObject: StoreEntry is NULL -  MISS
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(731) storeCreatePureEntry: storeCreateEntry: 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/10 18:24:44.050 kid1| 20,3| MemObject.cc(99) MemObject: MemObject constructed, this=0x5651b3ae4fc0
2024/07/10 18:24:44.050 kid1| 88,3| MemObject.cc(82) setUris: 0x5651b3ae4fc0 storeId: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(435) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5651b365e210*1
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(537) setPrivateKey: 00 e:=V/0x5651b365e210*1
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(413) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=IV/0x5651b365e210*1 key '8349000000000000D107000001000000'
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(435) lock: store_client locked key 8349000000000000D107000001000000 e:=IV/0x5651b365e210*2
2024/07/10 18:24:44.050 kid1| 90,3| store_client.cc(243) copy: store_client::copy: 8349000000000000D107000001000000, from 0, for length 4096, cb 1, cbdata 0x5651b379ece8
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(435) lock: store_client::copy locked key 8349000000000000D107000001000000 e:=IV/0x5651b365e210*3
2024/07/10 18:24:44.050 kid1| 90,3| store_client.cc(343) storeClientCopy2: storeClientCopy2: 8349000000000000D107000001000000
2024/07/10 18:24:44.050 kid1| 90,3| store_client.cc(390) doCopy: store_client::doCopy: Waiting for more
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(458) unlock: store_client::copy unlocking key 8349000000000000D107000001000000 e:=IV/0x5651b365e210*3
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(69) preCheck: 0x7ffef6c09e30 checking fast rules
2024/07/10 18:24:44.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181:59100' found
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: miss_access#1 = 1
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: miss_access = 1
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(62) markFinished: 0x7ffef6c09e30 answer ALLOWED for match
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(373) Start: 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/10 18:24:44.050 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request conn482175 local=212.89.134.12:3128 remote=10.2.59.181:59100 FD 16 flags=1, url=https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(435) lock: FwdState locked key 8349000000000000D107000001000000 e:=IV/0x5651b365e210*3
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(140) FwdState: FwdState constructed, this=0x5651b695faf8
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(309) peerSelect: e:=IV/0x5651b365e210*3 https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(435) lock: peerSelect locked key 8349000000000000D107000001000000 e:=IV/0x5651b365e210*4
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(612) selectMore: GET download.docker.com
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(617) selectMore: direct = DIRECT_UNKNOWN (always_direct to be checked)
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(69) preCheck: 0x5651b56d0d38 checking slow rules
2024/07/10 18:24:44.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.181' found
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: always_direct#1 = 1
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: always_direct = 1
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(62) markFinished: 0x5651b56d0d38 answer ALLOWED for match
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x5651b56d0d38 answer=ALLOWED
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(373) checkAlwaysDirectDone: ALLOWED
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(379) checkAlwaysDirectDone: direct = DIRECT_YES (always_direct allow)
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(612) selectMore: GET download.docker.com
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(1102) addSelection: adding HIER_DIRECT#download.docker.com
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease' via download.docker.com
2024/07/10 18:24:44.050 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482176 local=0.0.0.0 remote=108.138.7.18:443 HIER_DIRECT flags=1, destination #1 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482176 local=0.0.0.0 remote=108.138.7.18:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(1124) connectStart: 1+ paths to https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482177 local=0.0.0.0 remote=108.138.7.33:443 HIER_DIRECT flags=1, destination #2 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482177 local=0.0.0.0 remote=108.138.7.33:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482178 local=0.0.0.0 remote=108.138.7.48:443 HIER_DIRECT flags=1, destination #3 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482178 local=0.0.0.0 remote=108.138.7.48:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482179 local=0.0.0.0 remote=108.138.7.88:443 HIER_DIRECT flags=1, destination #4 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482179 local=0.0.0.0 remote=108.138.7.88:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482180 local=[::] remote=[2600:9000:2490:2200:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #5 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482180 local=[::] remote=[2600:9000:2490:2200:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482181 local=[::] remote=[2600:9000:2490:3600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #6 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482181 local=[::] remote=[2600:9000:2490:3600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482182 local=[::] remote=[2600:9000:2490:7000:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #7 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482182 local=[::] remote=[2600:9000:2490:7000:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482183 local=[::] remote=[2600:9000:2490:d600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #8 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482183 local=[::] remote=[2600:9000:2490:d600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482184 local=[::] remote=[2600:9000:2490:5a00:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #9 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482184 local=[::] remote=[2600:9000:2490:5a00:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482185 local=[::] remote=[2600:9000:2490:6600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #10 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482185 local=[::] remote=[2600:9000:2490:6600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482186 local=[::] remote=[2600:9000:2490:b600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #11 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482186 local=[::] remote=[2600:9000:2490:b600:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector64364 found conn482187 local=[::] remote=[2600:9000:2490:aa00:3:db06:4200:93a1]:443 HIER_DIRECT flags=1, destination #12 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1180) handlePath:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1181) handlePath:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(1182) handlePath:        timedout = 0
2024/07/10 18:24:44.050 kid1| 17,3| FwdState.cc(610) noteDestination: conn482187 local=[::] remote=[2600:9000:2490:aa00:3:db06:4200:93a1]:443 HIER_DIRECT flags=1
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector64364 found all 12 destinations for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(480) resolveSelected:   always_direct = ALLOWED
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(481) resolveSelected:    never_direct = DUNNO
2024/07/10 18:24:44.050 kid1| 44,2| peer_select.cc(482) resolveSelected:        timedout = 0
2024/07/10 18:24:44.050 kid1| 44,3| peer_select.cc(241) ~PeerSelector: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.050 kid1| 20,3| store.cc(458) unlock: peerSelect unlocking key 8349000000000000D107000001000000 e:=p2IV/0x5651b365e210*4
2024/07/10 18:24:44.050 kid1| 48,3| pconn.cc(474) popStored: lookup for key {108.138.7.18:443/download.docker.com} failed.
