[squid-users] Bad HTTP requests trigger ICAP suspension

Silamael Silamael at coronamundi.de
Mon Dec 5 10:17:28 UTC 2016


Hi,

We are using the ICAP services of Squid for filtering HTTP requests. Now
we encountered the problem that a buggy? web application creates
requests with a URL with the hostname set to '.'.
These bad requests then cause the suspension of the whole ICAP service,
which then causes the bypass of the URL filtering as the ICAP service
has bypass=yes configured.
This sounds somehow wrong to me: the ICAP service doesn't have a
problem, just the HTTP request being forwarded is broken. Therefore there
is no need to suspend the ICAP service as a whole for 30 seconds.
Am I wrong or is this behavior intended?

These are the log messages:
2016/11/28 13:30:00 kid1| SECURITY ALERT: Missing hostname in URL
'http:///?_task=mail&_id=xxxxxxxxxxx&_action=display-attachment&_file=rcmfilexxxxxxxxxxxxxxxxxxxxx'.
see access.log for details.
2016/11/28 13:30:00.740 kid1| 0,3| src/base/TextException.cc(87) Throw:
src/adaptation/icap/ModXact.cc:970:exception:
adapted.header->parse(&httpBuf, true, &error)
2016/11/28 13:30:00.740 kid1| suspending ICAP service for too many failures
2016/11/28 13:30:00.740 kid1| optional ICAP service is suspended:
icap://XXX.XXX.XXX.XXX:1344/reqmod [down,susp,fail11]

Cheers,
Matthias
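
Added example (not part of the original post and not Squid code): a log check that flags each window in which an optional ICAP service was suspended, and so URL filtering was bypassed, and counts the "Missing hostname" alerts just before it. The sample log lines are constructed in the format quoted above, 192.0.2.10 is a placeholder address, and the function name and 60-second lookback are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the cache.log format quoted in the post (one event per line).
SAMPLE_LOG = """\
2016/11/28 13:29:58 kid1| SECURITY ALERT: Missing hostname in URL 'http:///?_task=mail'. see access.log for details.
2016/11/28 13:30:00 kid1| SECURITY ALERT: Missing hostname in URL 'http:///?_task=mail'. see access.log for details.
2016/11/28 13:30:00.740 kid1| suspending ICAP service for too many failures
2016/11/28 13:30:00.740 kid1| optional ICAP service is suspended: icap://192.0.2.10:1344/reqmod [down,susp,fail11]
2016/11/28 14:02:11 kid1| SECURITY ALERT: Missing hostname in URL 'http:///x'. see access.log for details.
"""

# Timestamp (fractional seconds optional), worker name, then the message text.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)? (kid\d+)\| (.*)$")
# Matches the suspension line quoted in the post: service URI and bracketed state.
SUSPENDED = re.compile(r"optional ICAP service is suspended: (\S+) \[([^\]]*)\]")
ALERT = "SECURITY ALERT: Missing hostname in URL"

def find_filter_bypass_windows(log_text, lookback=timedelta(seconds=60)):
    """Return one record per suspension of an optional ICAP service."""
    alerts = []  # timestamps of malformed-URL alerts seen so far
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation lines or unrelated formats
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(3)
        if ALERT in msg:
            alerts.append(ts)
            continue
        s = SUSPENDED.search(msg)
        if s:
            # Count only alerts that precede the suspension within the lookback.
            recent = [a for a in alerts if timedelta(0) <= ts - a <= lookback]
            events.append({
                "time": ts, "worker": m.group(2), "service": s.group(1),
                "state": s.group(2).split(","),
                "bad_url_alerts": len(recent),
            })
    return events

if __name__ == "__main__":
    for event in find_filter_bypass_windows(SAMPLE_LOG):
        print(event)
```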

