[squid-users] squid-users Digest, Vol 27, Issue 28

vze2k3sa at verizon.net vze2k3sa at verizon.net
Wed Nov 16 00:28:56 UTC 2016

On 15/11/2016 9:05 a.m., Patrick Flaherty wrote:
> Hello,
> Can anyone tell me if the 'HIER_NONE' entries below are Squid not able 
> to connect to www.website.com? The 21 sec timeout is a classic Windows 
> TCP connection timeout. I just need confirmation that Squid on 
> these 2 clients behalf ( & could not connect 
> to www.website.com and timed out after ~21 secs.
> 09/Nov/2016:11:54:53 -0500  21029 TAG_NONE/503 0 CONNECT
> www.website.com:443 - HIER_NONE/- -
> 09/Nov/2016:11:54:53 -0500  21029 TAG_NONE/503 0 CONNECT
> www.website.com:443 - HIER_NONE/- -

HIER_NONE - no upstream server was involved / contacted.

503 - Squid encountered an error which prevented upstream server transaction being successful.

TAG_NONE - non-TCP protocol occurring.

This NONE/503 combo appears usually when SSL-Bump feature is doing TLS interception - either the TLS handshake failed or your configured choice of bumping action is not possible.

Thanks Amos for that clarity although now I'm not sure why this happened. If the upstream server did not respond (which is what I thought) I would say I understand. But if Squid actually made no attempt to contact the server, then Squid itself had an issue. I do not use SSL-Bump so maybe Squid had some internal error?
When you say ' HIER_NONE - no upstream server was involved / contacted.' does that mean Squid did not even try to connect to the upstream server or could it mean that it tried to connect and there was no response?

Here is my Squid.conf file in case of misconfiguration.
# Smart911 CPE/Smart911 Console Squid Proxy Configuration

# Network(s) where proxy traffic is originating
# acl localnet src	# RFC1918 possible internal network
# acl localnet src	# RFC1918 possible internal network
# acl localnet src	# RFC1918 possible internal network
acl localnet src all

# acl and http_access ("rmsc.txt")
acl whitelist dstdomain  "c:/squid/etc/squid/rmsc.txt"
http_access 	allow 	whitelist

acl http      proto      http
acl https     proto      https
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 443		# https

# rules allowing proxy access
http_access allow http  Safe_ports whitelist localnet
http_access allow https SSL_ports whitelist localnet

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Lastly deny all other access to this proxy
http_access deny all

# Listens to port 3128
http_port 3128

# DNS servers 

# Roll log file daily and keep 30 days
logfile_rotate 30

# Access log format
logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

# Debug 
# debug_options	ALL,2

# Use IPv4 based DNS first
dns_v4_first on

# Log definitions
access_log stdio:c:/Squid/var/log/squid/access.log
cache_store_log stdio:c:/Squid/var/log/squid/store.log
buffered_logs on

Thanks Amos!
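
Added example (not part of the original thread, and not Squid project code): a small Python parser for the access-log layout defined by the logformat line in the squid.conf above. It picks out CONNECT requests logged as 503 with HIER_NONE, the combination discussed in this thread. The sample lines are constructed; the client addresses and the TCP_TUNNEL/HIER_DIRECT line are assumptions added for contrast.

```python
import re

# Field order follows the logformat line in the posted squid.conf:
#   %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
LINE_RE = re.compile(
    r"^(?P<time>\S+ [+-]\d{4})\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\w+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)$")

# Constructed sample lines; client and peer addresses are documentation-range placeholders.
SAMPLE_LOG = """\
09/Nov/2016:11:54:53 -0500  21029 192.0.2.10 TAG_NONE/503 0 CONNECT www.website.com:443 - HIER_NONE/- -
09/Nov/2016:11:54:53 -0500  21029 192.0.2.11 TAG_NONE/503 0 CONNECT www.website.com:443 - HIER_NONE/- -
09/Nov/2016:11:55:02 -0500    412 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT www.website.com:443 - HIER_DIRECT/198.51.100.7 -
this line is truncated garbage
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # line does not follow the configured logformat
    rec = m.groupdict()
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["code"] = int(rec["code"])
    return rec

def failed_connects(log_text):
    """Return (CONNECT records answered 503 with HIER_NONE, count of unparseable lines)."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["method"] == "CONNECT" and rec["code"] == 503 and rec["hier"] == "HIER_NONE":
            hits.append(rec)
    return hits, skipped

def summarize(hits):
    """Per destination: (failure count, longest elapsed time in ms)."""
    out = {}
    for h in hits:
        n, worst = out.get(h["url"], (0, 0))
        out[h["url"]] = (n + 1, max(worst, h["elapsed_ms"]))
    return out

if __name__ == "__main__":
    hits, skipped = failed_connects(SAMPLE_LOG)
    print(summarize(hits), f"{skipped} line(s) skipped")
```

Grouping by destination and elapsed time shows whether the failures cluster on one host at a consistent timeout value or are spread across destinations.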