2024/07/10 18:24:44.050 kid1| 28,3| Checklist.cc(69) preCheck: 0x7ffef6c0a460 checking fast ACLs
2024/07/10 18:24:44.050 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'download.docker.com'
2024/07/10 18:24:44.050 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'download.docker.com' NOT found
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: SKIP_PALO_DOMAINS_FAST = 0
2024/07/10 18:24:44.050 kid1| 28,3| Acl.cc(175) matches: checked: !SKIP_PALO_DOMAINS_FAST = 1
2024/07/10 18:24:44.051 kid1| 28,3| Acl.cc(175) matches: checked: (tcp_outgoing_mark 0x14 line) = 1
2024/07/10 18:24:44.051 kid1| 28,3| Acl.cc(175) matches: checked: tcp_outgoing_mark 0x14 = 1
2024/07/10 18:24:44.051 kid1| 28,3| Checklist.cc(62) markFinished: 0x7ffef6c0a460 answer ALLOWED for match
2024/07/10 18:24:44.051 kid1| 17,3| FwdState.cc(1568) GetMarkingsToServer: from 0.0.0.0 tos 0 netfilter mark 20
2024/07/10 18:24:44.051 kid1| 5,3| ConnOpener.cc(42) ConnOpener: will connect to conn482189 local=0.0.0.0 remote=108.138.7.18:443 HIER_DIRECT flags=1 with 60 timeout
2024/07/10 18:24:44.051 kid1| 50,3| comm.cc(378) comm_openex: comm_openex: Attempt open socket for: 0.0.0.0
2024/07/10 18:24:44.051 kid1| 50,3| comm.cc(420) comm_openex: comm_openex: Opened socket conn482190 local=0.0.0.0 remote=[::] FD 19 flags=1 : family=2, type=1, protocol=6
2024/07/10 18:24:44.051 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 19 download.docker.com
2024/07/10 18:24:44.051 kid1| 50,3| QosConfig.cc(581) setSockNfmark: for FD 19 to 20
2024/07/10 18:24:44.051 kid1| 5,3| ConnOpener.cc(312) createFd: conn482189 local=0.0.0.0 remote=108.138.7.18:443 HIER_DIRECT flags=1 will timeout in 60
2024/07/10 18:24:44.058 kid1| 83,2| Io.cc(161) Handshake: handshake IN: Unknown Handshake packet
2024/07/10 18:24:44.058 kid1| 83,2| Io.cc(163) Handshake: handshake OUT: CLIENT HELLO
2024/07/10 18:24:44.058 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn482189 local=X.X.X.X:36718 remote=108.138.7.18:443 HIER_DIRECT FD 19 flags=1 timeout 60
2024/07/10 18:24:44.064 kid1| 83,2| Io.cc(161) Handshake: handshake IN: Unknown Handshake packet
2024/07/10 18:24:44.064 kid1| 83,2| Io.cc(163) Handshake: handshake OUT: CLIENT HELLO
2024/07/10 18:24:44.064 kid1| 83,2| PeerConnector.cc(279) handleNegotiationResult: ERROR: Cannot establish a TLS connection to conn482189 local=X.X.X.X:36718 remote=108.138.7.18:443 HIER_DIRECT FD 19 flags=1:
    problem: failure
    detail: SQUID_TLS_ERR_CONNECT+GNUTLS_E_FATAL_ALERT_RECEIVED
2024/07/10 18:24:44.064 kid1| 5,3| comm.cc(625) commUnsetConnTimeout: Remove timeout for conn482189 local=X.X.X.X:36718 remote=108.138.7.18:443 HIER_DIRECT FD 19 flags=1
2024/07/10 18:24:44.064 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn482189 local=X.X.X.X:36718 remote=108.138.7.18:443 HIER_DIRECT FD 19 flags=1 timeout -1
2024/07/10 18:24:44.064 kid1| 5,3| comm.cc(850) _comm_close: start closing FD 19 by Connection.cc:108
2024/07/10 18:24:44.064 kid1| 5,3| comm.cc(586) commUnsetFdTimeout: Remove timeout for FD 19
2024/07/10 18:24:44.064 kid1| 83,3| Session.cc(36) tls_read_method: started for session=0x5651b404d2c0
2024/07/10 18:24:44.064 kid1| 51,3| fd.cc(93) fd_close: fd_close FD 19 server https start
2024/07/10 18:24:44.064 kid1| 17,3| FwdState.cc(471) fail: ERR_SECURE_CONNECT_FAIL "Service Unavailable"
	https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/10 18:24:44.064 kid1| 17,3| FwdState.cc(781) retryOrBail: re-forwarding (1 tries, 0 secs)

>-----Ursprüngliche Nachricht-----
>Von: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
>Gesendet: Mittwoch, 10. Juli 2024 14:50
>An: squid-users@xxxxxxxxxxxxxxxxxxxxx
>Cc: Fiehe, Christoph <c.fiehe@xxxxxxxxxxx>
>Betreff: Re:  Rewriting HTTP to HTTPS for generic package proxy
>
>On 2024-07-09 18:25, Fiehe, Christoph wrote:
>
>> I hope that somebody has an idea, what I am doing wrong.
