[squid-users] Squid 3.5 Disable CONNECT TUNNEL
Amos Jeffries
squid3 at treenet.co.nz
Fri Jun 7 08:44:28 UTC 2019
On 7/06/19 6:50 pm, Techie wrote:
> Hello,
>
> Previously running squid 3.1 on Centos 6, recently went to Centos7 with
> squid 3.5.
> Since the upgrade I have been receiving SSL errors connecting to https
> sites.
>
> I notice in the log for squid 3.1I have entries like this when hitting
> https sites
> 172.16.80.25 TCP_MISS/200 6086 CONNECT www.securesite.com:443
> <http://www.securesite.com:443> - DIRECT/x.x.x.x
>
> Now they look to be utilizing TCP_TUNNEL as seen below with squid 3.5
> 192.168.2.10 TCP_TUNNEL/200 4371 CONNECT www.securesite.com:443
> <http://www.securesite.com:443> - HIER_DIRECT/x.x.x.x
>
> Is there a way to disable the TCP_TUNNEL feature?
The "MISS" earlier was always a lie, implying that the cache had some
involvement. These transactions are simply not involving cache in any
way. The old version log entries that had CONNECT method with "TCP_MISS"
are identical to what the newer versions log as CONNECT with "TCP_TUNNEL"
If you are seeing "TUNNEL" logged, then Squid is not touching that
traffic at all. Any TLS/SSL problems are an issue between the client and
server directly talking that protocol to each other - Squid is
irrelevant to traffic problems.
If you are okay telling us what HTTPS errors exactly are showing up
perhaps someone may be able to help with or at least identify where the
problem actually is.
Amos
More information about the squid-users
mailing list