[squid-users] "NF getsockopt(SO_ORIGINAL_DST)" filling cache.log due to AWS ELB healthchecks

Eliezer Croitoru eliezer at ngtech.co.il
Thu Oct 29 20:33:25 UTC 2015

Hey John,

You and me are missing couple things in the picture and you first need 
to understand what you have in order to fix it.
The http_port 3128 intercept cannot and should not handle CONNECT 
request which are the basic form of HTTPS connections that squid knows 
in general how to use.
I am confused which proxies are there and which aren't.
You wrote "My problem is that it appears every single AWS elastic load 
balancer healthcheck triggers a line like this in cache.log:" which 
means that there are couple AWS elastic load balancers.
It kind of confuses me if the squid is the first load balancer or you 
are using some service that AWS sells.
If you are using AWS elastic load balancer which is a service you should 
first make sure you understand what it does exactly and what I am 
talking about is, what is it doing with the packets it receives? Also on 
what level do they work? in the TCP level? in the HTTP level?
Also there are couple missing parts about the squid service itself.
What is to be expected(from a protocol level) from squid to handle?
What HTTP requests should be pointed there? a specific domain? a whole 
bunch of domains? intercepted traffic? do we expect SSL connections to 
be present there?
Do the AWS elastic load balancer handles SSL?

I would describe you the question you are asking in a creative way:
"I have a monkey which eats the banana and every time he is pooping 
after it, I do not understand why he is pooping?"

My and others side of the picture is that you have something that does 
something but cannot is not being described.
Believe me that proxies work the same way for a very long time and your 
setup is probably not that special.
If I understand right the AWS elastic load balancer is something like 
haproxy and from an unknown reason you are using squid in the picture.
Maybe it's for caching maybe it's for network policy or logging.

If you prefer to send me a private email with couple more details and 
the answers to my questions feel free to do that, not everything should 
be publicly available in the mailing list.

I do not know about your TCP and HTTP\HTTPS level of expertise and it 
makes it hard to even know if I am asking you the right questions.
Also do you have someone to ask about any of the system parts? if not... 
TCPDUMP+wireshark is your friend!

All The Bests,

* I am at the squid channel at freenode under the nick elico if you want 
to contact me there.

On 29/10/2015 21:39, John Smith wrote:
> Hi Eliezer,
> It is entirely possible that haproxy is a better solution than squid for
> what we are doing.
> I have never used either solution, and inherited this 'working' squid
> configuration with the task of cleaning things up and stabilizing it.
> Regarding your question of 'How do the first layer of proxies send their
> request to the second layer of proxies?', all I can tell you is that all
> the work is done in the squid.conf, and I've posted the entire contents
> with a few replacements for security reasons.
> As I've said, I've removed the word 'intercept' several times and the
> requests to secondary proxies no longer work.
> I just confirmed this behaviour again.
> If this is as 'quiet' as I can make the logs then it is what it is.
> Thanks!

More information about the squid-users mailing list