<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"><head><!--[if gte mso 9]><xml><o:OfficeDocumentSettings><o:AllowPNG/><o:PixelsPerInch>96</o:PixelsPerInch></o:OfficeDocumentSettings></xml><![endif]--></head><body>
Appreciate if you can provide any insights.<br><br><br><div class="yahoo-signature"><a href="https://mail.onelink.me/107872968?pid=nativeplacement&c=Global_Acquisition_YMktg_315_Internal_EmailSignature&af_sub1=Acquisition&af_sub2=Global_YMktg&af_sub3=&af_sub4=100000604&af_sub5=EmailSignature__Static_">Sent from Yahoo Mail for iPhone</a><br></div><br><p class="yahoo-quoted-begin" style="font-size: 15px; color: #715FFA; padding-top: 15px; margin-top: 0">On Friday, January 19, 2024, 9:08 AM, Arun Kumar <s_p_arun@yahoo.com> wrote:</p><blockquote class="iosymail"><div id="yiv1524351995"><div><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;" class="yiv1524351995ydp9067c3e2yahoo-style-wrap"><div></div>
<div dir="ltr">Sorry, due to organization policy not possible to upload the debug logs. Anything to look specifically in the debug logs?</div><div dir="ltr">Also please suggest if we can tweak the below sslbump configuration, to make the chunked transfer work seamless.</div><div dir="ltr"><br clear="none"></div><div dir="ltr"><i>http_port tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=<pem file> tls-key=<key file> cipher=... options=NO_TLSv1,... tls_dh=prime256v1:<dhparm.pem></i></div><div dir="ltr"><i><br clear="none"></i></div><div dir="ltr"><i>ssl_bump stare all</i><br clear="none"></div><div><br clear="none"></div><div dir="ltr">PS: Any documentations/video available to understand the bump/stare/peek/splice better? Not understanding much from the squid-cache.org contents.</div><div dir="ltr"><br clear="none"></div>
</div><div id="yiv1524351995ydpcd2b9743yahoo_quoted_6158286644" class="yiv1524351995ydpcd2b9743yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div id="yiv1524351995yqt28021" class="yiv1524351995yqt4311937308"><div>
On Friday, January 12, 2024 at 02:10:40 PM EST, Alex Rousskov <rousskov@measurement-factory.com> wrote:
</div>
<div><br clear="none"></div>
<div>On 2024-01-12 09:21, Arun Kumar wrote:<br clear="none"></div><div><div dir="ltr">> On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov wrote:<br clear="none">> <br clear="none">> <br clear="none">> On 2024-01-10 09:21, Arun Kumar wrote:<br clear="none">> >> i) Retry seems to fetch one chunk of the response and not the complete.<br clear="none">> >> ii) Enabling sslbump and turning ICAP off, not helping.<br clear="none">> >> iii) gcc version is 7.3.1 (Red Hat 7.3.1-17)<br clear="none">> <br clear="none">> >GCC v7 has insufficient C++17 support. I recommend installing GCC v9 or<br clear="none">> better and then trying with Squid v6.6 or newer.<br clear="none">> <br clear="none">> Arun: Compiled Squid 6.6 with gcc 11.4 and still seeing the same issue.<br clear="none"><br clear="none">Glad you were able to upgrade to Squid v6.6!<br clear="none"><br clear="none"><br clear="none">> > FWIW, if the problem persists in Squid v6, sharing debugging logs would<br clear="none">> be the next recommended step.<br clear="none">> <br clear="none">> Arun: /debug_options ALL,6 /giving too much log. Any particular option <br clear="none">> we can use to debug this issue?<br clear="none"><br clear="none"><br clear="none">Please share[^1] a pointer to compressed ALL,9 cache.log collected while <br clear="none">reproducing the problem with Squid v6.6:<br clear="none"><br clear="none"><a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a><br clear="none"><br clear="none">Debugging logs are for developers. Developers can deal with large <br clear="none">volumes of debugging information. You can use services like DropBox to <br clear="none">share large compressed logs. Said that, the better you can isolate the <br clear="none">problem/traffic, the higher are the chances that a developer will (have <br clear="none">the time to) find the answer to your question in the noisy log.<br clear="none"><br clear="none">[^1]: Please feel free to share privately if needed, especially if you <br clear="none">are using sensitive configuration or transactions.<br clear="none"><br clear="none">Alex.<br clear="none"><br clear="none"><br clear="none">> > Also want to point out that, squid connects to another non-squid proxy<br clear="none">> > to reach internet.