[squid-users] ICAP and 403 Encapsulated answers (SSL denied domains)
FredB
numsys at free.fr
Tue Jan 22 08:22:58 UTC 2019
Hello Alex
>> But unfortunately Squid adds a "Connection: keep-alive" header
> It is not clear _why_ you consider that header "unfortunate" and the
> connection "wasted". That header may or may not be wrong, and the
> connection may or may not be reusable, depending on many factors (that
> you have not shared).
>
Your are right, it's not clear for me too, the only thing I'm seeing
it's that a keep-alive is not present in my answer from ICAP but well
added in header to client, after that if there is a refresh the browser
waits for the page a long time
But perhaps this is not related to my issue
>
> work. Otherwise, a packet capture (in pcap format) is probably the
> easiest sharing method.
>
Here a short tcpdump trace
https://nas.traceroot.fr:8081/owncloud/index.php/s/egrcXnU3lxiU0mi
1 - I'm surfing to the website https://www.toto.fr
2 - I receive a 403 (blank page)
3 - I refresh the page, and I wait a long time before timeout
A real issue is filtering ADS, surf to www.aaa.com and block www.bbb.com
(ads), there are multiple links to bbb in aaa, in this case www.aaa.com
never appears completely (or after a long time) the browser freeze and
still waiting bbb (the name appears in bottom: waiting for bbb)
>
> Yes, by ICAP design, an ICAP service does not have direct control over
> HTTP connections maintained by the host application (e.g., Squid).
Yes it's what I saw and read in the rfc
Thank you
Fred
More information about the squid-users
mailing list