Re: Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

[Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>]

On 2024-08-19 15:27, ngtech1ltd@xxxxxxxxx wrote:

> I see that there is a SNI so I am not sure how to look at the issue.

FWIW, as the next step, I still recommend answering the remaining open 
questions. Everything else makes a facinating read but is less likely to 
help us make progress (and may obscure/hide actual answers and test 
results). I will restate those remaining questions for your convenience:

* Do all those 12 access.log records correspond to a single curl 
request? If not, please only share access.log record(s) that do correspond.

2. Does everything work for non-intercept ports? Use the same curl test 
you have shared below, but specify proxy address for curl to use.

4. Does everything work when you remove "ssl-bump" and related options 
from intercepting http_port 33128 (and use that intercepted port in the 
same curl test)?

5. Does everything work when you use "ssl_bump splice all" instead of 
your current ssl_bump rule? Same curl parameters as in Q4.

6. Does everything work when you use "ssl_bump peek all" instead of your 
current ssl_bump rule? Same curl parameters as in Q4.


While going through the above list, top to bottom, if you find a test 
that does _not_ work, pause: There is no need to proceed with other, 
more complicated tests if an earlier simpler/basic test fails.


HTH,

Alex.


> I was thinking that maybe it's something with the OpenSSL version (3.x.x) on Fedora but then I installed both 5.9 and 6.10 on Almalinux 8 and the result is the same.
>
> I will describe my setup which might give some background.
> I have a very big lab...
> In the front of the Internet connection there are couple NGFW devices and RouterOS.
> Mikrotik RouterOS is the edge and all the others are used with PBR accordingly.
> The proxy sits in a deferent segment on the network and I have tried couple methods to intercept the traffic with squid.
> The only one which works with Squid and the existing equipment and do not cause some weird loop is ethernet level tunnel ie not:
> * GRE
> * IPIP
> And couple others.
>
> The only ones which works fine are:
> * EoIP (Mikrotik which is based on GRE0
> * VxLAN
>
> There are two methods to intercept the traffic:
> * PBR+DNAT on the squid box
> * PBR+TPROXY on the squid box
>
> Since the intercept method terminates the connection and creates a new one with the ip of the proxy it's very simple to even use gre and ipip.
> But, with tproxy to allow the traffic being identified currently as a packet which is not still in the routing stack we the linux OS need to tag it somehow.
> To do that the default "Salt" for the packet hash in the routing stack is the source and destination mac address.
> Due to this the only methods which are allowing to use tproxy are the above mentioned tunnels. (Maybe I will post a video on it later on with a demo)
>
> The Mikrotik RouterOS device re-routes the traffic from the LAN interface into the VxLAN interface directly to the proxy machine which has a
> static or dynamic route to the LAN subnet via the other side of the VxLAN tunnel which is the edge RouterOS device.
> I want to gather a set of configurations and tests for this configurations to verify what might cause this issue and if possible to resolve it.
> For me it seems that if my FortiGate and CheckPoint devices are able to intercept the traffic and "Bump" it, there is no reason why squid should
> be able to do that the same way.
>
> I will later on send you a private link to the pcaps in a zip file so you would be able to inspect this issue in the network level and to see if there is
> some details which can help us understand what cause this specific issue.
>
> I want to say that bumping works fine on non-intercepted connections and that I have tested the interception with the two available methods ie:
> * DNAT Redirect
> * Tproxy
>
> Thanks,
> Eliezer Croitoru
>
> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, August 19, 2024 7:18 PM
> To: NgTech LTD <ngtech1ltd@xxxxxxxxx>
> Subject: Re:  Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic
>
> Eliezer, please move this thread back to squid-users mailing list
> instead of emailing me personally. When you do so, please clarify
> whether all 12 access.log records correspond to this single curl request
> (if not, please only share access.log record(s) that do correspond). --Alex.
>
> On 2024-08-19 12:03, NgTech LTD wrote:
> > This is the output of curl on windows 11 desktop:
> > C:\Users\USER>curl https://www.youtube.com/ -k -v -o 1.txt
