We are using a transparent proxy, Squid (Squid Cache: Version 3.5.28, Service Name: squid). The issue seems somewhat similar to "Squid SSL Bump TAG_NONE / HEIR_NONE", but my access log is slightly different.
We have an EC2 instance running Java 8 and an application that talks to GCP via the internet. This application seems to be able to consume successfully from other sources but is unable to publish to a Google PubSub account. Publishing via curl seems to be fine.
Here is what we see in the access log:
```
{"event":"2019-08-28 10:14:53 +1000.140 106 10.x.x.x TAG_NONE/200 0 CONNECT 172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - peek pubsub.googleapis.com","source_name":"/var/log/squid/access.log"}
```
Please note that another Java-based application is publishing to GCP without any issue using the same proxy node, and I can see TCP_TUNNEL/200 in that case.
Any idea what the above access log actually means?
The Squid config is below:
```
#
# FILE MANAGED BY PUPPET - Module squid
# Adapted from the RedHat recommended minimum configuration.
#
visible_hostname devproxy-hostname.local
acl to_linklocal dst 169.254.0.0/16 fe80::/10
# Source networks that are allowed to use this proxy
acl localnet src 10.x.x.x/16
# Destination ports that are allowed to be proxied (not CONNECT method)
acl allow_proxy_port port 22
acl allow_proxy_port port 25
acl allow_proxy_port port 443
acl allow_proxy_port port 465
acl allow_proxy_port port 80
# Destination ports that are allowed to be proxied via the CONNECT method
acl allow_connect_port port 22
acl allow_connect_port port 25
acl allow_connect_port port 443
acl allow_connect_port port 465
acl CONNECT method CONNECT
# DON'T SEND AN ERROR MESSAGE BACK FROM SQUID WHEN THE SSL CERTIFICATE
# IS NOT VALID
sslproxy_flags DONT_VERIFY_PEER
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
# Deny requests to certain unsafe ports
http_access deny !allow_proxy_port
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !allow_connect_port
# Deny access to localhost & link-local addresses
http_access deny to_localhost
http_access deny to_linklocal
acl explicit_http myportname 3128
acl transparent_http myportname 3129
acl transparent_https myportname 3130
# Allow access from clients within the IP ranges defined in localnet
# and the localhost itself for the explicit proxy
http_access allow localnet explicit_http
http_access allow localhost explicit_http
# Allow access from clients within the IP ranges defined in localnet
# and the localhost itself for the transparent proxy
http_access allow localnet transparent_http
http_access allow localhost transparent_http
# No whitelist here as it's taken care of during the peek and splice below
http_access allow localnet transparent_https
http_access allow localhost transparent_https
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 ssl-bump intercept cert=/etc/squid/squid.crt key=/etc/squid/squid.key generate-host-certificates=on
# Disable any caching
cache deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Double peek required to get around an issue with https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
# as the DNS is looked up again and has a possibility that the IP has changed
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 all
# Disable via and x-forwarded-for headers
via off
forwarded_for delete
max_filedescriptors 2048
workers 1
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Change epoch time to human readable time format - Squid 3.5
# Example: 1447998880.602 to 2015-11-20 16:57:40 +1100.107
logformat squid %{%Y-%m-%d %H:%M:%S %z}tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni
access_log /var/log/squid/access.log squid
logfile_rotate 0
```
Thanks
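For triage, the access log can be split into the fields named by the `logformat squid` line above to list client/SNI pairs that logged a `peek` entry but never a `TCP_TUNNEL` entry. This is an added example, not part of the original post; the first sample line is the one quoted in the post, the other two are constructed, and the function and field names are hypothetical.

```python
import json
from collections import defaultdict

# Field order follows the post's logformat: tl.tu, tr, >a, Ss/>Hs, <st, rm, ru,
# un, Sh/<a, mt, ssl::bump_mode, ssl::>sni (names here are hypothetical labels).
FIELDS = ("date", "time", "tz_ms", "elapsed_ms", "client", "status", "bytes",
          "method", "url", "user", "hier", "mime", "bump_mode", "sni")

def parse_event(json_line):
    """Parse one JSON-wrapped access.log line into a dict of named fields."""
    parts = json.loads(json_line)["event"].split()  # %6tr pads with spaces
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["squid_status"], rec["http_status"] = rec.pop("status").split("/", 1)
    rec["hier_status"], rec["server"] = rec.pop("hier").split("/", 1)
    rec["elapsed_ms"], rec["bytes"] = int(rec["elapsed_ms"]), int(rec["bytes"])
    return rec

def peek_without_tunnel(records):
    """Return sorted (client, sni) pairs with a TAG_NONE CONNECT but no TCP_TUNNEL."""
    seen = defaultdict(set)
    for r in records:
        if r["method"] == "CONNECT":
            seen[(r["client"], r["sni"])].add(r["squid_status"])
    return sorted(k for k, v in seen.items()
                  if "TAG_NONE" in v and "TCP_TUNNEL" not in v)

_DST = "172.217.167.106"
SAMPLE_EVENTS = [
    # Line quoted in the post (client address redacted by the poster).
    "2019-08-28 10:14:53 +1000.140 106 10.x.x.x TAG_NONE/200 0 CONNECT "
    + _DST + ":443 - ORIGINAL_DST/" + _DST + " - peek pubsub.googleapis.com",
    # Constructed lines for a second client whose connection ends in a tunnel.
    "2019-08-28 10:15:01 +1000.220     98 10.0.0.7 TAG_NONE/200 0 CONNECT "
    + _DST + ":443 - ORIGINAL_DST/" + _DST + " - peek pubsub.googleapis.com",
    "2019-08-28 10:15:02 +1000.512   2304 10.0.0.7 TCP_TUNNEL/200 5120 CONNECT "
    + _DST + ":443 - ORIGINAL_DST/" + _DST + " - splice pubsub.googleapis.com",
]
SAMPLE = [json.dumps({"event": e, "source_name": "/var/log/squid/access.log"})
          for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for client, sni in peek_without_tunnel(parse_event(l) for l in SAMPLE):
        print("peek logged, no tunnel: %s -> %s" % (client, sni))
```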