[squid-users] Squid Cache Issues migration from 5.8 to 6.6

Jonathan Lee jonathanlee571 at gmail.com
Thu Jul 4 19:37:01 UTC 2024


I found it 

#  TAG: sslproxy_cert_sign
#
#        sslproxy_cert_sign <signing algorithm> acl ...
#
#        The following certificate signing algorithms are supported:
#
#	   signTrusted
#		Sign using the configured CA certificate which is usually
#		placed in and trusted by end-user browsers. This is the
#		default for trusted origin server certificates.
#
#	   signUntrusted
#		Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
#		This is the default for untrusted origin server certificates
#		that are not self-signed (see ssl::certUntrusted).
#
#	   signSelf
#		Sign using a self-signed certificate with the right CN to
#		generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
#		browser. This is the default for self-signed origin server
#		certificates (see ssl::certSelfSigned).
#
#	This clause only supports fast acl types.
#
#	When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
#	signing algorithm to generate the certificate and ignores all
#	subsequent sslproxy_cert_sign options (the first match wins). If no
#	acl(s) match, the default signing algorithm is determined by errors
#	detected when obtaining and validating the origin server certificate.
#
#	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
#	be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
#	CONNECT request that carries a domain name. In all other cases (CONNECT
#	to an IP address or an intercepted SSL connection), Squid cannot detect
#	the domain mismatch at certificate generation time when
#	bump-server-first is used.
#Default:
# none

in Squid.conf I have nothing with that detective. 

Yes I am using SSL bump with this configuration..


# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname Lee_Family.home.arpa
cache_mgr jonathanlee571 at gmail.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
tls_outgoing_options capath=/usr/local/share/certs/
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 10

logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/27
forwarded_for transparent
httpd_suppress_version_string on
uri_whitespace strip
dns_nameservers 127.0.0.1 
acl block_hours time 00:30-05:00
ssl_bump terminate all block_hours
http_access deny all block_hours
acl getmethod method GET
acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

#tls_outgoing_options options=0x40000
#request_header_access Accept-Ranges deny all
#reply_header_access Accept-Ranges deny all
#request_header_replace Accept-Ranges none
#reply_header_replace Accept-Ranges none


tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

acl HttpAccess dstdomain "/usr/local/pkg/http.access"
acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
acl rewritedoms dstdomain "/usr/local/pkg/desdom"

#store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt
#store_id_children 10 startup=5 idle=1 concurrency=0
#always_direct allow all
#store_id_access deny connect
#store_id_access deny !getmethod
#store_id_access allow rewritedoms
#store_id_access deny all

refresh_all_ims on
reload_into_ims on
max_stale 20 years
minimum_expiry_time 0

refresh_pattern -i ^http.*squid\.internal.* 43200 100% 79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth

#FACEBOOK
#refresh_pattern ^https.*.facebook.com/* 10080 80% 43200

#FACEBOOK IMAGES  
#refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200
#refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 
#refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale
#refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200
#refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200
#refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200

#FACEBOOK VIDEO
#refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200
#refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200

#APPLE STUFF
refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200  refresh-ims

#apple update
refresh_pattern -i (download|adcdownload).apple.com/.*\.(pkg|dmg) 4320 100% 43200
refresh_pattern -i appldnld\.apple\.com 129600 100% 129600
refresh_pattern -i phobos\.apple\.com 129600 100% 129600
refresh_pattern -i iosapps\.itunes\.apple\.com 129600 100% 129600

# Updates: Windows
refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200  refresh-ims
refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200  refresh-ims
refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200  refresh-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 
refresh_pattern -i .*windowsupdate.com/.*\.(cab|exe) 259200 100% 259200   
refresh_pattern -i .*update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 259200 100% 259200   
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 
refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200
#windows update NEW UPDATE 0.04
refresh_pattern update.microsoft.com/.*\.(cab|exe) 43200 100% 129600    
refresh_pattern ([^.]+\.)?(download|(windows)?update)\.(microsoft\.)?com/.*\.(cab|exe|msi|msp|psf) 4320 100% 43200  
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
refresh_pattern -i \.update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
refresh_pattern -i \.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
refresh_pattern -i \.download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
refresh_pattern -i \.ws.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
    
#refresh_pattern ([^.]+\.)?(cs|content[1-9]|hsar|content-origin|client-download).[steampowered|steamcontent].com/.*\.* 43200 100% 43200     
#refresh_pattern ([^.]+\.)?.akamai.steamstatic.com/.*\.* 43200 100% 43200

#refresh_pattern -i ([^.]+\.)?.adobe.com/.*\.(zip|exe) 43200 100% 43200
#refresh_pattern -i ([^.]+\.)?.java.com/.*\.(zip|exe) 43200 100% 43200
#refresh_pattern -i ([^.]+\.)?.sun.com/.*\.(zip|exe) 43200 100% 43200
#refresh_pattern -i ([^.]+\.)?.oracle.com/.*\.(zip|exe|tar.gz) 43200 100% 43200

refresh_pattern -i appldnld\.apple\.com 43200 100% 43200
refresh_pattern -i ([^.]+\.)?apple.com/.*\.(ipa) 43200 100% 43200
 
refresh_pattern -i ([^.]+\.)?.google.com/.*\.(exe|crx) 10080 80% 43200
refresh_pattern -i ([^.]+\.)?g.static.com/.*\.(exe|crx) 10080 80% 43200

acl https_login url_regex -i ^https.*(login|Login).*
cache deny https_login

range_offset_limit 512 MB windowsupdate
range_offset_limit 4 MB
range_offset_limit 0
quick_abort_min -1 KB

