<div dir="ltr"><div>Alex, thanks for the swift response. Your help is very much appreciated!</div><div><br></div><div>Here are the logs, but first to mention, from the server that is going through the Squid, I am using curl -k (-k to ignore SSL insecure warnings atm). From the Squid itself, I use squidclient, as using curl from Squid doesn't do much.</div><div><br></div><div>So when I curl the newly uploaded test file from the server that has Squid as default gateway, the access log shows:</div><div>------------------------------------------------------------------------------------------------------------------</div><div>1611941462.501     13 10.10.1.249 NONE/200 0 CONNECT <a href="http://52.217.88.134:443">52.217.88.134:443</a> - ORIGINAL_DST/<a href="http://52.217.88.134">52.217.88.134</a> -<br>1611941462.537     22 10.10.1.249 TCP_MISS/200 488 GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> - ORIGINAL_DST/<a href="http://52.217.88.134">52.217.88.134</a> binary/octet-stream</div><div>------------------------------------------------------------------------------------------------------------------</div><div><br></div><div>Cache log is quite long, but won't truncate in order to not omit something potentially important:</div><div>--------------------------------------------------------------------------------------------------------------------------------</div>2021/01/29 17:31:02.488 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New connection on FD 30<br>2021/01/29 17:31:02.488 kid1| 5,2| TcpAcceptor.cc(312) acceptNext: connection on local=[::]:3130 remote=[::] FD 30 flags=41<br>2021/01/29 17:31:02.488 kid1| 33,2| client_side.cc(2748) httpsSslBumpAccessCheckDone: sslBump action stareneeded for local=<a href="http://52.217.88.134:443">52.217.88.134:443</a> remote=<a href="http://10.10.1.249:43538">10.10.1.249:43538</a> FD 13 flags=33<br>2021/01/29 17:31:02.488 kid1| 33,2| client_side.cc(3424) 
fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump<br>2021/01/29 17:31:02.491 kid1| 85,2| client_side_request.cc(753) clientAccessCheckDone: The request CONNECT <a href="http://52.217.88.134:443">52.217.88.134:443</a> is ALLOWED; last ACL checked: allowed_http_sites<br>2021/01/29 17:31:02.492 kid1| 85,2| client_side_request.cc(729) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW<br>2021/01/29 17:31:02.492 kid1| 85,2| client_side_request.cc(753) clientAccessCheckDone: The request CONNECT <a href="http://52.217.88.134:443">52.217.88.134:443</a> is ALLOWED; last ACL checked: allowed_http_sites<br>2021/01/29 17:31:02.494 kid1| 17,2| FwdState.cc(142) FwdState: Forwarding client request local=<a href="http://52.217.88.134:443">52.217.88.134:443</a> remote=<a href="http://10.10.1.249:43538">10.10.1.249:43538</a> FD 13 flags=33, url=<a href="http://52.217.88.134:443">52.217.88.134:443</a><br>2021/01/29 17:31:02.494 kid1| 44,2| peer_select.cc(302) peerSelectDnsPaths: Found sources for '<a href="http://52.217.88.134:443">52.217.88.134:443</a>'<br>2021/01/29 17:31:02.494 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths:   always_direct = DENIED<br>2021/01/29 17:31:02.494 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths:    never_direct = DENIED<br>2021/01/29 17:31:02.494 kid1| 44,2| peer_select.cc(310) peerSelectDnsPaths:    ORIGINAL_DST = local=0.0.0.0 remote=<a href="http://52.217.88.134:443">52.217.88.134:443</a> flags=1<br>2021/01/29 17:31:02.494 kid1| 44,2| peer_select.cc(317) peerSelectDnsPaths:        timedout = 0<br>2021/01/29 17:31:02.496 kid1| 83,2| bio.cc(316) readAndParse: parsing error on FD 15: check failed: state < atHelloReceived<br>    exception location: Handshake.cc(324) parseHandshakeMessage<br><br>2021/01/29 17:31:02.496 kid1| Error parsing SSL Server Hello Message on FD 15<br>2021/01/29 17:31:02.501 kid1| 37,2| IcmpSquid.cc(91) SendEcho: to 52.217.88.134, opcode 3, len 13<br>2021/01/29 
17:31:02.501| 42,2| IcmpPinger.cc(205) Recv:  Pass 52.217.88.134 off to ICMPv4 module.<br>2021/01/29 17:31:02.501| 42,2| Icmp.cc(95) Log: pingerLog: 1611941462.501640 52.217.88.134                                 32<br>2021/01/29 17:31:02.501 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.501 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.502| 42,2| IcmpPinger.cc(218) SendResult: return result to squid. len=7994<br>2021/01/29 17:31:02.502| 42,2| Icmp.cc(95) Log: pingerLog: 1611941462.502816 52.217.88.134                                 0 Echo Reply      1ms 6 hops<br>2021/01/29 17:31:02.514 kid1| 83,2| client_side.cc(2683) clientNegotiateSSL: New session 0x19d4690 on FD 13 (<a href="http://10.10.1.249:43538">10.10.1.249:43538</a>)<br>2021/01/29 17:31:02.515 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=<a href="http://52.217.88.134:443">52.217.88.134:443</a> remote=<a href="http://10.10.1.249:43538">10.10.1.249:43538</a> FD 13 flags=33<br>2021/01/29 17:31:02.515 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:<br>---------<br>GET /<a href="http://test.XXXXX.com/testFile">test.XXXXX.com/testFile</a> HTTP/1.1<br>Host: <a href="http://s3.amazonaws.com">s3.amazonaws.com</a><br>User-Agent: curl/7.61.1<br>Accept: */*<br><br><br>----------<br>2021/01/29 17:31:02.520 kid1| 85,2| client_side_request.cc(753) clientAccessCheckDone: The request GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> is ALLOWED; last ACL checked: allowed_http_sites<br>2021/01/29 17:31:02.520 kid1| 85,2| client_side_request.cc(729) clientAccessCheck2: No adapted_http_access configuration. 
default: ALLOW<br>2021/01/29 17:31:02.520 kid1| 85,2| client_side_request.cc(753) clientAccessCheckDone: The request GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> is ALLOWED; last ACL checked: allowed_http_sites<br>2021/01/29 17:31:02.520 kid1| 17,2| FwdState.cc(142) FwdState: Forwarding client request local=<a href="http://52.217.88.134:443">52.217.88.134:443</a> remote=<a href="http://10.10.1.249:43538">10.10.1.249:43538</a> FD 13 flags=33, url=<a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a><br>2021/01/29 17:31:02.520 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths: Find IP destination for: <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a>' via <a href="http://s3.amazonaws.com">s3.amazonaws.com</a><br>2021/01/29 17:31:02.520 kid1| 44,2| peer_select.cc(302) peerSelectDnsPaths: Found sources for '<a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a>'<br>2021/01/29 17:31:02.520 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths:   always_direct = DENIED<br>2021/01/29 17:31:02.520 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths:    never_direct = DENIED<br>2021/01/29 17:31:02.520 kid1| 44,2| peer_select.cc(312) peerSelectDnsPaths:          PINNED = local=0.0.0.0 remote=<a href="http://52.216.80.75:443">52.216.80.75:443</a> flags=1<br>2021/01/29 17:31:02.521 kid1| 44,2| peer_select.cc(310) peerSelectDnsPaths:    ORIGINAL_DST = local=0.0.0.0 remote=<a href="http://52.217.88.134:443">52.217.88.134:443</a> flags=1<br>2021/01/29 17:31:02.521 kid1| 44,2| peer_select.cc(317) peerSelectDnsPaths:        timedout = 0<br>2021/01/29 17:31:02.521 kid1| 37,2| IcmpSquid.cc(91) SendEcho: to 52.216.80.75, opcode 3, len 16<br>2021/01/29 17:31:02.521| 42,2| IcmpPinger.cc(205) Recv:  Pass 52.216.80.75 off to ICMPv4 
module.<br>2021/01/29 17:31:02.521| 42,2| Icmp.cc(95) Log: pingerLog: 1611941462.521215 52.216.80.75                                  32<br>2021/01/29 17:31:02.521 kid1| 11,2| http.cc(2260) sendRequest: HTTP Server local=<a href="http://10.10.0.135:36120">10.10.0.135:36120</a> remote=<a href="http://52.217.88.134:443">52.217.88.134:443</a> FD 15 flags=1<br>2021/01/29 17:31:02.521 kid1| 11,2| http.cc(2261) sendRequest: HTTP Server REQUEST:<br>---------<br>GET /<a href="http://test.XXXXX.com/testFile">test.XXXXX.com/testFile</a> HTTP/1.1<br>User-Agent: curl/7.61.1<br>Accept: */*<br>Host: <a href="http://s3.amazonaws.com">s3.amazonaws.com</a><br>Via: 1.1 squid (squid/4.9)<br>X-Forwarded-For: 10.10.1.249<br>Cache-Control: max-age=259200<br>Connection: keep-alive<br><br><br>----------<br>2021/01/29 17:31:02.521| 42,2| IcmpPinger.cc(218) SendResult: return result to squid. len=7997<br>2021/01/29 17:31:02.521| 42,2| Icmp.cc(95) Log: pingerLog: 1611941462.521561 52.216.80.75                                  0 Echo Reply      0ms 5 hops<br>2021/01/29 17:31:02.536 kid1| ctx: enter level  0: '<a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a>'<br>2021/01/29 17:31:02.536 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=<a href="http://10.10.0.135:36120">10.10.0.135:36120</a> remote=<a href="http://52.217.88.134:443">52.217.88.134:443</a> FD 15 flags=1<br>2021/01/29 17:31:02.536 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:<br>---------<br>HTTP/1.1 200 OK<br>x-amz-id-2: hZbtwwRSyeN8TkE+V7V9iUuEEMwyXLVblsFhmazae3kqofWK5EuQf+dH6rU3CF8hDUbj8YcMyw4=<br>x-amz-request-id: CD6D86AAA3FDA43F<br>Date: Fri, 29 Jan 2021 17:31:03 GMT<br>Last-Modified: Fri, 29 Jan 2021 17:27:47 GMT<br>ETag: "eb1a3227cdc3fedbaec2fe38bf6c044a"<br>Accept-Ranges: bytes<br>Content-Type: binary/octet-stream<br>Content-Length: 8<br>Server: AmazonS3<br><br>----------<br>2021/01/29 17:31:02.536 kid1| ctx: exit level  
0<br>2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.537 kid1| 88,2| client_side_reply.cc(2061) processReplyAccessResult: The reply for GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> is ALLOWED, because it matched allowed_http_sites<br>2021/01/29 17:31:02.537 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=<a href="http://52.217.88.134:443">52.217.88.134:443</a> remote=<a href="http://10.10.1.249:43538">10.10.1.249:43538</a> FD 13 flags=33<br>2021/01/29 17:31:02.537 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:<br>---------<br>HTTP/1.1 200 OK<br>x-amz-id-2: hZbtwwRSyeN8TkE+V7V9iUuEEMwyXLVblsFhmazae3kqofWK5EuQf+dH6rU3CF8hDUbj8YcMyw4=<br>x-amz-request-id: CD6D86AAA3FDA43F<br>Date: Fri, 29 Jan 2021 17:31:03 GMT<br>Last-Modified: Fri, 29 Jan 2021 17:27:47 GMT<br>ETag: "eb1a3227cdc3fedbaec2fe38bf6c044a"<br>Accept-Ranges: bytes<br>Content-Type: binary/octet-stream<br>Content-Length: 8<br>Server: AmazonS3<br>X-Cache: MISS from squid<br>X-Cache-Lookup: MISS from squid:3128<br>Via: 1.1 squid (squid/4.9)<br>Connection: keep-alive<br><br><br>----------<br>2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2021/01/29 17:31:02.538 kid1| 33,2| client_side.cc(582) swanSong: local=<a href="http://52.217.88.134:443">52.217.88.134:443</a> remote=<a 
href="http://10.10.1.249:43538">10.10.1.249:43538</a> flags=33<br>2021/01/29 17:31:02.538 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable<br><div>--------------------------------------------------------------------------------------------------------------------------------</div><div><br></div><div><br></div><div><br></div><div><br></div><div>On the other hand, with squidclient from the Squid itself, access log (the first run, when nothing is cached for the new test file yet):</div><div><br></div><div>------------------------------------------------------------------------------------------------------------------</div><div>1611942152.986     29 127.0.0.1 TCP_MISS/200 483 GET <a href="https://s3.amazonaws.com/test.dvabearqloza.com/testFile">https://s3.amazonaws.com/test.dvabearqloza.com/testFile</a> - HIER_DIRECT/<a href="http://52.216.226.131">52.216.226.131</a> binary/octet-stream</div><div>------------------------------------------------------------------------------------------------------------------</div><div><br></div><div>And cache log:</div><div>------------------------------------------------------------------------------------------------------------------</div><div>2021/01/29 17:42:32.956 kid1| 5,2| TcpAcceptor.cc(312) acceptNext: connection on local=[::]:3128 remote=[::] FD 28 flags=9<br>2021/01/29 17:42:32.957 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=<a href="http://127.0.0.1:3128">127.0.0.1:3128</a> remote=<a href="http://127.0.0.1:50584">127.0.0.1:50584</a> FD 13 flags=1<br>2021/01/29 17:42:32.957 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:<br>---------<br>GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> HTTP/1.0<br>Host: <a href="http://s3.amazonaws.com">s3.amazonaws.com</a><br>User-Agent: squidclient/4.9<br>Accept: */*<br>Connection: close<br><br>----------<br>2021/01/29 17:42:32.957 kid1| 
85,2| client_side_request.cc(753) clientAccessCheckDone: The request GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> is ALLOWED; last ACL checked: allowed_http_sites<br>2021/01/29 17:42:32.957 kid1| 85,2| client_side_request.cc(729) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW<br>2021/01/29 17:42:32.957 kid1| 85,2| client_side_request.cc(753) clientAccessCheckDone: The request GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> is ALLOWED; last ACL checked: allowed_http_sites<br>2021/01/29 17:42:32.957 kid1| 17,2| FwdState.cc(142) FwdState: Forwarding client request local=<a href="http://127.0.0.1:3128">127.0.0.1:3128</a> remote=<a href="http://127.0.0.1:50584">127.0.0.1:50584</a> FD 13 flags=1, url=<a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a><br>2021/01/29 17:42:32.957 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths: Find IP destination for: <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a>' via <a href="http://s3.amazonaws.com">s3.amazonaws.com</a><br>2021/01/29 17:42:32.959 kid1| 44,2| peer_select.cc(302) peerSelectDnsPaths: Found sources for '<a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a>'<br>2021/01/29 17:42:32.959 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths:   always_direct = DENIED<br>2021/01/29 17:42:32.959 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths:    never_direct = DENIED<br>2021/01/29 17:42:32.959 kid1| 44,2| peer_select.cc(308) peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=<a href="http://52.216.226.131:443">52.216.226.131:443</a> flags=1<br>2021/01/29 17:42:32.959 kid1| 44,2| peer_select.cc(317) peerSelectDnsPaths:        timedout = 0<br>2021/01/29 17:42:32.961 kid1| 83,2| 
bio.cc(316) readAndParse: parsing error on FD 15: check failed: state < atHelloReceived<br>    exception location: Handshake.cc(324) parseHandshakeMessage<br><br>2021/01/29 17:42:32.961 kid1| Error parsing SSL Server Hello Message on FD 15<br>2021/01/29 17:42:32.965 kid1| 37,2| IcmpSquid.cc(91) SendEcho: to 52.216.226.131, opcode 3, len 16<br>2021/01/29 17:42:32.965| 42,2| IcmpPinger.cc(205) Recv:  Pass 52.216.226.131 off to ICMPv4 module.<br>2021/01/29 17:42:32.965| 42,2| Icmp.cc(95) Log: pingerLog: 1611942152.965403 52.216.226.131                                32<br>2021/01/29 17:42:32.965 kid1| 11,2| http.cc(2260) sendRequest: HTTP Server local=<a href="http://10.10.0.135:33004">10.10.0.135:33004</a> remote=<a href="http://52.216.226.131:443">52.216.226.131:443</a> FD 15 flags=1<br>2021/01/29 17:42:32.965 kid1| 11,2| http.cc(2261) sendRequest: HTTP Server REQUEST:<br>---------<br>GET /<a href="http://test.XXXXX.com/testFile">test.XXXXX.com/testFile</a> HTTP/1.1<br>User-Agent: squidclient/4.9<br>Accept: */*<br>Host: <a href="http://s3.amazonaws.com">s3.amazonaws.com</a><br>Via: 1.0 squid (squid/4.9)<br>X-Forwarded-For: 127.0.0.1<br>Cache-Control: max-age=259200<br>Connection: keep-alive<br><br><br>----------<br>2021/01/29 17:42:32.966| 42,2| IcmpPinger.cc(218) SendResult: return result to squid. 
len=7997<br>2021/01/29 17:42:32.966| 42,2| Icmp.cc(95) Log: pingerLog: 1611942152.966514 52.216.226.131                                0 Echo Reply      1ms 6 hops<br>2021/01/29 17:42:32.985 kid1| ctx: enter level  0: '<a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a>'<br>2021/01/29 17:42:32.985 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=<a href="http://10.10.0.135:33004">10.10.0.135:33004</a> remote=<a href="http://52.216.226.131:443">52.216.226.131:443</a> FD 15 flags=1<br>2021/01/29 17:42:32.985 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:<br>---------<br>HTTP/1.1 200 OK<br>x-amz-id-2: z//C9o0g1wI5ep44MaSBbU7ptfDlvOjTZLIBYSpaI8+h8oxt607nyA9zumm8eEk+wTJb3jRD7wU=<br>x-amz-request-id: A6E14CC59FE63894<br>Date: Fri, 29 Jan 2021 17:42:33 GMT<br>Last-Modified: Fri, 29 Jan 2021 17:27:47 GMT<br>ETag: "eb1a3227cdc3fedbaec2fe38bf6c044a"<br>Accept-Ranges: bytes<br>Content-Type: binary/octet-stream<br>Content-Length: 8<br>Server: AmazonS3<br><br>----------<br>2021/01/29 17:42:32.986 kid1| ctx: exit level  0<br>2021/01/29 17:42:32.986 kid1| 88,2| client_side_reply.cc(2061) processReplyAccessResult: The reply for GET <a href="https://s3.amazonaws.com/test.XXXXX.com/testFile">https://s3.amazonaws.com/test.XXXXX.com/testFile</a> is ALLOWED, because it matched allowed_http_sites<br>2021/01/29 17:42:32.986 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=<a href="http://127.0.0.1:3128">127.0.0.1:3128</a> remote=<a href="http://127.0.0.1:50584">127.0.0.1:50584</a> FD 13 flags=1<br>2021/01/29 17:42:32.986 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:<br>---------<br>HTTP/1.1 200 OK<br>x-amz-id-2: z//C9o0g1wI5ep44MaSBbU7ptfDlvOjTZLIBYSpaI8+h8oxt607nyA9zumm8eEk+wTJb3jRD7wU=<br>x-amz-request-id: A6E14CC59FE63894<br>Date: Fri, 29 Jan 2021 17:42:33 GMT<br>Last-Modified: Fri, 29 Jan 2021 17:27:47 GMT<br>ETag: 
"eb1a3227cdc3fedbaec2fe38bf6c044a"<br>Accept-Ranges: bytes<br>Content-Type: binary/octet-stream<br>Content-Length: 8<br>Server: AmazonS3<br>X-Cache: MISS from squid<br>X-Cache-Lookup: MISS from squid:3128<br>Via: 1.1 squid (squid/4.9)<br>Connection: close<br><br><br>----------<br>2021/01/29 17:42:32.986 kid1| 20,2| store_io.cc(43) storeCreate: storeCreate: Selected dir 0 for e:=sp2V/0x1f582b0*4<br>2021/01/29 17:42:32.986 kid1| 33,2| client_side.cc(891) kick: local=<a href="http://127.0.0.1:3128">127.0.0.1:3128</a> remote=<a href="http://127.0.0.1:50584">127.0.0.1:50584</a> flags=1 Connection was closed<br>2021/01/29 17:42:32.986 kid1| 33,2| client_side.cc(582) swanSong: local=<a href="http://127.0.0.1:3128">127.0.0.1:3128</a> remote=<a href="http://127.0.0.1:50584">127.0.0.1:50584</a> flags=1</div><div>------------------------------------------------------------------------------------------------------------------</div><div><br></div><div>The first thing that caught my attention was the line:</div><div>"checkCachable: StoreEntry::checkCachable: NO: not cachable", that appears in the logs when server tries to go through proxy.</div><div><br></div><div>Any idea what might be the issue overall?</div><div><br></div><div>Thanks again!!!<br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 29, 2021 at 5:40 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 1/28/21 1:34 PM, Milos Dodic wrote:<br>
<br>
> I have noticed that the test server also doesn't cache anything<br>
> So if I try to go for a file in S3, it says MISS, and after that, MISS<br>
> again, and I see no new objects in cache being created.<br>
<br>
> If I try the same thing from the proxy itself, I get the MISS, and the<br>
> object gets cached, as it should.<br>
> When I go back to the test server, and try again, it sees the object in<br>
> cache and returns TCP_MEM_HIT/200 instead.<br>
<br>
Without more details, I can only speculate that the client running on<br>
the test server sends different HTTP request headers than the client<br>
running on the proxy itself. You can see the headers in cache.log if you<br>
set debug_options to ALL,2. If you are not sure whether they are the<br>
same, please share those logs. They will also contain response headers<br>
and other potentially useful details.<br>
<br>
If the request headers are the same in both tests, then I would<br>
recommend sharing compressed ALL,7 or ALL,9 debugging logs of both<br>
successful and unsuccessful tests (four transactions, two logs) for<br>
analysis. Do not use sensitive data for these tests.<br>
<br>
<a href="https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction</a><br>
<br>
Alex.<br>
<br>
<br>
<br>
> This is the entire config file:<br>
> <br>
> <br>
> visible_hostname squid<br>
> cache_dir ufs /test/cache/squid 10000 16 256<br>
> <br>
> http_access allow localhost<br>
> http_access allow all<br>
> <br>
> http_port 3128<br>
> http_port 3129 intercept<br>
> acl allowed_http_sites dstdomain .<a href="http://amazonaws.com" rel="noreferrer" target="_blank">amazonaws.com</a><br>
> http_access allow allowed_http_sites<br>
> <br>
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept<br>
> acl SSL_port port 443<br>
> http_access allow SSL_port<br>
> acl allowed_https_sites ssl::server_name .<a href="http://amazonaws.com" rel="noreferrer" target="_blank">amazonaws.com</a><br>
> <br>
> ssl_bump stare all<br>
> ssl_bump bump allowed_https_sites<br>
> ssl_bump terminate all<br>
<br>
<br>
> On Tue, Jan 26, 2021 at 9:14 PM Alex Rousskov wrote:<br>
> <br>
>     On 1/26/21 1:54 PM, Milos Dodic wrote:<br>
> <br>
>     > when the test server goes for a picture I have stored somewhere in<br>
>     > the cloud, the squid access log shows "TCP_TUNNEL/200". But when I<br>
>     > try from the proxy itself with squidclient tool, I get<br>
>     > "TCP_MEM_HIT/200"<br>
> <br>
> <br>
>     Given the very limited information you have provided, I am guessing that<br>
> <br>
>     * the primary test opens a CONNECT tunnel through Squid<br>
>     * the squidclient test sends a plain text HTTP request to Squid<br>
> <br>
>     The final origin server destination may be the same in both tests, but<br>
>     the two transactions are completely different from Squid's point of view.<br>
> <br>
> <br>
>     > ssl_bump peek step1 all<br>
>     > ssl_bump peek step2 allowed_https_sites<br>
>     > ssl_bump splice step3 allowed_https_sites<br>
>     > ssl_bump terminate step3 all<br>
> <br>
> <br>
>     AFAICT, this configuration is splicing or terminating all TLS traffic.<br>
>     No bumping at all. If you want your Squid to bump TLS tunnels, then you<br>
>     have to have at least one "bump" rule!<br>
> <br>
>     I do not know what your overall SslBump needs are, but perhaps you meant<br>
>     something like the following?<br>
> <br>
>         acl shouldBeBumped ssl::server_name .<a href="http://amazonaws.com" rel="noreferrer" target="_blank">amazonaws.com</a><br>
> <br>
>         ssl_bump stare all<br>
>         ssl_bump bump shouldBeBumped<br>
>         ssl_bump terminate all<br>
> <br>
>     Please do not use the configuration above until you understand what it<br>
>     does. Please see <a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br>
>     for details.<br>
> <br>
>     Depending on your environment, the http_access rules may need to be<br>
>     adjusted to allow CONNECT requests (to TLS-safe ports) to IP addresses<br>
>     that do not result in .<a href="http://amazonaws.com" rel="noreferrer" target="_blank">amazonaws.com</a> in<br>
>     reverse DNS lookups.<br>
> <br>
> <br>
>     HTH,<br>
> <br>
>     Alex.<br>
> <br>
<br>
</blockquote></div>
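<div>The quoted advice in this message is to compare the request headers each client sends, as logged in cache.log with debug_options ALL,2. The following is an added example, not part of the original thread: it parses the "HTTP Client REQUEST" blocks of that log format and diffs the headers of the two tests. The log excerpts are constructed from the two logs quoted above (HTML stripped, unrelated lines dropped), and all function names are hypothetical.</div>

```python
import re

# Excerpts constructed from the two cache.log runs quoted in this message.
INTERCEPTED_LOG = """\
2021/01/29 17:31:02.515 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
GET /test.XXXXX.com/testFile HTTP/1.1
Host: s3.amazonaws.com
User-Agent: curl/7.61.1
Accept: */*


----------
2021/01/29 17:31:02.537 kid1| 20,2| store.cc(986) checkCachable: StoreEntry::checkCachable: NO: not cachable
"""

SQUIDCLIENT_LOG = """\
2021/01/29 17:42:32.957 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
GET https://s3.amazonaws.com/test.XXXXX.com/testFile HTTP/1.0
Host: s3.amazonaws.com
User-Agent: squidclient/4.9
Accept: */*
Connection: close

----------
2021/01/29 17:42:32.986 kid1| 20,2| store_io.cc(43) storeCreate: storeCreate: Selected dir 0 for e:=sp2V/0x1f582b0*4
"""

# Debug section 11 announces each logged HTTP message with a marker line.
MARKER = re.compile(
    r"\| 11,\d+\| .*: (HTTP (?:Client|Server) (?:REQUEST|REPLY|RESPONSE)):\s*$")
RULE = re.compile(r"-{9,}\s*")                   # dashed rules around a message
STORE = re.compile(r"\| 20,\d+\| \S+ (\w+):")    # debug section 20 (storage)


def parse_messages(log_text):
    """Return every HTTP message logged between dashed rules."""
    lines = log_text.splitlines()
    messages, i = [], 0
    while i < len(lines):
        marker = MARKER.search(lines[i])
        i += 1
        if not marker:
            continue
        if i < len(lines) and RULE.fullmatch(lines[i]):
            i += 1                               # skip the opening rule
        body = []
        while i < len(lines) and not RULE.fullmatch(lines[i]):
            body.append(lines[i])
            i += 1
        i += 1                                   # skip the closing rule
        if not body:
            continue
        headers = {}
        for line in body[1:]:
            name, sep, value = line.partition(":")
            if sep:                              # blank lines carry no header
                headers[name.strip().lower()] = value.strip()
        messages.append({"kind": marker.group(1),
                         "start_line": body[0].strip(),
                         "headers": headers})
    return messages


def diff_headers(a, b):
    """Map each differing header name to its (a, b) values; None = absent."""
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b))
            if a.get(name) != b.get(name)}


def store_events(log_text):
    """Names of the storage-section functions that logged a line."""
    return STORE.findall(log_text)


if __name__ == "__main__":
    curl_req = parse_messages(INTERCEPTED_LOG)[0]
    sc_req = parse_messages(SQUIDCLIENT_LOG)[0]
    print(curl_req["start_line"], "|", sc_req["start_line"])
    print(diff_headers(curl_req["headers"], sc_req["headers"]))
    print(store_events(INTERCEPTED_LOG), store_events(SQUIDCLIENT_LOG))
```

On these excerpts the two client requests differ in the request line (origin-form with HTTP/1.1 versus absolute URL with HTTP/1.0), in User-Agent, and in the presence of Connection: close.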