[squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)
R
randomrodrick at proton.me
Sat Dec 14 16:26:06 UTC 2024
Hello,
My current goal is to set up a caching instance for https static content with squid 6.12.
ssl-bump is set up according to https://wiki.squid-cache.org/Features/SslBump and it works fine, at least from the clients' perspectives and without any noticeable issues (e.g. with Firefox or Safari). Sometimes (~5-8% of the total requests) I can even get a few cache hits - including those juicy TCP_MEM_HIT/200s.
What has been bothering me though is the impressive amount of client request errors being logged:
# a few seconds after an instance restart
openvpn-client2:/$ squidclient cache_object://localhost/counters | grep client_http.errors
client_http.errors = 8
openvpn-client2:/$ squidclient cache_object://localhost/counters | grep client_http.errors
client_http.errors = 20
In the access_log, it is possible to see many NONE_NONE/200 being logged for **almost every https request**. The amount of logged NONE_NONE/200 seems to vary according to the target website: github.com:443 throws 6-7 errors, while lists.squid-cache.org throws only one.
As mentioned, everything seems to be fine for the clients (my Grafana dashboard disagrees). Switching, for example, the config from:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
to
ssl_bump peek all
ssl_bump slice all
makes the NONE_NONE/200 disappear from the logs altogether, but that does not meet the initial caching objective.
What do these NONE_NONE/200 mean exactly? How can I identify their underlying cause and reduce the total number of logged errors?
Side question: are there any plans to move from this email-based list to GitHub issues in your repository (https://github.com/squid-cache/squid)?
Thanks and regards,
Rod
---
squid.conf:
cache_effective_user squid
cache_effective_group users
pid_filename /var/run/squid/squid.pid
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# begin ssl-bump
http_port 3128 \
ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=40MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 40MB
sslcrtd_children 5
# end ssl-bump
cache allow all
cache_dir aufs /cache 51200 16 256
cache_mem 2 GB
maximum_object_size_in_memory 512 MB
maximum_object_size 6 GB
cache_swap_low 80
cache_swap_high 95
coredump_dir /cache
acl hasRequest has request
acl hasResponse has response
acl cachemgr1 url_regex ^cache_object://
logformat xsquid %tl %6tr %>a %Ss/%03>Hs %err_code/%err_detail %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log logformat=xsquid hasRequest !cachemgr1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .jpg 120 50% 86400 override-lastmod override-expire ignore-reload ignore-no-store ignore-private store-stale # just to artificially force some hits
refresh_pattern . 3600 80% 14400
range_offset_limit none
forwarded_for on
access_log:
14/Dec/2024:15:28:14 +0000 122 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT 4chan.org:443 - HIER_DIRECT/4chan.org -
14/Dec/2024:15:28:14 +0000 239 192.168.1.125 TCP_MISS/200 -/- 4876 GET https://4chan.org/ - HIER_DIRECT/4chan.org text/html
14/Dec/2024:15:28:14 +0000 145 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT i.4cdn.org:443 - HIER_DIRECT/i.4cdn.org -
14/Dec/2024:15:28:14 +0000 145 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT i.4cdn.org:443 - HIER_DIRECT/i.4cdn.org -
14/Dec/2024:15:28:14 +0000 145 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT i.4cdn.org:443 - HIER_DIRECT/i.4cdn.org -
14/Dec/2024:15:28:14 +0000 144 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT i.4cdn.org:443 - HIER_DIRECT/i.4cdn.org -
14/Dec/2024:15:28:14 +0000 147 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT i.4cdn.org:443 - HIER_DIRECT/i.4cdn.org -
14/Dec/2024:15:28:14 +0000 153 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT i.4cdn.org:443 - HIER_DIRECT/i.4cdn.org -
14/Dec/2024:15:28:14 +0000 60 192.168.1.125 TCP_MISS/200 -/- 9636 GET https://i.4cdn.org/sp/1734116081466614s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 65 192.168.1.125 TCP_MISS/200 -/- 4521 GET https://i.4cdn.org/a/1734088830105726s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 64 192.168.1.125 TCP_MISS/200 -/- 7356 GET https://i.4cdn.org/v/1734174698931944s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 66 192.168.1.125 TCP_MISS/200 -/- 12559 GET https://i.4cdn.org/vr/1734154519311392s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 67 192.168.1.125 TCP_MISS/200 -/- 4810 GET https://i.4cdn.org/vg/1734151107375798s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 77 192.168.1.125 TCP_MISS/200 -/- 5194 GET https://i.4cdn.org/int/1734146907548086s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 74 192.168.1.125 TCP_MISS/200 -/- 8464 GET https://i.4cdn.org/fit/1734081397035134s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:14 +0000 75 192.168.1.125 TCP_MISS/200 -/- 7634 GET https://i.4cdn.org/co/1734014992706889s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 105 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT boards.4chan.org:443 - HIER_DIRECT/boards.4chan.org -
14/Dec/2024:15:28:17 +0000 117 192.168.1.125 TCP_REFRESH_MODIFIED/200 -/- 21264 GET https://boards.4chan.org/hr/ - HIER_DIRECT/boards.4chan.org text/html
14/Dec/2024:15:28:17 +0000 104 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT s.4cdn.org:443 - HIER_DIRECT/s.4cdn.org -
14/Dec/2024:15:28:17 +0000 66 192.168.1.125 TCP_MISS/200 -/- 7329 GET https://s.4cdn.org/image/contest_banners/4da91e15078cd0b401a3df182447d7f6ef53a041.png - HIER_DIRECT/s.4cdn.org image/png
14/Dec/2024:15:28:17 +0000 64 192.168.1.125 TCP_MISS/200 -/- 2195 GET https://i.4cdn.org/hr/1734185018492644s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 64 192.168.1.125 TCP_MISS/200 -/- 2488 GET https://i.4cdn.org/hr/1734184210267895s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 67 192.168.1.125 TCP_MISS/200 -/- 2743 GET https://i.4cdn.org/hr/1734129280051325s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 70 192.168.1.125 TCP_MISS/200 -/- 9838 GET https://i.4cdn.org/hr/1729975559696842s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 68 192.168.1.125 TCP_MISS/200 -/- 8271 GET https://s.4cdn.org/image/title/1.jpg - HIER_DIRECT/s.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 76 192.168.1.125 TCP_MISS/200 -/- 2586 GET https://i.4cdn.org/hr/1734190031181606s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 98 192.168.1.125 TCP_MISS/200 -/- 8941 GET https://i.4cdn.org/hr/1732533823407555s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:17 +0000 65 192.168.1.125 TCP_MISS/200 -/- 6828 GET https://i.4cdn.org/hr/1729098446168049s.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:21 +0000 63 192.168.1.125 TCP_MISS/200 -/- 587 HEAD https://i.4cdn.org/hr/1732533823407555.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:21 +0000 269 192.168.1.125 TCP_MISS/200 -/- 757840 GET https://i.4cdn.org/hr/1732533823407555.jpg - HIER_DIRECT/i.4cdn.org image/jpeg
14/Dec/2024:15:28:25 +0000 4 192.168.1.125 TCP_MEM_HIT/200 -/- 757841 GET https://i.4cdn.org/hr/1732533823407555.jpg - HIER_NONE/- image/jpeg
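For the "how to identify" part of the question, the following is an added Python helper (not from the post and not part of Squid) that parses lines written with the custom xsquid logformat above and tallies, per destination host, the zero-byte NONE_NONE/200 CONNECT entries against the bumped GET/HEAD requests and cache hits logged for the same host; the sample log lines and hostnames are constructed.

```python
import re
from collections import Counter, defaultdict
# Field order of the poster's custom "xsquid" logformat; %tl yields two tokens
# (local time, UTC offset), so a well-formed line splits into exactly 12 tokens.
FIELDS = ("date", "tz", "elapsed_ms", "client", "status", "err", "size",
          "method", "url", "user", "hier", "mime")

def parse_xsquid_line(line):
    """Parse one xsquid access_log line into a dict of typed fields."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    e = dict(zip(FIELDS, tokens))
    e["squid_status"], http_status = e["status"].split("/", 1)  # NONE_NONE / 200
    e["http_status"] = int(http_status)
    e["hier_code"], e["peer"] = e["hier"].split("/", 1)         # HIER_DIRECT / host
    e["elapsed_ms"], e["size"] = int(e["elapsed_ms"]), int(e["size"])
    return e

def host_of(e):
    """%ru is host:port for CONNECT and a full URL for bumped requests."""
    if e["method"] == "CONNECT":
        return e["url"].rsplit(":", 1)[0]
    m = re.match(r"^https?://([^/:]+)", e["url"])
    return m.group(1) if m else e["url"]

def summarize(lines):
    """Per host: zero-byte NONE_NONE/200 CONNECTs vs. bumped requests and hits."""
    stats = defaultdict(Counter)
    for line in filter(None, (ln.strip() for ln in lines)):
        e = parse_xsquid_line(line)
        host = host_of(e)
        if e["method"] == "CONNECT":
            if e["squid_status"] == "NONE_NONE" and e["size"] == 0:
                stats[host]["none_none_connect"] += 1
        else:
            stats[host]["bumped_requests"] += 1
            if "HIT" in e["squid_status"]:
                stats[host]["hits"] += 1
    return stats

# Constructed sample lines shaped like the poster's log; hosts are placeholders.
SAMPLE_LOG = """\
14/Dec/2024:15:28:14 +0000    122 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT example.org:443 - HIER_DIRECT/example.org -
14/Dec/2024:15:28:14 +0000    239 192.168.1.125 TCP_MISS/200 -/- 4876 GET https://example.org/ - HIER_DIRECT/example.org text/html
14/Dec/2024:15:28:14 +0000    145 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT img.example.org:443 - HIER_DIRECT/img.example.org -
14/Dec/2024:15:28:14 +0000    144 192.168.1.125 NONE_NONE/200 -/- 0 CONNECT img.example.org:443 - HIER_DIRECT/img.example.org -
14/Dec/2024:15:28:14 +0000     60 192.168.1.125 TCP_MISS/200 -/- 9636 GET https://img.example.org/a.jpg - HIER_DIRECT/img.example.org image/jpeg
14/Dec/2024:15:28:25 +0000      4 192.168.1.125 TCP_MEM_HIT/200 -/- 9637 GET https://img.example.org/a.jpg - HIER_NONE/- image/jpeg
"""
```

Feeding the real access.log through `summarize(open("/var/log/squid/access.log"))` shows which hosts produce many tunnels per bumped request, which is the ratio worth comparing between the peek/bump and peek/splice configurations.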