<div dir="ltr"><span class="gmail-im">>Does child Squid bump the TLS client connection, tunnel it, or<br>
>terminates it (i.e. the child works as a reverse proxy)?<br>
<br></span>* client connects to child Squid's http_port without "ssl-bump".<br>* client sends a plain text CONNECT request to child Squid.<br>* child Squid connects to parent using cache_peer with mTLS.<span class="gmail-im"><br>
<br>
> What are those TLS alerts?<br></span>
Code 21 - decryption_failed_RESERVED(21).<span class="gmail-im"> <br>
<br>
<br>
>If those TLS alerts are close_notify alerts, then the RST packets you<br>
>are seeing are probably triggered by the other side doing clean TLS<br>
>shutdown (i.e. sending a TLS close_notify alert before closing the<br>
>connection), either after receiving a FIN packet (unlikely with<br>
>half_closed_clients off?) or while that FIN packet is being generated or<br>
>is in-flight. When Such RST packets would be sent by the TCP stack<br>
>rather than Squid code itself. They may be an indication of a benign<br>
>race condition, a bug, or some other deficiency.<br>
<br></span>
half_closed_clients is off<span class="gmail-im"><br>
<br>
>Higher-level information (who initiates closure and why) may be needed<br>
>to figure this out. I recommend sharing a link to a compressed ALL,9<br>
>cache.log reproducing the problem with a single transaction _combined_<br>
>with a matching packet trace file in libpcap format.<br>
<br></span>
There is no other way than turning debug on.<br>
<br>
Maciek</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">wt., 28 lut 2023 o 15:15 Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> napisał(a):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2/28/23 08:35, Maciej Leks wrote:<br>
> Am I right in saying that RST it's a design intent of squid to end<br>
> connections quickly? I've started digging into the squid code and see<br>
> SO_LINGER and timeout set to 0, which means that it's done on purpose<br>
> not to hang on connections in TIME_WAIT state?<br>
<br>
Does child Squid bump the TLS client connection, tunnel it, or <br>
terminates it (i.e. the child works as a reverse proxy)?<br>
<br>
What are those TLS alerts?<br>
<br>
If those TLS alerts are close_notify alerts, then the RST packets you <br>
are seeing are probably triggered by the other side doing clean TLS <br>
shutdown (i.e. sending a TLS close_notify alert before closing the <br>
connection), either after receiving a FIN packet (unlikely with <br>
half_closed_clients off?) or while that FIN packet is being generated or <br>
is in-flight. When Such RST packets would be sent by the TCP stack <br>
rather than Squid code itself. They may be an indication of a benign <br>
race condition, a bug, or some other deficiency.<br>
<br>
Higher-level information (who initiates closure and why) may be needed <br>
to figure this out. I recommend sharing a link to a compressed ALL,9 <br>
cache.log reproducing the problem with a single transaction _combined_ <br>
with a matching packet trace file in libpcap format.<br>
<br>
<a href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a><br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
> wt., 28 lut 2023 o 08:12 Maciej Leks <<a href="mailto:maciej.leks@gmail.com" target="_blank">maciej.leks@gmail.com</a>> napisał(a):<br>
>><br>
>> For a couple of days we've been encountering many ECONNRESET error<br>
>> messages in our nodejs client to Salesforce. Even if access.log shows<br>
>> only /200 tshark shows a messy communication between client->squid<br>
>> (child squid).<br>
>><br>
>> The architecture: nodejs client->3..* child squid->2*parent<br>
>> squids->cloud Salesforce<br>
>><br>
>> Some examples ([RST]]: 46 1.015513576 100.121.10.169 → 100.113.27.73<br>
>> TCP 66 46098 → 3128 [ACK] Seq=1721 Ack=140135 Win=214656 Len=0<br>
>> TSval=2672547296 TSecr=1443424287<br>
>><br>
>> 47 1.016152326 100.113.27.73 → 100.121.10.169 TCP 66 3128 → 46098<br>
>> [FIN, ACK] Seq=140135 Ack=1721 Win=42368 Len=0 TSval=1443424288<br>
>> TSecr=2672547296<br>
>> 48 1.017856001 100.121.10.169 → 100.113.27.73 TLSv1.2 97 Encrypted Alert<br>
>> 49 1.017893411 100.121.10.169 → 100.113.27.73 TCP 66 46098 → 3128<br>
>> [FIN, ACK] Seq=1752 Ack=140136 Win=214656 Len=0 TSval=2672547298<br>
>> TSecr=1443424288<br>
>> 50 1.018002285 100.113.27.73 → 100.121.10.169 TCP 54 3128 → 46098<br>
>> [RST] Seq=140136 Win=0 Len=0<br>
>> 51 1.018019806 100.113.27.73 → 100.121.10.169 TCP 54 3128 → 46098<br>
>> [RST] Seq=140136 Win=0 Len=0<br>
>><br>
>> [RST,ACK]:<br>
>> 592 67.664585034 100.121.10.169 → 100.113.27.73 TLSv1.2 97 Encrypted Alert<br>
>> 593 67.664737552 100.113.27.73 → 100.121.10.169 TCP 66 3128 → 52202<br>
>> [ACK] Seq=7973 Ack=1129 Win=42752 Len=0 TSval=1443490937<br>
>> TSecr=2672613945<br>
>> 594 67.664841613 100.121.10.169 → 100.113.27.73 TCP 66 52202 → 3128<br>
>> [FIN, ACK] Seq=1129 Ack=7973 Win=42368 Len=0 TSval=2672613945<br>
>> TSecr=1443490937<br>
>> 595 67.664895660 100.113.27.73 → 100.121.10.169 TCP 66 3128 → 52202<br>
>> [RST, ACK] Seq=7973 Ack=1129 Win=42752 Len=0 TSval=1443490937<br>
>> TSecr=2672613945<br>
>> 596 67.664936264 100.113.27.73 → 100.121.10.169 TCP 54 3128 → 52202<br>
>> [RST] Seq=7973 Win=0 Len=0<br>
>><br>
>> I'm wondering how to debug it (what exactly) and whether the reason<br>
>> may be on the squid side (specific configuration?).<br>
>><br>
>> env: GKE/k8s<br>
>> client container: alpine linux<br>
>> child squid container: alpine linux<br>
>> version: 5.7<br>
>><br>
>> Cheers,<br>
>> Maciek Leks<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>