Re: [squid-users] RE: Squid Question?

From: Kinkie <gkinkie_at_gmail.com>
Date: Thu, 7 Jan 2010 15:16:02 +0100

On Thu, Jan 7, 2010 at 2:30 PM, Johann Terblanche
<jterblanche_at_ebisafrica.co.za> wrote:
> Hi Kinkie
>
> Thanks for your response.
>
> I've looked at the log file and below is an extract of a site but I do
> not fully understand the meaning of _MISS _HIT _DENIED
> ok DENIED is obvious but why?
>
> 1262869421.378   6417 172.30.36.254 TCP_MISS/200 1762 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -

This means that there was an https tunneling request from IP
172.30.36.254 by user "jterblanche" to www.ibm.com, which was allowed
("/200") and was not satisfied from cache ("TCP_MISS" - https requests
cannot be cached, so this is not surprising).

> 1262869421.378   6426 172.30.36.254 TCP_MISS/200 1764 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
> 1262869421.379   6422 172.30.36.254 TCP_MISS/200 1751 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
> 1262869421.380   6405 172.30.36.254 TCP_MISS/200 1763 CONNECT
> www.ibm.com:443 jterblanche DIRECT/129.42.60.216 -
> 1262869421.400      0 172.30.36.254 TCP_DENIED/407 1849 CONNECT
> www-03.ibm.com:443 - NONE/- text/html

This says that an https tunnel-setup request from IP 172.30.36.254 was
denied ("TCP_DENIED") with a request for user identification ("/407")
caused by missing or incorrect user credentials. This does not
necessarily indicate a problem: if you're using NTLM to authenticate
users, there's going to be 2 407's for each TCP connection used by the
client. If you're using other authentication protocols, it's up to the
client really - usually they're going to 407 once per process per
proxy, and then remember that they have to authenticate. But there may
be misbehaving software.

> 1262869421.442      1 172.30.36.254 TCP_DENIED/407 2083 CONNECT
> www-03.ibm.com:443 - NONE/- text/html
> 1262869422.508      0 172.30.36.254 TCP_DENIED/407 1837 CONNECT
> w3.ibm.com:443 - NONE/- text/html
> 1262869422.515      0 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.521      1 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.522      0 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.529      2 172.30.36.254 TCP_DENIED/407 1840 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.532      1 172.30.36.254 TCP_DENIED/407 2071 CONNECT
> w3.ibm.com:443 - NONE/- text/html
> 1262869422.541      4 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.542      2 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.542      2 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.542      1 172.30.36.254 TCP_DENIED/407 2074 CONNECT
> www.ibm.com:443 - NONE/- text/html
> 1262869422.543      3 172.30.36.254 TCP_MISS/404 0 CONNECT
> w3.ibm.com:443 jterblanche DIRECT/- -
>
> I think it has something to do with automatic certificate signing. How do
> I make a generic certificate that will work with all https sites in
> squid?

This is a forward proxy. Squid does not participate in the SSL
transaction, but only creates a TCP link along which the SSL
transaction takes place.

-- 
    /kinkie
Received on Thu Jan 07 2010 - 14:16:08 MST
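
The log reading explained in the reply above, as an added example that is not part of the original message or of Squid itself: it parses access.log lines in the format quoted in the thread and reports client/target pairs whose 407 challenge was never followed by an authenticated request. The function names, the 5-second window, the start-time calculation and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Squid native access.log layout, as in the lines quoted in the thread:
# time elapsed client result/status bytes method target user hierarchy/peer type
LINE_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<target>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<type>\S+)"
)

def parse_line(line):
    """Return one access.log entry as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["elapsed"] = float(rec["ts"]), int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    return rec

def unanswered_challenges(lines, window=5.0):
    """(client, target) pairs whose last 407 was not followed, within `window`
    seconds, by a request to the same target that carries a user name."""
    challenges, auth_starts = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client"], rec["target"])
        if rec["status"] == 407:
            challenges[key].append(rec["ts"])
        elif rec["user"] != "-":
            # Assumption: entries are stamped on completion, so start = ts - elapsed (ms).
            auth_starts[key].append(rec["ts"] - rec["elapsed"] / 1000.0)
    return sorted(
        key for key, seen in challenges.items()
        # 0.05 s of slack absorbs millisecond rounding in the log.
        if not any(-0.05 <= s - max(seen) <= window for s in auth_starts[key])
    )

# Constructed sample lines (documentation addresses and host names).
SAMPLE = [
    "1262870000.100      0 192.0.2.10 TCP_DENIED/407 1849 CONNECT a.example.com:443 - NONE/- text/html",
    "1262870000.140      1 192.0.2.10 TCP_DENIED/407 2083 CONNECT a.example.com:443 - NONE/- text/html",
    "1262870001.000      0 192.0.2.10 TCP_DENIED/407 1840 CONNECT b.example.com:443 - NONE/- text/html",
    "1262870001.020      1 192.0.2.10 TCP_DENIED/407 2074 CONNECT b.example.com:443 - NONE/- text/html",
    "1262870006.500   6300 192.0.2.10 TCP_MISS/200 1762 CONNECT a.example.com:443 alice DIRECT/198.51.100.7 -",
]

if __name__ == "__main__":
    print(unanswered_challenges(SAMPLE))
```

In the sample, the tunnel to a.example.com is logged six seconds after its 407s but started right after them, so only b.example.com is reported.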
