[squid-users] Bypassed Proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 23 03:56:27 UTC 2016


On 23/12/2016 10:02 a.m., Sameh Onaissi wrote:
> Hello,
> 
> 
> Eliezer’s recommended fix did not work.
> 
> The user was on YouTube watching UFC all day today.
> 
> Here’s a copy of the log at the time.
> 1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
> 1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
> 1482436450.340      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
> 1482436450.585      0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.650    373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
> 1482436450.669      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.682   1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
> 1482436450.706    386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
> 1482436450.740   6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
> 1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.784      0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.909    469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
> 1482436450.927   1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
> 1482436450.940      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.955      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.063    197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
> 1482436451.080      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.217    434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
> 1482436451.236      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.322    271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
> 1482436451.345    479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
> 1482436451.361      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.498   4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
> 1482436451.530      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.909    817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
> 
> 
> 
> I know 503 is an error, but the user was using youtube without any hassles.
> Those IPs are for Digital Ocean and Alentus Corporation.

rDNS says they are being used by the northghost "Touch VPN" network.

> 
> Squid is being “fooled” somehow.
>  I did notice the 503, which made it more confusing to me.

Squid is rejecting the YT traffic attempts asked of it. Maybe not in the
way you intended, but to the same effect.

The above log implies they are visiting northghost. Nothing is
prohibiting that. Then Squid, during the bumping process, sees the YT
domain in SNI or some such, and tries to reject it but can't at that late
stage, so 503 occurs.

There are very likely other attempts being made in other ways since
these did not succeed. If any of those do succeed the user gets their YT
access.

Amos
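The log pattern Amos describes (allowed intercepted CONNECTs to bare IPs via ORIGINAL_DST, interleaved with rejected HIER_NONE/503 CONNECTs to the filtered hostname) can be picked out of a Squid native-format access.log automatically. The following is an added example written for this page, not code from the thread or from the Squid project: it parses native-format lines, and flags any client that, within a short time window, both has rejected CONNECTs to a blocked domain and succeeds in tunnelling to bare IP addresses. The sample lines are adapted from the log quoted above, with one constructed benign client (10.0.0.42, www.example.org) added for contrast; the `window` and `min_hits` thresholds are arbitrary assumptions to tune for your own traffic.

```python
"""Heuristic detector for "tunnel around the filter" behaviour in a Squid
native-format access.log.

Per client it looks for, within `window` seconds of each other:
  * CONNECT requests to a filtered hostname that Squid rejected without
    forwarding (5xx status, hierarchy HIER_NONE), and
  * successful (200) intercepted CONNECTs to bare IP addresses
    (hierarchy ORIGINAL_DST).
A client showing both is likely reaching the blocked site through a VPN or
proxy service whose servers Squid is letting through by IP.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Squid native log format:
# time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input. The 10.0.0.105 lines are adapted from the log quoted in the
# thread; the final 10.0.0.42 line is constructed as a benign comparison
# (ordinary CONNECT to a named host, forwarded directly, never to a bare IP).
SAMPLE_LOG = """
1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482436452.100    210 10.0.0.42 TCP_TUNNEL/200 3920 CONNECT www.example.org:443 - HIER_DIRECT/93.184.216.34 -
"""


@dataclass
class Entry:
    ts: float
    client: str
    tag: str
    status: int
    method: str
    host: str   # CONNECT target with the :port stripped
    hier: str
    peer: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    # CONNECT targets are host:port (IPv4 or name; bracketed IPv6 not handled here)
    host = url.rsplit(":", 1)[0] if m["method"] == "CONNECT" else url
    return Entry(float(m["ts"]), m["client"], m["tag"], int(m["status"]),
                 m["method"], host, m["hier"], m["peer"])


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_blocked(host: str, suffixes) -> bool:
    """True if host is one of the blocked domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_bypass_suspects(lines, blocked_suffixes, window=60.0, min_hits=2):
    """Return {client: {"blocked": set(hostnames), "tunnels": set(ips)}} for
    clients with >= min_hits rejected CONNECTs to a blocked domain and
    >= min_hits distinct allowed bare-IP ORIGINAL_DST CONNECTs nearby in time."""
    by_client = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e.method == "CONNECT":
            by_client[e.client].append(e)

    suspects = {}
    for client, entries in by_client.items():
        rejected = [e for e in entries
                    if e.hier == "HIER_NONE" and 500 <= e.status < 600
                    and matches_blocked(e.host, blocked_suffixes)]
        tunnels = [e for e in entries
                   if e.hier == "ORIGINAL_DST" and e.status == 200
                   and is_bare_ip(e.host)]
        blocked, ips = set(), set()
        for r in rejected:  # correlate each rejection with tunnels near it in time
            near = [t for t in tunnels if abs(t.ts - r.ts) <= window]
            if near:
                blocked.add(r.host)
                ips.update(t.host for t in near)
        if len(rejected) >= min_hits and len(ips) >= min_hits:
            suspects[client] = {"blocked": blocked, "tunnels": ips}
    return suspects


if __name__ == "__main__":
    for client, info in find_bypass_suspects(SAMPLE_LOG.splitlines(), ["youtube.com"]).items():
        print(f"{client}: blocked {sorted(info['blocked'])} via tunnels {sorted(info['tunnels'])}")
```

The flagged IP set is the useful output: those are the addresses to run through rDNS/whois (as Amos did here) and, if they turn out to be a VPN service, to feed back into the proxy's deny rules. Ordinary bumped HTTPS to a named host, like the constructed 10.0.0.42 line, never trips the heuristic because it is neither rejected nor a bare-IP ORIGINAL_DST connection.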


