[squid-users] Rewriting HTTP to HTTPS for generic package proxy

Fiehe, Christoph c.fiehe at eurodata.de
Tue Jul 9 22:25:30 UTC 2024


Hello,

I hope that somebody has an idea what I am doing wrong. I am trying to build a generic package proxy with Squid and need the ability to rewrite (not redirect) an HTTP request to a package repository transparently to an HTTPS-based package source. I was able to get Jesred working and defined the following rewrite rule:

regex ^http:\/\/download\.docker\.com(.*)$ https://download.docker.com\1

I had to use a parent upstream proxy. In my test case the rule gets applied successfully:

1720558404.106 10.2.59.102/molecule-ubuntu-jammy.lx.mycompany.de http://download.docker.com/linux/ubuntu/dists/jammy/InRelease https://download.docker.com/linux/ubuntu/dists/jammy/InRelease 2

I have validated that the returned URL is correct and that the resource is accessible via my upstream proxy.

But at the very end, the client receives a 503 error code. I have set "debug_options ALL,3" and this gives the log:

[...]
2024/07/09 23:35:40.115 kid1| 11,2| client_side.cc(1333) parseHttpRequest: HTTP Client REQUEST:
---------
HEAD http://download.docker.com/linux/ubuntu/dists/jammy/InRelease HTTP/1.1
Host: download.docker.com
User-Agent: curl/7.81.0
Accept: */*
Proxy-Connection: Keep-Alive


----------
2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(1364) parseHttpRequest: complete request received. prefix_sz = 174, request-line-size=77, mime-header-size=97, mime header block:
Host: download.docker.com
User-Agent: curl/7.81.0
Accept: */*
Proxy-Connection: Keep-Alive


----------
2024/07/09 23:35:40.115 kid1| 87,3| clientStream.cc(139) clientStreamInsertHead: clientStreamInsertHead: Inserted node 0x5c3ba4154308 with data 0x5c3ba4152950 after head
2024/07/09 23:35:40.115 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn9 local=10.2.59.103:8000 remote=10.2.59.102:56466 FD 15 flags=1 timeout 86400
2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(1767) add: 0x5c3ba41518e0*3 to 0/0
2024/07/09 23:35:40.115 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x5c3ba41501f0 add request 1 0x5c3ba41518e0*4
2024/07/09 23:35:40.115 kid1| 23,3| Uri.cc(446) parse: Split URL 'http://download.docker.com/linux/ubuntu/dists/jammy/InRelease' into proto='http', host='download.docker.com', port='80', path='/linux/ubuntu/dists/jammy/InRelease'
2024/07/09 23:35:40.115 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(702) clientSetKeepaliveFlag: http_ver = HTTP/1.1
2024/07/09 23:35:40.115 kid1| 33,3| client_side.cc(703) clientSetKeepaliveFlag: method = HEAD
2024/07/09 23:35:40.115 kid1| 85,3| client_side_request.cc(122) ClientRequestContext: ClientRequestContext constructed, this=0x5c3ba4154e78
2024/07/09 23:35:40.115 kid1| 83,3| client_side_request.cc(1708) doCallouts: Doing calloutContext->hostHeaderVerify()
2024/07/09 23:35:40.115 kid1| 85,3| client_side_request.cc(606) hostHeaderVerify: validate host=download.docker.com, port=0, portStr=NULL
2024/07/09 23:35:40.115 kid1| 85,3| client_side_request.cc(620) hostHeaderVerify: validate skipped.
2024/07/09 23:35:40.115 kid1| 83,3| client_side_request.cc(1715) doCallouts: Doing calloutContext->clientAccessCheck()
2024/07/09 23:35:40.115 kid1| 28,3| Checklist.cc(69) preCheck: 0x5c3ba41552d8 checking slow rules
2024/07/09 23:35:40.115 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.102:56466' found
2024/07/09 23:35:40.115 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
2024/07/09 23:35:40.115 kid1| 28,3| Acl.cc(175) matches: checked: http_access#1 = 1
2024/07/09 23:35:40.115 kid1| 28,3| Acl.cc(175) matches: checked: http_access = 1
2024/07/09 23:35:40.115 kid1| 28,3| Checklist.cc(62) markFinished: 0x5c3ba41552d8 answer ALLOWED for match
2024/07/09 23:35:40.115 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x5c3ba41552d8 answer=ALLOWED
2024/07/09 23:35:40.115 kid1| 85,2| client_side_request.cc(714) clientAccessCheckDone: The request HEAD http://download.docker.com/linux/ubuntu/dists/jammy/InRelease is ALLOWED; last ACL checked: all
2024/07/09 23:35:40.115 kid1| 83,3| AccessCheck.cc(42) Start: adaptation off, skipping
2024/07/09 23:35:40.115 kid1| 83,3| client_side_request.cc(1735) doCallouts: Doing calloutContext->clientRedirectStart()
2024/07/09 23:35:40.115 kid1| 78,3| dns_internal.cc(1836) idnsPTRLookup: idnsPTRLookup: buf is 42 bytes for 10.2.59.102, id = 0x8d95
2024/07/09 23:35:40.115 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to 127.0.0.53:53 using FD 11 using Port 54280
2024/07/09 23:35:40 kid1| Starting new redirector helpers...
current master transaction: master54
2024/07/09 23:35:40 kid1| helperOpenServers: Starting 1/3 'jesred' processes
current master transaction: master54
2024/07/09 23:35:40.115 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 17 IPC UNIX STREAM Parent
2024/07/09 23:35:40.115 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 19 IPC UNIX STREAM Parent
2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(212) ipcCreate: ipcCreate: prfd FD 17
2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(213) ipcCreate: ipcCreate: pwfd FD 17
2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(214) ipcCreate: ipcCreate: crfd FD 19
2024/07/09 23:35:40.115 kid1| 54,3| ipc.cc(215) ipcCreate: ipcCreate: cwfd FD 19
2024/07/09 23:35:40.116 kid1| 5,3| comm.cc(850) _comm_close: start closing FD 19 by ipc.cc:271
2024/07/09 23:35:40.116 kid1| 5,3| comm.cc(586) commUnsetFdTimeout: Remove timeout for FD 19
2024/07/09 23:35:40.116 kid1| 21,3| tools.cc(561) leave_suid: leave_suid: PID 503746 called
2024/07/09 23:35:40.116 kid1| 21,3| tools.cc(651) no_suid: no_suid: PID 503746 giving up root privileges forever
2024/07/09 23:35:40.116 kid1| 5,3| comm.cc(586) commUnsetFdTimeout: Remove timeout for FD 17
2024/07/09 23:35:40.117 kid1| 84,3| helper.cc(1310) GetFirstAvailable: GetFirstAvailable: Least-loaded helper is fully loaded!
2024/07/09 23:35:40.117 kid1| 51,3| fd.cc(93) fd_close: fd_close FD 19 IPC UNIX STREAM Parent
2024/07/09 23:35:40.117 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: starting with FD 11
2024/07/09 23:35:40.117 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: FD 11: received 92 bytes from 127.0.0.53:53
2024/07/09 23:35:40.117 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: idnsGrokReply: QID 0x8d95, 1 answers
2024/07/09 23:35:40.117 kid1| 35,3| fqdncache.cc(336) fqdncacheParse: fqdncacheParse: 1 answers for '10.2.59.102'
2024/07/09 23:35:40.117 kid1| 5,3| IoCallback.cc(112) finish: called for conn11 local=[::] remote=[::] FD 17 flags=1 (0, 0)
2024/07/09 23:35:40.125 kid1| 5,3| Read.cc(148) HandleRead: FD 17, size 32767, retval 80, errno 0
2024/07/09 23:35:40.125 kid1| 5,3| IoCallback.cc(112) finish: called for conn10 local=[::] remote=[::] FD 17 flags=1 (0, 0)
2024/07/09 23:35:40.125 kid1| 84,3| helper.cc(1022) helperHandleRead: helperHandleRead: end of reply found
2024/07/09 23:35:40.125 kid1| 84,3| Reply.cc(41) finalize: Parsing helper buffer
2024/07/09 23:35:40.125 kid1| 84,3| Reply.cc(59) finalize: Buff length is larger than 2
2024/07/09 23:35:40.125 kid1| 84,3| Reply.cc(63) finalize: helper Result = OK
2024/07/09 23:35:40.125 kid1| 23,3| Uri.cc(446) parse: Split URL 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease' into proto='https', host='download.docker.com', port='443', path='/linux/ubuntu/dists/jammy/InRelease'
2024/07/09 23:35:40.125 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/09 23:35:40.125 kid1| 61,2| client_side_request.cc(1235) clientRedirectDone: URL-rewriter diverts URL from http://download.docker.com/linux/ubuntu/dists/jammy/InRelease to https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.125 kid1| 83,3| client_side_request.cc(1743) doCallouts: Doing calloutContext->clientAccessCheck2()
2024/07/09 23:35:40.125 kid1| 85,2| client_side_request.cc(692) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2024/07/09 23:35:40.125 kid1| 85,2| client_side_request.cc(714) clientAccessCheckDone: The request HEAD https://download.docker.com/linux/ubuntu/dists/jammy/InRelease is ALLOWED; last ACL checked: all
2024/07/09 23:35:40.126 kid1| 83,3| client_side_request.cc(1761) doCallouts: Doing clientInterpretRequestHeaders()
2024/07/09 23:35:40.126 kid1| 83,3| client_side_request.cc(1770) doCallouts: Doing calloutContext->checkNoCache()
2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(69) preCheck: 0x5c3ba41552d8 checking slow rules
2024/07/09 23:35:40.126 kid1| 28,3| RegexData.cc(50) match: checking 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: no_cache = 0
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: cache#1 = 0
2024/07/09 23:35:40.126 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.102:56466' found
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: cache#2 = 1
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: cache = 1
2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(62) markFinished: 0x5c3ba41552d8 answer ALLOWED for match
2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x5c3ba41552d8 answer=ALLOWED
2024/07/09 23:35:40.126 kid1| 85,3| client_side_request.cc(116) ~ClientRequestContext: ClientRequestContext destructed, this=0x5c3ba4154e78
2024/07/09 23:35:40.126 kid1| 83,3| client_side_request.cc(1855) doCallouts: calling processRequest()
2024/07/09 23:35:40.126 kid1| 87,3| clientStream.cc(178) clientStreamRead: clientStreamRead: Calling 1 with cbdata 0x5c3ba4153e70 from node 0x5c3ba4154308
2024/07/09 23:35:40.126 kid1| 73,3| HttpRequest.cc(742) storeId: sent back effectiveRequestUrl: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 20,3| Controller.cc(429) peek: DE850794EBC405A27A7718F51795E32A
2024/07/09 23:35:40.126 kid1| 73,3| HttpRequest.cc(742) storeId: sent back effectiveRequestUrl: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 20,3| Controller.cc(429) peek: D3522EE27FB0ED7004DD594AF7674667
2024/07/09 23:35:40.126 kid1| 85,3| client_side_reply.cc(1523) identifyFoundObject: StoreEntry is NULL - MISS
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(730) storeCreatePureEntry: storeCreateEntry: 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/09 23:35:40.126 kid1| 20,3| MemObject.cc(99) MemObject: MemObject constructed, this=0x5c3ba416ef10
2024/07/09 23:35:40.126 kid1| 88,3| MemObject.cc(82) setUris: 0x5c3ba416ef10 storeId: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5c3ba416ee90*1
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(536) setPrivateKey: 00 e:=V/0x5c3ba416ee90*1
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(412) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=IV/0x5c3ba416ee90*1 key '020000000000000061AF070001000000'
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: store_client locked key 020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*2
2024/07/09 23:35:40.126 kid1| 90,3| store_client.cc(243) copy: store_client::copy: 020000000000000061AF070001000000, from 0, for length 4096, cb 1, cbdata 0x5c3ba4152dd8
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: store_client::copy locked key 020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*3
2024/07/09 23:35:40.126 kid1| 90,3| store_client.cc(343) storeClientCopy2: storeClientCopy2: 020000000000000061AF070001000000
2024/07/09 23:35:40.126 kid1| 90,3| store_client.cc(390) doCopy: store_client::doCopy: Waiting for more
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(457) unlock: store_client::copy unlocking key 020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*3
2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(373) Start: 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/09 23:35:40.126 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request conn9 local=10.2.59.103:8000 remote=10.2.59.102:56466 FD 15 flags=1, url=https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: FwdState locked key 020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*3
2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(140) FwdState: FwdState constructed, this=0x5c3ba416fa18
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(309) peerSelect: e:=IV/0x5c3ba416ee90*3 https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(434) lock: peerSelect locked key 020000000000000061AF070001000000 e:=IV/0x5c3ba416ee90*4
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(612) selectMore: HEAD download.docker.com
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(626) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(69) preCheck: 0x5c3ba4170638 checking slow rules
2024/07/09 23:35:40.126 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.2.59.102:56466' found
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: all = 1
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: never_direct#1 = 1
2024/07/09 23:35:40.126 kid1| 28,3| Acl.cc(175) matches: checked: never_direct = 1
2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(62) markFinished: 0x5c3ba4170638 answer ALLOWED for match
2024/07/09 23:35:40.126 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x5c3ba4170638 answer=ALLOWED
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(345) checkNeverDirectDone: ALLOWED
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(351) checkNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(612) selectMore: HEAD download.docker.com
2024/07/09 23:35:40.126 kid1| 14,3| ipcache.cc(732) ipcache_gethostbyname: ipcache_gethostbyname: 'download.docker.com', flags=0
2024/07/09 23:35:40.126 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(286) peerSelectIcpPing: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(283) neighborsCount: neighborsCount: 0
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(297) peerSelectIcpPing: counted 0 neighbors
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(833) selectSomeParent: HEAD download.docker.com
2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(350) getRoundRobinParent: returning [nil]
2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(403) getWeightedRoundRobinParent: returning [nil]
2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(309) getFirstUpParent: returning 212.89.128.96
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(1102) addSelection: adding FIRSTUP_PARENT/212.89.128.96
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(1095) addSelection: skipping ANY_OLD_PARENT/212.89.128.96; have FIRSTUP_PARENT/212.89.128.96
2024/07/09 23:35:40.126 kid1| 15,3| neighbors.cc(493) getDefaultParent: returning 212.89.128.96
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(1095) addSelection: skipping DEFAULT_PARENT/212.89.128.96; have FIRSTUP_PARENT/212.89.128.96
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease' via 212.89.128.96
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector1 found conn12 local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1, destination #1 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1180) handlePath: always_direct = DENIED
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1181) handlePath: never_direct = ALLOWED
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1182) handlePath: timedout = 0
2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(610) noteDestination: conn12 local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1
2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(1124) connectStart: 1+ paths to https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector1 found all 1 destinations for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct = DENIED
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct = ALLOWED
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
2024/07/09 23:35:40.126 kid1| 44,3| peer_select.cc(241) ~PeerSelector: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 20,3| store.cc(457) unlock: peerSelect unlocking key 020000000000000061AF070001000000 e:=p2IV/0x5c3ba416ee90*4
2024/07/09 23:35:40.126 kid1| 48,3| pconn.cc(474) popStored: lookup for key {212.89.128.96:3128} failed.
2024/07/09 23:35:40.126 kid1| 17,3| FwdState.cc(1568) GetMarkingsToServer: from 0.0.0.0 tos 0 netfilter mark 0
2024/07/09 23:35:40.126 kid1| 5,3| ConnOpener.cc(42) ConnOpener: will connect to conn14 local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1 with 30 timeout
2024/07/09 23:35:40.126 kid1| 50,3| comm.cc(378) comm_openex: comm_openex: Attempt open socket for: 0.0.0.0
2024/07/09 23:35:40.126 kid1| 50,3| comm.cc(420) comm_openex: comm_openex: Opened socket conn15 local=0.0.0.0 remote=[::] FD 19 flags=1 : family=2, type=1, protocol=6
2024/07/09 23:35:40.126 kid1| 51,3| fd.cc(168) fd_open: fd_open() FD 19
2024/07/09 23:35:40.126 kid1| 5,3| ConnOpener.cc(312) createFd: conn14 local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1 will timeout in 30
2024/07/09 23:35:40.127 kid1| 17,3| FwdState.cc(1197) dispatch: conn9 local=10.2.59.103:8000 remote=10.2.59.102:56466 FD 15 flags=1: Fetching HEAD https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.127 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'download.docker.com': Name or service not known
2024/07/09 23:35:40.127 kid1| 78,3| dns_internal.cc(1793) idnsALookup: idnsALookup: buf is 37 bytes for download.docker.com, id = 0xe779
2024/07/09 23:35:40.127 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to 127.0.0.53:53 using FD 11 using Port 54280
2024/07/09 23:35:40.127 kid1| 78,3| dns_internal.cc(1729) idnsSendSlaveAAAAQuery: buf is 37 bytes for download.docker.com, id = 0x8aee
2024/07/09 23:35:40.127 kid1| 50,3| comm.cc(927) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to 127.0.0.53:53 using FD 11 using Port 54280
2024/07/09 23:35:40.127 kid1| 11,3| http.cc(2516) httpStart: HEAD https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.127 kid1| 20,3| store.cc(434) lock: Client locked key 020000000000000061AF070001000000 e:=p2IV/0x5c3ba416ee90*4
2024/07/09 23:35:40.127 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 timeout 86400
2024/07/09 23:35:40.127 kid1| 22,3| refresh.cc(636) getMaxAge: getMaxAge: 'https://download.docker.com/linux/ubuntu/dists/jammy/InRelease'
2024/07/09 23:35:40.127 kid1| 11,2| http.cc(2472) sendRequest: HTTP Server conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1
2024/07/09 23:35:40.127 kid1| 11,2| http.cc(2473) sendRequest: HTTP Server REQUEST:
---------
HEAD https://download.docker.com/linux/ubuntu/dists/jammy/InRelease HTTP/1.1
Host: download.docker.com
User-Agent: curl/7.81.0
Accept: */*
Via: 1.1 pkg-proxy (squid/6.6)
X-Forwarded-For: 10.2.59.102
Cache-Control: max-age=0
Connection: keep-alive


----------
2024/07/09 23:35:40.127 kid1| 5,3| IoCallback.cc(112) finish: called for conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 (0, 0)
2024/07/09 23:35:40.127 kid1| 5,3| comm.cc(599) commSetConnTimeout: conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 timeout 900
2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: starting with FD 11
2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: FD 11: received 304 bytes from 127.0.0.53:53
2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: idnsGrokReply: QID 0x8aee, 9 answers
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(480) ipcacheParse: 9 answers for download.docker.com
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #1 [2600:9000:2490:6c00:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #2 [2600:9000:2490:a600:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #3 [2600:9000:2490:9c00:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #4 [2600:9000:2490:6000:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #5 [2600:9000:2490:c00:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #6 [2600:9000:2490:5200:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #7 [2600:9000:2490:9a00:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #8 [2600:9000:2490:2c00:3:db06:4200:93a1]
2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: starting with FD 11
2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: FD 11: received 144 bytes from 127.0.0.53:53
2024/07/09 23:35:40.137 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: idnsGrokReply: QID 0xe779, 5 answers
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(480) ipcacheParse: 5 answers for download.docker.com
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #9 108.138.7.33
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #10 108.138.7.18
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #11 108.138.7.88
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(535) addGood: download.docker.com #12 108.138.7.48
2024/07/09 23:35:40.137 kid1| 14,3| ipcache.cc(586) ipcacheHandleReply: done with download.docker.com: [2600:9000:2490:6c00:3:db06:4200:93a1] #1/12-0
2024/07/09 23:35:40.137 kid1| 38,3| net_db.cc(337) netdbSendPing: netdbSendPing: pinging download.docker.com
2024/07/09 23:35:40.137 kid1| 37,2| IcmpSquid.cc(88) SendEcho: to [2600:9000:2490:6c00:3:db06:4200:93a1], opcode 3, len 19
2024/07/09 23:35:40.137 pinger| 42,2| IcmpPinger.cc(198) Recv: Pass [2600:9000:2490:6c00:3:db06:4200:93a1] off to ICMPv6 module.
2024/07/09 23:35:40 pinger| SendEcho ERROR: sending to ICMPv6 packet to [2600:9000:2490:6c00:3:db06:4200:93a1]: (101) Network is unreachable
2024/07/09 23:35:40.138 pinger| 42,2| Icmp.cc(90) Log: pingerLog: 1720560940.138021 [2600:9000:2490:6c00:3:db06:4200:93a1] 0
2024/07/09 23:35:40.323 kid1| 5,3| IoCallback.cc(112) finish: called for conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1 (0, 0)
2024/07/09 23:35:40.324 kid1| 5,3| Read.cc(93) ReadNow: conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1, size 65536, retval 348, errno 0
2024/07/09 23:35:40.324 kid1| 11,3| http.cc(649) processReplyHeader: processReplyHeader: key '020000000000000061AF070001000000'
2024/07/09 23:35:40.324 kid1| 11,2| http.cc(696) processReplyHeader: HTTP Server conn14 local=10.2.59.103:39370 remote=212.89.128.96:3128 FIRSTUP_PARENT FD 19 flags=1
2024/07/09 23:35:40.324 kid1| 11,2| http.cc(697) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/4.10
Mime-Version: 1.0
Date: Tue, 09 Jul 2024 21:35:40 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3879
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
X-Cache: MISS from proxy-srv2
X-Cache-Lookup: MISS from proxy-srv2:3128
Via: 1.1 proxy-srv2 (squid/4.10)
Connection: keep-alive

----------
2024/07/09 23:35:40.324 kid1| 83,3| AccessCheck.cc(42) Start: adaptation off, skipping
2024/07/09 23:35:40.324 kid1| 20,3| store.cc(1693) replaceHttpReply: StoreEntry::replaceHttpReply: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.324 kid1| 11,3| http.cc(949) haveParsedReplyHeaders: HTTP CODE: 503

Does anybody have an idea what I can do to solve the issue?

This is my configuration borrowed from squid-deb-proxy:

# this file contains private networks (10.0.0.0/8, 172.16.0.0/12,
# 192.168.0.0/16) by default, you can add/remove additional allowed
# source networks in it to customize it for your setup
acl src_networks src "/etc/squid/acl/src-networks.acl"

# this file contains the archive mirrors by default,
# if you use a different mirror, add it there
acl to_archive_mirrors dstdomain "/etc/squid/acl/archive-mirrors.acl"

# Disable Cache for defined domains
acl no_cache url_regex "/etc/squid/acl/no-cache.acl"

# this contains the package blacklist
acl blockedpkgs urlpath_regex "/etc/squid/pkg-blacklist-regexp.acl"

# default to a different port than stock squid
http_port 8000

# -------------------------------------------------
# settings below probably do not need customization

# user visible name
visible_hostname pkg-proxy

# we need a big cache, some debs are huge
maximum_object_size 512 MB

# use a different dir than stock squid and default to 40G
cache_dir aufs /var/cache/squid 40000 16 256

cache_peer 212.89.128.96 parent 3128 0 no-query default
never_direct allow all

# use different logs
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

# tweaks to speed things up
cache_mem 200 MB
maximum_object_size_in_memory 10240 KB

# pid
pid_filename /var/run/squid.pid

# refresh pattern for debs and udebs
refresh_pattern deb$ 129600 100% 129600
refresh_pattern udeb$ 129600 100% 129600
refresh_pattern tar.gz$ 129600 100% 129600
refresh_pattern tar.xz$ 129600 100% 129600
refresh_pattern tar.bz2$ 129600 100% 129600

# always refresh Packages and Release files
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims

# handle meta-release and changelogs.ubuntu.com special
# (fine to have this on debian too)
refresh_pattern changelogs.ubuntu.com\/.* 0 1% 1

# only allow connects to ports for http, https
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 443 563

# only allow ports we trust
http_access deny !Safe_ports

# do not allow to download from the pkg blacklist
http_access deny blockedpkgs

# allow access only to official archive mirrors
# uncomment the third and fourth line to permit any unlisted domain
http_access deny !to_archive_mirrors

# allow access from our network and localhost
http_access allow src_networks

# And finally deny all other access to this proxy
http_access deny all

# don't cache domains not listed in the mirrors file
# uncomment the third and fourth line to cache any unlisted domains
cache deny no_cache

# And finally cache everything else
cache allow all

url_rewrite_children 3 startup=0 idle=1 concurrency=1
url_rewrite_program /usr/lib/squid/jesred

debug_options ALL,3

Thanks a lot.

Regards,
Christoph
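
A triage sketch for the debug log above, added here as an example and not part of the original post: it pulls the rewrite result, the selected cache_peer, the request Squid sent and the X-Squid-Error of the reply out of cache.log, and reports which hop generated the error page. The function names and the abridged SAMPLE_LOG are assumptions of this example.

```python
import re

# Abridged from the cache.log in the post (duplicated link text removed).
SAMPLE_LOG = """\
2024/07/09 23:35:40.125 kid1| 61,2| client_side_request.cc(1235) clientRedirectDone: URL-rewriter diverts URL from http://download.docker.com/linux/ubuntu/dists/jammy/InRelease to https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.126 kid1| 44,2| peer_select.cc(1174) handlePath: PeerSelector1 found conn12 local=0.0.0.0 remote=212.89.128.96:3128 FIRSTUP_PARENT flags=1, destination #1 for https://download.docker.com/linux/ubuntu/dists/jammy/InRelease
2024/07/09 23:35:40.127 kid1| 11,2| http.cc(2473) sendRequest: HTTP Server REQUEST:
---------
HEAD https://download.docker.com/linux/ubuntu/dists/jammy/InRelease HTTP/1.1
Host: download.docker.com
Via: 1.1 pkg-proxy (squid/6.6)

----------
2024/07/09 23:35:40.324 kid1| 11,2| http.cc(697) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/4.10
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
Via: 1.1 proxy-srv2 (squid/4.10)

----------
"""

DUMP = re.compile(r"HTTP (Client|Server) (REQUEST|RESPONSE):\s*$")
REWRITE = re.compile(r"URL-rewriter diverts URL from (\S+) to (\S+)")
PEER = re.compile(r"handlePath: \S+ found \S+ local=\S+ remote=(\S+) (\w+)")


def dumped_messages(log):
    """Yield (side, kind, start_line, headers) for every HTTP message that
    Squid dumped between a '---------' and a '----------' marker line."""
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        m = DUMP.search(lines[i])
        if m and i + 2 < len(lines) and lines[i + 1].startswith("-----"):
            headers, j = {}, i + 3
            while j < len(lines) and not lines[j].startswith("-----"):
                name, sep, value = lines[j].partition(":")
                if sep:
                    headers[name.strip().lower()] = value.strip()
                j += 1
            yield m.group(1), m.group(2), lines[i + 2], headers
            i = j  # continue after the closing marker
        i += 1


def via_hops(value):
    """'1.1 a (squid/x), 1.1 b' -> ['a', 'b'] (hop names in Via order)."""
    return [p.split()[1] for p in value.split(",") if len(p.split()) > 1]


def triage(log):
    r = dict.fromkeys(("rewritten_to", "peer", "sent_target", "local_name",
                       "status", "squid_error", "errno", "error_from", "verdict"))
    if m := REWRITE.search(log):
        r["rewritten_to"] = m.group(2)
    if m := PEER.search(log):
        r["peer"] = m.group(1)
    for side, kind, start, headers in dumped_messages(log):
        if side != "Server":
            continue
        if kind == "REQUEST":
            # Absolute-form target: an https:// URL here means the next hop,
            # not this Squid, has to open the TLS connection to the origin.
            r["sent_target"] = start.split(" ", 2)[1]
            hops = via_hops(headers.get("via", ""))
            r["local_name"] = hops[-1] if hops else None  # our own entry is last
        else:
            r["status"] = int(start.split()[1])
            name, _, num = headers.get("x-squid-error", "").partition(" ")
            if name:
                r["squid_error"] = name
                r["errno"] = int(num) if num.isdigit() else None  # 71 = EPROTO on Linux
                hops = via_hops(headers.get("via", ""))
                r["error_from"] = hops[0] if hops else None  # generator is listed first
    if r["squid_error"]:
        upstream = r["error_from"] and r["error_from"] != r["local_name"]
        r["verdict"] = "upstream" if upstream else "local"
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:13} {value}")
```

On the log above it attributes the 503 to proxy-srv2 (squid/4.10): the parent received the absolute https:// URL on its plain port 3128 and had to open the TLS connection to the origin itself.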

