[squid-users] Squid 3.5.25 does not recognise ICAP 408 status code

Arunabha Saha arunabha.saha at gmail.com
Wed Oct 31 17:20:00 UTC 2018


>As with any timeout, it is impossible to say in general which side of
>the connection is at fault. This case has at least three sides: It could
>be the HTTP agent, Squid, and/or the ICAP service. Did one of them stall
>the transaction? Or was the ICAP service just too impatient? See option
>#4 below.
I've tried to track this down.   There are some  persistent sockets used by
SaaS apps for APIs (otservice api from google sites) and sometimes the HTTP
response takes a long time to trickle in.  I have seen upto 25 seconds for
the response body to trickle in after the response header.   I don't know
yet if this is due to network delays but given that it happens only for
this particular uri I'm theorizing that this is how it works.    I can
whitelist the one i am aware of that is causing this issue but again the
concern is what about others that might throw this exception.    The
timeout at 10 seconds is somewhat aggressive so moving that up should help
but some code changes in either squid or icap as suggested look necessary.

>Please note that ICAP is a protocol, not a product/software name. It
>probably does not matter what ICAP service you are using though.

Correct.  I was referring to the c-icap implementation.

On Wed, Oct 31, 2018 at 5:00 AM <squid-users-request at lists.squid-cache.org>
wrote:

> Send squid-users mailing list submissions to
>         squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
>         squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
>         squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>    1.
> On 10/30/18 6:45 PM, Arunabha Saha wrote:
>
> > Squid 3.5.25 does not seem to recognise the 408 request timeout error
> > code from ICAP.
>
> Squid effectively recognizes ICAP 408 response as an ICAP transaction
> error response and blames the ICAP service for that error. That
> (minimal) support can be improved, of course. See options #1 and #3 below.
>
>
>

>
> Needless to say, treating all ICAP service timeouts as if nothing bad
> happened would break some existing Squid deployments (while possibly
> fixing yours). A proper general solution (option #3 below) would most
> likely require making Squid behavior configurable.
>
>
> > The more troublesome issue for me is the exception it generates and then
> > declares ICAP down after a certain number of such exceptions.
> >
> > I don't want to disable the failure limit entirely given that we can
> > often have genuine failures that squid needs to detect.
> >
> > What i'd like to see is squid should not throw an exception in this
> > case.
>
> The "exception" is a minor low-level/technical detail. What you really
> want to see is Squid blaming itself (rather than the ICAP service) for
> the problem. Squid indeed lacks that kind of functionality, but it can
> be added if really needed. See options #1 and #3 below.
>
>
> > The timeout is somewhat aggressive but works with an earlier
> > version of ICAP (0.1.x).  The one i'm testing is 0.5.3.
>
> Please note that ICAP is a protocol, not a product/software name. It
> probably does not matter what ICAP service you are using though.
>
>
> > Any suggestions?
>
> I can suggest a few options, in no particular order:
>
> 1. Modify your Squid to treat 408 differently.
> 2. Modify your ICAP service to stop sending ICAP 408 responses to Squid.
> 3. Add proper ICAP timeout support feature to Squid.
> 4. Investigate why your ICAP service times out. If you are lucky, you
>    may be able to fix or work around the problem by adjusting Squid
>    and/or your ICAP service configuration.
>
> For option #1, Adaptation::Icap::ModXact::parseIcapHead() may be a good
> starting point.
>
> For options #1 and #3, see also
>
> https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
>
> In most cases, option #4 is the best first step but YMMV.
>
>
> HTH,
>
> Alex.
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 30 Oct 2018 23:59:18 -0500 (CDT)
> From: Sid <SIDDH05 at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.3: SSL Bump fails to send client
>         certificate
> Message-ID: <1540961958277-0.post at n4.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
> Thank you Alex for the reply.
>
> Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should
> forward SNI it received from the client to the server, provided the client
> actually sent SNI. Did your client send SNI?
>
> Sid: I can see in Client Hello IP Address being sent by Client; so there is
> no SNI from client itself.
>
> Alex: 2. Bugs notwithstanding, the implied order of events is not what
> actually happens: Squid, as configured, does _not_ forward anything from
> the
> server certificate to the client. Squid, as configured, generates a
> certificate based on client-supplied information (not server-supplied
> information). After sending that generated certificate to the client, Squid
> establishes a TLS connection with the server.
>
> Sid: Thank you for explanation.
>
> Alex: For an accurate picture, in addition to Squid-server and server-Squid
> traffic, look at what Squid has received from the client and what Squid
> sent
> to the client, all in actual order.
>
> Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks
> between Client & Squid and then between Squid & Server. I can see client
> being sent fake cert generated by Squid & client responds with "Client key
> Exchange", "Change cipher spec", "Encrypted Handshake Message". But I can't
> see actual client certificate sent to Squid. Is there a way to decypt in
> Wireshark. In Wireshark between Squid & Server I can see Squid responding
> with "61 Alert (Level: Fatal, Description: Internal Error)".
>
> Alex: Is your Squid configured to trust those internal CAs? If not, Squid
> would not be able to validate the server certificate.
>
> Sid: I have added those chained certificates as following in squid.conf
> tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem
>
>
>
>
> --
> Sent from:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 31 Oct 2018 05:27:20 -0500 (CDT)
> From: uppsalanet <fredrik at pipemore.se>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] redirect based on url (302)
> Message-ID: <1540981640859-0.post at n4.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Amos,
> Is there a git that I can use to push stuff up?
>
> I think you need to split the string in an other way, look into this
> example:
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> $|=1;
> while (<>) {
>      my $string = $_;
>      print "Received '\$_' = ".$_."\n";
>
>      $string =~ m/^(\d+)\s(.*)$/;
>      print "After regexp '\$string' = ".$string."\n";
>      print "After regexp '\$1' = ".$1."\n";
>      print "After regexp '\$2' = ".$2."\n";
>
>      ### Original split from sorce ###
>      ### This doesn't split anything looks like elements of an array?
>      #my ($cid, $uid) = ($1, $2);
>
>      ### Split the string ###
>      ### Those two split based on one or more spaces
>      #my ($cid, $uid) = split(/\s+/ ,$_);
>      my ($cid, $uid) = split;
>      $cid =~ s/%(..)/pack("H*", $1)/ge;
>      $uid =~ s/%(..)/pack("H*", $1)/ge;
>      print "After split \$cid = ".$cid."\n";
>      print "After split \$uid = ".$uid."\n";
> }
>
> Output from above with intake value '*130.238.000.00 muse.jhu.edu -*':
> Received '$_' = 130.238.000.00 muse.jhu.edu -
> After regexp '$string' = 130.238.000.00 muse.jhu.edu -
> /Use of uninitialized value $1 in concatenation (.) or string at
> ./sed_test_reg.pl line 13, <> line 1.
> After regexp '$1' =
> Use of uninitialized value $2 in concatenation (.) or string at
> ./sed_test_reg.pl line 14, <> line 1.
> After regexp '$2' = /
> *After split $cid = 130.238.000.00
> After split $uid = muse.jhu.edu*
>
> Cheers
> Fredrik
>
>
>
> --
> Sent from:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 50, Issue 75
> *******************************************
>


-- 
regards,
Arun
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20181031/4f86ec84/attachment-0001.html>


More information about the squid-users mailing list