[squid-users] squid ssl-bump with icap returns 503
Niels Hofmans
hello at ironpeak.be
Thu Mar 4 11:21:09 UTC 2021
Hi,
I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP?
So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname:
OPTIONS icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Allow: 206
ICAP/1.0 200 OK
Allow: 200,204
Connection: close
Date: Thu, 04 Mar 2021 11:11:45 GMT
Encapsulated: null-body=0
Methods: REQMOD,REQRESP
Preview: 0
Transfer-Preview: *
CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1
Host: ironpeak.be:443
REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204
ICAP/1.0 200 OK
Connection: close
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=111
CONNECT //ironpeak.be:443/blog/big-sur-t2rminator/ HTTP/1.1 <<<< here is my bug
Host: ironpeak.be:443
User-Agent: curl/7.64.1
But now, it does not pass any HTTP request in the CONNECT tunnel to ICAP:
CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1
Host: ironpeak.be:443
REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204
ICAP/1.0 204 No Modifications
Connection: close
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: null-body=0
..TLS ciphertext.. <<<< No more ICAP requests
Any idea on how I pass -every- sslbumped request to ICAP?
Thank you.
Regards,
Niels Hofmans
SITE https://ironpeak.be
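As an added example (not the poster's ICAP server, and not Squid code), here is a minimal Python REQMOD handler for the exchange shown above: it reads the Encapsulated offsets, answers a CONNECT with 204 (or echoes it with its authority-form host:port target untouched), and recomputes null-body from the exact byte length whenever it does modify a request, which is where the "//ironpeak.be:443/blog/..." request line above went wrong. The REQMOD message is constructed from the thread; the X-Scanned-By header is an assumed adaptation.

```python
import re
CRLF = b"\r\n"
# CONNECT targets are authority-form host:port (or [v6]:port): no scheme, no path.
AUTHORITY = re.compile(rb"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):\d{1,5}$")
# Constructed sample of the REQMOD Squid sends for the thread's CONNECT; the
# encapsulated request block is exactly 84 bytes, matching "null-body=84".
SAMPLE_CONNECT = (
    b"REQMOD icap://10.10.0.119:1344/ ICAP/1.0\r\n"
    b"Host: 10.10.0.119:1344\r\n"
    b"Encapsulated: req-hdr=0, null-body=84\r\n"
    b"Allow: 204\r\n\r\n"
    b"CONNECT ironpeak.be:443 HTTP/1.1\r\n"
    b"User-Agent: curl/7.64.1\r\n"
    b"Host: ironpeak.be:443\r\n\r\n"
)

def split_message(raw):
    """ICAP/HTTP message -> (start line, lower-cased header dict, payload)."""
    head, _, payload = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload
def parse_encapsulated(value):
    """b'req-hdr=0, null-body=84' -> {'req-hdr': 0, 'null-body': 84}."""
    pairs = (p.strip().partition(b"=") for p in value.split(b","))
    return {k.decode(): int(v) for k, _, v in pairs}
def valid_request_line(line):
    """Reject request lines Squid will not accept back from REQMOD."""
    method, target, _version = line.split(b" ")
    if method == b"CONNECT":
        return AUTHORITY.match(target) is not None  # "//host:443/path" fails here
    return target.startswith((b"http://", b"https://"))
def reqmod_response(icap_raw):
    _, icap_hdrs, payload = split_message(icap_raw)
    enc = parse_encapsulated(icap_hdrs[b"encapsulated"])
    http_block = payload[enc["req-hdr"]:enc.get("null-body", enc.get("req-body"))]
    if http_block.startswith(b"CONNECT "):
        # Nothing to adapt in a tunnel request: 204 if Squid allows it, else echo it unchanged.
        if b"204" in icap_hdrs.get(b"allow", b""):
            return b"ICAP/1.0 204 No Modifications\r\nEncapsulated: null-body=0\r\n\r\n"
        modified = http_block
    else:  # assumed adaptation for plain requests: add a tag header before the blank line
        modified = http_block[:-2] + b"X-Scanned-By: example-icap" + CRLF + CRLF
    assert valid_request_line(modified.split(CRLF, 1)[0])
    # null-body must equal the exact byte length of the returned header block
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=%d\r\n\r\n"
            % len(modified)) + modified
```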
On 4 Mar 2021, at 12:01, NgTech LTD <ngtech1ltd at gmail.com> wrote:
Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?
Eliezer
On Thu, 4 Mar 2021, 12:36, Niels Hofmans <hello at ironpeak.be> wrote:
Hi guys,
I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com: https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately
I have an odd issue that squid will return an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. HTTP website works fine.
Any ideas?
Config:
visible_hostname proxy
forwarded_for delete
via off
httpd_suppress_version_string on
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout
dns_v4_first on
cache_dir ufs /cache 100 16 256
pid_filename /cache/squid.pid
mime_table /usr/share/squid/mime.conf
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \
generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 95
pinger_enable off
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
icap_preview_enable on
adaptation_access service_req allow all
cache_mem 512 mb
dns_nameservers 1.1.1.1 1.0.0.1
cache_effective_user proxy
sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
http_access allow all
Log line HTTPS when it doesn’t work:
1614853306.542 40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -
< HTTP/1.1 503 Service Unavailable
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 04 Mar 2021 10:36:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1849
< X-Squid-Error: ERR_DNS_FAIL 0
Log line HTTP when it does work:
-1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8 301 1614853320 -1 1614853320 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.748 302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET http://ironpeak.be/blog/big-sur-t2rminator/ - HIER_DIRECT/104.21.60.47 text/plain
Example CLI command used:
ALL_PROXY="https://127.0.0.1:3129" curl -vvv --proxy-insecure http://ironpeak.be/
Command used to start squid:
exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1
Package info:
Package: squid-openssl
Version: 4.13-5
Many thanks!
Regards,
Niels Hofmans
SITE https://ironpeak.be