[squid-users] Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

Alex Rousskov rousskov at measurement-factory.com
Mon Aug 19 19:59:13 UTC 2024


On 2024-08-19 15:27, ngtech1ltd at gmail.com wrote:

> I see that there is a SNI so I am not sure how to look at the issue.

FWIW, as the next step, I still recommend answering the remaining open 
questions. Everything else makes a fascinating read but is less likely to 
help us make progress (and may obscure/hide actual answers and test 
results). I will restate those remaining questions for your convenience:

* Do all those 12 access.log records correspond to a single curl 
request? If not, please only share access.log record(s) that do correspond.

2. Does everything work for non-intercept ports? Use the same curl test 
you have shared below, but specify proxy address for curl to use.

4. Does everything work when you remove "ssl-bump" and related options 
from intercepting http_port 33128 (and use that intercepted port in the 
same curl test)?

5. Does everything work when you use "ssl_bump splice all" instead of 
your current ssl_bump rule? Same curl parameters as in Q4.

6. Does everything work when you use "ssl_bump peek all" instead of your 
current ssl_bump rule? Same curl parameters as in Q4.


While going through the above list, top to bottom, if you find a test 
that does _not_ work, pause: There is no need to proceed with other, 
more complicated tests if an earlier simpler/basic test fails.


HTH,

Alex.


> I was thinking that maybe it's something with the OpenSSL version (3.x.x) on Fedora but then I installed both 5.9 and 6.10 on Almalinux 8 and the result is the same.
> 
> I will describe my setup which might give some background.
> I have a very big lab...
> In the front of the Internet connection there are couple NGFW devices and RouterOS.
> Mikrotik RouterOS is the edge and all the others are used with PBR accordingly.
> The proxy sits in a different segment on the network and I have tried couple methods to intercept the traffic with squid.
> The only one which works with Squid and the existing equipment and do not cause some weird loop is ethernet level tunnel ie not:
> * GRE
> * IPIP
> And couple others.
> 
> The only ones which work fine are:
> * EoIP (Mikrotik which is based on GRE)
> * VxLAN
> 
> There are two methods to intercept the traffic:
> * PBR+DNAT on the squid box
> * PBR+TPROXY on the squid box
> 
> Since the intercept method terminates the connection and creates a new one with the ip of the proxy it's very simple to even use gre and ipip.
> But, with tproxy to allow the traffic being identified currently as a packet which is not still in the routing stack we the linux OS need to tag it somehow.
> To do that the default "Salt" for the packet hash in the routing stack is the source and destination mac address.
> Due to this the only methods which are allowing to use tproxy are the above mentioned tunnels. (Maybe I will post a video on it later on with a demo)
> 
> The Mikrotik RouterOS device re-routes the traffic from the LAN interface into the VxLAN interface directly to the proxy machine which has a
> static or dynamic route to the LAN subnet via the other side of the VxLAN tunnel which is the edge RouterOS device.
> I want to gather a set of configurations and tests for this configurations to verify what might cause this issue and if possible to resolve it.
> For me it seems that if my FortiGate and CheckPoint devices are able to intercept the traffic and "Bump" it, there is no reason why squid should
> be able to do that the same way.
> 
> I will later on send you a private link to the pcaps in a zip file so you would be able to inspect this issue in the network level and to see if there is
> some details which can help us understand what cause this specific issue.
> 
> I want to say that bumping works fine on non-intercepted connections and that I have tested the interception with the two available methods ie:
> * DNAT Redirect
> * Tproxy
> 
> Thanks,
> Eliezer Croitoru
> 
> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Sent: Monday, August 19, 2024 7:18 PM
> To: NgTech LTD <ngtech1ltd at gmail.com>
> Subject: Re: [squid-users] Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic
> 
> Eliezer, please move this thread back to squid-users mailing list
> instead of emailing me personally. When you do so, please clarify
> whether all 12 access.log records correspond to this single curl request
> (if not, please only share access.log record(s) that do correspond). --Alex.
> 
> On 2024-08-19 12:03, NgTech LTD wrote:
>> This is the output of curl on windows 11 desktop:
>> C:\Users\USER>curl https://www.youtube.com/ -k -v -o 1.txt
>>     % Total    % Received % Xferd  Average Speed   Time    Time     Time
>>    Current
>>                                    Dload  Upload   Total   Spent    Left
>>    Speed
>>     0     0    0     0    0     0      0      0 --:--:-- --:--:--
>> --:--:--     0* Host www.youtube.com:443 was resolved.
>> * IPv6: 2a00:1450:4001:800::200e, 2a00:1450:4001:80e::200e,
>> 2a00:1450:4001:81c::200e, 2a00:1450:4001:809::200e
>> * IPv4: 142.250.185.78, 142.250.185.110, 142.250.185.142,
>> 142.250.186.174, 142.250.185.174, 142.250.184.238, 142.250.185.238,
>> 142.250.185.206, 142.250.181.238, 142.250.186.46, 142.250.186.78,
>> 172.217.16.142, 216.58.212.174, 216.58.206.46, 172.217.23.110,
>> 216.58.212.142
>> *   Trying 142.250.185.78:443...
>> * Connected to www.youtube.com (142.250.185.78) port 443
>> * schannel: disabled automatic use of client certificate
>> * ALPN: curl offers http/1.1
>> * ALPN: server accepted http/1.1
>> * using HTTP/1.x
>>   > GET / HTTP/1.1
>>   > Host: www.youtube.com
>>   > User-Agent: curl/8.8.0
>>   > Accept: */*
>>   >
>> * Request completely sent off
>> * schannel: remote party requests renegotiation
>> * schannel: renegotiating SSL/TLS connection
>> * schannel: SSL/TLS connection renegotiated
>> * schannel: failed to decrypt data, need more data
>> < HTTP/1.1 200 OK
>> < Content-Type: text/html; charset=utf-8
>> < X-Content-Type-Options: nosniff
>> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
>> < Pragma: no-cache
>> < Expires: Mon, 01 Jan 1990 00:00:00 GMT
>> < Date: Mon, 19 Aug 2024 16:02:23 GMT
>> < X-Frame-Options: SAMEORIGIN
>> < Strict-Transport-Security: max-age=31536000
>> < Origin-Trial:
>> AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
>> < Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
>> < Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
>> < Content-Security-Policy: require-trusted-types-for 'script'
>> < Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
>> < P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
>> < Server: ESF
>> < X-XSS-Protection: 0
>> < Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Mon, 19-Aug-2024 16:32:23 GMT; Path=/; Secure; HttpOnly
>> < Set-Cookie: YSC=XYs_jViLkFw; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none
>> < Set-Cookie: VISITOR_INFO1_LIVE=csMabhlNyrI; Domain=.youtube.com; Expires=Sat, 15-Feb-2025 16:02:23 GMT; Path=/; Secure; HttpOnly; SameSite=none
>> < Set-Cookie: VISITOR_PRIVACY_METADATA=CgJJTBIEGgAgVw%3D%3D; Domain=.youtube.com; Expires=Sat, 15-Feb-2025 16:02:23 GMT; Path=/; Secure; HttpOnly; SameSite=none
>> < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
>> < Accept-Ranges: none
>> < Vary: Accept-Encoding
>> < Transfer-Encoding: chunked
>> <
>> { [3674 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [8008 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6880 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2462 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [4128 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [4128 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [4128 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5242 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6922 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6880 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [20378 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6880 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [3839 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6880 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [9632 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6880 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [2752 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [7994 bytes data]
>> 100  193k    0  193k    0     0   293k      0 --:--:-- --:--:-- --:--:--
>>    294k* schannel: failed to decrypt data, need more data
>> { [28937 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [8414 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [9632 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [7852 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [5504 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [17888 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [19016 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [15136 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [10760 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [6880 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [34152 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [28648 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [33026 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [14888 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [24768 bytes data]
>> * schannel: failed to decrypt data, need more data
>> { [12136 bytes data]
>> 100  498k    0  498k    0     0   665k      0 --:--:-- --:--:-- --:--:--
>>    669k
>> * Connection #0 to host www.youtube.com left intact
>>
>> And the access.log:
>> 1724083303.298      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>> 1724083303.888    589 192.168.78.15 TCP_TUNNEL/200 529157 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
>> 1724083307.305      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>> 1724083307.908    603 192.168.78.15 TCP_TUNNEL/200 530241 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
>> 1724083311.615      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>> 1724083312.255    640 192.168.78.15 TCP_TUNNEL/200 528465 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
>> 1724083316.666      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>> 1724083317.315    649 192.168.78.15 TCP_TUNNEL/200 529617 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
>> 1724083342.731      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>> 1724083343.377    645 192.168.78.15 TCP_TUNNEL/200 528377 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
>> 1724083378.565      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>> 1724083378.801      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>
>>
>> ----
>> Eliezer Croitoru
>> Tech Support
>> Mobile: +972-5-28704261
>> Email: ngtech1ltd at gmail.com
>>
>>
>> On Mon, Aug 19, 2024 at 3:21 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>
>>      On 2024-08-19 03:47, NgTech LTD wrote:
>>       > I am testing Squid 6.10 on Fedora 40 (their package).
>>       > And it seems that Squid is unable to bump clients (ESNI/ECH)?
>>       >
>>       > I had couple iterations of peek stare and bump and I am not sure what is
>>       > the reason for that:
>>
>>      What do you use as a client? Judging by the number of
>>      error:invalid-request entries in your access.log, that client may
>>      not be
>>      speaking HTTP/1 inside those CONNECT tunnels.
>>
>>      Does everything work for non-intercept ports?
>>
>>      Does everything work in a basic curl or wget test?
>>
>>      Does everything work when you remove "ssl-bump" and related options
>>      from
>>      intercepting http_port 33128?
>>
>>      Does everything work when you use "ssl_bump splice all" instead of your
>>      current ssl_bump rule?
>>
>>      Does everything work when you use "ssl_bump peek all" instead of your
>>      current ssl_bump rule?
>>
>>      Alex.
>>
>>
>>       > shutdown_lifetime 3 seconds
>>       > external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10 children-startup=2 \
>>       >          children-idle=2 concurrency=10 %URI %SRC /usr/local/bin/squid-conf-url-lookup.rb
>>       > acl whitelist-lookup external  whitelist-lookup-helper
>>       > acl ytmethods method POST GET
>>       > acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
>>       > acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
>>       > acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
>>       > acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
>>       > acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
>>       > acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
>>       > acl localnet src fc00::/7               # RFC 4193 local private network range
>>       > acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
>>       > acl SSL_ports port 443
>>       > acl Safe_ports port 80          # http
>>       > acl Safe_ports port 21          # ftp
>>       > acl Safe_ports port 443         # https
>>       > acl Safe_ports port 70          # gopher
>>       > acl Safe_ports port 210         # wais
>>       > acl Safe_ports port 1025-65535  # unregistered ports
>>       > acl Safe_ports port 280         # http-mgmt
>>       > acl Safe_ports port 488         # gss-http
>>       > acl Safe_ports port 591         # filemaker
>>       > acl Safe_ports port 777         # multiling http
>>       > http_access deny !Safe_ports
>>       > http_access deny CONNECT !SSL_ports
>>       > http_access allow localhost manager
>>       > http_access deny manager
>>       > http_access allow localhost
>>       > http_access deny to_localhost
>>       > http_access deny to_linklocal
>>       > acl tubedoms dstdomain .ytimg.com .youtube.com .youtu.be
>>       > http_access allow ytmethods localnet tubedoms whitelist-lookup
>>       > http_access allow localnet
>>       > http_access deny all
>>       > http_port 3128
>>       > http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
>>       >          generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>       > http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
>>       >          generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>       > http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
>>       >          generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>       > sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
>>       > sslcrtd_children 5
>>       > acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
>>       > acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
>>       > on_unsupported_protocol tunnel foreignProtocol
>>       > on_unsupported_protocol tunnel serverTalksFirstProtocol
>>       > on_unsupported_protocol respond all
>>       > acl monitoredSites ssl::server_name .youtube.com .ytimg.com
>>       > acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com
>>       > acl serverIsBank ssl::server_name .visa.com
>>       > acl step1 at_step SslBump1
>>       > acl step2 at_step SslBump2
>>       > acl step3 at_step SslBump3
>>       > ssl_bump bump all
>>       > strip_query_terms off
>>       > coredump_dir /var/spool/squid
>>       > refresh_pattern ^ftp:           1440    20%     10080
>>       > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>       > refresh_pattern .               0       20%     4320
>>       > logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
>>       > access_log daemon:/var/log/squid/access.log ssl_custom_format
>>       > ##EOF
>>       >
>>       > access.log from before:
>>       > 1724028804.797    486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
>>       > 1724028805.413      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.029      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.030      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.085     57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
>>       > 1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
>>       > 1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
>>       > 1724028806.208      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.213      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.338      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.469      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028806.596      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028807.006      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028807.262      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028808.922   5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
>>       > 1724028812.906   8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT 104.126.37.171:443 - ORIGINAL_DST/104.126.37.171 - -
>>       > 1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT 142.250.186.34:443 - ORIGINAL_DST/142.250.186.34 - -
>>       > 1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT 142.250.184.246:443 - ORIGINAL_DST/142.250.184.246 - -
>>       > 1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT 216.58.206.65:443 - ORIGINAL_DST/216.58.206.65 - -
>>       > 1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT 142.250.181.227:443 - ORIGINAL_DST/142.250.181.227 - -
>>       > 1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT 172.217.16.196:443 - ORIGINAL_DST/172.217.16.196 - -
>>       > 1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT 142.250.185.238:443 - ORIGINAL_DST/142.250.185.238 - -
>>       > 1724028830.336      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028830.781    444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
>>       > 1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT 13.107.6.158:443 - ORIGINAL_DST/13.107.6.158 - -
>>       > 1724028849.443      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028849.698      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028865.261      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028865.779    517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
>>       > 1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT 20.42.65.94:443 - ORIGINAL_DST/20.42.65.94 - -
>>       > 1724028871.179  64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT 104.18.10.207:443 - ORIGINAL_DST/104.18.10.207 - -
>>       > 1724028871.179  63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT 142.250.186.99:443 - ORIGINAL_DST/142.250.186.99 - -
>>       > 1724028871.179  64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT 142.250.185.170:443 - ORIGINAL_DST/142.250.185.170 - -
>>       > 1724028871.308      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028871.731    422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
>>       > 1724028872.486      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028873.477      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028873.745      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028873.902    424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
>>       > 1724028877.056      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT 142.250.186.78:443 - ORIGINAL_DST/142.250.186.78 - -
>>       > 1724028878.800      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028878.920      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028879.072      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028880.808   7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT 104.126.37.145:443 - ORIGINAL_DST/104.126.37.145 - -
>>       > 1724028882.468  33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT 49.12.59.2:443 - ORIGINAL_DST/49.12.59.2 - -
>>       > 1724028883.728   6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
>>       > 1724028883.789   6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
>>       > 1724028883.797   6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
>>       > 1724028883.845   6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
>>       > 1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT 185.199.108.153:443 - ORIGINAL_DST/185.199.108.153 - -
>>       > 1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT 104.126.37.161:443 - ORIGINAL_DST/104.126.37.161 - -
>>       > 1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT 23.37.37.211:443 - ORIGINAL_DST/23.37.37.211 - -
>>       > 1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT 2.18.140.238:443 - ORIGINAL_DST/2.18.140.238 - -
>>       > 1724028891.212      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028891.365    152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT 142.250.185.138:443 - ORIGINAL_DST/142.250.185.138 - -
>>       > 1724028893.885  90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
>>       > 1724028900.169      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
>>       > 1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT 52.123.243.197:443 - ORIGINAL_DST/52.123.243.197 - -
>>       > 1724028960.494  60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT 172.217.16.206:443 - ORIGINAL_DST/172.217.16.206 - -
>>       > 1724028960.494      0 192.168.78.15 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - -
>>       >
>>       > Thanks for any help,
>>       >
>>       >
>>       > ----
>>       > Eliezer Croitoru
>>       > Tech Support
>>       > Mobile: +972-5-28704261
>>       > Email: ngtech1ltd at gmail.com
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
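
An added example, not part of the original messages: one way to approach the first question above (which access.log records belong to a single curl run) is to parse the records in the thread's `ssl_custom_format` layout and keep those whose lifetime covers the moment curl received its response. It assumes the proxy clock and the origin's `Date` header roughly agree; the 2-second slack and 50 ms grouping gap are arbitrary choices.

```python
from email.utils import parsedate_to_datetime

# Field order of the thread's logformat "ssl_custom_format":
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
FIELDS = ("ts", "elapsed_ms", "client", "status", "size", "method",
          "url", "user", "hier", "mime", "sni")

# The 12 records quoted in the thread, unwrapped, mail link debris removed.
SAMPLE_LOG = """\
1724083303.298      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724083303.888    589 192.168.78.15 TCP_TUNNEL/200 529157 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
1724083307.305      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724083307.908    603 192.168.78.15 TCP_TUNNEL/200 530241 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
1724083311.615      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724083312.255    640 192.168.78.15 TCP_TUNNEL/200 528465 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
1724083316.666      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724083317.315    649 192.168.78.15 TCP_TUNNEL/200 529617 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
1724083342.731      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724083343.377    645 192.168.78.15 TCP_TUNNEL/200 528377 CONNECT 142.250.185.78:443 - ORIGINAL_DST/142.250.185.78 - -
1724083378.565      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724083378.801      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
"""

# "Date" response header and client address from the curl output in the thread.
CURL_DATE = "Mon, 19 Aug 2024 16:02:23 GMT"
CLIENT = "192.168.78.15"


def parse_record(line):
    """Split one access.log line into named fields and add start/end times."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["end"] = float(rec["ts"])              # records are written at transaction end
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["start"] = rec["end"] - rec["elapsed_ms"] / 1000.0
    rec["size"] = int(rec["size"])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def http_date_to_epoch(http_date):
    """Convert an HTTP Date header value to seconds since the epoch."""
    return parsedate_to_datetime(http_date).timestamp()


def records_near(records, client, when, slack=2.0):
    """Records from `client` whose lifetime, widened by `slack` s, covers `when`."""
    return [r for r in records
            if r["client"] == client
            and r["start"] - slack <= when <= r["end"] + slack]


def group_connections(records, gap=0.05):
    """Heuristic: records of one client starting within `gap` s form one attempt."""
    groups = []
    for rec in sorted(records, key=lambda r: r["start"]):
        last = groups[-1] if groups else None
        if (last and rec["client"] == last[0]["client"]
                and rec["start"] - last[0]["start"] <= gap):
            last.append(rec)
        else:
            groups.append([rec])
    return groups


def summarize(records):
    """Count what Squid logged: parse failures, blind tunnels, decrypted requests."""
    return {
        "parse_errors": sum(r["url"].startswith("error:") for r in records),
        "tunnels": sum(r["status"].startswith("TCP_TUNNEL") for r in records),
        "decrypted_requests": sum(r["method"] not in ("-", "CONNECT") for r in records),
        "sni_values": sorted({r["sni"] for r in records if r["sni"] != "-"}),
    }


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    when = http_date_to_epoch(CURL_DATE)
    hits = records_near(records, CLIENT, when)
    print(f"{len(records)} records in {len(group_connections(records))} attempts")
    for rec in hits:
        print(rec["ts"], rec["status"], rec["method"], rec["url"], rec["size"])
    print(summarize(hits))
```

Re-running the same script after each of the numbered tests (for example with "ssl_bump splice all" or "ssl_bump peek all") makes it easy to compare whether an SNI value or a decrypted request starts to appear in the matching records.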


