<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi guys,<div class=""><br class=""></div><div class="">I’m asking here but since I’m not too comfortable with a mailing list, it’s also on <a href="http://serverfault.com" class="">serverfault.com</a>: <a href="https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately" class="">https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately</a></div><div class=""><br class=""></div><div class="">I have an odd issue that squid will return an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. An HTTP website works fine.</div><div class="">Any ideas?</div><div class=""><br class=""></div><div class="">Config:</div><div class=""><br class=""></div><div class=""><div class="">visible_hostname proxy</div><div class="">forwarded_for delete</div><div class="">via off</div><div class="">httpd_suppress_version_string on</div><div class="">logfile_rotate 0</div><div class="">cache_log stdio:/dev/stdout</div><div class="">access_log stdio:/dev/stdout</div><div class="">cache_store_log stdio:/dev/stdout</div><div class="">dns_v4_first on</div><div class="">cache_dir ufs /cache 100 16 256</div><div class="">pid_filename /cache/squid.pid</div><div class="">mime_table /usr/share/squid/mime.conf</div><div class="">http_port 0.0.0.0:3128</div><div class="">https_port 0.0.0.0:3129 \</div><div class="">    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \</div><div class="">    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key</div><div class="">ssl_bump peek all</div><div class="">ssl_bump bump all</div><div class="">quick_abort_min 0</div><div class="">quick_abort_max 0</div><div class="">quick_abort_pct 95</div><div class="">pinger_enable 
off</div><div class="">icap_enable on</div><div class="">icap_service_failure_limit -1</div><div class="">icap_service service_req reqmod_precache bypass=0 <a href="icap://10.10.0.119:1344/" class="">icap://10.10.0.119:1344/</a></div><div class="">icap_preview_enable on</div><div class="">adaptation_access service_req allow all</div><div class="">cache_mem 512 mb</div><div class="">dns_nameservers 1.1.1.1 1.0.0.1</div><div class="">cache_effective_user proxy</div><div class="">sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB</div><div class="">sslcrtd_children 8 startup=1 idle=1</div><div class="">sslproxy_cert_error allow all</div><div class="">http_access allow all</div></div><div class=""><br class=""></div><div class="">Log line HTTPS when it doesn’t work:</div><div class=""><div class="">1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //<a href="http://ironpeak.be:443" class="">ironpeak.be:443</a> - HIER_NONE/- -</div><div class=""><br class=""></div><div class=""><div class="">&lt; HTTP/1.1 503 Service Unavailable</div><div class="">&lt; Server: squid</div><div class="">&lt; Mime-Version: 1.0</div><div class="">&lt; Date: Thu, 04 Mar 2021 10:36:05 GMT</div><div class="">&lt; Content-Type: text/html;charset=utf-8</div><div class="">&lt; Content-Length: 1849</div><div class="">&lt; X-Squid-Error: ERR_DNS_FAIL 0</div></div><div class=""><br class=""></div><div class=""><br class=""></div></div><div class="">Log line HTTP when it does work:</div><div class=""><div class="">  -1 1614851916 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a></div><div class="">1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8  301 1614853320        -1 1614853320 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a></div><div class="">1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 
GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a> - HIER_DIRECT/104.21.60.47 text/plain</div></div><div class=""><br class=""></div><div class="">Example CLI command used:</div><div class="">ALL_PROXY="<a href="https://127.0.0.1:3129" class="">https://127.0.0.1:3129</a>" curl -vvv --proxy-insecure <a href="http://ironpeak.be/" class="">http://ironpeak.be/</a></div><div class=""><br class=""></div><div class="">Command used to start squid:</div><div class=""><pre style="background-color: rgb(255, 255, 255); color: rgb(82, 91, 107); font-family: 'JetBrains Mono', monospace;" class=""><span style="color: rgb(105, 159, 66);" class="">exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1</span></pre><div class="">Package info:</div></div><div class=""><div class="">Package: squid-openssl</div><div class="">Version: 4.13-5</div></div><div class=""><br class=""></div><div class="">Many thanks!</div><div class=""><div class="">
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">Regards,<br class="Apple-interchange-newline">Niels Hofmans<br class=""><br class="">SITE   <a href="https://ironpeak.be" class="">https://ironpeak.be</a><br class=""></div></div></div></body></html>