[squid-users] Why some traffic is TCP_DENIED

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 16 18:09:37 UTC 2021


On 16/02/21 11:09 pm, Vieri wrote:
> Hi,
> 
> I'm trying to understand why Squid denies access to some sites, eg:
> 
> [Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
> [Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
> [Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
> [Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
> [Tue Feb 16 10:15:36 2021].053     49 10.215.248.74 TCP_MISS/200 2037 GET https://puk1-collabhubrtc.officeapps.live.com/rtc2/signalr/negotiate? - ORIGINAL_DST/52.108.88.1 application/json
> [Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
> [Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
> [Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
> 
> 
> If I take the first line in the log and I open the URL from a client I use then the site opens as expected, and the corresponding Squid log is:
> 
> [Tue Feb 16 10:45:50 2021].546    628 10.215.111.210 TCP_MISS/200 2134 GET https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - ORIGINAL_DST/23.210.36.30 application/octet-stream
> [Tue Feb 16 10:45:52 2021].668     49 10.215.111.210 NONE_NONE/000 0 CONNECT 216.58.215.138:443 - ORIGINAL_DST/216.58.215.138 -
> 
> In this log I see my host's IP addr. 10.215.111.210.
> However, in the first log I do not see a source IP address. Why?


Because this is Squid downloading the cert for its own use; for example, 
SSL-Bump needing it to complete a TLS cert chain.


> 
> Other clients seem to be denied access with errors in the log such as "NONE_NONE/000"  followed by error:invalid-request or error:transaction-end-before-headers. How can I find out why I get "invalid requests"? Would a tcpdump on the server or client help? Or should I enable verbose debugging in Squid?

Looking at all these lines together I see:

  * a client TLS connection being intercepted, the server cert chain is 
incomplete.
  * Squid attempts to download the missing cert(s).
  * squid.conf rules force the cert download to get a 302 instead of a 
valid cert.
  * which leaves Squid unable to send the TLS connection client a valid 
cert chain.
  * the client rejects the TLS handshake and disconnects before any HTTP 
happens.


To avoid these, you need to prevent your squid.conf rules from generating 
that 302 when Squid is initiating the request. The ACL type 
"transaction_initiator" can be used for that.


Amos
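Added example, not part of Amos's reply or of the Squid project: a squid.conf fragment showing the shape of the fix described above, for Squid 4 or later (where the transaction_initiator ACL type exists). It assumes the 302 in the log comes from a deny_info redirect attached to a source-gated rule such as "http_access deny !localnet"; the ACL names squid_cert_fetch and localnet, the network ranges and the redirect URL are all my own placeholders. The initiator names certificate-fetching, internal and client are the real ones accepted by the ACL.

```conf
# squid.conf fragment (added example, not from the original thread).
#
# A request Squid makes for its own purposes has no client behind it,
# so access.log shows "-" in the client-address column, as in the
# TCP_DENIED/302 line for MicRooCerAut2011_2011_03_22.crt above.
# Here the trigger is SSL-Bump fetching a missing intermediate cert
# to complete the server chain for an intercepted client.

# Hypothetical existing policy: only the LAN may use the proxy, and
# everything else is bounced to a block page with a 302. A Squid-
# initiated fetch has no source address, so "localnet" cannot match
# it and it falls through to the deny + redirect.
acl localnet src 10.215.0.0/16                      # placeholder range
deny_info 302:http://blockpage.example.internal/ localnet

# Match transactions Squid started to fetch a missing intermediate
# TLS certificate. Alternatives: "internal" matches every Squid-
# initiated transaction (ESI, cache digests, cert fetching);
# "client" matches only requests received on an http(s)_port.
acl squid_cert_fetch transaction_initiator certificate-fetching

# Allow the cert fetch BEFORE the rule that produces the 302.
# http_access is first-match, so ordering is the whole fix.
http_access allow squid_cert_fetch

# ... original rules follow unchanged ...
http_access deny !localnet
```

To confirm the diagnosis before changing anything, look in access.log for lines whose client column is "-" and whose result is TCP_DENIED/302 with HIER_NONE; after the change the same fetch should log as TCP_MISS/200 with ORIGINAL_DST, like the manual fetch from 10.215.111.210 in the thread. Keep the allow narrow: "certificate-fetching" only lets Squid retrieve certificate material, whereas "internal" would also exempt cache-digest and ESI fetches from your policy.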

