Post by Arunabha Saha
Squid 3.5.25 does not seem to recognise the 408 request timeout error
code from ICAP.

Post by Arunabha Saha
The more troublesome issue for me is the exception it generates and then
declares ICAP down after a certain number of such exceptions.    
I don't want to disable the failure limit entirely given that we can
often have genuine failures that squid needs to detect.   
What i'd like to see is squid should not throw an exception in this case.

Post by Arunabha Saha
The timeout is somewhat aggressive but works with an earlier
version of ICAP (0.1.x).  The one i'm testing is 0.5.3.

Post by Arunabha Saha
Any suggestions?

Post by Alex Rousskov
As with any timeout, it is impossible to say in general which side of
the connection is at fault. This case has at least three sides: It could
be the HTTP agent, Squid, and/or the ICAP service. Did one of them stall
the transaction? Or was the ICAP service just too impatient? See option
#4 below.

Post by Alex Rousskov
Please note that ICAP is a protocol, not a product/software name. It
probably does not matter what ICAP service you are using though.

Post by Alex Rousskov
Send squid-users mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."
1.
Squid effectively recognizes ICAP 408 response as an ICAP transaction
error response and blames the ICAP service for that error. That
(minimal) support can be improved, of course. See options #1 and #3 below.
Needless to say, treating all ICAP service timeouts as if nothing bad
happened would break some existing Squid deployments (while possibly
fixing yours). A proper general solution (option #3 below) would most
likely require making Squid behavior configurable.
The "exception" is a minor low-level/technical detail. What you really
want to see is Squid blaming itself (rather than the ICAP service) for
the problem. Squid indeed lacks that kind of functionality, but it can
be added if really needed. See options #1 and #3 below.
Please note that ICAP is a protocol, not a product/software name. It
probably does not matter what ICAP service you are using though.
1. Modify your Squid to treat 408 differently.
2. Modify your ICAP service to stop sending ICAP 408 responses to Squid.
3. Add proper ICAP timeout support feature to Squid.
4. Investigate why your ICAP service times out. If you are lucky, you
may be able to fix or work around the problem by adjusting Squid
and/or your ICAP service configuration.
For option #1, Adaptation::Icap::ModXact::parseIcapHead() may be a good
starting point.
For options #1 and #3, see also
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
In most cases, option #4 is the best first step but YMMV.
HTH,
Alex.
------------------------------
Message: 2
Date: Tue, 30 Oct 2018 23:59:18 -0500 (CDT)
Subject: Re: [squid-users] Squid 4.3: SSL Bump fails to send client
certificate
Content-Type: text/plain; charset=us-ascii
Thank you Alex for the reply.
Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should
forward SNI it received from the client to the server, provided the client
actually sent SNI. Did your client send SNI?
Sid: I can see in Client Hello IP Address being sent by Client; so there is
no SNI from client itself.
Alex: 2. Bugs notwithstanding, the implied order of events is not what
actually happens: Squid, as configured, does _not_ forward anything from
the
server certificate to the client. Squid, as configured, generates a
certificate based on client-supplied information (not server-supplied
information). After sending that generated certificate to the client, Squid
establishes a TLS connection with the server.
Sid: Thank you for explanation.
Alex: For an accurate picture, in addition to Squid-server and server-Squid
traffic, look at what Squid has received from the client and what Squid
sent
to the client, all in actual order.
Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks
between Client & Squid and then between Squid & Server. I can see client
being sent fake cert generated by Squid & client responds with "Client key
Exchange", "Change cipher spec", "Encrypted Handshake Message". But I can't
see actual client certificate sent to Squid. Is there a way to decypt in
Wireshark. In Wireshark between Squid & Server I can see Squid responding
with "61 Alert (Level: Fatal, Description: Internal Error)".
Alex: Is your Squid configured to trust those internal CAs? If not, Squid
would not be able to validate the server certificate.
Sid: I have added those chained certificates as following in squid.conf
tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem
--
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
------------------------------
Message: 3
Date: Wed, 31 Oct 2018 05:27:20 -0500 (CDT)
Subject: Re: [squid-users] redirect based on url (302)
Content-Type: text/plain; charset=us-ascii
Hi Amos,
Is there a git that I can use to push stuff up?
I think you need to split the string in an other way, look into this
#!/usr/bin/perl
use strict;
use warnings;
$|=1;
while (<>) {
my $string = $_;
print "Received '\$_' = ".$_."\n";
$string =~ m/^(\d+)\s(.*)$/;
print "After regexp '\$string' = ".$string."\n";
print "After regexp '\$1' = ".$1."\n";
print "After regexp '\$2' = ".$2."\n";
### Original split from sorce ###
### This doesn't split anything looks like elements of an array?
#my ($cid, $uid) = ($1, $2);
### Split the string ###
### Those two split based on one or more spaces
#my ($cid, $uid) = split(/\s+/ ,$_);
my ($cid, $uid) = split;
$cid =~ s/%(..)/pack("H*", $1)/ge;
$uid =~ s/%(..)/pack("H*", $1)/ge;
print "After split \$cid = ".$cid."\n";
print "After split \$uid = ".$uid."\n";
}
Received '$_' = 130.238.000.00 muse.jhu.edu -
After regexp '$string' = 130.238.000.00 muse.jhu.edu -
/Use of uninitialized value $1 in concatenation (.) or string at
./sed_test_reg.pl line 13, <> line 1.
After regexp '$1' =
Use of uninitialized value $2 in concatenation (.) or string at
./sed_test_reg.pl line 14, <> line 1.
After regexp '$2' = /
*After split $cid = 130.238.000.00
After split $uid = muse.jhu.edu*
Cheers
Fredrik
--
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
------------------------------
Subject: Digest Footer
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
End of squid-users Digest, Vol 50, Issue 75
*******************************************