[squid-users] strange thing in the squid logs ...

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 6 03:14:48 UTC 2019


On 6/02/19 9:27 am, Walter H. wrote:
> Hello,
> 
> in iptables I have this:
> 
> *nat
> ...
> -A PREROUTING -i br0 -p tcp -s 192.168.1.100 --dport 80 -j DNAT
> --to-destination 192.168.1.1:3129
> 
> 
> 
> 192.168.1.100 is my PC and 192.168.1.1 is my NAT-Router, that has squid,
> ... running
> 
> here is the log
> 
> 192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CONNECT 77.74.177.233:80
> HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.1.100 - - [05/Feb/2019:20:58:41 +0100] "CONNECT
> 130.117.190.168:80 HTTP/1.1" 403 1520 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.1.100 - - [05/Feb/2019:21:06:12 +0100] "CONNECT
> 207.123.56.252:80 HTTP/1.1" 403 1518 "-" "-" TCP_DENIED:HIER_NONE
> these are only examples; in reality there are many of these with exactly
> these IP addresses
> 
> what is causing such strange entries?
> 

Unknown.


> 
> here is the squid.conf
> 
...
> 
> http_access deny CONNECT !SSL_ports    # I guess this rule is causing
> DENIED in the log, but why port 80 there???
> 

Yes. This is the rule blocking those transactions.

The answer to your question though is known only to the client software
requesting those tunnels be opened.

Could be some form of attack against those servers or abusive use of
port 80 for non-HTTP. At the very least it is trying to bypass the proxy
for some type of port 80 traffic.

If it worries you, then investigation of the traffic may prove fruitful.
Then you can decide what to do based on better information than your log
contains.


[ following is just some comments about polish to your squid.conf ]

> 
> http_reply_access allow all

Does the default action, but in a slow way. You can simplify your config
and speed up Squid a little by removing the above line.


> 
> always_direct allow all

Does the default action, but in a slow way. You can simplify your config
and speed up Squid a little by removing the above line.


> 
> acl crl-mime rep_mime_type application/x-pkcs7-crl
> no_cache deny crl-mime
> 

"no_cache" does not exist since Squid-1.x. It is called just "cache", so
at the very least please remove that "no_" part.

Also, the "cache" directive is tested for HTTP *requests*. There is no
HTTP *reply* mime type in request messages.

Either:

a) use req_mime_type (note the 'q'), or

b) remove both the above lines as pointless config, or

c) replace the "no_cache" name with "store_miss" in latest Squid-3.5+
proxies.


FWIW: it is not clear why you forbid CRL objects from being cached. They
are public information and caching works as well as with any other HTTP
objects.


> 
> logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
> 

FYI: The Apache "common" format is designed for use by web servers,
which are quite different software from proxies. In particular they
typically do not have upstream origin-server connection and multiplexing
to deal with - which is a core part of being a proxy. So you are missing
out on several useful details the "squid" native log format provides.


Amos
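As an added example (not part of the thread above, and not Squid's own code), the following Python script parses access.log lines written with the "combined" logformat shown in the thread and flags CONNECT requests whose target port is outside the SSL_ports set, which is exactly what the `http_access deny CONNECT !SSL_ports` rule denies. It lets an administrator who sees such entries tally the destinations before deciding on further investigation. The first three sample lines are the ones from the thread, re-joined onto single lines; the remaining two sample lines, the `example.com` host, and the assumption that SSL_ports is Squid's default of port 443 only are constructed for the example.

```python
import re
from collections import Counter

# Field-by-field regex for the logformat quoted in the thread:
#   %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>\S+?):(?P<hier>\S+)$'
)

# Assumption: SSL_ports is Squid's default "acl SSL_ports port 443".
# Adjust to match the acl actually defined in squid.conf.
SSL_PORTS = {443}

# Constructed sample log: lines 1-3 are the entries from the thread,
# lines 4-5 are made up to show a permitted tunnel and an ordinary GET.
SAMPLE_LOG = """\
192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CONNECT 77.74.177.233:80 HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:20:58:41 +0100] "CONNECT 130.117.190.168:80 HTTP/1.1" 403 1520 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:06:12 +0100] "CONNECT 207.123.56.252:80 HTTP/1.1" 403 1518 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:07:00 +0100] "CONNECT example.com:443 HTTP/1.1" 200 3921 "-" "Mozilla/5.0" TCP_TUNNEL:HIER_DIRECT
192.168.1.100 - - [05/Feb/2019:21:07:05 +0100] "GET http://example.com/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT
"""


def parse_line(line):
    """Return a dict of named fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def split_host_port(url):
    """For a CONNECT request %ru is 'host:port'; split it, tolerating bracketed IPv6."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None
    return host, int(port)


def suspicious_connects(log_text, ssl_ports=SSL_PORTS):
    """Return CONNECT records whose target port is not in ssl_ports."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = split_host_port(rec["url"])
        if port is None or port in ssl_ports:
            continue
        hits.append({
            "time": rec["time"],
            "client": rec["client"],
            "target": rec["url"],
            "port": port,
            "status": rec["status"],
            "squid_status": rec["squid_status"],
            "agent": rec["agent"],
        })
    return hits


def summarize_targets(hits):
    """Count flagged CONNECT attempts per destination host:port."""
    return Counter(h["target"] for h in hits)


if __name__ == "__main__":
    flagged = suspicious_connects(SAMPLE_LOG)
    for target, n in summarize_targets(flagged).most_common():
        print(f"{n:4d}  {target}")
    denied = sum(1 for h in flagged if h["squid_status"] == "TCP_DENIED")
    print(f"{len(flagged)} non-SSL CONNECT attempts, {denied} denied by http_access")
```

Feeding the real file is a matter of `suspicious_connects(open("/var/log/squid/access.log").read())`; the per-target counts show whether the same few destinations recur, as the thread describes, and the empty User-Agent field on those entries is itself a useful clue about which client software on 192.168.1.100 is issuing the requests.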

