Google Chrome reports "Too many redirects" on ssl-dumped connections with LA Times News Website

Jeffrey Merkey
This error is extremely hard to reproduce, and I found it can be
cleared by restarting squid, which seems to make it go away.  It
seems to take several hours of non-stop proxy use then once the error
occurs the web browser reports "too many redirects" and certificate
errors.

Doing a restart on Centos 7 clears it:

# systemctl restart squid

The log shows some sort of "refresh unmodified" state before it happens:

1509690588.252    167 127.0.0.1 TAG_NONE/200 0 CONNECT events.bouncex.net:443 - HIER_DIRECT/35.190.62.200 -
1509690588.272    210 127.0.0.1 TAG_NONE/200 0 CONNECT analytics.twitter.com:443 - HIER_DIRECT/199.59.149.200 -
1509690588.280     62 127.0.0.1 TCP_REFRESH_UNMODIFIED/200 38412 GET http://www.latimes.com/nation/la-na-vegas-shooting-sheriff-20171102-story.html - HIER_DIRECT/104.120.143.198 text/html      <================== error is here
1509690588.356    220 127.0.0.1 TCP_MISS/200 960 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/34.228.123.38 text/xml
1509690588.366    304 127.0.0.1 TAG_NONE/200 0 CONNECT geo.moatads.com:443 - HIER_DIRECT/52.21.172.68 -
1509690588.374    303 127.0.0.1 TAG_NONE/200 0 CONNECT rtr.innovid.com:443 - HIER_DIRECT/13.58.208.14 -
1509690588.377     33 127.0.0.1 TCP_MISS/200 498 GET https://tribpubdfp745347008913.s.moatpixel.com/pixel.gif? - HIER_

If there are particulars and I attempt to recreate this problem, are
there any specific logging parms or settings that would help you
understand this particular error or shed some light on it that I could
set on my end?

Jeff
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Google Chrome reports "Too many redirects" on ssl-dumped connections with LA Times News Website

Jeffrey Merkey
On 11/3/17, Jeffrey Merkey <[hidden email]> wrote:

> This error is extremely hard to reproduce, and I found it can be
> cleared by restarting squid, which seems to make it go away.  It
> seems to take several hours of non-stop proxy use then once the error
> occurs the web browser reports "too many redirects" and certificate
> errors.
>
> Doing a restart on Centos 7 clears it:
>
> # systemctl restart squid
>
> The log shows some sort of "refresh unmodified" state before it happens:
>
> 1509690588.252    167 127.0.0.1 TAG_NONE/200 0 CONNECT events.bouncex.net:443 - HIER_DIRECT/35.190.62.200 -
> 1509690588.272    210 127.0.0.1 TAG_NONE/200 0 CONNECT analytics.twitter.com:443 - HIER_DIRECT/199.59.149.200 -
> 1509690588.280     62 127.0.0.1 TCP_REFRESH_UNMODIFIED/200 38412 GET http://www.latimes.com/nation/la-na-vegas-shooting-sheriff-20171102-story.html - HIER_DIRECT/104.120.143.198 text/html      <================== error is here
> 1509690588.356    220 127.0.0.1 TCP_MISS/200 960 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/34.228.123.38 text/xml
> 1509690588.366    304 127.0.0.1 TAG_NONE/200 0 CONNECT geo.moatads.com:443 - HIER_DIRECT/52.21.172.68 -
> 1509690588.374    303 127.0.0.1 TAG_NONE/200 0 CONNECT rtr.innovid.com:443 - HIER_DIRECT/13.58.208.14 -
> 1509690588.377     33 127.0.0.1 TCP_MISS/200 498 GET https://tribpubdfp745347008913.s.moatpixel.com/pixel.gif? - HIER_
>
> If there are particulars and I attempt to recreate this problem, are
> there any specific logging parms or settings that would help you
> understand this particular error or shed some light on it that I could
> set on my end?
>
> Jeff
>

One important thing I failed to mention is that other websites seem to
work fine at fetching pages; it seems to affect cached webpages that
seem to be the problem.  What specific trace functions can I enable to
help run down this issue and narrow it down to a root cause?

Jeff

Re: Google Chrome reports "Too many redirects" on ssl-dumped connections with LA Times News Website

Amos Jeffries
Administrator
On 03/11/17 19:45, Jeffrey Merkey wrote:

> This error is extremely hard to reproduce, and I found it can be
> cleared by restarting squid, which seems to make it go away.  It
> seems to take several hours of non-stop proxy use then once the error
> occurs the web browser reports "too many redirects" and certificate
> errors.
>
> Doing a restart on Centos 7 clears it:
>
> # systemctl restart squid
>
> The log shows some sort of "refresh unmodified" state before it happens:
>
> 1509690588.252    167 127.0.0.1 TAG_NONE/200 0 CONNECT events.bouncex.net:443 - HIER_DIRECT/35.190.62.200 -
> 1509690588.272    210 127.0.0.1 TAG_NONE/200 0 CONNECT analytics.twitter.com:443 - HIER_DIRECT/199.59.149.200 -
> 1509690588.280     62 127.0.0.1 TCP_REFRESH_UNMODIFIED/200 38412 GET http://www.latimes.com/nation/la-na-vegas-shooting-sheriff-20171102-story.html - HIER_DIRECT/104.120.143.198 text/html      <================== error is here

This is a 200 status response. So whatever "redirection" is occurring is
not part of the HTTP for that transaction.

The refresh means that something was cached beforehand but was stale so
the server had to be asked for permission to deliver it. UNMODIFIED
means the server responded by indicating it was okay to use.

> 1509690588.356    220 127.0.0.1 TCP_MISS/200 960 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/34.228.123.38 text/xml
> 1509690588.366    304 127.0.0.1 TAG_NONE/200 0 CONNECT geo.moatads.com:443 - HIER_DIRECT/52.21.172.68 -
> 1509690588.374    303 127.0.0.1 TAG_NONE/200 0 CONNECT rtr.innovid.com:443 - HIER_DIRECT/13.58.208.14 -
> 1509690588.377     33 127.0.0.1 TCP_MISS/200 498 GET https://tribpubdfp745347008913.s.moatpixel.com/pixel.gif? - HIER_
>
> If there are particulars and I attempt to recreate this problem, are
> there any specific logging parms or settings that would help you
> understand this particular error or shed some light on it that I could
> set on my end?

The tool at redbot.org shows the HTTP protocol and all the content at
that refreshed URL is all relatively normal. Some Vary issues, but that
should not be leading to redirect loops.


Since the error is showing up in the browser and not easily visible in
the server traffic I think the best place to look would be to debug what
the browser is doing exactly. It probably has something to do with how
it handles those cert errors (ie TLS-Everywhere misfeatures always
trying to do broken https:// when http:// works fine).


Also, which Squid version are you using may matter. You didn't say which.

Amos
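
The reading of the log given in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Squid project code: it rejoins mail-wrapped access.log records, parses the native log format, and flags a client/host pair only when it actually received a burst of 3xx replies. The window and threshold values and the host loop.example are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client code/status bytes method URL user hier/peer type
LINE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)")
START = re.compile(r"\d{9,}\.\d{3}\s")  # a record begins with an epoch timestamp

def parse(text):
    """Rejoin mail-wrapped records, then parse; truncated records are skipped."""
    records = []
    for raw in filter(None, map(str.strip, text.splitlines())):
        if START.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw
    return [m.groupdict() for m in map(LINE.match, records) if m]

def host_of(entry):
    url = entry["url"]  # CONNECT logs "host:port"; other methods log a full URL
    return urlsplit(url if "://" in url else "//" + url).hostname

def redirect_suspects(entries, window=10.0, threshold=5):
    """(client, host) pairs with >= threshold 3xx replies inside `window` seconds."""
    seen, suspects = defaultdict(list), set()
    for e in entries:
        if not e["status"].startswith("3"):
            continue  # a 200 such as TCP_REFRESH_UNMODIFIED/200 is not a redirect
        key, ts = (e["client"], host_of(e)), float(e["ts"])
        seen[key] = [t for t in seen[key] if ts - t <= window] + [ts]
        if len(seen[key]) >= threshold:
            suspects.add(key)
    return suspects

# Three records from the post above, wrapped as mailed (the last is cut off there
# too), then a constructed 302 burst for the hypothetical host loop.example.
SAMPLE = """\
1509690588.272    210 127.0.0.1 TAG_NONE/200 0 CONNECT
analytics.twitter.com:443 - HIER_DIRECT/199.59.149.200 -
1509690588.280     62 127.0.0.1 TCP_REFRESH_UNMODIFIED/200 38412 GET
http://www.latimes.com/nation/la-na-vegas-shooting-sheriff-20171102-story.html
- HIER_DIRECT/104.120.143.198 text/html
1509690588.377     33 127.0.0.1 TCP_MISS/200 498 GET
https://tribpubdfp745347008913.s.moatpixel.com/pixel.gif? - HIER_
""" + "".join(f"{1509690600 + i / 10:.3f} 12 127.0.0.1 TCP_MISS/302 350 GET "
              "http://loop.example/a - HIER_DIRECT/192.0.2.10 text/html\n" for i in range(6))
```

Run over the records quoted in the thread alone, `redirect_suspects` returns an empty set, which matches the observation that no redirect appears in the proxy's view of that transaction.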

Re: Google Chrome reports "Too many redirects" on ssl-dumped connections with LA Times News Website

Jeffrey Merkey
On 11/3/17, Amos Jeffries <[hidden email]> wrote:

> On 03/11/17 19:45, Jeffrey Merkey wrote:
>> This error is extremely hard to reproduce, and I found it can be
>> cleared by restarting squid, which seems to make it go away.  It
>> seems to take several hours of non-stop proxy use then once the error
>> occurs the web browser reports "too many redirects" and certificate
>> errors.
>>
>> Doing a restart on Centos 7 clears it:
>>
>> # systemctl restart squid
>>
>> The log shows some sort of "refresh unmodified" state before it happens:
>>
>> 1509690588.252    167 127.0.0.1 TAG_NONE/200 0 CONNECT events.bouncex.net:443 - HIER_DIRECT/35.190.62.200 -
>> 1509690588.272    210 127.0.0.1 TAG_NONE/200 0 CONNECT analytics.twitter.com:443 - HIER_DIRECT/199.59.149.200 -
>> 1509690588.280     62 127.0.0.1 TCP_REFRESH_UNMODIFIED/200 38412 GET http://www.latimes.com/nation/la-na-vegas-shooting-sheriff-20171102-story.html - HIER_DIRECT/104.120.143.198 text/html      <================== error is here
>
> This is a 200 status response. So whatever "redirection" is occurring is
> not part of the HTTP for that transaction.
>
> The refresh means that something was cached beforehand but was stale so
> the server had to be asked for permission to deliver it. UNMODIFIED
> means the server responded by indicating it was okay to use.
>
>> 1509690588.356    220 127.0.0.1 TCP_MISS/200 960 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/34.228.123.38 text/xml
>> 1509690588.366    304 127.0.0.1 TAG_NONE/200 0 CONNECT geo.moatads.com:443 - HIER_DIRECT/52.21.172.68 -
>> 1509690588.374    303 127.0.0.1 TAG_NONE/200 0 CONNECT rtr.innovid.com:443 - HIER_DIRECT/13.58.208.14 -
>> 1509690588.377     33 127.0.0.1 TCP_MISS/200 498 GET https://tribpubdfp745347008913.s.moatpixel.com/pixel.gif? - HIER_
>>
>> If there are particulars and I attempt to recreate this problem, are
>> there any specific logging parms or settings that would help you
>> understand this particular error or shed some light on it that I could
>> set on my end?
>
> The tool at redbot.org shows the HTTP protocol and all the content at
> that refreshed URL is all relatively normal. Some Vary issues, but that
> should not be leading to redirect loops.
>
>
> Since the error is showing up in the browser and not easily visible in
> the server traffic I think the best place to look would be to debug what
> the browser is doing exactly. It probably has something to do with how
> it handles those cert errors (ie TLS-Everywhere misfeatures always
> trying to do broken https:// when http:// works fine).
>
>
> Also, which Squid version are you using may matter. You didn't say which.
>
> Amos
>

Hi Amos,

Thanks for responding, the squid version is:

Squid Cache: Version 3.5.27
Service Name: squid

This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal
restrictions on distribution see
https://www.openssl.org/source/license.html

configure options:  '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd' '--enable-http-violations'

I also wanted to let you know that I upgraded my Chrome browser about
a week ago and that's when the redirect errors started showing up.
This makes me lean towards the possibility that it's a bug of some
sort in the Chrome browser itself.  What makes me suspect another bug
in Squid is the fact that restarting the squid server clears the
browser error.  I will attempt to log the error better the next time I
see it and perhaps that will help run it down.  If the bug is in
Chrome then it's clearly not a problem with Squid, but the fact that
reloading squid clears the bug gives me pause to review both.

The specific Chrome version I am seeing this error with is:

obtained from about:version

Google Chrome 60.0.3112.101 (Official Build) (64-bit)
Revision 1f3c0cf4b3083dfbe4da434af1726820cf384ce3-refs/branch-heads/3112@{#723}
OS Linux
JavaScript V8 6.0.286.54
Flash 27.0.0.183
/home/jmerkey/.config/google-chrome/PepperFlash/27.0.0.183/libpepflashplayer.so
User Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Command Line /usr/bin/google-chrome-stable --flag-switches-begin --flag-switches-end
Executable Path /opt/google/chrome/google-chrome
Profile Path /home/jmerkey/.config/google-chrome/Profile 1

Jeff

Re: Google Chrome reports "Too many redirects" on ssl-dumped connections with LA Times News Website

Jeffrey Merkey
I have done extensive testing and have been able to recreate this
error reliably on both Chrome and Firefox with or without squid loaded
or installed.  I have determined that it is not a bug in Squid, and
it also does not appear to be a bug in the browser but some sort of
problem with the websites involved.

Most notably I have seen it not only on the LA Times Website but also
the Social Security website as well among others.  It appears to be a
side effect of some sort of spyware or adware on the websites
involved.

Since it can be recreated with or without squid and it occurs with
more than one browser it is clearly not a bug in Squid, c-icap, or the
browsers.

Jeff