[squid-users] chunked transfer over sslbump

Alex Rousskov rousskov at measurement-factory.com
Fri Feb 2 15:40:52 UTC 2024


On 2024-01-19 09:08, Arun Kumar wrote:
> Sorry, due to organization policy not possible to upload the debug logs.

I really doubt your organization prohibits sharing information with 
trusted parties. It is up to you whether to make me (or any other Squid 
developer who is willing to help you) such a party.


> Anything to look specifically in the debug logs?

Yes, of course, but I, personally, do not have enough free time to help 
you navigate debugging logs via email. That is why I am suggesting 
sharing those logs with me (while making that sharing comply with any 
organizational policies you need to comply with, of course). This is the 
best I can offer. If that is not good enough, I hope that others can 
offer more/different help.


Good luck,

Alex.


> Also please suggest if we can tweak the below sslbump configuration, to 
> make the chunked transfer work seamless.
> 
> http_port tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=20MB tls-cert=<pem file> tls-key=<key file> 
> cipher=... options=NO_TLSv1,... tls_dh=prime256v1:<dhparm.pem>
> 
> ssl_bump stare all
> 
> PS: Any documentations/video available to understand the 
> bump/stare/peek/splice better? Not understanding much from the 
> squid-cache.org contents.
> 
> On Friday, January 12, 2024 at 02:10:40 PM EST, Alex Rousskov 
> <rousskov at measurement-factory.com> wrote:
> 
> On 2024-01-12 09:21, Arun Kumar wrote:
>  > On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov wrote:
>  >
>  >
>  > On 2024-01-10 09:21, Arun Kumar wrote:
>  >  >> i) Retry seems to fetch one chunk of the response and not the 
> complete.
>  >  >> ii) Enabling sslbump and turning ICAP off, not helping.
>  >  >> iii)  gcc version is 7.3.1 (Red Hat 7.3.1-17)
>  >
>  >  >GCC v7 has insufficient C++17 support. I recommend installing GCC v9 or
>  > better and then trying with Squid v6.6 or newer.
>  >
>  > Arun: Compiled Squid 6.6 with gcc 11.4 and still seeing the same issue.
> 
> Glad you were able to upgrade to Squid v6.6!
> 
> 
>  >  > FWIW, if the problem persists in Squid v6, sharing debugging logs 
> would
>  > be the next recommended step.
>  >
>  > Arun: debug_options ALL,6 giving too much log. Any particular option
>  > we can use to debug this issue?
> 
> 
> Please share[^1] a pointer to compressed ALL,9 cache.log collected while
> reproducing the problem with Squid v6.6:
> 
> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction
> 
> Debugging logs are for developers. Developers can deal with large
> volumes of debugging information. You can use services like DropBox to
> share large compressed logs. Said that, the better you can isolate the
> problem/traffic, the higher are the chances that a developer will (have
> the time to) find the answer to your question in the noisy log.
> 
> [^1]: Please feel free to share privately if needed, especially if you
> are using sensitive configuration or transactions.
> 
> Alex.
> 
> 
>  >  > Also want to point out that, squid connects to another non-squid proxy
>  >  > to reach internet.
>  >  > cache_peer <proxy_url> parent <port> 0 no-query default
>  >  >
>  >  > On Tuesday, January 9, 2024 at 02:18:14 PM EST, Alex Rousskov wrote:
>  >  >
>  >  >
>  >  > On 2024-01-09 11:51, Zhang, Jinshu wrote:
>  >  >
>  >  >  > Client got below response headers and body. Masked few details.
>  >  >
>  >  > Thank you.
>  >  >
>  >  >
>  >  >  > Retry seems to fetch data remaining.
>  >  >
>  >  > I would expect a successful retry to fetch the entire response, 
> not just
>  >  > the remaining bytes, but perhaps that is what you meant. Thank you for
>  >  > sharing this info.
>  >  >
>  >  >
>  >  >  > Want to point out that removing sslbump everything is working fine,
>  >  >  > but we wanted to keep it for ICAP scanning.
>  >  >
>  >  > What if you keep SslBump enabled but disable any ICAP analysis
>  >  > ("icap_enable off")? This test may tell us if the problem is between
>  >  > Squid and the origin server or Squid and the ICAP service...
>  >  >
>  >  >
>  >  >  > We tried compiling 6.x in Amazon linux, using latest gcc, but 
> facing
>  >  > similar error -
>  >  >
>  > 
> https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html ([squid-users] compile error in squid v6.1)
>  >  >
>  >  > What is the "latest gcc" version in your environment? I suspect it is
>  >  > not the latest GCC version available to folks running Amazon 
> Linux, but
>  >  > you may need to install some packages to get a more recent GCC 
> version.
>  >  > Unfortunately, I cannot give specific instructions for Amazon Linux
>  >  > right now.
>  >  >
>  >  >
>  >  > HTH,
>  >  >
>  >  > Alex.
>  >  >
>  >  >
>  >  >  > HTTP/1.1 200 OK
>  >  >  > Date: Tue, 09 Jan 2024 15:41:33 GMT
>  >  >  > Server: Apache/mod_perl/2.0.10 Perl
>  >  >  > Content-Type: application/download
>  >  >  > X-Cache: MISS from ip-x-y-z
>  >  >  > Transfer-Encoding: chunked
>  >  >  > Via: xxx (ICAP)
>  >  >  > Connection: keep-alive
>  >  >  >
>  >  >  > 1000
>  >  >  > File-Id: xyz.zip
>  >  >  > Local-Path: x/y/z.txt
>  >  >  > Content-Size: 2967
>  >  >  > < binary content >
>  >  >  >
>  >  >  >
>  >  >  > Access log(1st attempt):
>  >  >  > 1704814893.695    138 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 - FIRSTUP_PARENT/10.x.y.z -
>  >  >  > 1704814900.491  6779 172.17.0.2 TCP_MISS/200 138996535 POST https://a.b.com/xyz - FIRSTUP_PARENT/10.x.y.z application/download
>  >  >  >
>  >  >  > Retry after 5 mins:
>  >  >  > 1704815201.530    189 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 - FIRSTUP_PARENT/10.x.y.z -
>  >  >  > 1704815208.438  6896 x.y.0.2 TCP_MISS/200 138967930 POST https://a.b.com/xyz - FIRSTUP_PARENT/10.x.y.z application/download
>  >  >  >
>  >  >  > Jinshu Zhang
>  >  >  >
>  >  >  >
>  >  >  > Fannie Mae Confidential
>  >  >  > -----Original Message-----
>  >  >  > From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
>  >  >  > Sent: Tuesday, January 9, 2024 9:53 AM
>  >  >  > To: squid-users at lists.squid-cache.org
>  >  >  > Subject: [EXTERNAL] Re: [squid-users] chunked transfer over sslbump
>  >  >  >
>  >  >  >
>  >  >  > On 2024-01-09 09:13, Arun Kumar wrote:
>  >  >  >
>  >  >  >> I have compiled/installed squid v5.8 in Amazon Linux and
>  > configured it
>  >  >  >> with sslbump option. Squid is used as proxy to get response from
>  > https
>  >  >  >> site. When the https site sends chunked response, it appears 
> that the
>  >  >  >> first response comes but it get stuck and doesn't receive the full
>  >  >  >> response. Appreciate any help.
>  >  >  >
>  >  >  > There were some recent chunking-related changes in Squid, but none
>  >  > of them is likely to be responsible for the problems you are describing
>  >  > unless the origin server response is very special/unusual.
>  >  >  >
>  >  >  > Does the client in this test get the HTTP response header? Some 
> HTTP
>  >  > response body bytes?
>  >  >  >
>  >  >  > To triage the problem, I recommend sharing the corresponding
>  >  > access.log records (at least). Seeing debugging of the problematic
>  >  > transaction may be very useful (but avoid using production 
> security keys
>  >  > and other sensitive information in such tests):
>  >  >  >
>  >  >
>  > 
> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction (Sending Bug Reports to the Squid Team)
>  >  >  >
>  >  >  > Please note that Squid v5 is not officially supported and has more
>  >  > known security vulnerabilities than Squid v6. You should be using
>  > Squid v6.
>  >  >  >
>  >  >  >
>  >  >  > HTH,
>  >  >  >
>  >  >  > Alex.
>  >  >  >
> 
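As an added illustration of the symptom discussed in this thread (a chunked response whose first chunk arrives and then stalls), here is a small chunked-body decoder that tells a complete body apart from a truncated or malformed one. It is not code from the thread or from Squid; the sample body is constructed to resemble the response quoted above, and its padding, second-chunk contents and sizes are assumptions.

```python
"""Decode an HTTP/1.1 chunked body and report whether it is complete.
Added example, not code from the thread or from Squid."""
import re

# chunk-size line: hex digits, optional ";name=value" extensions, then CRLF
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def decode_chunked(body: bytes):
    """Return (status, data, consumed): status is "complete", "truncated"
    (stream ended mid-unit, the 'first chunk arrives then stalls' case) or
    "malformed"; data holds every fully received chunk."""
    pos, out = 0, bytearray()
    while True:
        m = _SIZE_LINE.match(body, pos)
        if not m:
            # No CRLF at all means the size line itself is still incomplete.
            status = "truncated" if b"\r\n" not in body[pos:] else "malformed"
            return status, bytes(out), pos
        size, pos = int(m.group(1), 16), m.end()
        if size == 0:
            # Last chunk: empty trailer section (bare CRLF) or trailer lines
            # ended by an empty line. Missing either means the stream stalled.
            if body.startswith(b"\r\n", pos):
                return "complete", bytes(out), pos + 2
            end = body.find(b"\r\n\r\n", pos)
            if end == -1:
                return "truncated", bytes(out), pos
            return "complete", bytes(out), end + 4
        data_end = pos + size
        if len(body) < data_end + 2:          # data or its CRLF not yet here
            return "truncated", bytes(out), pos
        if body[data_end:data_end + 2] != b"\r\n":
            return "malformed", bytes(out), pos
        out += body[pos:data_end]
        pos = data_end + 2


def build_sample(truncated: bool) -> bytes:
    """Constructed body modelled on the thread's response: a 0x1000-byte first
    chunk starting with the quoted File-Id/Local-Path/Content-Size lines
    (padding and the 2967-byte second chunk are made up), then the last chunk.
    With truncated=True the stream stops after the first unit."""
    first = b"File-Id: xyz.zip\r\nLocal-Path: x/y/z.txt\r\nContent-Size: 2967\r\n"
    first += b"\x00" * (0x1000 - len(first))
    body = b"1000\r\n" + first + b"\r\n"
    if truncated:
        return body
    return body + b"b97\r\n" + b"B" * 2967 + b"\r\n" + b"0\r\n\r\n"
```

Feeding a captured client-side body into decode_chunked() shows whether the client saw the terminating zero-length chunk at all, which is the first thing to establish before looking at where between origin, ICAP service and Squid the bytes stopped.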