[squid-users] Why some traffic is TCP_DENIED

Vieri rentorbuy at yahoo.com
Tue Feb 16 10:09:04 UTC 2021


Hi,

I'm trying to understand why Squid denies access to some sites, eg:

[Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
[Tue Feb 16 10:15:36 2021].053     49 10.215.248.74 TCP_MISS/200 2037 GET https://puk1-collabhubrtc.officeapps.live.com/rtc2/signalr/negotiate? - ORIGINAL_DST/52.108.88.1 application/json
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -


If I take the first line in the log and open the URL from a client I use, then the site opens as expected, and the corresponding Squid log is:

[Tue Feb 16 10:45:50 2021].546    628 10.215.111.210 TCP_MISS/200 2134 GET https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - ORIGINAL_DST/23.210.36.30 application/octet-stream
[Tue Feb 16 10:45:52 2021].668     49 10.215.111.210 NONE_NONE/000 0 CONNECT 216.58.215.138:443 - ORIGINAL_DST/216.58.215.138 -

In this log I see my host's IP address, 10.215.111.210.
However, in the first log I do not see a source IP address. Why?

Other clients seem to be denied access with errors in the log such as "NONE_NONE/000" followed by error:invalid-request or error:transaction-end-before-headers. How can I find out why I get "invalid requests"? Would a tcpdump on the server or client help? Or should I enable verbose debugging in Squid?

BTW, this might be irrelevant, but these messages seem to come up when accessing Office 365 sites.

Thanks,

Vieri
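A small triage script for log excerpts like the ones in the post, added here as an example (it is not part of the original message and not Squid project code). It assumes the log layout visible above: a bracketed timestamp with a .mmm suffix, then the native access.log fields (duration, client, result/status, bytes, method, URL, user, hierarchy/peer, content type). It splits each line into those fields and groups transactions by shape, which makes the three patterns in the excerpt visible side by side: denials that carry a full URL and method, denials whose URL field holds only a destination host:port with no method (no request line was logged), and NONE_NONE/000 entries whose URL field is one of Squid's error: pseudo-URLs. It also lists denied entries whose client field is "-", the case the poster asks about. The sample input is the set of lines quoted in the post.

```python
"""Triage a Squid access.log excerpt by transaction shape.

Added example, not from the post or the Squid project. Assumes the format
seen in the post: "[timestamp].mmm duration client RESULT/status bytes
method url user HIER/peer type".
"""
import re
from collections import Counter

# Sample input: the log lines quoted in the post above.
SAMPLE_LOG = """\
[Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
[Tue Feb 16 10:15:36 2021].053     49 10.215.248.74 TCP_MISS/200 2037 GET https://puk1-collabhubrtc.officeapps.live.com/rtc2/signalr/negotiate? - ORIGINAL_DST/52.108.88.1 application/json
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
[Tue Feb 16 10:45:50 2021].546    628 10.215.111.210 TCP_MISS/200 2134 GET https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - ORIGINAL_DST/23.210.36.30 application/octet-stream
[Tue Feb 16 10:45:52 2021].668     49 10.215.111.210 NONE_NONE/000 0 CONNECT 216.58.215.138:443 - ORIGINAL_DST/216.58.215.138 -
"""

# One regex for the whole line; every field is a non-space token except the
# bracketed timestamp, so splitting on whitespace would not work.
LINE_RE = re.compile(
    r"""^\[(?P<ts>[^\]]+)\]\.(?P<ms>\d{3})\s+
        (?P<duration>\d+)\s+
        (?P<client>\S+)\s+
        (?P<result>[A-Z_]+)/(?P<status>\d{3})\s+
        (?P<bytes>\d+)\s+
        (?P<method>\S+)\s+
        (?P<url>\S+)\s+
        (?P<user>\S+)\s+
        (?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+
        (?P<ctype>\S+)\s*$""",
    re.VERBOSE,
)

# A bare "host:port" in the URL field (no scheme, no path).
HOST_PORT_RE = re.compile(r"^[^/\s]+:\d+$")


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("duration", "bytes", "status"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a parsed record by how the transaction ended."""
    if rec["url"].startswith("error:"):
        # No request was completed; Squid put a pseudo-URL in the URL field.
        return "aborted:" + rec["url"][len("error:"):]
    if rec["result"] == "TCP_DENIED":
        if rec["method"] == "-" and HOST_PORT_RE.match(rec["url"]):
            # Denied without an HTTP request line: only dst host:port is known.
            return "denied-no-request-line"
        return "denied-http-request"
    if rec["result"] == "NONE_NONE" and rec["method"] == "CONNECT":
        return "tunnel"
    return "served"


def summarize(text):
    """Count transactions per label and collect denials with no client IP."""
    counts = Counter()
    anonymous_denials = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        label = classify(rec)
        counts[label] += 1
        if label.startswith("denied") and rec["client"] == "-":
            anonymous_denials.append(rec["url"])
    return counts, anonymous_denials


if __name__ == "__main__":
    counts, anon = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    print("denied with client '-':", anon)
```

Run against a longer access.log slice (read the file instead of SAMPLE_LOG) and the counts show at a glance whether the denials are mostly full HTTP requests, which an ACL can explain, or entries with no request line, which point at the client side of the connection and are where a packet capture would add information.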


