[squid-users] https issues for google

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 7 09:34:26 UTC 2014



On 7/12/2014 9:48 p.m., glenn.groves wrote:
> Hi All,
> 
> I have finally been able to spend time upgrading a server to a
> later squid version, I have tried 3.4.9.
> 
> I could not get authentication to work for this test, but proceeded
> to test without (also dismisses auth as the problem).
> 
> I am getting the following in the logs with secure sites now the
> squid is 3.4.9:
> 
> 192.168.9.69 TCP_MISS/200 295 CONNECT www.google.com:443 - HIER_DIRECT/216.58.220.1
> 192.168.9.69 TCP_MISS/200 0 CONNECT www.google.com:443 - HIER_DIRECT/216.58.220.132
> 
> Upgrading to 3.4.9 on Centos has been a pain so far, no point in
> proceeding with the problem persisting. Can someone advise why I am
> getting TCP_MISS/200 when going to secure google sites?
> 

"200" because the tunnel was set up successfully.

"TCP_MISS" because a connection being opened does not use an existing
cache object. Old Squid versions do not use the TCP_TUNNEL label.

The above appear to be successful tunnels set up through the proxy.


> Or more importantly, how to fix my squid 3.1 on centos 6.5 with
> this problem.
> 

What browser(s) are showing the problem? And what does a tcpdump trace
of the packets' content show happening?

A) It could be they are trying to use SPDY or HTTP/2 inside the
tunnel. CONNECT technically could be followed immediately with traffic
bytes even though the tunnel/Upgrade process was not confirmed
successful by the proxy. Squid does not support that behaviour until
version 3.4.5 (bug 3371) but browsers using SPDY and HTTP/2 rely on it.

You may be able to backport the bug fix
(http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13126.patch),
but this one is unlikely to be easy across so many versions. There
have been numerous tunneling code updates in between.


B) It could be the happy-eyeballs algorithm being used by the browser.
Setting up a connection in advance and having it time out in the proxy
before an attempt to actually use it is made. Although Squid should
append _TIMEOUT to the MISS tag in those cases, it's not certain if that
happens on tunnels.

Amos
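
A small triage script for log lines in the format quoted above, added here as an illustration; it is not part of the original mail and not Squid code. It assumes the third field is the byte count logged for the request, and the category names and the classify/summarize helpers are invented for this example.

```python
import re
from collections import Counter

# First two lines are the entries quoted in the question; the rest are constructed.
SAMPLE = """\
192.168.9.69 TCP_MISS/200 295 CONNECT www.google.com:443 - HIER_DIRECT/216.58.220.1
192.168.9.69 TCP_MISS/200 0 CONNECT www.google.com:443 - HIER_DIRECT/216.58.220.132
192.168.9.70 TCP_TUNNEL/200 5120 CONNECT example.test:443 - HIER_DIRECT/192.0.2.10
192.168.9.70 TCP_MISS_TIMEOUT/200 0 CONNECT example.test:443 - HIER_DIRECT/192.0.2.10
192.168.9.71 TCP_DENIED/403 3540 CONNECT example.test:25 - HIER_NONE/-
192.168.9.71 TCP_MISS/200 812 GET http://example.test/ - HIER_DIRECT/192.0.2.10
"""

# Field order as in the quoted log:
# client result/status bytes method target user hierarchy/peer
LINE = re.compile(
    r"^(?P<client>\S+) (?P<tag>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>\S+) (?P<target>\S+) \S+ (?P<hier>[A-Z_]+)/(?P<peer>\S+)$"
)

def classify(line):
    """Return (category, fields) for one log line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    if f["method"] != "CONNECT":
        return "not-a-tunnel", f
    if f["status"] != "200":
        return "refused", f        # proxy did not set up the tunnel
    if f["tag"].endswith("_TIMEOUT"):
        return "timed-out", f      # tunnel was set up, then timed out in the proxy
    if int(f["bytes"]) == 0:
        return "opened-unused", f  # set up, no bytes logged (assumed meaning of field 3)
    return "carried-data", f       # 200 with either TCP_MISS or TCP_TUNNEL label

def summarize(text):
    """Count categories over a block of log text, skipping unparsable lines."""
    results = (classify(line) for line in text.splitlines())
    return Counter(r[0] for r in results if r)

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        category, f = classify(line)
        print(f"{category:14} {f['tag']}/{f['status']} {f['bytes']:>6} {f['target']}")
```

A high share of opened-unused or timed-out entries from one client is the pattern to compare against the tcpdump trace asked for in the reply.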

