[squid-users] Google Chrome reports "Too many redirects" on ssl-dumped connections with LA Times News Website

Jeffrey Merkey jeffmerkey at gmail.com
Fri Nov 3 19:35:05 UTC 2017


On 11/3/17, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 03/11/17 19:45, Jeffrey Merkey wrote:
>> This error is extremely hard to reproduce, and I found it can be
>> cleared by restarting squid, which seems to make it go away.   It
>> seems to take several hours of non-stop proxy use then once the error
>> occurs the we browser reports "too many redirects" and certificate
>> errors.
>>
>> Doing a restart on Centos 7 clears it:
>>
>> # systemctl restart squid
>>
>> The log shows some sort of "refresh unmodified state before it happens:
>>
>> 1509690588.252    167 127.0.0.1 TAG_NONE/200 0 CONNECT
>> events.bouncex.net:443 - HIER_DIRECT/35.190.62.200 -
>> 1509690588.272    210 127.0.0.1 TAG_NONE/200 0 CONNECT
>> analytics.twitter.com:443 - HIER_DIRECT/199.59.149.200 -
>> 1509690588.280     62 127.0.0.1 TCP_REFRESH_UNMODIFIED/200 38412 GET
>> http://www.latimes.com/nation/la-na-vegas-shooting-sheriff-20171102-story.html
>> - HIER_DIRECT/104.120.143.198 text/html      <================== error
>> is here
>
> This is a 200 status response. So whatever "redirection" is occuring is
> not part of the HTTP for that transaction.
>
> The refresh means that something was cached beforehand but was stale so
> the server had to be asked for permission to deliver it. UNMODIFIED
> means the server responded by indicating it was okay to use.
>
>> 1509690588.356    220 127.0.0.1 TCP_MISS/200 960 GET
>> https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/34.228.123.38
>> text/xml
>> 1509690588.366    304 127.0.0.1 TAG_NONE/200 0 CONNECT
>> geo.moatads.com:443 - HIER_DIRECT/52.21.172.68 -
>> 1509690588.374    303 127.0.0.1 TAG_NONE/200 0 CONNECT
>> rtr.innovid.com:443 - HIER_DIRECT/13.58.208.14 -
>> 1509690588.377     33 127.0.0.1 TCP_MISS/200 498 GET
>> https://tribpubdfp745347008913.s.moatpixel.com/pixel.gif? - HIER_
>>
>> If there are particulars and I attempt to recreate this problem are
>> there any specific logging parms or settings that would help you
>> understand this particular error or shed some light on it that I could
>> set on my end.
>
> The tool at redbot.org shows the HTTP protocol and all the content at
> that refreshed URL is all relatively normal. Some Vary issues, but that
> should not be leading to redirect loops.
>
>
> Since the error is showing up in the browser and not easily visible in
> the server traffic I think the best place to look would be to debug what
> the browser is doing exactly. It probably has something to do with how
> it handles those cert errors (ie TLS-Everywhere misfeatures always
> trying to do broken https:// when http:// works fine).
>
>
> Also, which Squid version are you using may matter. You didn't say which.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

Hi Amos,

Thanks for responding, the squid version is:

Squid Cache: Version 3.5.27
Service Name: squid

This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal
restrictions on distribution see
https://www.openssl.org/source/license.html

configure options:  '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd' '--enable-http-violations'

I also wanted to let you know that I upgraded my Chrome browser about
a week ago and that's when the redirect errors started showing up.
This makes me lean towards the possibility that it's a bug of some
sort in the Chrome browser itself.   What makes me suspect another bug
in Squid is the fact that restarting the squid server clears the
browser error.  I will attempt to log the error better the next time I
see it and perhaps that will help run it down.  If the bug is in
Chrome then its clearly not a problem with Squid, but the fact that
reloading squid clears the bug gives me pause to review both.

The specific Chrome version I am seeing this error with is:

obtained from about:version

Google Chrome	60.0.3112.101 (Official Build) (64-bit)
Revision	1f3c0cf4b3083dfbe4da434af1726820cf384ce3-refs/branch-heads/3112@{#723}
OS	Linux
JavaScript	V8 6.0.286.54
Flash	27.0.0.183
/home/jmerkey/.config/google-chrome/PepperFlash/27.0.0.183/libpepflashplayer.so
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/60.0.3112.101 Safari/537.36
Command Line	/usr/bin/google-chrome-stable --flag-switches-begin
--flag-switches-end
Executable Path	/opt/google/chrome/google-chrome
Profile Path	/home/jmerkey/.config/google-chrome/Profile 1
Variations	241fff6c-4eda1c57
3095aa95-3f4a17df
7c1bc906-f55a7974
47e5d3db-3d47f4f4
d43bf3e5-bd7cd813
ba3f87da-45bda656
5ca89f9-3f4a17df
f3499283-7711d854
9e201a2b-7e3ae057
5b3ed0a1-3f4a17df
68812885-4d2fac87
9bd94ed7-b1c9f6b0
b791c1b8-3f4a17df
9773d3bd-f23d1dea
2e109477-f3b42e62
99144bc3-3cc2175e
9e5c75f1-dadcfe94
f79cb77b-3d47f4f4
b7786474-d93a0620
27219e67-b2047178
23a898eb-e0e2610f
64224f74-5087fa4a
56302f8c-2f882e70
de03e059-e65e20f2
f56e0452-f23d1dea
1354da85-f34af386
494d8760-91c810ef
3ac60855-486e2a9c
f296190c-a0af34c0
4442aae2-75cb33fc
ed1d377-e1cc0f14
75f0f0a0-e1cc0f14
e2b18481-e1cc0f14
e7e71889-e1cc0f14
828a5926-9d7acf42
a88c475d-3d47f4f4

Jeff


More information about the squid-users mailing list