Re: What is the proper way to close an ICAP transaction?


Hi,

The flow is the following:
ICAP transaction is sent to ICAP server with a PREVIEW header
ICAP server sends ICAP header 100 Continue 
ICAP server sends ICAP header 200 OK to start data transfer
<data transfer begins>
ICAP server receives a chunk, checks if it's the last chunk, if not then append to temp file and send it back to Squid; if it is the last chunk then analyze the temp file for virus.
<repeat for next data transfer>
If virus found then send encapsulated HTTP header 307 redirect.
If virus not found, send the last chunk to squid.

The part where we send 307 is the part that Squid doesn't like; I believe it is because we are not sending the last chunk since the file is a virus.

On Tue, Nov 26, 2019 at 4:52 PM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 11/26/19 2:52 PM, Felipe Arturo Polanco wrote:

> We are sending an encapsulated HTTP 307 redirect webpage header whenever
> a Virus is found and stop sending any other data after that

You must use ICAP status code 200 then. Make sure your encapsulated HTTP
307 body (if any) is properly sent to Squid.


> but squid
> complains about ICAP failure when we do that:
> Adaptation::Icap::Xaction::noteCommRead threw exception: corrupted chunk
> size

What chunk size did Squid not like? You should be able to tell by
looking at the packet capture of the failed transaction (or low-level
Squid debugging).


> We are not sending an ICAP header at this point because we already told
> Squid ICAP 200 OK header and begun a body transaction, we send some
> chunks back to the client for progress and hold the last part for scanning.

Are you sending HTTP 307 body chunks to Squid? How do you indicate that
no more chunks will be coming?

It sounds like you are trying to cram two HTTP messages (one with the
original HTTP response body prefix and one with a generated 307
redirect) into one ICAP response, which is impossible, but perhaps I
misunderstood your description. It would help if you post a sample (but
complete) ICAP response that Squid does not like.


> Ideally, we would like to just send our 307 to Squid and not having it
> count as a failure.

Yes, a 200 ICAP response with an embedded HTTP 307 response should work
just fine, but all its pieces should be properly formed (and there
should be no extras).

Alex.


> On Tue, Nov 26, 2019 at 3:44 PM Alex Rousskov wrote:
>
>     On 11/26/19 10:15 AM, Felipe Arturo Polanco wrote:
>
>     > While we can successfully scan our files and do content adaptation, we
>     > have been struggling to find a way to close the ICAP transaction
>     before
>     > passing the whole body back to squid and at the same time avoid squid
>     > marking one icap failure.
>
>     Squid needs a valid ICAP response. The right ICAP response status code
>     depends on what you want Squid to do after receiving that response. You
>     have mentioned what you do _not_ want Squid to do (i.e. increase the
>     failure count), but that still leaves a lot of options.
>
>
>     > This is for an ICAP server that does Virus scanning and if virus
>     found,
>     > the body is not sent back.
>
>     What do you want Squid to do when the ICAP service finds a virus? For
>     example, what message do you want Squid to send to the next HTTP hop?
>
>     Alex.
>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
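
Added example, not part of the original thread and not code from Squid or from either poster: a minimal Python builder for the single ICAP 200 response with one encapsulated HTTP 307 that the reply describes, plus a framing checker that reports a missing zero-size last chunk or a non-hex chunk size. The function names, the ISTag value and the redirect URL are assumptions made for illustration, and the checker only handles a response whose Encapsulated header is `res-hdr=0` followed by `res-body` or `null-body`.

```python
import re

CRLF = b"\r\n"

def build_icap_redirect(location, body=b""):
    """ICAP 200 response carrying exactly one encapsulated HTTP 307."""
    http_hdr = ("HTTP/1.1 307 Temporary Redirect\r\n"
                f"Location: {location}\r\n"
                f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    # Encapsulated offsets are counted from the end of the ICAP header block.
    part = "res-body" if body else "null-body"
    icap_hdr = ("ICAP/1.0 200 OK\r\n"
                'ISTag: "example-tag-1"\r\n'  # constructed value
                f"Encapsulated: res-hdr=0, {part}={len(http_hdr)}\r\n\r\n").encode("ascii")
    out = icap_hdr + http_hdr
    if body:
        # One data chunk, then the zero-size last chunk that ends the message.
        out += b"%x\r\n" % len(body) + body + CRLF + b"0\r\n\r\n"
    return out

def check_icap_response(raw):
    """Return a list of framing problems; an empty list means well-formed."""
    icap_hdr, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep or not icap_hdr.startswith(b"ICAP/1.0 200 "):
        return ["missing ICAP 200 status line or header terminator"]
    m = re.search(rb"(?im)^Encapsulated:\s*res-hdr=0,\s*(res-body|null-body)=(\d+)\s*$", icap_hdr)
    if not m:
        return ["missing or unsupported Encapsulated header"]
    kind, off = m.group(1), int(m.group(2))
    if rest[max(off - 4, 0):off] != b"\r\n\r\n":
        return ["Encapsulated offset does not point just past the HTTP header"]
    if kind == b"null-body":
        return [] if off == len(rest) else ["extra bytes after null-body"]
    pos = off
    while True:
        if pos >= len(rest):
            return ["body ended without a zero-size last chunk"]
        line_end = rest.find(CRLF, pos)
        size_tok = rest[pos:line_end].split(b";")[0] if line_end >= 0 else b""
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_tok):
            return [f"corrupted chunk size at body offset {pos - off}"]
        size, pos = int(size_tok, 16), line_end + 2
        if size == 0:
            return [] if rest[pos:] == CRLF else ["bytes after last chunk"]
        if rest[pos + size:pos + size + 2] != CRLF:
            return ["chunk data not terminated by CRLF"]
        pos += size + 2
```

Running the checker over the bytes an ICAP server actually wrote (taken from a packet capture, as the reply suggests) shows at which body offset the chunk framing stops being valid.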
