Why some traffic is TCP_DENIED

Why some traffic is TCP_DENIED

Vieri
Hi,

I'm trying to understand why Squid denies access to some sites, eg:

[Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
[Tue Feb 16 10:15:36 2021].053     49 10.215.248.74 TCP_MISS/200 2037 GET https://puk1-collabhubrtc.officeapps.live.com/rtc2/signalr/negotiate? - ORIGINAL_DST/52.108.88.1 application/json
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
[Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -


If I take the first line in the log and open the URL from a client I use, then the site opens as expected, and the corresponding Squid log is:

[Tue Feb 16 10:45:50 2021].546    628 10.215.111.210 TCP_MISS/200 2134 GET https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - ORIGINAL_DST/23.210.36.30 application/octet-stream
[Tue Feb 16 10:45:52 2021].668     49 10.215.111.210 NONE_NONE/000 0 CONNECT 216.58.215.138:443 - ORIGINAL_DST/216.58.215.138 -

In this log I see my host's IP address, 10.215.111.210.
However, in the first log I do not see a source IP address. Why?

Other clients seem to be denied access with errors in the log such as "NONE_NONE/000" followed by error:invalid-request or error:transaction-end-before-headers. How can I find out why I get "invalid requests"? Would a tcpdump on the server or client help? Or should I enable verbose debugging in Squid?

BTW this might be irrelevant but these messages seem to come up when accessing office 365 sites.

Thanks,

Vieri

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Why some traffic is TCP_DENIED

Amos Jeffries
Administrator
On 16/02/21 11:09 pm, Vieri wrote:

> Hi,
>
> I'm trying to understand why Squid denies access to some sites, eg:
>
> [Tue Feb 16 10:15:36 2021].044      0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html
> [Tue Feb 16 10:15:36 2021].050     46 10.215.248.160 TCP_DENIED/403 3352 - 52.109.12.25:443 - HIER_NONE/- text/html
> [Tue Feb 16 10:15:36 2021].050      0 10.215.248.160 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
> [Tue Feb 16 10:15:36 2021].052    140 10.215.246.144 TCP_MISS/200 193311 GET https://outlook.office.com/mail/ - ORIGINAL_DST/52.97.168.210 text/html
> [Tue Feb 16 10:15:36 2021].053     49 10.215.248.74 TCP_MISS/200 2037 GET https://puk1-collabhubrtc.officeapps.live.com/rtc2/signalr/negotiate? - ORIGINAL_DST/52.108.88.1 application/json
> [Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- -
> [Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 TCP_DENIED/403 3353 - 40.67.251.132:443 - HIER_NONE/- text/html
> [Tue Feb 16 10:15:36 2021].057      0 10.215.247.159 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
>
>
> If I take the first line in the log and I open the URL from a client I use then the site opens as expected, and the corresponding Squid log is:
>
> [Tue Feb 16 10:45:50 2021].546    628 10.215.111.210 TCP_MISS/200 2134 GET https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - ORIGINAL_DST/23.210.36.30 application/octet-stream
> [Tue Feb 16 10:45:52 2021].668     49 10.215.111.210 NONE_NONE/000 0 CONNECT 216.58.215.138:443 - ORIGINAL_DST/216.58.215.138 -
>
> In this log I see my host's IP addr. 10.215.111.210.
> However, in the first log I do not see a source IP address. Why?


Because this is Squid downloading the cert for its own use. For example
SSL-Bump needing it to complete a TLS cert chain.


>
> Other clients seem to be denied access with errors in the log such as "NONE_NONE/000"  followed by error:invalid-request or error:transaction-end-before-headers. How can I find out why I get "invalid requests"? Would a tcpdump on the server or client help? Or should I enable verbose debugging in Squid?

Looking at all these lines together I see:

  * a client TLS connection being intercepted, the server cert chain is incomplete.
  * Squid attempts to download the missing cert(s).
  * squid.conf rules force the cert download to get a 302 instead of a valid cert.
  * which leaves Squid unable to send the TLS connection client a valid cert chain.
  * the client rejects the TLS handshake and disconnects before any HTTP happens.


To avoid these, you need to prevent your squid.conf rules from generating
that 302 when Squid is initiating the request. The ACL type
"transaction_initiator" can be used for that.


Amos
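Added illustration of the fix Amos describes; this is not Vieri's squid.conf and not Squid project code. It assumes an intercepting SSL-Bump setup whose catch-all deny carries a deny_info 302, and the port, cert path, network range, ACL names and block-page URL are placeholders.

```conf
# Added example: minimal intercept + SSL-Bump rule set showing where the
# transaction_initiator exemption goes. All values below are placeholders.

http_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

acl lan src 10.215.0.0/16

# Requests Squid starts on its own behalf (fetching a missing intermediate
# cert so it can hand the bumped client a complete chain) carry no client
# address. They never match "lan" and, without the two lines below, fall
# through to the final deny and receive the 302 that shows up as
#   "- TCP_DENIED/302 0 GET http://.../MicRooCerAut2011_2011_03_22.crt"
# in access.log. Allow them before any rule that can deny or redirect.
# (transaction_initiator is available from Squid 4 onwards.)
acl squid_self transaction_initiator certificate-fetching
http_access allow squid_self

http_access allow lan

# Everything else is redirected to a block page instead of a plain 403.
deny_info 302:http://blockpage.example.invalid/denied all
http_access deny all
```

After reloading, the cert fetch should log as TCP_MISS/200 with "-" as the client, and the paired TCP_DENIED/403 plus error:transaction-end-before-headers lines for the same server IP should stop appearing.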