> >     % Total    % Received % Xferd  Average Speed   Time    Time     Time
> >    Current
> >                                    Dload  Upload   Total   Spent    Left
> >    Speed
> >     0     0    0     0    0     0      0      0 --:--:-- --:--:--
> > --:--:--     0* Host www.youtube.com:443 <http://www.youtube.com:443>
> > was resolved.
> > * IPv6: 2a00:1450:4001:800::200e, 2a00:1450:4001:80e::200e,
> > 2a00:1450:4001:81c::200e, 2a00:1450:4001:809::200e
> > * IPv4: 142.250.185.78, 142.250.185.110, 142.250.185.142,
> > 142.250.186.174, 142.250.185.174, 142.250.184.238, 142.250.185.238,
> > 142.250.185.206, 142.250.181.238, 142.250.186.46, 142.250.186.78,
> > 172.217.16.142, 216.58.212.174, 216.58.206.46, 172.217.23.110,
> > 216.58.212.142
> > *   Trying 142.250.185.78:443...
> > * Connected to www.youtube.com <http://www.youtube.com> (142.250.185.78)
> > port 443
> > * schannel: disabled automatic use of client certificate
> > * ALPN: curl offers http/1.1
> > * ALPN: server accepted http/1.1
> > * using HTTP/1.x
> >   > GET / HTTP/1.1
> >   > Host: www.youtube.com <http://www.youtube.com>
> >   > User-Agent: curl/8.8.0
> >   > Accept: */*
> >   >
> > * Request completely sent off
> > * schannel: remote party requests renegotiation
> > * schannel: renegotiating SSL/TLS connection
> > * schannel: SSL/TLS connection renegotiated
> > * schannel: failed to decrypt data, need more data
> > < HTTP/1.1 200 OK
> > < Content-Type: text/html; charset=utf-8
> > < X-Content-Type-Options: nosniff
> > < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> > < Pragma: no-cache
> > < Expires: Mon, 01 Jan 1990 00:00:00 GMT
> > < Date: Mon, 19 Aug 2024 16:02:23 GMT
> > < X-Frame-Options: SAMEORIGIN
> > < Strict-Transport-Security: max-age=31536000
> > < Origin-Trial:
> > AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
> > < Cross-Origin-Opener-Policy: same-origin-allow-popups;
> > report-to="youtube_main"
> > < Report-To:
> > {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main <https://csp.withgoogle.com/csp/report-to/youtube_main>"}]}
> > < Content-Security-Policy: require-trusted-types-for 'script'
> > < Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*,
> > ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*,
> > ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*,
> > ch-ua-platform-version=*
> > < P3P: CP="This is not a P3P policy! See
> > http://support.google.com/accounts/answer/151657?hl=en
> > <http://support.google.com/accounts/answer/151657?hl=en> for more info."
> > < Server: ESF
> > < X-XSS-Protection: 0
> > < Set-Cookie: GPS=1; Domain=.youtube.com <http://youtube.com>;
> > Expires=Mon, 19-Aug-2024 16:32:23 GMT; Path=/; Secure; HttpOnly
> > < Set-Cookie: YSC=XYs_jViLkFw; Domain=.youtube.com <http://youtube.com>;
> > Path=/; Secure; HttpOnly; SameSite=none
> > < Set-Cookie: VISITOR_INFO1_LIVE=csMabhlNyrI; Domain=.youtube.com
> > <http://youtube.com>; Expires=Sat, 15-Feb-2025 16:02:23 GMT; Path=/;
> > Secure; HttpOnly; SameSite=none
> > < Set-Cookie: VISITOR_PRIVACY_METADATA=CgJJTBIEGgAgVw%3D%3D;
> > Domain=.youtube.com <http://youtube.com>; Expires=Sat, 15-Feb-2025
> > 16:02:23 GMT; Path=/; Secure; HttpOnly; SameSite=none
> > < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
> > < Accept-Ranges: none
> > < Vary: Accept-Encoding
> > < Transfer-Encoding: chunked
> > <
> > { [3674 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [8008 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6880 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2462 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [4128 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [4128 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [4128 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5242 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6922 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6880 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [20378 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6880 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [3839 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6880 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [9632 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6880 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [2752 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [7994 bytes data]
> > 100  193k    0  193k    0     0   293k      0 --:--:-- --:--:-- --:--:--
> >    294k* schannel: failed to decrypt data, need more data