<br clear="none">> > cache_peer <proxy_url> parent <port> 0 no-query default<br clear="none">> ><br clear="none">> > On Tuesday, January 9, 2024 at 02:18:14 PM EST, Alex Rousskov wrote:<br clear="none">> ><br clear="none">> ><br clear="none">> > On 2024-01-09 11:51, Zhang, Jinshu wrote:<br clear="none">> ><br clear="none">> > > Client got below response headers and body. Masked few details.<br clear="none">> ><br clear="none">> > Thank you.<br clear="none">> ><br clear="none">> ><br clear="none">> > > Retry seems to fetch data remaining.<br clear="none">> ><br clear="none">> > I would expect a successful retry to fetch the entire response, not just<br clear="none">> > the remaining bytes, but perhaps that is what you meant. Thank you for<br clear="none">> > sharing this info.<br clear="none">> ><br clear="none">> ><br clear="none">> > > Want to point out that removing sslbump everything is working fine,<br clear="none">> > > but we wanted to keep it for ICAP scanning.<br clear="none">> ><br clear="none">> > What if you keep SslBump enabled but disable any ICAP analysis<br clear="none">> > ("icap_enable off")? This test may tell us if the problem is between<br clear="none">> > Squid and the origin server or Squid and the ICAP service...<br clear="none">> ><br clear="none">> ><br clear="none">> > > We tried compiling 6.x in Amazon linux, using latest gcc, but facing<br clear="none">> > similar error -<br clear="none">> > <br clear="none">> <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html">https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html</a> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html">https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html</a>> <[squid-users] compile error in squid v6.1 <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html">https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html</a>>><br clear="none">> ><br clear="none">> > What is the "latest gcc" version in your environment? I suspect it is<br clear="none">> > not the latest GCC version available to folks running Amazon Linux, but<br clear="none">> > you may need to install some packages to get a more recent GCC version.<br clear="none">> > Unfortunately, I cannot give specific instructions for Amazon Linux<br clear="none">> > right now.<br clear="none">> ><br clear="none">> ><br clear="none">> > HTH,<br clear="none">> ><br clear="none">> > Alex.<br clear="none">> ><br clear="none">> ><br clear="none">> > > HTTP/1.1 200 OK<br clear="none">> > > Date: Tue, 09 Jan 2024 15:41:33 GMT<br clear="none">> > > Server: Apache/mod_perl/2.0.10 Perl<br clear="none">> > > Content-Type: application/download<br clear="none">> > > X-Cache: MISS from ip-x-y-z<br clear="none">> > > Transfer-Encoding: chunked<br clear="none">> > > Via: xxx (ICAP)<br clear="none">> > > Connection: keep-alive<br clear="none">> > ><br clear="none">> > > 1000<br clear="none">> > > File-Id: xyz.zip<br clear="none">> > > Local-Path: x/y/z.txt<br clear="none">> > > Content-Size: 2967<br clear="none">> > > < binary content ><br clear="none">> > ><br clear="none">> > ><br clear="none">> > > Access log(1st attempt):<br clear="none">> > > 1704814893.695 138 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 -<br clear="none">> > FIRSTUP_PARENT/10.x.y.z -<br clear="none">> > > 1704814900.491 6779 172.17.0.2 TCP_MISS/200 138996535 POST<br clear="none">> > <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a>> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a>>> - FIRSTUP_PARENT/10.x.y.z<br clear="none">> > application/download<br clear="none">> > ><br clear="none">> > > Retry after 5 mins:<br clear="none">> > > 1704815201.530 189 x.y.0.2 NONE_NONE/200 0 CONNECT a.b.com:443 -<br clear="none">> > FIRSTUP_PARENT/10.x.y.z -<br clear="none">> > > 1704815208.438 6896 x.y.0.2 TCP_MISS/200 138967930 POST<br clear="none">> > <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a>> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://a.b.com/xyz">https://a.b.com/xyz</a>>> - FIRSTUP_PARENT/10.x.y.z<br clear="none">> > application/download<br clear="none">> > ><br clear="none">> > > Jinshu Zhang<br clear="none">> > ><br clear="none">> > ><br clear="none">> > > Fannie Mae Confidential<br clear="none">> > > -----Original Message-----<br clear="none">> > > From: squid-users <<a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank" href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@lists.squid-cache.org</a> <br clear="none">> <mailto:squid-users-bounces@lists.squid-cache.org><br clear="none">> > <mailto:squid-users-bounces@lists.squid-cache.org>> On Behalf Of Alex<br clear="none">> > Rousskov<br clear="none">> > > Sent: Tuesday, January 9, 2024 9:53 AM<br clear="none">> > > To: <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a> <br