[squid-users] chunked transfer over sslbump

Arun Kumar s_p_arun at yahoo.com
Fri Jan 12 14:21:06 UTC 2024


 On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov <rousskov at measurement-factory.com> wrote:
 
 
 On 2024-01-10 09:21, Arun Kumar wrote:
>> i) Retry seems to fetch one chunk of the response and not the complete.
>> ii) Enabling sslbump and turning ICAP off, not helping.
>> iii)  gcc version is 7.3.1 (Red Hat 7.3.1-17)

>GCC v7 has insufficient C++17 support. I recommend installing GCC v9 or 
better and then trying with Squid v6.6 or newer.

Arun: Compiled Squid 6.6 with gcc 11.4 and still seeing the same issue.
> FWIW, if the problem persists in Squid v6, sharing debugging logs would 
be the next recommended step.

Arun: debug_options ALL,6 giving too much log. Any particular option we can use to debug this issue?

>HTH,

>Alex.


> Also want to point out that, squid connects to another non-squid proxy 
> to reach internet.
> /cache_peer <proxy_url> parent <port> 0 no-query default/
> 
> On Tuesday, January 9, 2024 at 02:18:14 PM EST, Alex Rousskov wrote:
> 
> 
> On 2024-01-09 11:51, Zhang, Jinshu wrote:
> 
>  > Client got below response headers and body. Masked few details.
> 
> Thank you.
> 
> 
>  > Retry seems to fetch data remaining.
> 
> I would expect a successful retry to fetch the entire response, not just
> the remaining bytes, but perhaps that is what you meant. Thank you for
> sharing this info.
> 
> 
>  > Want to point out that removing sslbump everything is working fine,
>  > but we wanted to keep it for ICAP scanning.
> 
> What if you keep SslBump enabled but disable any ICAP analysis
> ("icap_enable off")? This test may tell us if the problem is between
> Squid and the origin server or Squid and the ICAP service...
> 
> 
>  > We tried compiling 6.x in Amazon linux, using latest gcc, but facing 
> similar error - 
> https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html <[squid-users] compile error in squid v6.1>
> 
> What is the "latest gcc" version in your environment? I suspect it is
> not the latest GCC version available to folks running Amazon Linux, but
> you may need to install some packages to get a more recent GCC version.
> Unfortunately, I cannot give specific instructions for Amazon Linux
> right now.
> 
> 
> HTH,
> 
> Alex.
> 
> 
>  > HTTP/1.1 200 OK
>  > Date: Tue, 09 Jan 2024 15:41:33 GMT
>  > Server: Apache/mod_perl/2.0.10 Perl
>  > Content-Type: application/download
>  > X-Cache: MISS from ip-x-y-z
>  > Transfer-Encoding: chunked
>  > Via: xxx (ICAP)
>  > Connection: keep-alive
>  >
>  > 1000
>  > File-Id: xyz.zip
>  > Local-Path: x/y/z.txt
>  > Content-Size: 2967
>  > < binary content >
>  >
>  >
>  > Access log(1st attempt):
>  > 1704814893.695    138 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 - 
> FIRSTUP_PARENT/10.x.y.z -
>  > 1704814900.491  6779 172.17.0.2 TCP_MISS/200 138996535 POST 
> https://a.b.com/xyz <https://a.b.com/xyz> - FIRSTUP_PARENT/10.x.y.z 
> application/download
>  >
>  > Retry after 5 mins:
>  > 1704815201.530    189 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 - 
> FIRSTUP_PARENT/10.x.y.z -
>  > 1704815208.438  6896 x.y.0.2 TCP_MISS/200 138967930 POST 
> https://a.b.com/xyz <https://a.b.com/xyz> - FIRSTUP_PARENT/10.x.y.z 
> application/download
>  >
>  > Jinshu Zhang
>  >
>  >
>  > Fannie Mae Confidential
>  > -----Original Message-----
>  > From: squid-users <squid-users-bounces at lists.squid-cache.org 
> <mailto:squid-users-bounces at lists.squid-cache.org>> On Behalf Of Alex 
> Rousskov
>  > Sent: Tuesday, January 9, 2024 9:53 AM
>  > To: squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>
>  > Subject: [EXTERNAL] Re: [squid-users] chunked transfer over sslbump
>  >
>  >
>  > On 2024-01-09 09:13, Arun Kumar wrote:
>  >
>  >> I have compiled/installed squid v5.8 in Amazon Linux and configured it
>  >> with sslbump option. Squid is used as proxy to get response from https
>  >> site. When the https site sends chunked response, it appears that the
>  >> first response comes but it get stuck and doesn't receive the full
>  >> response. Appreciate any help.
>  >    There were some recent chunking-related changes in Squid, but none 
> of them is likely to be responsible for the problems you are describing 
> unless the origin server response is very special/unusual.
>  >
>  > Does the client in this test get the HTTP response header? Some HTTP 
> response body bytes?
>  >
>  > To triage the problem, I recommend sharing the corresponding 
> access.log records (at least). Seeing debugging of the problematic 
> transaction may be very useful (but avoid using production security keys 
> and other sensitive information in such tests):
>  > 
> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction <Sending Bug Reports to the Squid Team>
>  >
>  > Please note that Squid v5 is not officially supported and has more 
> known security vulnerabilities than Squid v6. You should be using Squid v6.
>  >
>  >
>  > HTH,
>  >
>  > Alex.
>  >
>  > _______________________________________________
>  > squid-users mailing list
>  > squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>
>  > https://lists.squid-cache.org/listinfo/squid-users 
> <https://lists.squid-cache.org/listinfo/squid-users>
>  >
>  > _______________________________________________
>  > squid-users mailing list
>  > squid-users at lists.squid-cache.org 
> <mailto:squid-users at lists.squid-cache.org>
>  > https://lists.squid-cache.org/listinfo/squid-users 
> <https://lists.squid-cache.org/listinfo/squid-users>
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org <mailto:squid-users at lists.squid-cache.org>
> https://lists.squid-cache.org/listinfo/squid-users 
> <squid-users Info Page>



| 
| 
|  | 
squid-users Info Page


 |

 |

 |





| 
| 
|  | 
Sending Bug Reports to the Squid Team

Squid Web Cache documentation
 |

 |

 |





| 
| 
|  | 
[squid-users] compile error in squid v6.1


 |

 |

 |



  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240112/65d55764/attachment-0001.htm>


More information about the squid-users mailing list