Hello,
Eliezer’s recommended fix did not work. The user was on YouTube watching UFC all day today. Here’s a copy of the log at the time.

1482436450.285 353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318 4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.567 839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482436450.585 0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.650 373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
1482436450.669 0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.682 1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.706 386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
1482436450.740 6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
1482436450.784 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784 0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.909 469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436450.927 1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436450.940 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.955 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.063 197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436451.080 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.217 434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
1482436451.236 0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.322 271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
1482436451.345 479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436451.361 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.498 4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436451.530 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.909 817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -

I know 503 is an error, but the user was using YouTube without any hassles. Those IPs are for Digital Ocean and Alentus Corporation. Squid is being “fooled” somehow.

I did notice the 503, which made it more confusing to me. The reason I investigated the issue was because I saw YouTube working on the client’s PC with a blue shield-like icon along with some words on top of the YouTube page (was not close enough to see the exact logo/words). The video was working fine, but that blue shield extension seems to be the reason behind “fooling” Squid.

Both the Chrome extension and the Desktop client are installed on the machine. I tried replicating that, but I couldn’t even connect the client.

What should I be looking for in cache.log?

Thanks again!
Sam

On Dec 21, 2016, at 6:59 PM, Sameh Onaissi <sameh.onai...@solcv.com> wrote:

> On Dec 21, 2016, at 6:51 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>
>> On 12/21/2016 10:14 AM, Sameh Onaissi wrote:
>>> One user is somehow able to access YouTube through Squid!
>>>
>>> 1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
>>
>> What makes you think this user was able to access youtube? AFAICT, Squid responded with an error (TAG_NONE/503) and did not contact the origin server (HIER_NONE/-).
>
> I did notice the 503, which made it more confusing to me. The reason I investigated the issue was because I saw YouTube working on the client’s PC with a blue shield-like icon along with some words on top of the YouTube page (was not close enough to see the exact logo/words). The video was working fine, but that blue shield extension seems to be the reason behind “fooling” Squid.
>
> In any case, I applied the ACLs to the squid.conf as Eliezer recommended, now I’ll wait till the user comes back in tomorrow to see if it worked.
>
>> I understand that you want Squid to redirect users instead of responding with an error. This 503 response could be due to Squid being unable to bump the user connection for some reason. Successful bumping is required to redirect users. You may see more details inside that error response itself. Others on the list may be able to help you to get to that response in Squid logs or packet captures.
>>
>> HTH,
>>
>> Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
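An added example, not part of the original thread: a small Python pass over the access.log pattern discussed above, tallying per client the CONNECT tunnels that succeeded to bare IP addresses (TAG_NONE/200 via ORIGINAL_DST) alongside CONNECTs that Squid answered itself with 503 (HIER_NONE). The sample lines are copied from the messages above; the function names and the `min_ips` threshold are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# access.log lines copied from the messages above (Squid native log format).
SAMPLE_LOG = """\
1482436450.285 353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318 4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.567 839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    if len(f) < 10:
        return None  # not a complete native-format record
    _, _, status = f[3].partition("/")   # e.g. TAG_NONE/503
    host, _, port = f[6].rpartition(":")  # CONNECT target is host:port
    hier, _, _ = f[8].partition("/")      # e.g. ORIGINAL_DST/1.2.3.4
    return {"client": f[2], "status": status, "method": f[5],
            "host": host, "port": port, "hier": hier}

def is_ip_literal(host):
    """True when the CONNECT target is an address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def summarize(log_text):
    """Per client: distinct IP-only tunnels and CONNECTs answered locally with 503."""
    stats = defaultdict(lambda: {"ip_tunnels": set(), "named_503": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        s = stats[rec["client"]]
        if (rec["status"] == "200" and rec["hier"] == "ORIGINAL_DST"
                and is_ip_literal(rec["host"])):
            s["ip_tunnels"].add(rec["host"])
        elif rec["status"] == "503" and rec["hier"] == "HIER_NONE":
            s["named_503"] += 1
    return dict(stats)

def clients_to_review(log_text, min_ips=3):
    """Clients with several distinct IP-only tunnels next to locally failed CONNECTs."""
    return sorted(c for c, s in summarize(log_text).items()
                  if len(s["ip_tunnels"]) >= min_ips and s["named_503"] > 0)
```

A client that shows only the 503 lines, like 10.0.0.162 in the quoted message, is not flagged; the combination with many distinct IP-only tunnels is what singles out 10.0.0.105.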