Search squid archive

Re: squid ssl-bump with icap returns 503

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?

Eliezer

בתאריך יום ה׳, 4 במרץ 2021, 12:36, מאת Niels Hofmans ‏<hello@xxxxxxxxxxx>:
Hi guys,

I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.comhttps://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

I have an odd issue that squid will return a HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. HTTP website works fine.
Any ideas?

Config:

visible_hostname proxy
forwarded_for delete
via off
httpd_suppress_version_string on
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout
dns_v4_first on
cache_dir ufs /cache 100 16 256
pid_filename /cache/squid.pid
mime_table /usr/share/squid/mime.conf
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 95
pinger_enable off
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
icap_preview_enable on
adaptation_access service_req allow all
cache_mem 512 mb
dns_nameservers 1.1.1.1 1.0.0.1
cache_effective_user proxy
sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
http_access allow all

Log line HTTPS when it doesn’t work:
1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -

< HTTP/1.1 503 Service Unavailable
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 04 Mar 2021 10:36:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1849
< X-Squid-Error: ERR_DNS_FAIL 0


Log line HTTP when it does work:
  -1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8  301 1614853320        -1 1614853320 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET http://ironpeak.be/blog/big-sur-t2rminator/ - HIER_DIRECT/104.21.60.47 text/plain

Example CLI command used:
ALL_PROXY="https://127.0.0.1:3129" curl -vvv --proxy-insecure http://ironpeak.be/

Command used to start squid:
exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1
Package info:
Package: squid-openssl
Version: 4.13-5

Many thanks!
Regards,
Niels Hofmans

SITE   https://ironpeak.be
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux