[squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)
Amon Ott
lists at compuniverse.de
Mon Dec 16 08:43:01 UTC 2024
Am 14.12.24 um 17:26 schrieb R:
> My current goal is to set up a caching instance for https static content with squid 6.12.
>
> ssl-bump is set up according to https://wiki.squid-cache.org/Features/SslBump and it works fine, at least from the clients' perspectives and without any noticeable issues (e.g. with Firefox or Safari). Sometimes (~5-8% of the total requests) I can even get a few cache hits - including those juicy TCP_MEM_HIT/200s.
>
> What has been bothering me though is the impressive amount of client request errors being logged:
>
> # a few seconds after an instance restart
> openvpn-client2:/$ squidclient cache_object://localhost/counters | grep client_http.errors
> client_http.errors = 8
> openvpn-client2:/$ squidclient cache_object://localhost/counters | grep client_http.errors
> client_http.errors = 20
>
> In the access_log, it is possible to see many NONE_NONE/200 being logged for **almost every https request**. The amount of logged NONE_NONE/200 seem to vary according to the target website: github.com:443 throws 6-7 errors, while the lists.squid-cache.org throws only one.
When using ssl-bump, you must allow the initial CONNECT request and then
decide on the broken up requests. E.g. add
http_access allow CONNECT
before your first http_access line.
Amon Ott
--
Dr. Amon Ott
m-privacy GmbH Tel: +49 30 24342334
Werner-Voß-Damm 62 Fax: +49 30 99296856
12101 Berlin http://www.m-privacy.de
Amtsgericht Charlottenburg, HRB 84946
Geschäftsführer:
Dipl.-Kfm. Holger Maczkowsky,
Roman Maczkowsky
GnuPG-Key-ID: 0x2DD3A649
More information about the squid-users
mailing list