> > { [28937 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [8414 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [9632 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [7852 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [5504 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [17888 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [19016 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [15136 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [10760 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [6880 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [34152 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [28648 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [33026 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [14888 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [24768 bytes data]
> > * schannel: failed to decrypt data, need more data
> > { [12136 bytes data]
> > 100  498k    0  498k    0     0   665k      0 --:--:-- --:--:-- --:--:--
> >    669k
> > * Connection #0 to host www.youtube.com <http://www.youtube.com> left intact
> >
> > And the access.log:
> > 1724083303.298      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> > 1724083303.888    589 192.168.78.15 TCP_TUNNEL/200 529157 CONNECT
> > 142.250.185.78:443 <http://142.250.185.78:443> -
> > ORIGINAL_DST/142.250.185.78 <http://142.250.185.78> - -
> > 1724083307.305      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> > 1724083307.908    603 192.168.78.15 TCP_TUNNEL/200 530241 CONNECT
> > 142.250.185.78:443 <http://142.250.185.78:443> -
> > ORIGINAL_DST/142.250.185.78 <http://142.250.185.78> - -
> > 1724083311.615      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> > 1724083312.255    640 192.168.78.15 TCP_TUNNEL/200 528465 CONNECT
> > 142.250.185.78:443 <http://142.250.185.78:443> -
> > ORIGINAL_DST/142.250.185.78 <http://142.250.185.78> - -
> > 1724083316.666      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> > 1724083317.315    649 192.168.78.15 TCP_TUNNEL/200 529617 CONNECT
> > 142.250.185.78:443 <http://142.250.185.78:443> -
> > ORIGINAL_DST/142.250.185.78 <http://142.250.185.78> - -
> > 1724083342.731      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> > 1724083343.377    645 192.168.78.15 TCP_TUNNEL/200 528377 CONNECT
> > 142.250.185.78:443 <http://142.250.185.78:443> -
> > ORIGINAL_DST/142.250.185.78 <http://142.250.185.78> - -
> > 1724083378.565      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> > 1724083378.801      0 192.168.78.15 NONE_NONE/000 0 -
> > error:invalid-request - HIER_NONE/- - -
> >
> >
> > ----
> > Eliezer Croitoru
> > Tech Support
> > Mobile: +972-5-28704261
> > Email: ngtech1ltd@xxxxxxxxx <mailto:ngtech1ltd@xxxxxxxxx>
> >
> >
> > On Mon, Aug 19, 2024 at 3:21 PM Alex Rousskov
> > <rousskov@xxxxxxxxxxxxxxxxxxxxxxx
> > <mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx>> wrote:
> >
> >      On 2024-08-19 03:47, NgTech LTD wrote:
> >       > I am testing Squid 6.10 on Fedora 40 (their package).
> >       > And it seems that Squid is unable to bump clients (ESNI/ECH)?
> >       >
> >       > I had couple iterations of pek stare and bump and I am not sure
> >      what is
> >       > the reason for that:
> >
> >      What do you use as a client? Judging by the number of
> >      error:invalid-request entries in your access.log, that client may
> >      not be
> >      speaking HTTP/1 inside those CONNECT tunnels.
> >
> >      Does everything work for non-intercept ports?
> >
> >      Does everything work in a basic curl or wget test?
> >
> >      Does everything work when you remove "ssl-bump" and related options
> >      from
> >      intercepting http_port 33128?
> >
> >      Does everything work when you use "ssl_bump splice all" instead of your
> >      current ssl_bump rule?
> >
> >      Does everything work when you use "ssl_bump peek all" instead of your
> >      current ssl_bump rule?
> >
> >      Alex.
> >
> >
> >       > shutdown_lifetime 3 seconds
> >       > external_acl_type whitelist-lookup-helper ipv4 ttl=10
> >      children-max=10
> >       > children-startup=2 \
> >       >          children-idle=2 concurrency=10 %URI %SRC
> >       > /usr/local/bin/squid-conf-url-lookup.rb
> >       > acl whitelist-lookup external  whitelist-lookup-helper
> >       > acl ytmethods method POST GET
> >       > acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network
> >      (LAN)
> >       > acl localnet src 10.0.0.0/8 <http://10.0.0.0/8>
> >      <http://10.0.0.0/8 <http://10.0.0.0/8>>             # RFC 1918
> >       > local private network (LAN)
> >       > acl localnet src 100.64.0.0/10 <http://100.64.0.0/10>
