<div dir="auto">Would it be possible to dump some ICAP traffic so we would be able to understand what might cause this issue if at all?<div dir="auto"><br></div><div dir="auto">Eliezer</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 4 Mar 2021 at 12:36, Niels Hofmans <<a href="mailto:hello@ironpeak.be">hello@ironpeak.be</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hi guys,<div><br></div><div>I’m asking here but since I’m not too comfortable with a mailing list, it’s also on <a href="http://serverfault.com" target="_blank" rel="noreferrer">serverfault.com</a>: <a href="https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately" target="_blank" rel="noreferrer">https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately</a></div><div><br></div><div>I have an odd issue that squid will return an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. 
HTTP website works fine.</div><div>Any ideas?</div><div><br></div><div>Config:</div><div><br></div><div><div>visible_hostname proxy</div><div>forwarded_for delete</div><div>via off</div><div>httpd_suppress_version_string on</div><div>logfile_rotate 0</div><div>cache_log stdio:/dev/stdout</div><div>access_log stdio:/dev/stdout</div><div>cache_store_log stdio:/dev/stdout</div><div>dns_v4_first on</div><div>cache_dir ufs /cache 100 16 256</div><div>pid_filename /cache/squid.pid</div><div>mime_table /usr/share/squid/mime.conf</div><div>http_port <a href="http://0.0.0.0:3128" target="_blank" rel="noreferrer">0.0.0.0:3128</a></div><div>https_port <a href="http://0.0.0.0:3129" target="_blank" rel="noreferrer">0.0.0.0:3129</a> \</div><div>    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \</div><div>    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key</div><div>ssl_bump peek all</div><div>ssl_bump bump all</div><div>quick_abort_min 0</div><div>quick_abort_max 0</div><div>quick_abort_pct 95</div><div>pinger_enable off</div><div>icap_enable on</div><div>icap_service_failure_limit -1</div><div>icap_service service_req reqmod_precache bypass=0 <a rel="noreferrer">icap://10.10.0.119:1344/</a></div><div>icap_preview_enable on</div><div>adaptation_access service_req allow all</div><div>cache_mem 512 mb</div><div>dns_nameservers 1.1.1.1 1.0.0.1</div><div>cache_effective_user proxy</div><div>sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB</div><div>sslcrtd_children 8 startup=1 idle=1</div><div>sslproxy_cert_error allow all</div><div>http_access allow all</div></div><div><br></div><div>Log line HTTPS when it doesn’t work:</div><div><div>1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //<a href="http://ironpeak.be:443" target="_blank" rel="noreferrer">ironpeak.be:443</a> - HIER_NONE/- -</div><div><br></div><div><div>< HTTP/1.1 503 Service Unavailable</div><div>< Server: squid</div><div>< Mime-Version: 1.0</div><div>< 
Date: Thu, 04 Mar 2021 10:36:05 GMT</div><div>< Content-Type: text/html;charset=utf-8</div><div>< Content-Length: 1849</div><div>< X-Squid-Error: ERR_DNS_FAIL 0</div></div><div><br></div><div><br></div></div><div>Log line HTTP when it does work:</div><div><div>  -1 1614851916 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" target="_blank" rel="noreferrer">http://ironpeak.be/blog/big-sur-t2rminator/</a></div><div>1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8  301 1614853320        -1 1614853320 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" target="_blank" rel="noreferrer">http://ironpeak.be/blog/big-sur-t2rminator/</a></div><div>1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" target="_blank" rel="noreferrer">http://ironpeak.be/blog/big-sur-t2rminator/</a> - HIER_DIRECT/<a href="http://104.21.60.47" target="_blank" rel="noreferrer">104.21.60.47</a> text/plain</div></div><div><br></div><div>Example CLI command used:</div><div>ALL_PROXY="<a href="https://127.0.0.1:3129" target="_blank" rel="noreferrer">https://127.0.0.1:3129</a>" curl -vvv --proxy-insecure <a href="http://ironpeak.be/" target="_blank" rel="noreferrer">http://ironpeak.be/</a></div><div><br></div><div>Command used to start squid:</div><div><pre style="background-color:rgb(255,255,255);color:rgb(82,91,107);font-family:"JetBrains Mono",monospace"><span style="color:rgb(105,159,66)">exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1</span></pre><div>Package info:</div></div><div><div>Package: squid-openssl</div><div>Version: 4.13-5</div></div><div><br></div><div>Many thanks!</div><div><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Regards,<br>Niels Hofmans<br><br>SITE   <a href="https://ironpeak.be" target="_blank" rel="noreferrer">https://ironpeak.be</a><br></div></div></div></div>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
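<div>For reading such a dump once it has been captured, the following added example (not part of the thread and not Squid's own code) splits an ICAP REQMOD request according to the RFC 3507 <code>Encapsulated</code> framing and reports which HTTP request it carries. The two sample messages are constructed; only the service URI comes from the posted config, and the function names are hypothetical.</div>

```python
# Added example: decode an ICAP REQMOD request (RFC 3507 framing) from a capture.
# The sample messages are constructed; only the service URI is from the posted config.
SERVICE = "icap://10.10.0.119:1344/"


def build_reqmod(http_head, preview=0):
    """Build a constructed body-less REQMOD message around raw HTTP request headers."""
    icap = [
        f"REQMOD {SERVICE} ICAP/1.0",
        f"Host: {SERVICE.split('/')[2]}",
        "Allow: 204",
        f"Preview: {preview}",
        # Offsets are relative to the first byte after the ICAP header block.
        f"Encapsulated: req-hdr=0, null-body={len(http_head)}",
    ]
    return ("\r\n".join(icap) + "\r\n\r\n").encode("ascii") + http_head


def parse_icap_request(raw):
    """Split an ICAP request into ICAP headers and its encapsulated sections."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated ICAP header block")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "encapsulated" not in headers:
        raise ValueError("ICAP request without Encapsulated header")
    # Encapsulated lists (section, offset) pairs in order; each section ends
    # where the next one starts, the last one at the end of the payload.
    parts = [item.strip().split("=") for item in headers["encapsulated"].split(",")]
    offsets = [(name, int(off)) for name, off in parts]
    sections = {}
    for i, (name, start) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[start:end]
    request_line = sections.get("req-hdr", b"").split(b"\r\n", 1)[0].decode("latin-1")
    return {"icap_method": method, "service": uri, "headers": headers,
            "sections": sections, "http_request_line": request_line}


SAMPLE_CONNECT = build_reqmod(b"CONNECT ironpeak.be:443 HTTP/1.1\r\nHost: ironpeak.be:443\r\n\r\n")
SAMPLE_GET = build_reqmod(b"GET https://ironpeak.be/ HTTP/1.1\r\nHost: ironpeak.be\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECT, SAMPLE_GET):
        msg = parse_icap_request(sample)
        print(msg["icap_method"], msg["headers"]["encapsulated"], "->", msg["http_request_line"])
```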