<html><head></head><body><div class="ydp9067c3e2yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">Sorry, due to organization policy it is not possible to upload the debug logs. Is there anything specific to look for in the debug logs?</div><div dir="ltr" data-setdir="false">Also, please suggest whether we can tweak the sslbump configuration below to make the chunked transfer work seamlessly.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><i>http_port tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=&lt;pem file&gt; tls-key=&lt;key file&gt; cipher=... options=NO_TLSv1,... tls_dh=prime256v1:&lt;dhparm.pem&gt;</i></div><div dir="ltr" data-setdir="false"><i><br></i></div><div dir="ltr" data-setdir="false"><i>ssl_bump stare all</i><br></div><div><br></div><div dir="ltr" data-setdir="false">PS: Is there any documentation or video available to understand bump/stare/peek/splice better? I am not understanding much from the squid-cache.org content.</div><div dir="ltr" data-setdir="false"><br></div>
</div><div id="ydpcd2b9743yahoo_quoted_6158286644" class="ydpcd2b9743yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Friday, January 12, 2024 at 02:10:40 PM EST, Alex Rousskov &lt;rousskov@measurement-factory.com&gt; wrote:
</div>
<div><br></div>
<div>On 2024-01-12 09:21, Arun Kumar wrote:<br></div><div><div dir="ltr">> On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov wrote:<br clear="none">> <br clear="none">> <br clear="none">> On 2024-01-10 09:21, Arun Kumar wrote:<br clear="none">> >> i) Retry seems to fetch one chunk of the response and not the complete.<br clear="none">> >> ii) Enabling sslbump and turning ICAP off, not helping.<br clear="none">> >> iii) gcc version is 7.3.1 (Red Hat 7.3.1-17)<br clear="none">> <br clear="none">> >GCC v7 has insufficient C++17 support. I recommend installing GCC v9 or<br clear="none">> better and then trying with Squid v6.6 or newer.<br clear="none">> <br clear="none">> Arun: Compiled Squid 6.6 with gcc 11.4 and still seeing the same issue.<br clear="none"><br clear="none">Glad you were able to upgrade to Squid v6.6!<br clear="none"><br clear="none"><br clear="none">> > FWIW, if the problem persists in Squid v6, sharing debugging logs would<br clear="none">> be the next recommended step.<br clear="none">> <br clear="none">> Arun: /debug_options ALL,6 /giving too much log. Any particular option <br clear="none">> we can use to debug this issue?<br clear="none"><br clear="none"><br clear="none">Please share[^1] a pointer to compressed ALL,9 cache.log collected while <br clear="none">reproducing the problem with Squid v6.6:<br clear="none"><br clear="none"><a shape="rect" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction" rel="nofollow" target="_blank">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a><br clear="none"><br clear="none">Debugging logs are for developers. Developers can deal with large <br clear="none">volumes of debugging information. You can use services like DropBox to <br clear="none">share large compressed logs. 
Said that, the better you can isolate the <br clear="none">problem/traffic, the higher are the chances that a developer will (have <br clear="none">the time to) find the answer to your question in the noisy log.<br clear="none"><br clear="none">[^1]: Please feel free to share privately if needed, especially if you <br clear="none">are using sensitive configuration or transactions.<br clear="none"><br clear="none">Alex.<br clear="none"><br clear="none"><br clear="none">> > Also want to point out that, squid connects to another non-squid proxy<br clear="none">> > to reach internet.<br clear="none">> > cache_peer <proxy_url> parent <port> 0 no-query default<br clear="none">> ><br clear="none">> > On Tuesday, January 9, 2024 at 02:18:14 PM EST, Alex Rousskov wrote:<br clear="none">> ><br clear="none">> ><br clear="none">> > On 2024-01-09 11:51, Zhang, Jinshu wrote:<br clear="none">> ><br clear="none">> > > Client got below response headers and body. Masked few details.<br clear="none">> ><br clear="none">> > Thank you.<br clear="none">> ><br clear="none">> ><br clear="none">> > > Retry seems to fetch data remaining.<br clear="none">> ><br clear="none">> > I would expect a successful retry to fetch the entire response, not just<br clear="none">> > the remaining bytes, but perhaps that is what you meant. Thank you for<br clear="none">> > sharing this info.<br clear="none">> ><br clear="none">> ><br clear="none">> > > Want to point out that removing sslbump everything is working fine,<br clear="none">> > > but we wanted to keep it for ICAP scanning.<br clear="none">> ><br clear="none">> > What if you keep SslBump enabled but disable any ICAP analysis<br clear="none">> > ("icap_enable off")? 
This test may tell us if the problem is between<br clear="none">> > Squid and the origin server or Squid and the ICAP service...<br clear="none">> ><br clear="none">> ><br clear="none">> > > We tried compiling 6.x in Amazon linux, using latest gcc, but facing<br clear="none">> > > similar error -<br clear="none">> > > <a shape="rect" href="https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html" rel="nofollow" target="_blank">https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html</a><br clear="none">> ><br clear="none">> > What is the "latest gcc" version in your environment? 
I suspect it is<br clear="none">> > not the latest GCC version available to folks running Amazon Linux, but<br clear="none">> > you may need to install some packages to get a more recent GCC version.<br clear="none">> > Unfortunately, I cannot give specific instructions for Amazon Linux<br clear="none">> > right now.<br clear="none">> ><br clear="none">> ><br clear="none">> > HTH,<br clear="none">> ><br clear="none">> > Alex.<br clear="none">> ><br clear="none">> ><br clear="none">> > > HTTP/1.1 200 OK<br clear="none">> > > Date: Tue, 09 Jan 2024 15:41:33 GMT<br clear="none">> > > Server: Apache/mod_perl/2.0.10 Perl<br clear="none">> > > Content-Type: application/download<br clear="none">> > > X-Cache: MISS from ip-x-y-z<br clear="none">> > > Transfer-Encoding: chunked<br clear="none">> > > Via: xxx (ICAP)<br clear="none">> > > Connection: keep-alive<br clear="none">> > ><br clear="none">> > > 1000<br clear="none">> > > File-Id: xyz.zip<br clear="none">> > > Local-Path: x/y/z.txt<br clear="none">> > > Content-Size: 2967<br clear="none">> > > < binary content ><br clear="none">> > ><br clear="none">> > ><br clear="none">> > > Access log(1st attempt):<br clear="none">> > > 1704814893.695 138 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 - FIRSTUP_PARENT/10.x.y.z -<br clear="none">> > > 1704814900.491 6779 172.17.0.2 TCP_MISS/200 138996535 POST <a shape="rect" href="https://a.b.com/xyz" rel="nofollow" target="_blank">https://a.b.com/xyz</a> - FIRSTUP_PARENT/10.x.y.z application/download<br clear="none">> > ><br clear="none">> > > Retry after 5 mins:<br clear="none">> > > 1704815201.530 189 x.y.0.2 
NONE_NONE/200 0 CONNECT a.b.com:443 - FIRSTUP_PARENT/10.x.y.z -<br clear="none">> > > 1704815208.438 6896 x.y.0.2 TCP_MISS/200 138967930 POST <a shape="rect" href="https://a.b.com/xyz" rel="nofollow" target="_blank">https://a.b.com/xyz</a> - FIRSTUP_PARENT/10.x.y.z application/download<br clear="none">> > ><br clear="none">> > > Jinshu Zhang<br clear="none">> > ><br clear="none">> > ><br clear="none">> > > Fannie Mae Confidential<br clear="none">> > > -----Original Message-----<br clear="none">> > > From: squid-users &lt;<a shape="rect" href="mailto:squid-users-bounces@lists.squid-cache.org" rel="nofollow" target="_blank">squid-users-bounces@lists.squid-cache.org</a>&gt; On Behalf Of Alex Rousskov<br clear="none">> > > Sent: Tuesday, January 9, 2024 9:53 AM<br clear="none">> > > To: <a shape="rect" href="mailto:squid-users@lists.squid-cache.org" rel="nofollow" target="_blank">squid-users@lists.squid-cache.org</a><br clear="none">> > > Subject: [EXTERNAL] Re: [squid-users] chunked transfer over sslbump<br clear="none">> > ><br clear="none">> > ><br clear="none">> > > On 2024-01-09 09:13, Arun Kumar wrote:<br clear="none">> > ><br clear="none">> > >> I have compiled/installed squid v5.8 in Amazon Linux and configured it<br clear="none">> > >> with sslbump option. 
Squid is used as proxy to get response from https<br clear="none">> > >> site. When the https site sends chunked response, it appears that the<br clear="none">> > >> first response comes but it get stuck and doesn't receive the full<br clear="none">> > >> response. Appreciate any help.<br clear="none">> > > There were some recent chunking-related changes in Squid, but none<br clear="none">> > > of them is likely to be responsible for the problems you are describing<br clear="none">> > > unless the origin server response is very special/unusual.<br clear="none">> > ><br clear="none">> > > Does the client in this test get the HTTP response header? Some HTTP<br clear="none">> > > response body bytes?<br clear="none">> > ><br clear="none">> > > To triage the problem, I recommend sharing the corresponding<br clear="none">> > > access.log records (at least). Seeing debugging of the problematic<br clear="none">> > > transaction may be very useful (but avoid using production security keys<br clear="none">> > > and other sensitive information in such tests):<br clear="none">> > ><br clear="none">> > > <a shape="rect" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction" rel="nofollow" target="_blank">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a><br clear="none">> > ><br clear="none">> > > Please note that Squid v5 is not officially supported and has more<br clear="none">> > > known security 
vulnerabilities than Squid v6. You should be using Squid v6.<br clear="none">> > ><br clear="none">> > ><br clear="none">> > > HTH,<br clear="none">> > ><br clear="none">> > > Alex.<br clear="none">> > ><br clear="none">> > > _______________________________________________<br clear="none">> > > squid-users mailing list<br clear="none">> > > <a shape="rect" href="mailto:squid-users@lists.squid-cache.org" rel="nofollow" target="_blank">squid-users@lists.squid-cache.org</a><br clear="none">> > > <a shape="rect" href="https://lists.squid-cache.org/listinfo/squid-users" rel="nofollow" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><div class="ydpcd2b9743yqt3041230280" id="ydpcd2b9743yqtfd28412"><br clear="none"></div></div></div>
</div>
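<div>The symptom discussed in this thread (the client receives a first chunk announced as 1000 and then stalls) can be confirmed on a saved body by walking the chunk framing and checking for the terminating zero-size chunk. The following is an added example, not code from any participant in the thread or from the Squid project; the function names and the sample bytes are hypothetical, and it assumes the body was saved with its transfer encoding left undecoded.</div>
<pre>
```python
# Added example (not from the thread): verify chunked framing of a captured body.
HEX = b"0123456789abcdefABCDEF"

def _report(reason, chunks, payload):
    return {"complete": reason == "complete", "reason": reason,
            "chunks": chunks, "payload_bytes": payload}

def inspect_chunked(body: bytes) -> dict:
    """Walk HTTP/1.1 chunk framing and say whether the body ended properly."""
    pos = chunks = payload = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return _report("truncated: next chunk-size line missing", chunks, payload)
        field = body[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not field or field.strip(HEX):
            return _report("malformed chunk size", chunks, payload)
        size = int(field, 16)  # chunk sizes are hexadecimal: "1000" is 4096 bytes
        pos = eol + 2
        if size == 0:  # last-chunk: skip optional trailer fields up to the empty line
            while True:
                eol = body.find(b"\r\n", pos)
                if eol == -1:
                    return _report("truncated: trailer section not terminated", chunks, payload)
                if eol == pos:
                    return _report("complete", chunks, payload)
                pos = eol + 2
        have = len(body) - pos
        if size > have:
            return _report("truncated: inside chunk data", chunks, payload + have)
        if body[pos + size:pos + size + 2] != b"\r\n":
            return _report("truncated or malformed: no CRLF after chunk data", chunks, payload + size)
        chunks += 1
        payload += size
        pos += size + 2

# Constructed sample: a 0x1000-byte first chunk (the size seen in the thread),
# a second chunk, and the terminating last-chunk.
FULL = b"1000\r\n" + b"A" * 0x1000 + b"\r\n" + b"10\r\n" + b"B" * 16 + b"\r\n0\r\n\r\n"
STALLED = FULL[:6 + 0x1000 + 2]  # transfer stops right after the first chunk

if __name__ == "__main__":
    for name, data in (("full", FULL), ("stalled", STALLED)):
        print(name, inspect_chunked(data))
```
</pre>
<div>Running the same check on a body captured with and without ICAP enabled shows on which side of Squid the framing is being cut short.</div>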
</div></body></html>