[squid-users] TFD-CONNECT (501 errors)

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 1 03:24:29 UTC 2015


On 1/07/2015 8:52 a.m., Randal Cowen wrote:
> For years I've been successfully running a squid. Last Wednesday the 17th
> magically only HTTPS requests fail over only AT&T's cellular network....
> 
> Everything still works great on any other land-line provider I've tested
> including AT&T's DSL service. Typically my logs show
> 
> 1435691713.787 240084 <Source IP> TCP_TUNNEL/200 381 CONNECT www.google.com:443 - HIER_DIRECT/216.239.32.20 -
> 
> but now magically over the AT&T cell network they come in..
> 
> 1435692019.503      0 <Source IP> TAG_NONE/501 4175 TFD-CONNECT https://iecvlist.microsoft.com/ - HIER_NONE/- text/html
> 
> Notice the odd "TFD-CONNECT" which I assume is 501 "Not Implemented" along
> with the URL now containing the https:// prefix...

"TFD-CONNECT" is being sent in as the HTTP request method. It is a
custom method unknown to Squid. It will therefore *not* trigger the
CONNECT method handling code, but be treated as a GET/POST request.

Please double-check this with a "debug_options 11,2" trace to see the
client request message. But I assume the URL also came in either to a
https_port or with "https://" already in the URL.

Your Squid can handle those URLs only if it has been built with OpenSSL
support. Otherwise they get rejected as HTTPS protocol is not implemented.


> 
> I'm not finding much on the TFD-CONNECT, what I am finding is leading me to
> believe AT&T has possibly enabled their "Toll Free Data" in my area and is
> messing with my headers/proxy tunnel.
> 
> Has anyone else been experiencing this? Or have any helpful clues?

I'm getting the nasty suspicion that they are decrypting the traffic and
passing it around un-encrypted. But you will need to investigate closer
to know for sure.

> 
> I have even downloaded and recompiled a completely new box for testing with
> the same behavior. The new box is
> 
> Squid Cache: Version 3.5.5-20150624-r13848
> Service Name: squid
> configure options:  '--prefix=/usr' '--includedir=/usr/include'
> '--datadir=/usr/share' '--bindir=/usr/sbin'
> '--libexecdir=/usr/lib64/squid--localstatedir=/var'
> '--sysconfdir=/etc/squid' --enable-ltdl-convenience

Please try adding --with-openssl (may need to install the openssl-dev
dependency). At the very least it will enable your Squid to service the
https:// URLs. No guarantees about what happens after that though.

Amos
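
Added example (not part of the original message and not Squid project code): a small scan of Squid native-format access.log lines for the failing shape discussed above, i.e. an unrecognised request method, a 501 status, and an https:// URL on a non-tunnel entry. The method allow-list, the function names and the sample client addresses are assumptions made for the example, and it assumes a Squid without SSL-Bump, where https:// URLs in the log are not otherwise expected.

```python
import re
from collections import Counter

# Assumed allow-list of standard methods (RFC 7231 plus PATCH); this is not
# Squid's internal method table, so extend it (e.g. WebDAV) before real use.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                 "OPTIONS", "TRACE", "PATCH"}

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)")

def flag_line(line):
    """Return (client, method, url, reasons) for a suspicious entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["method"] not in KNOWN_METHODS:
        reasons.append("unknown-method")
    if m["status"] == "501":
        reasons.append("501-not-implemented")
    # A tunnelled CONNECT is logged as host:port. An https:// URL on a
    # non-tunnel entry matches the failing shape in the post (assumes no
    # SSL-Bump, where such URLs would be normal).
    if m["url"].startswith("https://") and m["code"] != "TCP_TUNNEL":
        reasons.append("https-url-not-tunnelled")
    return (m["client"], m["method"], m["url"], reasons) if reasons else None

def summarize(lines):
    """Return flagged entries and a count per (client, method) pair."""
    hits = [f for f in map(flag_line, lines) if f]
    return hits, Counter((client, method) for client, method, _, _ in hits)

# Constructed sample: the two log shapes from the post, with documentation
# addresses (192.0.2.0/24) standing in for the elided source IP.
SAMPLE = [
    "1435691713.787 240084 192.0.2.10 TCP_TUNNEL/200 381 CONNECT "
    "www.google.com:443 - HIER_DIRECT/216.239.32.20 -",
    "1435692019.503      0 192.0.2.77 TAG_NONE/501 4175 TFD-CONNECT "
    "https://iecvlist.microsoft.com/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for client, method, url, reasons in summarize(SAMPLE)[0]:
        print(client, method, url, ",".join(reasons))
```

Grouping the counts by client address shows whether the rewritten requests arrive only from one carrier's address ranges, which is the pattern described in the question.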