>
>AFAICT from the debugging log, it is your parent proxy that returns an
>ERR_SECURE_CONNECT_FAIL error page in response to a seemingly valid
>"HEAD https://..."; request. Can you ask their admin to investigate? You
>may also recommend that they upgrade from Squid v4 that has many known
>security vulnerabiities.
>
>If parent is uncooperative, you can try to reproduce the problem by
>temporary installing your own parent Squid instance and configuring your
>child Squid to use that instead.
>
>HTH,
>
>Alex.
>P.S. Unlike Amos, I do not see serious conceptual problems with
>rewriting request target scheme (as a temporary compatibility measure).
>It may not always work, for various reasons, but it does not necessarily
>make things worse (and may make things better).
>
>
>
>
>I try to build a generic package proxy with Squid and need the feature
>to rewrite (not redirect) a HTTP request to a package repository
>transparently to a HTTPS-based package source. I was able to get Jesred
>working and defined the following rewrite rule:
>>
>> regex ^http:\/\/download\.docker\.com(.*)$ https://download.docker.com\1
>>
>> I had to use a parent upstream proxy. In my test case the rule gets applied
>successfully:
>>
>> 1720558404.106 10.2.59.102/molecule-ubuntu-jammy.lx.mycompany.de
>http://download.docker.com/linux/ubuntu/dists/jammy/InRelease[http://download.docker.com/l
>inux/ubuntu/dists/jammy/InRelease]
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease 2
>>
>> I have validated that the returned URL is correct and that the resource is accessible
>via my upstream proxy.
>>
>> But at the very end, the client receives a 503 error code. I have set "debug_options
>ALL,3" and this gives the log:
>>
>> [...]
>> 2024/07/09 23:35:40.115 kid1| 11,2| client_side.cc(1333) parseHttpRequest: HTTP Client
>REQUEST:
>> ---------
>> HEAD
>http://download.docker.com/linux/ubuntu/dists/jammy/InRelease[http://download.docker.com/l
>inux/ubuntu/dists/jammy/InRelease] HTTP/1.1
>> Host: download.docker.com
>> User-Agent: curl/7.81.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
>>
>> ----------
>> 2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(1364) parseHttpRequest: complete
>request received. prefix_sz = 174, request-line-size=77, mime-header-size=97, mime header
>block:
>> Host: download.docker.com
>> User-Agent: curl/7.81.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
>>
>> ----------
>> 2024/07/09 23:35:40.115 kid1| 87,3| clientStream.cc(139) clientStreamInsertHead:
>clientStreamInsertHead: Inserted node 0x5c3ba4154308 with data 0x5c3ba4152950 after head
>> 2024/07/09 23:35:40.115 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn9
>local=10.2.59.103:8000 remote=10.2.59.102:56466 FD 15 flags=1 timeout 86400
>> 2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(1767) add: 0x5c3ba41518e0*3 to 0/0
>> 2024/07/09 23:35:40.115 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x5c3ba41501f0 add
>request 1 0x5c3ba41518e0*4
>> 2024/07/09 23:35:40.115 kid1| 23,3| Uri.cc(446) parse: Split URL
>'http://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[http://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease'] into proto='http', host='download.docker.com',
>port='80', path='/linux/ubuntu/dists/jammy/InRelease'
>> 2024/07/09 23:35:40.115 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP
>'download.docker.com': Name or service not known
>> 2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(702) clientSetKeepaliveFlag: http_ver
>= HTTP/1.1
>> 2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(703) clientSetKeepaliveFlag: method =
>HEAD
>> 2024/07/09 23:35:40.115 kid1| 85,3| client_side_request.cc(122) ClientRequestContext:
>ClientRequestContext constructed, this=0x5c3ba4154e78
>> 2024/07/09 23:35:40.115 kid1| 83,3| client_side_request.cc(1708) doCallouts: Doing
>calloutContext->hostHeaderVerify()
>> 2024/07/09 23:35:40.115 kid1| 85,3| client_side_request.cc(606) hostHeaderVerify:
>validate host=download.docker.com, port=0, portStr=NULL
>> 2024/07/09 23:35:40.115 kid1| 85,3| client_side_request.cc(620) hostHeaderVerify:
>validate skipped.
