[squid-users] R: Trouble with an app

Roberto Nunnari roberto.nunnari at edu.ti.ch
Tue Oct 13 07:59:45 UTC 2020 

Hi Amos.

Thank you for your help.

Could it be that the client received the zscaler certificate and because it's wrong for google it closed the connection?
Unfortunately, the logs on the client don't show no clue about it..

Thank you and best regards.
Roberto



-----Messaggio originale-----
Da: squid-users <squid-users-bounces at lists.squid-cache.org> Per conto di Amos Jeffries
Inviato: domenica, 11 ottobre 2020 02:41
A: squid-users at lists.squid-cache.org
Oggetto: Re: [squid-users] Trouble with an app

On 10/10/20 2:54 am, Roberto Nunnari wrote:
> Hello.
> 
>  
> 
> I work in secondary school and our access to internet is protected in 
> two points:
> 
> 1)      Squid proxy (I manage this)
> 
> 2)      Internet service provider (they change *.google.com ssl 
> certificate with zscaler)
> 
>  
> 
> We install these zscaler certificates on all our clients, but I 
> believe this java app doesn’t care to use it.
> 
>  
> 
> Now, can somebody explain these logs to me, please?
> 

Sure:

> 
> Fri Oct  9 15:44:41 2020.521      1 10.20.8.212 TCP_DENIED/407 4076 
> CONNECT google.ch:443 - HIER_NONE/- text/html
> 

Client sent a CONNECT request to the proxy. It did not have credentials, so Squid responded with a 407 message informing it that credentials are required.


> Fri Oct  9 15:44:41 2020.660    122 10.20.8.212 TCP_TUNNEL/200 3552 
> CONNECT google.ch:443 CPT\\docente.test HIER_DIRECT/216.58.215.227 -
> 

Client sent CONNECT requests with credentials.
Squid opened a tunnel to the relevant server as requested by client.
Client spent 122ms using the tunnel for something.


> Fri Oct  9 15:44:52 2020.461      0 10.20.8.212 NONE/000 0 NONE 
> error:transaction-end-before-headers - HIER_NONE/- -
> 

Client opened TCP connection to the proxy. Then closed it.

This is fairly common side effect of "Happy Eyeballs" behaviour where clients open multiple connections and only use the first to succeed.

Or possibly the client had some other reason for closing. The log record is just informative so you know it is happening and useful to explain many sockets having TCP TIME_WAIT status if that becomes a problem.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list