> >      <http://100.64.0.0/10 <http://100.64.0.0/10>>          # RFC
> >       > 6598 shared address space (CGN)
> >       > acl localnet src 169.254.0.0/16 <http://169.254.0.0/16>
> >      <http://169.254.0.0/16 <http://169.254.0.0/16>>         # RFC
> >       > 3927 link-local (directly plugged) machines
> >       > acl localnet src 172.16.0.0/12 <http://172.16.0.0/12>
> >      <http://172.16.0.0/12 <http://172.16.0.0/12>>          # RFC
> >       > 1918 local private network (LAN)
> >       > acl localnet src 192.168.0.0/16 <http://192.168.0.0/16>
> >      <http://192.168.0.0/16 <http://192.168.0.0/16>>         # RFC
> >       > 1918 local private network (LAN)
> >       > acl localnet src fc00::/7               # RFC 4193 local private
> >      network
> >       > range
> >       > acl localnet src fe80::/10              # RFC 4291 link-local
> >      (directly
> >       > plugged) machines
> >       > acl SSL_ports port 443
> >       > acl Safe_ports port 80          # http
> >       > acl Safe_ports port 21          # ftp
> >       > acl Safe_ports port 443         # https
> >       > acl Safe_ports port 70          # gopher
> >       > acl Safe_ports port 210         # wais
> >       > acl Safe_ports port 1025-65535  # unregistered ports
> >       > acl Safe_ports port 280         # http-mgmt
> >       > acl Safe_ports port 488         # gss-http
> >       > acl Safe_ports port 591         # filemaker
> >       > acl Safe_ports port 777         # multiling http
> >       > http_access deny !Safe_ports
> >       > http_access deny CONNECT !SSL_ports
> >       > http_access allow localhost manager
> >       > http_access deny manager
> >       > http_access allow localhost
> >       > http_access deny to_localhost
> >       > http_access deny to_linklocal
> >       > acl tubedoms dstdomain .ytimg.com <http://ytimg.com>
> >      <http://ytimg.com <http://ytimg.com>> .youtube.com <http://youtube.com>
> >       > <http://youtube.com <http://youtube.com>> .youtu.be
> >      <http://youtu.be> <http://youtu.be <http://youtu.be>>
> >       > http_access allow ytmethods localnet tubedoms whitelist-lookup
> >       > http_access allow localnet
> >       > http_access deny all
> >       > http_port 3128
> >       > http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem
> >       > tls-key=/etc/squid/ssl/key.pem \
> >       >          generate-host-certificates=on
> >      dynamic_cert_mem_cache_size=4MB
> >       > http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem
> >       > tls-key=/etc/squid/ssl/key.pem \
> >       >          generate-host-certificates=on
> >      dynamic_cert_mem_cache_size=4MB
> >       > http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem
> >       > tls-key=/etc/squid/ssl/key.pem \
> >       >          generate-host-certificates=on
> >      dynamic_cert_mem_cache_size=4MB
> >       > sslcrtd_program /usr/lib64/squid/security_file_certgen -s
> >       > /var/spool/squid/ssl_db -M 4MB
> >       > sslcrtd_children 5
> >       > acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
> >       > acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
> >       > on_unsupported_protocol tunnel foreignProtocol
> >       > on_unsupported_protocol tunnel serverTalksFirstProtocol
> >       > on_unsupported_protocol respond all
> >       > acl monitoredSites ssl::server_name .youtube.com
> >      <http://youtube.com> <http://youtube.com <http://youtube.com>>
> >       > .ytimg.com <http://ytimg.com> <http://ytimg.com <http://ytimg.com>>
> >       > acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com
> >      \.ytimg\.com
> >       > acl serverIsBank ssl::server_name .visa.com <http://visa.com>
> >      <http://visa.com <http://visa.com>>
> >       > acl step1 at_step SslBump1
> >       > acl step2 at_step SslBump2
> >       > acl step3 at_step SslBump3
> >       > ssl_bump bump all
> >       > strip_query_terms off
> >       > coredump_dir /var/spool/squid
> >       > refresh_pattern ^ftp:           1440    20%     10080
> >       > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> >       > refresh_pattern .               0       20%     4320
> >       > logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st
> >      %rm %ru
> >       > %[un %Sh/%<a %mt %ssl::>sni
> >       > access_log daemon:/var/log/squid/access.log ssl_custom_format
> >       > ##EOF
> >       >
> >       > access.log from before:
> >       > 1724028804.797    486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT
> >       > 40.126.31.73:443 <http://40.126.31.73:443>
> >      <http://40.126.31.73:443 <http://40.126.31.73:443>> -