>> 2024/07/09 23:35:40.115 kid1| 83,3| client_side_request.cc(1715) doCallouts: Doing
>calloutContext->clientAccessCheck()
>> 2024/07/09 23:35:40.115 kid1| 28,3| Checklist.cc(69) preCheck: 0x5c3ba41552d8 checking
>slow rules
>> 2024/07/09 23:35:40.115 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.102:56466'
>found
>> 2024/07/09 23:35:40.115 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
>> 2024/07/09 23:35:40.115 kid1| 28,3| Acl.cc(175) matches: checked: http_access#1 = 1
>> 2024/07/09 23:35:40.115 kid1| 28,3| Acl.cc(175) matches: checked: http_access = 1
>> 2024/07/09 23:35:40.115 kid1| 28,3| Checklist.cc(62) markFinished: 0x5c3ba41552d8 answer
>ALLOWED for match
>> 2024/07/09 23:35:40.115 kid1| 28,3| Checklist.cc(162) checkCallback:
>ACLChecklist::checkCallback: 0x5c3ba41552d8 answer=ALLOWED
>> 2024/07/09 23:35:40.115 kid1| 85,2| client_side_request.cc(714) clientAccessCheckDone:
>The request HEAD
>http://download.docker.com/linux/ubuntu/dists/jammy/InRelease[http://download.docker.com/l
>inux/ubuntu/dists/jammy/InRelease] is ALLOWED; last ACL checked: all
>> 2024/07/09 23:35:40.115 kid1| 83,3| AccessCheck.cc(42) Start: adaptation off, skipping
>> 2024/07/09 23:35:40.115 kid1| 83,3| client_side_request.cc(1735) doCallouts: Doing
>calloutContext->clientRedirectStart()
>> 2024/07/09 23:35:40.115 kid1| 78,3| dns_internal.cc(1836) idnsPTRLookup: idnsPTRLookup:
>buf is 42 bytes for 10.2.59.102, id = 0x8d95
>> 2024/07/09 23:35:40.115 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto:
>Attempt to send UDP packet to 127.0.0.53:53 using FD 11 using Port 54280
>> 2024/07/09 23:35:40 kid1| Starting new redirector helpers...
>> current master transaction: master54
>> 2024/07/09 23:35:40 kid1| helperOpenServers: Starting 1/3 'jesred' processes
>> current master transaction: master54
>> 2024/07/09 23:35:40.115 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 17 IPC UNIX STREAM
>Parent
>> 2024/07/09 23:35:40.115 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 19 IPC UNIX STREAM
>Parent
>> 2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(212) ipcCreate: ipcCreate: prfd FD 17
>> 2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(213) ipcCreate: ipcCreate: pwfd FD 17
>> 2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(214) ipcCreate: ipcCreate: crfd FD 19
>> 2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(215) ipcCreate: ipcCreate: cwfd FD 19
>> 2024/07/09 23:35:40.116 kid1| 5,3| comm.cc(850) _comm_close: start closing FD 19 by
>ipc.cc:271
>> 2024/07/09 23:35:40.116 kid1| 5,3| comm.cc(586) commUnsetFdTimeout: Remove timeout for
>FD 19
>> 2024/07/09 23:35:40.116 kid1| 21,3| tools.cc(561) leave_suid: leave_suid: PID 503746
>called
>> 2024/07/09 23:35:40.116 kid1| 21,3| tools.cc(651) no_suid: no_suid: PID 503746 giving up
>root privileges forever
>> 2024/07/09 23:35:40.116 kid1| 5,3| comm.cc(586) commUnsetFdTimeout: Remove timeout for
>FD 17
>> 2024/07/09 23:35:40.117 kid1| 84,3| helper.cc(1310) GetFirstAvailable:
>GetFirstAvailable: Least-loaded helper is fully loaded!
