[squid-users] ICAP and 403 Encapsulated answers (SSL denied domains)

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 22 17:33:29 UTC 2019


On 1/22/19 1:22 AM, FredB wrote:

> Here is a short tcpdump trace
> https://nas.traceroot.fr:8081/owncloud/index.php/s/egrcXnU3lxiU0mi
> 
>   1 - I'm surfing to the website https://www.toto.fr

Yes (tcp.stream eq 30).


>   2 - I receive a 403 (blank page)

> HTTP/1.1 403 Forbidden
> Server: e2guardian
> Date: Mon, 21 Jan 2019 10:06:54 GMT
> X-Cache: MISS from proxyorion_test
> X-Cache-Lookup: NONE from proxyorion_test:3128
> Transfer-Encoding: chunked
> Via: 1.1 proxyorion_test (squid/4.5)
> Connection: keep-alive
> 
> 0

Agreed. Frame 99 contains a well-formed HTTP 403 response with an empty
body. IIRC, popular browsers refuse to display 403 responses to CONNECT
requests. There is also nothing to display in your specific case because
the 403 response body is empty, but that is irrelevant.


> 3 - I refresh the page, and I wait a long time before timeout

The trace you posted does not seem to show this part AFAICT. Perhaps
your "refresh" was not forceful enough for the browser to open a new
connection. I do not know whether that part is important.


> A real issue is filtering ADS

Please note that it is your responsibility to reproduce the
real/relevant problem. Your current test case may be sufficient -- I do
not know -- but if it is _not_ sufficient, we may not be able to tell
that it is insufficient or irrelevant, and will chase ghosts.


In summary, the trace you posted does not seem to indicate a Squid
problem. That does not mean there is no problem. It only means this use
case does not seem to expose that problem from Squid's point of view.

If you believe that the browser is waiting for Squid to send something
after those HTTP 403 response bytes, then it sounds like there is a
browser bug -- Squid sent a full/complete response AFAICT. You may be
able to learn more about browser needs by debugging the browser.


As a workaround, you can try disabling client-to-Squid persistent
connections (client_persistent_connections off) or changing your ICAP
service to produce a response with a non-empty 403 body.


HTH,

Alex.
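
An added example, not part of the original message: one way to check whether captured response bytes form a complete chunked HTTP response, and whether the body is empty, as discussed for frame 99 above. The function name is hypothetical, and the sample bytes are constructed from the headers quoted in the message, assuming CRLF line endings.

```python
def parse_chunked_response(raw: bytes):
    """Return (status, body, complete) for a chunked HTTP/1.1 response."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b"", False              # header block still incomplete
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])        # "HTTP/1.1 403 Forbidden" -> 403
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        raise ValueError("only chunked responses are handled here")
    body = b""
    while True:
        size_line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            return status, body, False       # chunk-size line cut short
        size = int(size_line.split(b";")[0].strip(), 16)  # drop chunk extensions
        if size == 0:
            # last-chunk: optional trailer fields, then one empty line
            while True:
                trailer, sep, rest = rest.partition(b"\r\n")
                if not sep:
                    return status, body, False
                if trailer == b"":
                    return status, body, True
        if len(rest) < size + 2:
            return status, body, False       # chunk data cut short
        if rest[size:size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        body += rest[:size]
        rest = rest[size + 2:]

# Constructed sample: headers quoted in the message, CRLF line endings assumed.
SAMPLE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: e2guardian\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Via: 1.1 proxyorion_test (squid/4.5)\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_chunked_response(SAMPLE))
```

A result with complete set to True and an empty body means the sender finished the response on a connection it offered to keep alive, so any further waiting is on the client side.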