> >      ORIGINAL_DST/40.126.31.73 <http://40.126.31.73>
> >       > <http://40.126.31.73 <http://40.126.31.73>> - -
> >       > 1724028805.413      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.028      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.028      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.029      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.030      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.085     57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT
> >       > 104.18.72.113:443 <http://104.18.72.113:443>
> >      <http://104.18.72.113:443 <http://104.18.72.113:443>> -
> >       > ORIGINAL_DST/104.18.72.113 <http://104.18.72.113>
> >      <http://104.18.72.113 <http://104.18.72.113>> - -
> >       > 1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT
> >       > 104.18.72.113:443 <http://104.18.72.113:443>
> >      <http://104.18.72.113:443 <http://104.18.72.113:443>> -
> >       > ORIGINAL_DST/104.18.72.113 <http://104.18.72.113>
> >      <http://104.18.72.113 <http://104.18.72.113>> - -
> >       > 1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT
> >       > 104.18.72.113:443 <http://104.18.72.113:443>
> >      <http://104.18.72.113:443 <http://104.18.72.113:443>> -
> >       > ORIGINAL_DST/104.18.72.113 <http://104.18.72.113>
> >      <http://104.18.72.113 <http://104.18.72.113>> - -
> >       > 1724028806.208      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.213      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.338      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.469      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028806.596      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028807.006      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028807.262      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028808.922   5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT
> >       > 13.107.246.60:443 <http://13.107.246.60:443>
> >      <http://13.107.246.60:443 <http://13.107.246.60:443>> -
> >       > ORIGINAL_DST/13.107.246.60 <http://13.107.246.60>
> >      <http://13.107.246.60 <http://13.107.246.60>> - -
> >       > 1724028812.906   8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT
> >       > 104.126.37.171:443 <http://104.126.37.171:443>
> >      <http://104.126.37.171:443 <http://104.126.37.171:443>> -
> >       > ORIGINAL_DST/104.126.37.171 <http://104.126.37.171>
> >      <http://104.126.37.171 <http://104.126.37.171>> - -
> >       > 1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT
> >       > 142.250.186.34:443 <http://142.250.186.34:443>
> >      <http://142.250.186.34:443 <http://142.250.186.34:443>> -
> >       > ORIGINAL_DST/142.250.186.34 <http://142.250.186.34>
> >      <http://142.250.186.34 <http://142.250.186.34>> - -
> >       > 1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT
> >       > 142.250.184.246:443 <http://142.250.184.246:443>
> >      <http://142.250.184.246:443 <http://142.250.184.246:443>> -
> >       > ORIGINAL_DST/142.250.184.246 <http://142.250.184.246>
> >      <http://142.250.184.246 <http://142.250.184.246>> - -
> >       > 1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT
> >       > 216.58.206.65:443 <http://216.58.206.65:443>
> >      <http://216.58.206.65:443 <http://216.58.206.65:443>> -
> >       > ORIGINAL_DST/216.58.206.65 <http://216.58.206.65>
> >      <http://216.58.206.65 <http://216.58.206.65>> - -
> >       > 1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT
> >       > 142.250.181.227:443 <http://142.250.181.227:443>
> >      <http://142.250.181.227:443 <http://142.250.181.227:443>> -
> >       > ORIGINAL_DST/142.250.181.227 <http://142.250.181.227>
> >      <http://142.250.181.227 <http://142.250.181.227>> - -
> >       > 1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT
> >       > 172.217.16.196:443 <http://172.217.16.196:443>
> >      <http://172.217.16.196:443 <http://172.217.16.196:443>> -
> >       > ORIGINAL_DST/172.217.16.196 <http://172.217.16.196>
> >      <http://172.217.16.196 <http://172.217.16.196>> - -
> >       > 1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT
> >       > 142.250.185.238:443 <http://142.250.185.238:443>
> >      <http://142.250.185.238:443 <http://142.250.185.238:443>> -
> >       > ORIGINAL_DST/142.250.185.238 <http://142.250.185.238>
> >      <http://142.250.185.238 <http://142.250.185.238>> - -
> >       > 1724028830.336      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028830.781    444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT
> >       > 40.126.31.73:443 <http://40.126.31.73:443>