>> 2024/07/09 23:35:40.117 kid1| 51,3| fd.cc(93) fd_close: fd_close FD 19 IPC UNIX STREAM
>Parent
>> 2024/07/09 23:35:40.117 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: starting
>with FD 11
>> 2024/07/09 23:35:40.117 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: FD 11:
>received 92 bytes from 127.0.0.53:53
>> 2024/07/09 23:35:40.117 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: idnsGrokReply:
>QID 0x8d95, 1 answers
>> 2024/07/09 23:35:40.117 kid1| 35,3| fqdncache.cc(336) fqdncacheParse: fqdncacheParse: 1
>answers for '10.2.59.102'
>> 2024/07/09 23:35:40.117 kid1| 5,3| IoCallback.cc(112) finish: called for conn11
>local=[::] remote=[::] FD 17 flags=1 (0, 0)
>> 2024/07/09 23:35:40.125 kid1| 5,3| Read.cc(148) HandleRead: FD 17, size 32767, retval
>80, errno 0
>> 2024/07/09 23:35:40.125 kid1| 5,3| IoCallback.cc(112) finish: called for conn10
>local=[::] remote=[::] FD 17 flags=1 (0, 0)
>> 2024/07/09 23:35:40.125 kid1| 84,3| helper.cc(1022) helperHandleRead: helperHandleRead:
>end of reply found
>> 2024/07/09 23:35:40.125 kid1| 84,3| Reply.cc(41) finalize: Parsing helper buffer
>> 2024/07/09 23:35:40.125 kid1| 84,3| Reply.cc(59) finalize: Buff length is larger than 2
>> 2024/07/09 23:35:40.125 kid1| 84,3| Reply.cc(63) finalize: helper Result = OK
>> 2024/07/09 23:35:40.125 kid1| 23,3| Uri.cc(446) parse: Split URL
>'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[https://download.docker.c
>om/linux/ubuntu/dists/jammy/InRelease'] into proto='https', host='download.docker.com',
>port='443', path='/linux/ubuntu/dists/jammy/InRelease'
>> 2024/07/09 23:35:40.125 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP
>'download.docker.com': Name or service not known
>> 2024/07/09 23:35:40.125 kid1| 61,2| client_side_request.cc(1235) clientRedirectDone:
>URL-rewriter diverts URL from
>http://download.docker.com/linux/ubuntu/dists/jammy/InRelease[http://download.docker.com/l
>inux/ubuntu/dists/jammy/InRelease] to
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.125 kid1| 83,3| client_side_request.cc(1743) doCallouts: Doing
>calloutContext->clientAccessCheck2()
>> 2024/07/09 23:35:40.125 kid1| 85,2| client_side_request.cc(692) clientAccessCheck2: No
>adapted_http_access configuration. default: ALLOW
>> 2024/07/09 23:35:40.125 kid1| 85,2| client_side_request.cc(714) clientAccessCheckDone:
>The request HEAD
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease] is ALLOWED; last ACL checked: all
>> 2024/07/09 23:35:40.126 kid1| 83,3| client_side_request.cc(1761) doCallouts: Doing
>clientInterpretRequestHeaders()
>> 2024/07/09 23:35:40.126 kid1| 83,3| client_side_request.cc(1770) doCallouts: Doing
>calloutContext->checkNoCache()
>> 2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(69) preCheck: 0x5c3ba41552d8 checking
>slow rules
>> 2024/07/09 23:35:40.126 kid1| 28,3| RegexData.cc(50) match: checking
>'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[https://download.docker.c
>om/linux/ubuntu/dists/jammy/InRelease']
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: no_cache = 0
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: cache#1 = 0
>> 2024/07/09 23:35:40.126 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.102:56466'
>found
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: cache#2 = 1
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: cache = 1
>> 2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(62) markFinished: 0x5c3ba41552d8 answer
>ALLOWED for match
>> 2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(162) checkCallback:
>ACLChecklist::checkCallback: 0x5c3ba41552d8 answer=ALLOWED
>> 2024/07/09 23:35:40.126 kid1| 85,3| client_side_request.cc(116) ~ClientRequestContext:
>ClientRequestContext destructed, this=0x5c3ba4154e78
>> 2024/07/09 23:35:40.126 kid1| 83,3| client_side_request.cc(1855) doCallouts: calling
>processRequest()
>> 2024/07/09 23:35:40.126 kid1| 87,3| clientStream.cc(178) clientStreamRead:
>clientStreamRead: Calling 1 with cbdata 0x5c3ba4153e70 from node 0x5c3ba4154308
>> 2024/07/09 23:35:40.126 kid1| 73,3| HttpRequest.cc(742) storeId: sent back
>effectiveRequestUrl:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 20,3| Controller.cc(429) peek:
>DE850794EBC405A27A7718F51795E32A
>> 2024/07/09 23:35:40.126 kid1| 73,3| HttpRequest.cc(742) storeId: sent back
>effectiveRequestUrl:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 20,3| Controller.cc(429) peek:
>D3522EE27FB0ED7004DD594AF7674667
>> 2024/07/09 23:35:40.126 kid1| 85,3| client_side_reply.cc(1523) identifyFoundObject:
>StoreEntry is NULL - MISS
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(730) storeCreatePureEntry:
>storeCreateEntry:
>'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[https://download.docker.c
>om/linux/ubuntu/dists/jammy/InRelease']
>> 2024/07/09 23:35:40.126 kid1| 20,3| MemObject.cc(99) MemObject: MemObject constructed,
>this=0x5c3ba416ef10
>> 2024/07/09 23:35:40.126 kid1| 88,3| MemObject.cc(82) setUris: 0x5c3ba416ef10 storeId:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: storeCreateEntry locked key
>[null_store_key] e:=V/0x5c3ba416ee90*1
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(536) setPrivateKey: 00
>e:=V/0x5c3ba416ee90*1
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(412) hashInsert: StoreEntry::hashInsert:
>Inserting Entry e:=IV/0x5c3ba416ee90*1 key '020000000000000061AF070001000000'
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: store_client locked key
>020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*2
>> 2024/07/09 23:35:40.126 kid1| 90,3| store_client.cc(243) copy: store_client::copy:
