[squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 7 15:33:48 UTC 2018

On 08/08/18 02:14, Ahmad, Sarfaraz wrote:
> I cannot reproduce this. This is intermittent.  In Chrome's dev
> tools, it appeared to take over 20 secs to setup the TCP connection. 
> I am SSL bumping all TLS connections unless they match certain ACLs.
> So it is safe to assume that the vast majority of the traffic was
> bumped.
> I don't see any TLS handshake failure messages in cache.log. I think
> the access.log messages I posted earlier are fake CONNECT requests
> created using TCP-level info (the response time logged there is
> directly proportionate to what I see in Chrome's dev tools). Guessing
> that Squid would send TCP SYN-ACK only after it receives SYN-ACK from
> remote/origin server.

Your guess is wrong. The TCP level setup is only between Squid and the
client. It has to have completed before the TLS stuff can begin.

The first fake-CONNECT is done after TCP connection setup to see whether
the client is allowed to perform TLS inside it - and how Squid handles
that TLS.

> I don’t think ICAP(reqmod) would come into the
> picture yet either (assuming that even the TCP connections have not
> been set up yet) so that is safe to rule out. Am I right here ?

You are right about that in relation to TCP.

But TCP is already over and done with by the time the fake-CONNECT gets
generated. So wrong about ICAP's lack of involvement - it may (or not) be.

NP: The only thing fake about the early CONNECT's is that the client did
not actually generate it. They are handled in Squid same as a regular
CONNECT message would be.


More information about the squid-users mailing list