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 512 MB
cache_dir diskd /var/squid/cache 64000 256 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
cache deny donotcache
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320


#Remote proxies


# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535 
acl sslports port 443 563 8080 5223 2197

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

# SslBump Peek and Splice
# http://wiki.squid-cache.org/Features/SslPeekAndSplice
# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
#   SslBump1: After getting TCP-level and HTTP CONNECT info.
#   SslBump2: After getting TLS Client Hello info.
#   SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

deny_info TCP_RESET allsrc

# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 32 startup=8 idle=4 concurrency=0

# Custom options before auth
#host_verify_strict on

# These hosts are banned
http_access deny banned_hosts
# Always allow access to whitelist domains
http_access allow whitelist
# Block access to blacklist domains
http_access deny blacklist
# List of domains allowed to logging in to Google services
request_header_access X-GoogApps-Allowed-Domains deny all
request_header_add X-GoogApps-Allowed-Domains consumer_accounts
# Set YouTube safesearch restriction
acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_access YouTube-Restrict deny all
request_header_add YouTube-Restrict none youtubedst
acl sglog url_regex -i sgr=ACCESSDENIED
http_access deny sglog
# Custom SSL/MITM options before auth
cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd redacted all
eui_lookup on
acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6

acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad

acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted

acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"

acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell

acl bump_only_mac arp redacted redacted redacted
acl bump_only_mac arp 
acl bump_only_mac arp 
acl bump_only_mac arp 
acl bump_only_mac arp 

ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated

acl markedBumped note bumped true
url_rewrite_access deny markedBumped

#workers 3
read_ahead_gap 32 KB
#negative_ttl 1 second
#connect_timeout 30 seconds
#request_timeout 60 seconds
#half_closed_clients off
#shutdown_lifetime 10 seconds
#negative_dns_ttl 1 seconds
#ignore_unknown_nameservers on
#client_persistent_connections off
#server_persistent_connections off
#pipeline_prefetch 100

#acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
#ssl_bump bump SSLIntercept

# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all


I see nothing with that derivative I also added my firewalls cert a bit ago as an extra cert but it had no affect on the errors..

So would I use this directive like this

 sslproxy_cert_sign signTrusted bump_only_mac

with bump only mac as my ACL? the reference does not really show a good example of use it explains it well 

 sslproxy_cert_sign <signing algorithm> acl ...

        The following certificate signing algorithms are supported:

	   signTrusted
		Sign using the configured CA certificate which is usually
		placed in and trusted by end-user browsers. This is the
		default for trusted origin server certificates.

	   signUntrusted
		Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
		This is the default for untrusted origin server certificates
		that are not self-signed (see ssl::certUntrusted).

	   signSelf
		Sign using a self-signed certificate with the right CN to
		generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
		browser. This is the default for self-signed origin server
		certificates (see ssl::certSelfSigned).

	This clause only supports fast acl types.

	When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
	signing algorithm to generate the certificate and ignores all
	subsequent sslproxy_cert_sign options (the first match wins). If no
	acl(s) match, the default signing algorithm is determined by errors
	detected when obtaining and validating the origin server certificate.

	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
	be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
	CONNECT request that carries a domain name. In all other cases (CONNECT
	to an IP address or an intercepted SSL connection), Squid cannot detect
	the domain mismatch at certificate generation time when
	bump-server-first is used.