> >      <http://40.126.31.73:443 <http://40.126.31.73:443>> -
> >      ORIGINAL_DST/40.126.31.73 <http://40.126.31.73>
> >       > <http://40.126.31.73 <http://40.126.31.73>> - -
> >       > 1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT
> >       > 13.107.6.158:443 <http://13.107.6.158:443>
> >      <http://13.107.6.158:443 <http://13.107.6.158:443>> -
> >      ORIGINAL_DST/13.107.6.158 <http://13.107.6.158>
> >       > <http://13.107.6.158 <http://13.107.6.158>> - -
> >       > 1724028849.443      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028849.698      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028865.261      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028865.779    517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT
> >       > 40.126.31.73:443 <http://40.126.31.73:443>
> >      <http://40.126.31.73:443 <http://40.126.31.73:443>> -
> >      ORIGINAL_DST/40.126.31.73 <http://40.126.31.73>
> >       > <http://40.126.31.73 <http://40.126.31.73>> - -
> >       > 1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT
> >       > 20.42.65.94:443 <http://20.42.65.94:443> <http://20.42.65.94:443
> >      <http://20.42.65.94:443>> - ORIGINAL_DST/20.42.65.94
> >      <http://20.42.65.94>
> >       > <http://20.42.65.94 <http://20.42.65.94>> - -
> >       > 1724028871.179  64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT
> >       > 104.18.10.207:443 <http://104.18.10.207:443>
> >      <http://104.18.10.207:443 <http://104.18.10.207:443>> -
> >       > ORIGINAL_DST/104.18.10.207 <http://104.18.10.207>
> >      <http://104.18.10.207 <http://104.18.10.207>> - -
> >       > 1724028871.179  63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT
> >       > 142.250.186.99:443 <http://142.250.186.99:443>
> >      <http://142.250.186.99:443 <http://142.250.186.99:443>> -
> >       > ORIGINAL_DST/142.250.186.99 <http://142.250.186.99>
> >      <http://142.250.186.99 <http://142.250.186.99>> - -
> >       > 1724028871.179  64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT
> >       > 142.250.185.170:443 <http://142.250.185.170:443>
> >      <http://142.250.185.170:443 <http://142.250.185.170:443>> -
> >       > ORIGINAL_DST/142.250.185.170 <http://142.250.185.170>
> >      <http://142.250.185.170 <http://142.250.185.170>> - -
> >       > 1724028871.308      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028871.731    422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT
> >       > 40.126.31.73:443 <http://40.126.31.73:443>
> >      <http://40.126.31.73:443 <http://40.126.31.73:443>> -
> >      ORIGINAL_DST/40.126.31.73 <http://40.126.31.73>
> >       > <http://40.126.31.73 <http://40.126.31.73>> - -
> >       > 1724028872.486      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028873.477      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028873.745      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028873.902    424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT
> >       > 40.126.31.73:443 <http://40.126.31.73:443>
> >      <http://40.126.31.73:443 <http://40.126.31.73:443>> -
> >      ORIGINAL_DST/40.126.31.73 <http://40.126.31.73>
> >       > <http://40.126.31.73 <http://40.126.31.73>> - -
> >       > 1724028877.056      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028877.060      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028877.060      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028877.060      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT
> >       > 142.250.186.78:443 <http://142.250.186.78:443>
> >      <http://142.250.186.78:443 <http://142.250.186.78:443>> -
> >       > ORIGINAL_DST/142.250.186.78 <http://142.250.186.78>
> >      <http://142.250.186.78 <http://142.250.186.78>> - -
> >       > 1724028878.800      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028878.920      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028879.072      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028880.808   7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT
> >       > 104.126.37.145:443 <http://104.126.37.145:443>
> >      <http://104.126.37.145:443 <http://104.126.37.145:443>> -
> >       > ORIGINAL_DST/104.126.37.145 <http://104.126.37.145>
> >      <http://104.126.37.145 <http://104.126.37.145>> - -
> >       > 1724028882.468  33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT
> >       > 49.12.59.2:443 <http://49.12.59.2:443> <http://49.12.59.2:443
> >      <http://49.12.59.2:443>> - ORIGINAL_DST/49.12.59.2 <http://49.12.59.2>
> >       > <http://49.12.59.2 <http://49.12.59.2>> - -