>020000000000000061AF070001000000, from 0, for length 4096, cb 1, cbdata 0x5c3ba4152dd8
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: store_client::copy locked key
>020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*3
>> 2024/07/09 23:35:40.126 kid1| 90,3| store_client.cc(343) storeClientCopy2:
>storeClientCopy2: 020000000000000061AF070001000000
>> 2024/07/09 23:35:40.126 kid1| 90,3| store_client.cc(390) doCopy: store_client::doCopy:
>Waiting for more
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(457) unlock: store_client::copy unlocking
>key 020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*3
>> 2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(373) Start:
>'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[https://download.docker.c
>om/linux/ubuntu/dists/jammy/InRelease']
>> 2024/07/09 23:35:40.126 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request
>conn9 local=10.2.59.103:8000 remote=10.2.59.102:56466 FD 15 flags=1,
>url=https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker
>.com/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: FwdState locked key
>020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*3
>> 2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(140) FwdState: FwdState constructed,
>this=0x5c3ba416fa18
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(309) peerSelect:
>e:=IV/0x5c3ba416ee90*3
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: peerSelect locked key
>020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*4
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(612) selectMore: HEAD
>download.docker.com
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(626) selectMore: direct =
>DIRECT_UNKNOWN (never_direct to be checked)
>> 2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(69) preCheck: 0x5c3ba4170638 checking
>slow rules
>> 2024/07/09 23:35:40.126 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.102:56466'
>found
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: never_direct#1 = 1
>> 2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: never_direct = 1
>> 2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(62) markFinished: 0x5c3ba4170638 answer
>ALLOWED for match
>> 2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(162) checkCallback:
>ACLChecklist::checkCallback: 0x5c3ba4170638 answer=ALLOWED
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(345) checkNeverDirectDone: ALLOWED
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(351) checkNeverDirectDone: direct =
>DIRECT_NO (never_direct allow)
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(612) selectMore: HEAD
>download.docker.com
>> 2024/07/09 23:35:40.126 kid1| 14,3| ipcache.cc(732) ipcache_gethostbyname:
>ipcache_gethostbyname: 'download.docker.com', flags=0
>> 2024/07/09 23:35:40.126 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP
>'download.docker.com': Name or service not known
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(286) peerSelectIcpPing:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(283) neighborsCount: neighborsCount: 0
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(297) peerSelectIcpPing: counted 0
>neighbors
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(833) selectSomeParent: HEAD
>download.docker.com
>> 2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(350) getRoundRobinParent: returning
>[nil]
>> 2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(403) getWeightedRoundRobinParent:
>returning [nil]
>> 2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(309) getFirstUpParent: returning
>212.89.128.96
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(1102) addSelection: adding
>FIRSTUP_PARENT/212.89.128.96
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(1095) addSelection: skipping
>ANY_OLD_PARENT/212.89.128.96; have FIRSTUP_PARENT/212.89.128.96
>> 2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(493) getDefaultParent: returning
>212.89.128.96
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(1095) addSelection: skipping
>DEFAULT_PARENT/212.89.128.96; have FIRSTUP_PARENT/212.89.128.96
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP
>destination for:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[https://download.docker.co
>m/linux/ubuntu/dists/jammy/InRelease'] via 212.89.128.96
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector1 found
>conn12 local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1, destination #1 for
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1180) handlePath: always_direct =
>DENIED
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1181) handlePath: never_direct =
>ALLOWED
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1182) handlePath: timedout = 0
>> 2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(610) noteDestination: conn12
>local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1
>> 2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(1124) connectStart: 1+ paths to
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector1
>found all 1 destinations for
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct =
>DENIED
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct =
>ALLOWED
>> 2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
>> 2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(241) ~PeerSelector:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.126 kid1| 20,3| store.cc(457) unlock: peerSelect unlocking key
>020000000000000061AF070001000000 e:=p2IV/0x5c3ba416ee90*4
>> 2024/07/09 23:35:40.126 kid1| 48,3| pconn.cc(474) popStored: lookup for key
>{212.89.128.96:3128} failed.