clear="none">> <mailto:squid-users@lists.squid-cache.org><br clear="none">> > <mailto:squid-users@lists.squid-cache.org><br clear="none">> > > Subject: [EXTERNAL] Re: [squid-users] chunked transfer over sslbump<br clear="none">> > ><br clear="none">> > ><br clear="none">> > > On 2024-01-09 09:13, Arun Kumar wrote:<br clear="none">> > ><br clear="none">> > >> I have compiled/installed squid v5.8 in Amazon Linux and <br clear="none">> configured it<br clear="none">> > >> with sslbump option. Squid is used as proxy to get response from <br clear="none">> https<br clear="none">> > >> site. When the https site sends chunked response, it appears that the<br clear="none">> > >> first response comes but it get stuck and doesn't receive the full<br clear="none">> > >> response. Appreciate any help.<br clear="none">> > > There were some recent chunking-related changes in Squid, but none<br clear="none">> > of them is likely to be responsible for the problems you are describing<br clear="none">> > unless the origin server response is very special/unusual.<br clear="none">> > ><br clear="none">> > > Does the client in this test get the HTTP response header? Some HTTP<br clear="none">> > response body bytes?<br clear="none">> > ><br clear="none">> > > To triage the problem, I recommend sharing the corresponding<br clear="none">> > access.log records (at least). Seeing debugging of the problematic<br clear="none">> > transaction may be very useful (but avoid using production security keys<br clear="none">> > and other sensitive information in such tests):<br clear="none">> > ><br clear="none">> > <br clear="none">> <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a>> <Sending Bug Reports to the Squid Team <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a>>><br clear="none">> > ><br clear="none">> > > Please note that Squid v5 is not officially supported and has more<br clear="none">> > known security vulnerabilities than Squid v6. You should be using <br clear="none">> Squid v6.<br clear="none">> > ><br clear="none">> > ><br clear="none">> > > HTH,<br clear="none">> > ><br clear="none">> > > Alex.<br clear="none">> > ><br clear="none">> > > _______________________________________________<br clear="none">> > > squid-users mailing list<br clear="none">> > > <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a> <br clear="none">> <mailto:squid-users@lists.squid-cache.org><br clear="none">> > <mailto:squid-users@lists.squid-cache.org><br clear="none">> > > <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>><br clear="none">> > <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>>><br clear="none">> > ><br clear="none">> > > _______________________________________________<br clear="none">> > > squid-users mailing list<br clear="none">> > > <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a> <br clear="none">> <mailto:squid-users@lists.squid-cache.org><br clear="none">> > <mailto:squid-users@lists.squid-cache.org><br clear="none">> > > <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>><br clear="none">> > <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>>><br clear="none">> ><br clear="none">> > _______________________________________________<br clear="none">> > squid-users mailing list<br clear="none">> > <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a> <br clear="none">> <mailto:squid-users@lists.squid-cache.org> <br clear="none">> <mailto:squid-users@lists.squid-cache.org><br clear="none">> <br clear="none">> > <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>><br clear="none">> > <squid-users Info Page <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>>><br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> squid-users Info Page<br clear="none">> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>><br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> Sending Bug Reports to the Squid Team<br clear="none">> <br clear="none">> Squid Web Cache documentation<br clear="none">> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a>><br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> [squid-users] compile error in squid v6.1<div id="yiv1524351995ydpcd2b9743yqtfd28412" class="yiv1524351995ydpcd2b9743yqt3041230280"><br clear="none">> <br clear="none">> <<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html">https://lists.squid-cache.org/pipermail/squid-users/2023-July/026016.html</a>><br clear="none">> <br clear="none">> <br clear="none"><br clear="none"></div></div></div></div>
</div>
</div></div></div><blockquote></blockquote></blockquote>
</body></html>