
Re: squid ssl-bump with icap returns 503

Hi,

I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP?

So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname:

OPTIONS icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Allow: 206

ICAP/1.0 200 OK
Allow: 200,204
Connection: close
Date: Thu, 04 Mar 2021 11:11:45 GMT
Encapsulated: null-body=0
Methods: REQMOD,REQRESP
Preview: 0
Transfer-Preview: *

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 200 OK
Connection: close
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=111

CONNECT //ironpeak.be:443/blog/big-sur-t2rminator/ HTTP/1.1  <<<< here is my bug
User-Agent: curl/7.64.1

But now, it does not pass any HTTP request in the CONNECT tunnel to ICAP:

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 204 No Modifications
Connection: close
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: null-body=0

..TLS ciphertext..    <<<< No more ICAP requests


Any idea on how I pass -every- sslbumped request to ICAP?
Thank you.

Regards,
Niels Hofmans
SITE   https://ironpeak.be
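An added example, not code from this thread, from the poster's ICAP service or from Squid: a minimal ICAP REQMOD handler in Python that shows the CONNECT handling the message above is about. It leaves the authority-form `host:port` target of a CONNECT request untouched (answering 204 when the client allows it, otherwise echoing the request back unchanged), rejects a CONNECT target that has been turned into a URL, and only adds a header to ordinary HTTP requests, computing the `Encapsulated` offsets from the real byte lengths. The ICAP service address is taken from the trace; the ISTag value and the `X-Seen-By-ICAP` header name are assumptions. The sample CONNECT block is constructed and includes a Host header, which makes it exactly the 84 bytes that `null-body=84` in the trace reports (assuming Squid sent a Host header along with the User-Agent shown).

```python
"""Minimal ICAP REQMOD handler that treats CONNECT requests correctly.

Constructed example for this thread; not the poster's ICAP service and
not Squid code. Assumes one complete REQMOD message per call and CRLF
line endings in the encapsulated HTTP request.
"""
import re
from email.utils import formatdate

CRLF = b"\r\n"
ISTAG = '"example-icap-1"'  # hypothetical service tag

# Authority-form target of a CONNECT request: host[:port] (RFC 7231 4.3.6).
# Anything with a path or scheme ("//host:443/blog/") is not a valid target.
AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.\-\[\]:]+:\d{1,5}$")

# Constructed sample: 84 bytes, the same null-body offset as in the trace.
SAMPLE_CONNECT = (
    b"CONNECT ironpeak.be:443 HTTP/1.1\r\n"
    b"Host: ironpeak.be:443\r\n"
    b"User-Agent: curl/7.64.1\r\n\r\n"
)


def split_message(raw: bytes):
    """Split an ICAP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_encapsulated(value: str) -> dict:
    """'req-hdr=0, null-body=84' -> {'req-hdr': 0, 'null-body': 84}."""
    entries = {}
    for part in value.split(","):
        name, _, offset = part.strip().partition("=")
        entries[name] = int(offset)
    return entries


def extract_req_hdr(headers: dict, body: bytes) -> bytes:
    """Return the encapsulated HTTP request header block by offset."""
    enc = parse_encapsulated(headers["encapsulated"])
    start = enc["req-hdr"]
    later = [off for off in enc.values() if off > start]
    end = min(later) if later else len(body)
    return body[start:end]


def request_target(req_hdr: bytes):
    """Return (method, target) from the encapsulated request line."""
    first = req_hdr.split(CRLF, 1)[0].decode("iso-8859-1")
    method, target, _version = first.split(" ", 2)
    return method, target


def icap_response(status: str, encapsulated: str, payload: bytes = b"") -> bytes:
    """Build an ICAP/1.0 response with the given Encapsulated header."""
    lines = [
        "ICAP/1.0 " + status,
        "ISTag: " + ISTAG,
        "Date: " + formatdate(usegmt=True),
        "Connection: close",
        "Encapsulated: " + encapsulated,
    ]
    return CRLF.join(l.encode("ascii") for l in lines) + CRLF + CRLF + payload


def reqmod_message(http_req: bytes, allow_204: bool = True) -> bytes:
    """Wrap an HTTP request header block in a REQMOD request (client side)."""
    hdrs = [
        b"REQMOD icap://10.10.0.119:1344/ ICAP/1.0",
        b"Host: 10.10.0.119:1344",
        b"Encapsulated: req-hdr=0, null-body=" + str(len(http_req)).encode(),
    ]
    if allow_204:
        hdrs.append(b"Allow: 204")
    return CRLF.join(hdrs) + CRLF + CRLF + http_req


def handle_reqmod(raw: bytes) -> bytes:
    """Service side: answer one REQMOD request."""
    start_line, headers, body = split_message(raw)
    if not start_line.startswith("REQMOD "):
        return icap_response("405 Method Not Allowed", "null-body=0")
    try:
        req_hdr = extract_req_hdr(headers, body)
        method, target = request_target(req_hdr)
    except (KeyError, ValueError):
        return icap_response("400 Bad Request", "null-body=0")
    allow_204 = "204" in [t.strip() for t in headers.get("allow", "").split(",")]

    if method == "CONNECT":
        # CONNECT carries host:port, not a URL. Rewriting it to "//host:443/path"
        # makes the proxy treat "//host:443" as a hostname, hence ERR_DNS_FAIL.
        if not AUTHORITY_RE.match(target):
            return icap_response("400 Bad Request", "null-body=0")
        if allow_204:
            return icap_response("204 No Modifications", "null-body=0")
        return icap_response("200 OK", "req-hdr=0, null-body=%d" % len(req_hdr), req_hdr)

    # Ordinary HTTP request: add a marker header and recompute the offsets.
    modified = req_hdr[: -len(CRLF)] + b"X-Seen-By-ICAP: reqmod" + CRLF + CRLF
    return icap_response("200 OK", "req-hdr=0, null-body=%d" % len(modified), modified)


if __name__ == "__main__":
    print(handle_reqmod(reqmod_message(SAMPLE_CONNECT)).decode())
```

The split between the CONNECT branch and the plain-request branch is the point: the only safe adaptations of a CONNECT request are "leave it alone" or "block it", because the proxy will use whatever target comes back to open the tunnel. Whether Squid then hands the decrypted requests inside a bumped tunnel to the same service is a separate question, and this example does not speak to it.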

On 4 Mar 2021, at 12:01, NgTech LTD <ngtech1ltd@xxxxxxxxx> wrote:

Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?

Eliezer

On Thu, 4 Mar 2021, 12:36, Niels Hofmans <hello@xxxxxxxxxxx> wrote:
Hi guys,

I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com: https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

I have an odd issue where squid returns an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. HTTP websites work fine.
Any ideas?

Config:

visible_hostname proxy
forwarded_for delete
via off
httpd_suppress_version_string on
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout
dns_v4_first on
cache_dir ufs /cache 100 16 256
pid_filename /cache/squid.pid
mime_table /usr/share/squid/mime.conf
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 95
pinger_enable off
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
icap_preview_enable on
adaptation_access service_req allow all
cache_mem 512 mb
dns_nameservers 1.1.1.1 1.0.0.1
cache_effective_user proxy
sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
http_access allow all

Log line HTTPS when it doesn’t work:
1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -

< HTTP/1.1 503 Service Unavailable
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 04 Mar 2021 10:36:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1849
< X-Squid-Error: ERR_DNS_FAIL 0


Log line HTTP when it does work:
  -1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8  301 1614853320        -1 1614853320 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET http://ironpeak.be/blog/big-sur-t2rminator/ - HIER_DIRECT/104.21.60.47 text/plain

Example CLI command used:
ALL_PROXY="https://127.0.0.1:3129" curl -vvv --proxy-insecure http://ironpeak.be/

Command used to start squid:
exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1
Package info:
Package: squid-openssl
Version: 4.13-5

Many thanks!
Regards,
Niels Hofmans

SITE   https://ironpeak.be
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