>> 2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(1568) GetMarkingsToServer: from 0.0.0.0
>tos 0 netfilter mark 0
>> 2024/07/09 23:35:40.126 kid1| 5,3| ConnOpener.cc(42) ConnOpener: will connect to conn14
>local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1 with 30 timeout
>> 2024/07/09 23:35:40.126 kid1| 50,3| comm.cc(378) comm_openex: comm_openex: Attempt open
>socket for: 0.0.0.0
>> 2024/07/09 23:35:40.126 kid1| 50,3| comm.cc(420) comm_openex: comm_openex: Opened socket
>conn15 local=0.0.0.0 remote=[::] FD 19 flags=1 : family=2, type=1, protocol=6
>> 2024/07/09 23:35:40.126 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 19
>> 2024/07/09 23:35:40.126 kid1| 5,3| ConnOpener.cc(312) createFd: conn14 local=0.0.0.0
>remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1 will timeout in 30
>> 2024/07/09 23:35:40.127 kid1| 17,3| FwdState.cc(1197) dispatch: conn9
>local=10.2.59.103:8000 remote=10.2.59.102:56466 FD 15 flags=1: Fetching HEAD
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.127 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP
>'download.docker.com': Name or service not known
>> 2024/07/09 23:35:40.127 kid1| 78,3| dns_internal.cc(1793) idnsALookup: idnsALookup: buf
>is 37 bytes for download.docker.com, id = 0xe779
>> 2024/07/09 23:35:40.127 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto:
>Attempt to send UDP packet to 127.0.0.53:53 using FD 11 using Port 54280
>> 2024/07/09 23:35:40.127 kid1| 78,3| dns_internal.cc(1729) idnsSendSlaveAAAAQuery: buf is
>37 bytes for download.docker.com, id = 0x8aee
>> 2024/07/09 23:35:40.127 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto:
>Attempt to send UDP packet to 127.0.0.53:53 using FD 11 using Port 54280
>> 2024/07/09 23:35:40.127 kid1| 11,3| http.cc(2516) httpStart: HEAD
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.127 kid1| 20,3| store.cc(434) lock: Client locked key
>020000000000000061AF070001000000 e:=p2IV/0x5c3ba416ee90*4
>> 2024/07/09 23:35:40.127 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn14
>local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 timeout
>86400
>> 2024/07/09 23:35:40.127 kid1| 22,3| refresh.cc(636) getMaxAge: getMaxAge:
>'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'[https://download.docker.c
>om/linux/ubuntu/dists/jammy/InRelease']
>> 2024/07/09 23:35:40.127 kid1| 11,2| http.cc(2472) sendRequest: HTTP Server conn14
>local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1
>> 2024/07/09 23:35:40.127 kid1| 11,2| http.cc(2473) sendRequest: HTTP Server REQUEST:
>> ---------
>> HEAD
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease] HTTP/1.1
>> Host: download.docker.com
>> User-Agent: curl/7.81.0
>> Accept: */*
>> Via: 1.1 pkg-proxy (squid/6.6)
>> X-Forwarded-For: 10.2.59.102
>> Cache-Control: max-age=0
>> Connection: keep-alive
>>
>>
>> ----------
>> 2024/07/09 23:35:40.127 kid1| 5,3| IoCallback.cc(112) finish: called for conn14
>local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 (0, 0)
>> 2024/07/09 23:35:40.127 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn14
>local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 timeout 900
>> 2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: starting
>with FD 11
>> 2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: FD 11:
>received 304 bytes from 127.0.0.53:53
>> 2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: idnsGrokReply:
>QID 0x8aee, 9 answers
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(480) ipcacheParse: 9 answers for
>download.docker.com
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #1
>[2600:9000:2490:6c00:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #2
>[2600:9000:2490:a600:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #3
>[2600:9000:2490:9c00:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #4
>[2600:9000:2490:6000:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #5
>[2600:9000:2490:c00:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #6
>[2600:9000:2490:5200:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #7
>[2600:9000:2490:9a00:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #8
>[2600:9000:2490:2c00:3:db06:4200:93a1]
>> 2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: starting
>with FD 11
>> 2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: FD 11:
>received 144 bytes from 127.0.0.53:53
>> 2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: idnsGrokReply:
>QID 0xe779, 5 answers
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(480) ipcacheParse: 5 answers for
>download.docker.com
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #9
>108.138.7.33
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #10
>108.138.7.18
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #11
>108.138.7.88
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #12
>108.138.7.48
>> 2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(586) ipcacheHandleReply: done with
>download.docker.com: [2600:9000:2490:6c00:3:db06:4200:93a1] #1/12-0
>> 2024/07/09 23:35:40.137 kid1| 38,3| net_db.cc(337) netdbSendPing: netdbSendPing: pinging
>download.docker.com
>> 2024/07/09 23:35:40.137 kid1| 37,2| IcmpSquid.cc(88) SendEcho: to
>[2600:9000:2490:6c00:3:db06:4200:93a1], opcode 3, len 19
>> 2024/07/09 23:35:40.137 pinger| 42,2| IcmpPinger.cc(198) Recv: Pass
>[2600:9000:2490:6c00:3:db06:4200:93a1] off to ICMPv6 module.