> >       > 1724028883.728   6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT
> >       > 52.216.185.251:443 <http://52.216.185.251:443>
> >      <http://52.216.185.251:443 <http://52.216.185.251:443>> -
> >       > ORIGINAL_DST/52.216.185.251 <http://52.216.185.251>
> >      <http://52.216.185.251 <http://52.216.185.251>> - -
> >       > 1724028883.789   6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT
> >       > 52.216.185.251:443 <http://52.216.185.251:443>
> >      <http://52.216.185.251:443 <http://52.216.185.251:443>> -
> >       > ORIGINAL_DST/52.216.185.251 <http://52.216.185.251>
> >      <http://52.216.185.251 <http://52.216.185.251>> - -
> >       > 1724028883.797   6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT
> >       > 52.216.185.251:443 <http://52.216.185.251:443>
> >      <http://52.216.185.251:443 <http://52.216.185.251:443>> -
> >       > ORIGINAL_DST/52.216.185.251 <http://52.216.185.251>
> >      <http://52.216.185.251 <http://52.216.185.251>> - -
> >       > 1724028883.845   6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT
> >       > 52.216.185.251:443 <http://52.216.185.251:443>
> >      <http://52.216.185.251:443 <http://52.216.185.251:443>> -
> >       > ORIGINAL_DST/52.216.185.251 <http://52.216.185.251>
> >      <http://52.216.185.251 <http://52.216.185.251>> - -
> >       > 1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT
> >       > 185.199.108.153:443 <http://185.199.108.153:443>
> >      <http://185.199.108.153:443 <http://185.199.108.153:443>> -
> >       > ORIGINAL_DST/185.199.108.153 <http://185.199.108.153>
> >      <http://185.199.108.153 <http://185.199.108.153>> - -
> >       > 1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT
> >       > 104.126.37.161:443 <http://104.126.37.161:443>
> >      <http://104.126.37.161:443 <http://104.126.37.161:443>> -
> >       > ORIGINAL_DST/104.126.37.161 <http://104.126.37.161>
> >      <http://104.126.37.161 <http://104.126.37.161>> - -
> >       > 1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT
> >       > 23.37.37.211:443 <http://23.37.37.211:443>
> >      <http://23.37.37.211:443 <http://23.37.37.211:443>> -
> >      ORIGINAL_DST/23.37.37.211 <http://23.37.37.211>
> >       > <http://23.37.37.211 <http://23.37.37.211>> - -
> >       > 1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT
> >       > 2.18.140.238:443 <http://2.18.140.238:443>
> >      <http://2.18.140.238:443 <http://2.18.140.238:443>> -
> >      ORIGINAL_DST/2.18.140.238 <http://2.18.140.238>
> >       > <http://2.18.140.238 <http://2.18.140.238>> - -
> >       > 1724028891.212      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028891.365    152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT
> >       > 142.250.185.138:443 <http://142.250.185.138:443>
> >      <http://142.250.185.138:443 <http://142.250.185.138:443>> -
> >       > ORIGINAL_DST/142.250.185.138 <http://142.250.185.138>
> >      <http://142.250.185.138 <http://142.250.185.138>> - -
> >       > 1724028893.885  90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT
> >       > 13.107.246.60:443 <http://13.107.246.60:443>
> >      <http://13.107.246.60:443 <http://13.107.246.60:443>> -
> >       > ORIGINAL_DST/13.107.246.60 <http://13.107.246.60>
> >      <http://13.107.246.60 <http://13.107.246.60>> - -
> >       > 1724028900.169      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:invalid-request - HIER_NONE/- - -
> >       > 1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT
> >       > 52.123.243.197:443 <http://52.123.243.197:443>
> >      <http://52.123.243.197:443 <http://52.123.243.197:443>> -
> >       > ORIGINAL_DST/52.123.243.197 <http://52.123.243.197>
> >      <http://52.123.243.197 <http://52.123.243.197>> - -
> >       > 1724028960.494  60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT
> >       > 172.217.16.206:443 <http://172.217.16.206:443>
> >      <http://172.217.16.206:443 <http://172.217.16.206:443>> -
> >       > ORIGINAL_DST/172.217.16.206 <http://172.217.16.206>
> >      <http://172.217.16.206 <http://172.217.16.206>> - -
> >       > 1724028960.494      0 192.168.78.15 NONE_NONE/000 0 -
> >       > error:transaction-end-before-headers - HIER_NONE/- - -
> >       >
> >       > Thanks for any help,
> >       >
> >       >
> >       > ----
> >       > Eliezer Croitoru
> >       > Tech Support
> >       > Mobile: +972-5-28704261
> >       > Email: ngtech1ltd@xxxxxxxxx <mailto:ngtech1ltd@xxxxxxxxx>
> >      <mailto:ngtech1ltd@xxxxxxxxx <mailto:ngtech1ltd@xxxxxxxxx>>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users