<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Greetings!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am running a transparent proxy for plain HTTP traffic, memory caching only. I have something like 500 devices that are using the proxy at any given time over a satellite, and I am averaging in the range of 2,000 requests per minute across the proxy (again, no SSL bump; I do not control the devices at all). I am using 3.5.22 compiled from sources (if it matters). I have been seeing lines in my access log like the following:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1476535967.570 0 xxx.xxx.xxx.xxx TAG_NONE/400 4538 NONE error:invalid-request - HIER_NONE/- text/html<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>After some digging on this list I began to suspect websockets or other non-HTTP traffic coming across port 80. After additional reading, and as much as anything to test the hypothesis, I decided to try Squid 4.0.15 with on_unsupported_protocol. I get what I am guessing to be the same result, with new error text around it:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1476536369.742 0 xxx.xxx.xxx.xxx NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>An interesting point to interject here is that my “Hits as % bytes sent” in 3.5.x has always been in the 2 to 5% range, but there are periods (sometimes long ones) where the inbound traffic to Squid is much higher than the outbound. When I switch to 4.0.x, I am now running about -27% (note, negative twenty-seven) as bytes, which makes me suspect it is logging the higher inbound than outbound now. So, apparently, this unsupported protocol is triggering some sort of large download, but it does not end up going to the client. 
Obviously, this is not good, so I’m digging deeper and I’d appreciate any pointers that come to mind. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I would like to know a couple of things. First: is there some debugging level other than ALL,9 that might give me some illumination? ALL,9 generates about 15 MB of debug log per second at my current load level, and these errors aren’t very frequent, so I end up with ~400 MB of text that needs to be sifted through. As you can imagine, that can be a bit brutal. If I could even identify the other endpoint, I would at least be able to figure out if this is Apple, Microsoft, Android, or something else, and perhaps get closer to being able to replicate the error. Thoughts would be appreciated. In case it’s relevant, my compile options were:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>./configure --prefix=/usr --localstatedir=/var --libexecdir=/usr/lib/squid --srcdir=. --datadir=/usr/share/squid --sysconfdir=/etc/squid --with-default-user=proxy --with-logdir=/var/log --with-pidfile=/var/run/squid.pid --enable-linux-netfilter --enable-cache-digests --enable-storeio=ufs,aufs,diskd,rock --enable-async-io=30 --enable-http-violations --enable-zph-qos --with-netfilter-conntrack --with-filedescriptors=65536 --with-large-files<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Note that a lot of those are based on a very long and tedious guess-and-check session last year, and some of them are probably totally irrelevant to my setup (I’m looking at you, --enable-http-violations and --enable-zph-qos), but hey, what is life without the unnecessary noise from lazily copy-and-pasting old compile lines.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>My configuration, edited to eliminate my numerous comments and hashed-out lines of experiments and to hide network identifiers, is pasted below. 
<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>///BEGIN /etc/squid/squid.conf<o:p></o:p></p><p class=MsoNormal>workers 4<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<o:p></o:p></p><p class=MsoNormal>acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<o:p></o:p></p><p class=MsoNormal>acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>acl localnet src fc00::/7 # RFC 4193 local private network range<o:p></o:p></p><p class=MsoNormal>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>acl SSL_ports port 443<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 80 # http<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 21 # ftp<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 443 # https<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 70 # gopher<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 210 # wais<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 1025-65535 # unregistered ports<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 280 # http-mgmt<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 488 # gss-http<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 591 # filemaker<o:p></o:p></p><p class=MsoNormal>acl Safe_ports port 777 # multiling http<o:p></o:p></p><p class=MsoNormal>acl CONNECT method CONNECT<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>#Note that I added this line when testing Squid-4, it is commented out when running Squid-3<o:p></o:p></p><p class=MsoNormal>on_unsupported_protocol tunnel all<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>http_access allow localnet<o:p></o:p></p><p class=MsoNormal>http_access allow localhost<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p 
class=MsoNormal>http_access deny !Safe_ports<o:p></o:p></p><p class=MsoNormal>http_access deny CONNECT !SSL_Ports<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># And finally deny all other access to this proxy<o:p></o:p></p><p class=MsoNormal>http_access deny all<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>http_port 3128<o:p></o:p></p><p class=MsoNormal>http_port 3129 tproxy<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>visible_hostname squid-proxy.mydomain.tld<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>acl updatesites dstdom_regex "/etc/squid/updatesites.txt"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>icp_port 3130<o:p></o:p></p><p class=MsoNormal>htcp_port 4827<o:p></o:p></p><p class=MsoNormal>icp_access allow localnet<o:p></o:p></p><p class=MsoNormal>icp_access deny all<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>#Testing QoS Marks<o:p></o:p></p><p class=MsoNormal>qos_flows tos local-hit=0x30<o:p></o:p></p><p class=MsoNormal>qos_flows mark local-hit=0x30<o:p></o:p></p><p class=MsoNormal>qos_flows mark miss=0x0<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>maximum_object_size 800 MB updatesites<o:p></o:p></p><p class=MsoNormal>maximum_object_size 80 MB !updatesites<o:p></o:p></p><p class=MsoNormal>range_offset_limit 0<o:p></o:p></p><p class=MsoNormal>quick_abort_min 0 KB<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>store_id_program /usr/lib/squid/storeid_file_rewrite /etc/squid/storeid_rewrite.conf<o:p></o:p></p><p class=MsoNormal>store_id_children 10 startup=3 idle=1 concurrency=0<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>cache_mem 16384 MB<o:p></o:p></p><p class=MsoNormal>maximum_object_size_in_memory 8 MB<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>cache_swap_low 90<o:p></o:p></p><p class=MsoNormal>cache_swap_high 
95<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>cache_store_log daemon:/var/log/squid/store.log<o:p></o:p></p><p class=MsoNormal>access_log daemon:/var/log/squid/access.log squid<o:p></o:p></p><p class=MsoNormal>cache_log /var/log/squid/cache.log<o:p></o:p></p><p class=MsoNormal>logfile_rotate 40<o:p></o:p></p><p class=MsoNormal>max_open_disk_fds 64000<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>refresh_pattern ^ftp: 1440 20% 10080<o:p></o:p></p><p class=MsoNormal>refresh_pattern ^gopher: 1440 0% 1440<o:p></o:p></p><p class=MsoNormal>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<o:p></o:p></p><p class=MsoNormal>refresh_pattern . 0 20% 4320<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>cache_mgr someone@mydomain.td<o:p></o:p></p><p class=MsoNormal>cache_effective_user proxy<o:p></o:p></p><p class=MsoNormal>cache_effective_group proxy<o:p></o:p></p><p class=MsoNormal>///END /etc/squid/squid.conf<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So, I have a few questions I guess: <o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>(1)<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>For one thing, what are the implications of “on_unsupported_protocol tunnel all”? I did it as a quick attempt to see if that had any new and interesting impacts, but is it safe-ish? Am I letting the bad-guys come pouring through with that?<o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>(2)<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>What debug levels should I be thinking about to try and figure out what is happening. 
Seems like we won’t get very far without identifying what is throwing that error.<o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>(3)<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Has anyone else seen this? Right now, for example (after 10 minutes of typing an email) I’m actually running -61% Hits as Bytes! (Negative!) Ouch! <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>--Jester<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
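<p class=MsoNormal>Added example, not part of the post above and not Squid project code: a small triage script for the native (&quot;squid&quot;) access_log format the post quotes. It parses each line into its ten fields, singles out the two signatures Squid writes when a connection carried no parseable HTTP request (TAG_NONE/400 error:invalid-request on 3.5, NONE/000 error:transaction-end-before-headers on 4.x), attributes them to client addresses so the noisy devices can be found even though the native format never names the intercepted destination, and reproduces the formula behind cachemgr&#8217;s &#8220;Hits as % of bytes sent&#8221; (client bytes out minus server bytes in, over client bytes out), which is why that figure can go negative when origin servers send Squid more than Squid delivers to clients. The log lines are constructed for the example: the client addresses are RFC1918 placeholders, example.com / 93.184.216.34 is a placeholder next hop, and the kilobyte counts fed to byte_hit_ratio are made-up numbers chosen to land on the -27% shape described in the post.</p>

```python
"""Triage helper for Squid native access.log lines (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# URL tokens Squid writes when there was no parseable HTTP request at all.
NON_HTTP_URLS = frozenset({
    "error:invalid-request",                 # Squid 3.5: TAG_NONE/400
    "error:transaction-end-before-headers",  # Squid 4.x: NONE/000
})


@dataclass(frozen=True)
class Entry:
    ts: float            # UNIX timestamp with milliseconds
    elapsed_ms: int      # transaction duration
    client: str          # client IP address
    result: str          # Squid result code, e.g. TCP_MISS, TAG_NONE, NONE
    status: int          # HTTP status sent to the client, 0 if none was sent
    bytes_out: int       # bytes sent to the client, headers included
    method: str
    url: str
    hierarchy: str       # e.g. HIER_DIRECT, HIER_NONE
    peer: str            # next-hop address, or "-" when there was none
    mime: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for malformed input."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    try:
        return Entry(
            ts=float(f[0]), elapsed_ms=int(f[1]), client=f[2],
            result=result, status=int(status), bytes_out=int(f[4]),
            method=f[5], url=f[6], hierarchy=hierarchy, peer=peer, mime=f[9],
        )
    except ValueError:
        return None


def is_non_http(e: Entry) -> bool:
    """True for the two 'not HTTP at all' signatures discussed in the post."""
    return e.url in NON_HTTP_URLS


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a batch of log lines: who is sending non-HTTP to port 80."""
    entries: List[Entry] = [e for e in map(parse_line, lines) if e]
    bad = [e for e in entries if is_non_http(e)]
    return {
        "total": len(entries),
        "non_http": len(bad),
        "by_signature": dict(Counter(f"{e.result}/{e.status:03d} {e.url}" for e in bad)),
        "by_client": dict(Counter(e.client for e in bad)),
        # Bytes the error pages themselves cost on the client side.
        "error_bytes_out": sum(e.bytes_out for e in bad),
        # True when every non-HTTP hit took 0 ms and had no next hop,
        # as in the two lines quoted in the post.
        "all_zero_elapsed": all(e.elapsed_ms == 0 and e.hierarchy == "HIER_NONE" for e in bad),
    }


def byte_hit_ratio(client_kbytes_out: int, server_kbytes_in: int) -> float:
    """cachemgr 'Hits as % of bytes sent': (out - in) / out * 100.

    Negative whenever origin servers send Squid more bytes than Squid
    sends to clients, e.g. bodies fetched upstream but never delivered.
    """
    if client_kbytes_out == 0:
        return 0.0
    return 100.0 * (client_kbytes_out - server_kbytes_in) / client_kbytes_out


# Constructed sample modelled on the two lines quoted in the post. Client
# addresses are RFC1918 placeholders; example.com is a placeholder origin.
SAMPLE_LOG = """\
1476535967.570      0 10.20.30.40 TAG_NONE/400 4538 NONE error:invalid-request - HIER_NONE/- text/html
1476535968.101    812 10.20.30.41 TCP_MISS/200 15230 GET http://example.com/a.js - HIER_DIRECT/93.184.216.34 application/javascript
1476535968.440      3 10.20.30.42 TCP_MEM_HIT/200 15230 GET http://example.com/a.js - HIER_NONE/- application/javascript
1476536369.742      0 10.20.30.40 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1476536370.005      0 10.20.30.43 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    # Made-up kilobyte counters of the shape the post reports: more in than out.
    print(f"byte hit ratio: {byte_hit_ratio(1000, 1270):.1f}%")
```

<p class=MsoNormal>Run it against a real access.log with <code>triage(open("/var/log/squid/access.log"))</code>; the by_client counts point at the devices to capture traffic from. The native format only records the client side of these failed transactions, so to learn the intercepted destination as well, a custom logformat that adds Squid&#8217;s <code>%la</code> and <code>%lp</code> codes (the local address and port the client connected to, which under tproxy are the original destination) is the place to look; that is a suggestion to check against the logformat documentation for the running version, not something the script above does.</p>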