>> 2024/07/09 23:35:40 pinger| SendEcho ERROR: sending to ICMPv6 packet to
>[2600:9000:2490:6c00:3:db06:4200:93a1]: (101) Network is unreachable
>> 2024/07/09 23:35:40.138 pinger| 42,2| Icmp.cc(90) Log: pingerLog: 1720560940.138021
>[2600:9000:2490:6c00:3:db06:4200:93a1] 0
>> 2024/07/09 23:35:40.323 kid1| 5,3| IoCallback.cc(112) finish: called for conn14
>local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 (0, 0)
>> 2024/07/09 23:35:40.324 kid1| 5,3| Read.cc(93) ReadNow: conn14 local=10.2.59.103:39370
>remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1, size 65536, retval 348, errno 0
>> 2024/07/09 23:35:40.324 kid1| 11,3| http.cc(649) processReplyHeader: processReplyHeader:
>key '020000000000000061AF070001000000'
>> 2024/07/09 23:35:40.324 kid1| 11,2| http.cc(696) processReplyHeader: HTTP Server conn14
>local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1
>> 2024/07/09 23:35:40.324 kid1| 11,2| http.cc(697) processReplyHeader: HTTP Server
>RESPONSE:
>> ---------
>> HTTP/1.1 503 Service Unavailable
>> Server: squid/4.10
>> Mime-Version: 1.0
>> Date: Tue, 09 Jul 2024 21:35:40 GMT
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 3879
>> X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
>> X-Cache: MISS from proxy-srv2
>> X-Cache-Lookup: MISS from proxy-srv2:3128
>> Via: 1.1 proxy-srv2 (squid/4.10)
>> Connection: keep-alive
>>
>> ----------
>> 2024/07/09 23:35:40.324 kid1| 83,3| AccessCheck.cc(42) Start: adaptation off, skipping
>> 2024/07/09 23:35:40.324 kid1| 20,3| store.cc(1693) replaceHttpReply:
>StoreEntry::replaceHttpReply:
>https://download.docker.com/linux/ubuntu/dists/jammy/InRelease[https://download.docker.com
>/linux/ubuntu/dists/jammy/InRelease]
>> 2024/07/09 23:35:40.324 kid1| 11,3| http.cc(949) haveParsedReplyHeaders: HTTP CODE: 503
>>
>> Has anybody an idea what I can do to solve the issue?
>>
>> This is my configuration borrowed from squid-deb-proxy:
>>
>> # this file contains private networks (10.0.0.0/8, 172.16.0.0/12,
>> # 192.168.0.0/16) by default, you can add/remove additional allowed
>> # source networks in it to customize it for your setup
>> acl src_networks src "/etc/squid/acl/src-networks.acl"
>>
>> # this file contains the archive mirrors by default,
>> # if you use a different mirror, add it there
>> acl to_archive_mirrors dstdomain "/etc/squid/acl/archive-mirrors.acl"
>>
>> # Disable Cache for defined domains
>> acl no_cache url_regex "/etc/squid/acl/no-cache.acl"
>>
>> # this contains the package blacklist
>> acl blockedpkgs urlpath_regex "/etc/squid/pkg-blacklist-regexp.acl"
>>
>> # default to a different port than stock squid
>> http_port 8000
>>
>> # -------------------------------------------------
>> # settings below probably do not need customization
>>
>> # user visible name
>> visible_hostname pkg-proxy
>>
>> # we need a big cache, some debs are huge
>> maximum_object_size 512 MB
>>
>> # use a different dir than stock squid and default to 40G
>> cache_dir aufs /var/cache/squid 40000 16 256
>>
>> cache_peer 212.89.128.96 parent 3128 0 no-query default
>> never_direct allow all
>>
>> # use different logs
>> cache_access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>> cache_store_log /var/log/squid/store.log
>>
>> # tweaks to speed things up
>> cache_mem 200 MB
>> maximum_object_size_in_memory 10240 KB
>>
>> # pid
>> pid_filename /var/run/squid.pid
>>
>> # refresh pattern for debs and udebs
>> refresh_pattern deb$ 129600 100% 129600
>> refresh_pattern udeb$ 129600 100% 129600
>> refresh_pattern tar.gz$ 129600 100% 129600
>> refresh_pattern tar.xz$ 129600 100% 129600
>> refresh_pattern tar.bz2$ 129600 100% 129600
>>
>> # always refresh Packages and Release files
>> refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
>> refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
>> refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
>> refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
>>
>> # handle meta-release and changelogs.ubuntu.com special
>> # (fine to have this on debian too)
>> refresh_pattern changelogs.ubuntu.com\/.* 0 1% 1
>>
>> # only allow connects to ports for http, https
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80
>> acl Safe_ports port 443 563
>>
>> # only allow ports we trust
>> http_access deny !Safe_ports
>>
>> # do not allow to download from the pkg blacklist
>> http_access deny blockedpkgs
>>
>> # allow access only to official archive mirrors
>> # uncomment the third and fouth line to permit any unlisted domain
>> http_access deny !to_archive_mirrors
>>
>> # allow access from our network and localhost
>> http_access allow src_networks
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # don't cache domains not listed in the mirrors file
>> # uncomment the third and fourth line to cache any unlisted domains
>> cache deny no_cache
>>
>> # And finally cache everything else
>> cache allow all
>>
>> url_rewrite_children 3 startup=0 idle=1 concurrency=1
>> url_rewrite_program /usr/lib/squid/jesred
>>
>> debug_options ALL,3
>>
>> Thanks a lot.
>>
>> Regards,
>> Christoph
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users