>As with any timeout, it is impossible to say in general which side of
>the connection is at fault. This case has at least three sides: It could>be the HTTP agent, Squid, and/or the ICAP service. Did one of them stall
>the transaction? Or was the ICAP service just too impatient? See option
>#4 below.
I've tried to track this down. There are some persistent sockets used by SaaS apps for APIs (otservice api from google sites) and sometimes the HTTP response takes a long time to trickle in. I have seen upto 25 seconds for the response body to trickle in after the response header. I don't know yet if this is due to network delays but given that it happens only for this particular uri I'm theorizing that this is how it works. I can whitelist the one i am aware of that is causing this issue but again the concern is what about others that might throw this exception. The timeout at 10 seconds is somewhat aggressive so moving that up should help but some code changes in either squid or icap as suggested look necessary.
>Please note that ICAP is a protocol, not a product/software name. It
>probably does not matter what ICAP service you are using though.Correct. I was referring to the c-icap implementation.
--
On Wed, Oct 31, 2018 at 5:00 AM <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
Send squid-users mailing list submissions to
squid-users@xxxxxxxxxxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
squid-users-request@xxxxxxxxxxxxxxxxxxxxx
You can reach the person managing the list at
squid-users-owner@xxxxxxxxxxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."
Today's Topics:
1.
On 10/30/18 6:45 PM, Arunabha Saha wrote:
> Squid 3.5.25 does not seem to recognise the 408 request timeout error
> code from ICAP.
Squid effectively recognizes ICAP 408 response as an ICAP transaction
error response and blames the ICAP service for that error. That
(minimal) support can be improved, of course. See options #1 and #3 below.
Needless to say, treating all ICAP service timeouts as if nothing bad
happened would break some existing Squid deployments (while possibly
fixing yours). A proper general solution (option #3 below) would most
likely require making Squid behavior configurable.
> The more troublesome issue for me is the exception it generates and then
> declares ICAP down after a certain number of such exceptions.
>
> I don't want to disable the failure limit entirely given that we can
> often have genuine failures that squid needs to detect.
>
> What i'd like to see is squid should not throw an exception in this
> case.
The "exception" is a minor low-level/technical detail. What you really
want to see is Squid blaming itself (rather than the ICAP service) for
the problem. Squid indeed lacks that kind of functionality, but it can
be added if really needed. See options #1 and #3 below.
> The timeout is somewhat aggressive but works with an earlier
> version of ICAP (0.1.x). The one i'm testing is 0.5.3.
Please note that ICAP is a protocol, not a product/software name. It
probably does not matter what ICAP service you are using though.
> Any suggestions?
I can suggest a few options, in no particular order:
1. Modify your Squid to treat 408 differently.
2. Modify your ICAP service to stop sending ICAP 408 responses to Squid.
3. Add proper ICAP timeout support feature to Squid.
4. Investigate why your ICAP service times out. If you are lucky, you
may be able to fix or work around the problem by adjusting Squid
and/or your ICAP service configuration.
For option #1, Adaptation::Icap::ModXact::parseIcapHead() may be a good
starting point.
For options #1 and #3, see also
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
In most cases, option #4 is the best first step but YMMV.
HTH,
Alex.
------------------------------
Message: 2
Date: Tue, 30 Oct 2018 23:59:18 -0500 (CDT)
From: Sid <SIDDH05@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid 4.3: SSL Bump fails to send client
certificate
Message-ID: <1540961958277-0.post@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii
Thank you Alex for the reply.
Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should
forward SNI it received from the client to the server, provided the client
actually sent SNI. Did your client send SNI?
Sid: I can see in Client Hello IP Address being sent by Client; so there is
no SNI from client itself.
Alex: 2. Bugs notwithstanding, the implied order of events is not what
actually happens: Squid, as configured, does _not_ forward anything from the
server certificate to the client. Squid, as configured, generates a
certificate based on client-supplied information (not server-supplied
information). After sending that generated certificate to the client, Squid
establishes a TLS connection with the server.
Sid: Thank you for explanation.
Alex: For an accurate picture, in addition to Squid-server and server-Squid
traffic, look at what Squid has received from the client and what Squid sent
to the client, all in actual order.
Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks
between Client & Squid and then between Squid & Server. I can see client
being sent fake cert generated by Squid & client responds with "Client key
Exchange", "Change cipher spec", "Encrypted Handshake Message". But I can't
see actual client certificate sent to Squid. Is there a way to decypt in
Wireshark. In Wireshark between Squid & Server I can see Squid responding
with "61 Alert (Level: Fatal, Description: Internal Error)".
Alex: Is your Squid configured to trust those internal CAs? If not, Squid
would not be able to validate the server certificate.
Sid: I have added those chained certificates as following in squid.conf
tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
------------------------------
Message: 3
Date: Wed, 31 Oct 2018 05:27:20 -0500 (CDT)
From: uppsalanet <fredrik@xxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: redirect based on url (302)
Message-ID: <1540981640859-0.post@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii
Hi Amos,
Is there a git that I can use to push stuff up?
I think you need to split the string in an other way, look into this
example:
#!/usr/bin/perl
use strict;
use warnings;
$|=1;
while (<>) {
my $string = $_;
print "Received '\$_' = ".$_."\n";
$string =~ m/^(\d+)\s(.*)$/;
print "After regexp '\$string' = ".$string."\n";
print "After regexp '\$1' = ".$1."\n";
print "After regexp '\$2' = ".$2."\n";
### Original split from sorce ###
### This doesn't split anything looks like elements of an array?
#my ($cid, $uid) = ($1, $2);
### Split the string ###
### Those two split based on one or more spaces
#my ($cid, $uid) = split(/\s+/ ,$_);
my ($cid, $uid) = split;
$cid =~ s/%(..)/pack("H*", $1)/ge;
$uid =~ s/%(..)/pack("H*", $1)/ge;
print "After split \$cid = ".$cid."\n";
print "After split \$uid = ".$uid."\n";
}
Output from above with intake value '*130.238.000.00 muse.jhu.edu -*':
Received '$_' = 130.238.000.00 muse.jhu.edu -
After regexp '$string' = 130.238.000.00 muse.jhu.edu -
/Use of uninitialized value $1 in concatenation (.) or string at
./sed_test_reg.pl line 13, <> line 1.
After regexp '$1' =
Use of uninitialized value $2 in concatenation (.) or string at
./sed_test_reg.pl line 14, <> line 1.
After regexp '$2' = /
*After split $cid = 130.238.000.00
After split $uid = muse.jhu.edu*
Cheers
Fredrik
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
------------------------------
Subject: Digest Footer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
End of squid-users Digest, Vol 50, Issue 75
*******************************************
regards,
Arun
Arun
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