> On Jul 4, 2024, at 09:56, Alex Rousskov <rousskov at measurement-factory.com> wrote:
> 
> On 2024-07-04 12:11, Jonathan Lee wrote:
>> failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128
>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417
> 
> A000417 is an "unknown CA" alert sent by client to Squid while the client is trying to establish a TLS connection to/through Squid. The client does not trust the Certificate Authority that signed the certificate that was used for that TLS connection.
> 
> As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log).
> 
> If you use SslBump for port 3128 traffic, then one of the possibilities here is that Squid is using an unknown-to-client CA to report an origin server that Squid itself does not trust (see signUntrusted in squid.conf.documented). In those cases, logging a level-1 ERROR is a Squid bug because that expected/desirable outcome should be treated as success (and a successful TLS accept treated as an error!).
> 
> 
> HTH,
> 
> Alex.
> P.S. For free Squid support, please keep the discussion on the mailing list.
> 
> 
>> Is my main concern however I use the squid guard URL blocker
>> Sent from my iPhone
>>> On Jul 4, 2024, at 07:41, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>> 
>>> On 2024-07-03 13:56, Jonathan Lee wrote:
>>>> Hello fellow Squid users does anyone know how to fix this issue?
>>> 
>>> I counted about eight different "issues" in your cache.log sample. Most of them are probably independent. I recommend that you explicitly pick _one_, search mailing list archives for previous discussions about it, and then provide as many details about it as you can (e.g., what traffic causes it and/or matching access.log records).
>>> 
>>> 
>>> HTH,
>>> 
>>> Alex.
>>> 
>>> 
>>>> Squid - Cache Logs
>>>> Date-Time    Message
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:54:34    kick abandoning conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89 flags=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:54:29    kick abandoning conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81 flags=1
>>>> 03.07.2024 10:54:09    ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:54:09    ERROR: failure while accepting a TLS connection on conn7647 local=192.168.1.1:3128 remote=192.168.1.5:49670 FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:54:09    ERROR: failure while accepting a TLS connection on conn7646 local=192.168.1.1:3128 remote=192.168.1.5:49668 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:53:04    ERROR: failure while accepting a TLS connection on conn7367 local=192.168.1.1:3128 remote=192.168.1.5:49627 FD 22 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:52:47    ERROR: failure while accepting a TLS connection on conn7345 local=192.168.1.1:3128 remote=192.168.1.5:49618 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:52:38    ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:52:34    ERROR: failure while accepting a TLS connection on conn7316 local=192.168.1.1:3128 remote=192.168.1.5:49609 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:51:55    WARNING: Error Pages Missing Language: en-us
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:51:55    ERROR: loading file 9;/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2) No such file or directory
>>>> 03.07.2024 10:51:44    ERROR: failure while accepting a TLS connection on conn7102 local=192.168.1.1:3128 remote=192.168.1.5:49574 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:51:28    ERROR: failure while accepting a TLS connection on conn7071 local=192.168.1.1:3128 remote=192.168.1.5:49568 FD 92 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:50:29    ERROR: failure while accepting a TLS connection on conn6944 local=192.168.1.1:3128 remote=192.168.1.5:49534 FD 101 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:49:54    ERROR: failure while accepting a TLS connection on conn6866 local=192.168.1.1:3128 remote=192.168.1.5:49519 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:49:38    ERROR: failure while accepting a TLS connection on conn6809 local=192.168.1.1:3128 remote=192.168.1.5:49503 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:49:32    ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
>>>> 03.07.2024 10:49:24    ERROR: failure while accepting a TLS connection on conn6776 local=192.168.1.1:3128 remote=192.168.1.5:49481 FD 137 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:48:49    ERROR: failure while accepting a TLS connection on conn6440 local=192.168.1.1:3128 remote=192.168.1.5:49424 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:48:49    ERROR: failure while accepting a TLS connection on conn6445 local=192.168.1.1:3128 remote=192.168.1.5:49426 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:48:22    ERROR: failure while accepting a TLS connection on conn6035 local=192.168.1.1:3128 remote=192.168.1.5:49355 FD 226 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:48:09    ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:48:09    ERROR: failure while accepting a TLS connection on conn5875 local=192.168.1.1:3128 remote=192.168.1.5:49312 FD 216 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:48:09    ERROR: failure while accepting a TLS connection on conn5876 local=192.168.1.1:3128 remote=192.168.1.5:49314 FD 217 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:47:57    ERROR: failure while accepting a TLS connection on conn5815 local=192.168.1.1:3128 remote=192.168.1.5:49297 FD 201 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:47:54    ERROR: failure while accepting a TLS connection on conn5760 local=192.168.1.1:3128 remote=192.168.1.5:49289 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:47:52    ERROR: failure while accepting a TLS connection on conn5717 local=192.168.1.1:3128 remote=192.168.1.5:49284 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:47:50    ERROR: failure while accepting a TLS connection on conn5552 local=192.168.1.1:3128 remote=192.168.1.5:49268 FD 142 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:47:34    kick abandoning conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:47:21    kick abandoning conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37 flags=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:47:21    kick abandoning conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36 flags=1
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:42:22    WARNING: Forwarding loop detected for:
>>>> 03.07.2024 10:40:08    ERROR: failure while accepting a TLS connection on conn4955 local=192.168.1.1:3128 remote=192.168.1.5:52339 FD 98 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 31.12.1969 16:00:00
>>>> 03.07.2024 10:39:52    kick abandoning conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105 flags=1
>>>> 03.07.2024 10:39:09    ERROR: failure while accepting a TLS connection on conn4846 local=192.168.1.1:3128 remote=192.168.1.5:52314 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:38:14    ERROR: failure while accepting a TLS connection on conn4650 local=192.168.1.1:3128 remote=192.168.1.5:52274 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>> 03.07.2024 10:38:08    ERROR: failure while accepting a TLS connection on conn4645 local=192.168.1.1:3128 remote=192.168.1.5:52272 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>> 03.07.2024 10:38:04    ERROR: Unsupported TLS option SINGLE_ECDH_USE
>>>> 03.07.2024 10:38:04    ERROR: Unsupported TLS option SINGLE_DH_USE
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> 31.12.1969 16:00:00
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> https://lists.squid-cache.org/listinfo/squid-users
>>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240704/54f35b1a/attachment-0001.htm>


More information about the squid-users mailing list