[squid-users] Squid 3.1 ICAP Issue with REQMOD 302
Hi, I have recently moved from Squid 3.0 to Squid 3.1. I am trying to integrate it with an ICAP server. I am having a problem where Squid 3.1 is rejecting some responses from the ICAP server which Squid 3.0 accepted. The response in question is a REQMOD response where the ICAP server is returning a HTTP 302 response rather than modifying the original HTTP request. Here is the ICAP request and response: ICAP Request from Squid: REQMOD icap://10.1.1.25:1344/reqmod ICAP/1.0\r\n Host: 10.1.1.25:1344\r\n Date: Mon, 12 Apr 2010 14:25:39 GMT\r\n Encapsulated: req-hdr=0, null-body=398\r\n Allow: 204\r\n \r\n GET http://c.proxy.com/www.test.com/ HTTP/1.1\r\n Host: c.proxy.com\r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: en-gb,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Pragma: no-cache\r\n Cache-Control: no-cache\r\n \r\n Response from ICAP Server: ICAP/1.0 200 OK\r\n Date: Mon, 12 Apr 2010 14:25:15 GMT\r\n Connection: keep-alive\r\n ISTag: "ReqModService"\r\n Encapsulated: res-hdr=0,null-body=160\r\n \r\n HTTP/1.x 302 Found\r\n content-type: text/html\r\n location: https://localhost:8443/mib/authentication\r\n \r\n \r\n Squid displays an ICAP error in the browser and states that an illegal response was received from the ICAP server. Any ideas what might be wrong? Although the ICAP server worked correctly with Squid 3.0 I am open to the possibility that the issue is with the ICAP response and that the old Squid was simply more tolerant than v3.1. Thanks in advance, Niall Niall Ó Cuilinn Product Development ChangingWorlds - A Unit of Amdocs Interactive t: +353 1 4401268 | niall.ocuil...@changingworlds.com AMDOCS > CUSTOMER EXPERIENCE SYSTEMS INNOVATION This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
Re: [squid-users] Squid 3.1 ICAP Issue with REQMOD 302
Niall O'Cuilinn wrote: Hi, I have recently moved from Squid 3.0 to Squid 3.1. I am trying to integrate it with an ICAP server. I am having a problem where Squid 3.1 is rejecting some responses from the ICAP server which Squid 3.0 accepted. The response in question is a REQMOD response where the ICAP server is returning a HTTP 302 response rather than modifying the original HTTP request. Hi Niall, I believe the Encapsulated header in the ICAP server response is wrong. The "null-body=160" should be the size of the encapsulated Http headers, if I am not wrong should be "null-body=102". Regards, Christos Here is the ICAP request and response: ICAP Request from Squid: REQMOD icap://10.1.1.25:1344/reqmod ICAP/1.0\r\n Host: 10.1.1.25:1344\r\n Date: Mon, 12 Apr 2010 14:25:39 GMT\r\n Encapsulated: req-hdr=0, null-body=398\r\n Allow: 204\r\n \r\n GET http://c.proxy.com/www.test.com/ HTTP/1.1\r\n Host: c.proxy.com\r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: en-gb,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Pragma: no-cache\r\n Cache-Control: no-cache\r\n \r\n Response from ICAP Server: ICAP/1.0 200 OK\r\n Date: Mon, 12 Apr 2010 14:25:15 GMT\r\n Connection: keep-alive\r\n ISTag: "ReqModService"\r\n Encapsulated: res-hdr=0,null-body=160\r\n \r\n HTTP/1.x 302 Found\r\n content-type: text/html\r\n location: https://localhost:8443/mib/authentication\r\n \r\n \r\n Squid displays an ICAP error in the browser and states that an illegal response was received from the ICAP server. Any ideas what might be wrong? Although the ICAP server worked correctly with Squid 3.0 I am open to the possibility that the issue is with the ICAP response and that the old Squid was simply more tolerant than v3.1. Thanks in advance, Niall Niall Ó Cuilinn Product Development ChangingWorlds - A Unit of Amdocs Interactive t: +353 1 4401268 | niall.ocuil...@changingworlds.com AMDOCS > CUSTOMER EXPERIENCE SYSTEMS INNOVATION This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
RE: [squid-users] Squid 3.1 ICAP Issue with REQMOD 302
Hi Christos Thanks for the reply. Sorry that was my mistake, I removed some sensitive info from the location header URL but forgot to modify the null-body value. It should have read "null-body=100" (I removed 60 chars/bytes). You might be right and it might still be out by two. I will have a look. Have you Squid 3.1 working with ICAP? I am wondering if there are any known issues with ICAP support in v3.1? Thanks Niall Christos Tsantilas wrote: >Niall O'Cuilinn wrote: >> Hi, >> >> I have recently moved from Squid 3.0 to Squid 3.1. I am trying to integrate >> it with an ICAP server. >> >> I am having a problem where Squid 3.1 is rejecting some responses from the >> ICAP server which Squid 3.0 accepted. >> >> The response in question is a REQMOD response where the ICAP server is >> returning a HTTP 302 response rather than modifying the original HTTP >> request. > >Hi Niall, > I believe the Encapsulated header in the ICAP server response is wrong. >The "null-body=160" should be the size of the encapsulated Http headers, >if I am not wrong should be "null-body=102". > >Regards, >Christos > > >> >> Here is the ICAP request and response: >> >> ICAP Request from Squid: >> >> REQMOD icap://10.1.1.25:1344/reqmod ICAP/1.0\r\n >> Host: 10.1.1.25:1344\r\n >> Date: Mon, 12 Apr 2010 14:25:39 GMT\r\n >> Encapsulated: req-hdr=0, null-body=398\r\n >> Allow: 204\r\n >> \r\n >> GET http://c.proxy.com/www.test.com/ HTTP/1.1\r\n >> Host: c.proxy.com\r\n >> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) >> Gecko/20100401 Firefox/3.6.3\r\n >> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n >> Accept-Language: en-gb,en;q=0.5\r\n >> Accept-Encoding: gzip,deflate\r\n >> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n >> Pragma: no-cache\r\n >> Cache-Control: no-cache\r\n >> \r\n >> >> Response from ICAP Server: >> >> ICAP/1.0 200 OK\r\n >> Date: Mon, 12 Apr 2010 14:25:15 GMT\r\n >> Connection: keep-alive\r\n >> ISTag: "ReqModService"\r\n >> Encapsulated: res-hdr=0,null-body=160\r\n >> \r\n >> HTTP/1.x 302 Found\r\n >> content-type: text/html\r\n >> location: https://localhost:8443/mib/authentication\r\n >> \r\n >> \r\n >> >> Squid displays an ICAP error in the browser and states that an illegal >> response was received from the ICAP server. >> >> Any ideas what might be wrong? Although the ICAP server worked correctly >> with Squid 3.0 I am open to the possibility that the issue is with the ICAP >> response and that the old Squid was simply more tolerant than v3.1. >> >> Thanks in advance, >> Niall >> >> Niall Ó Cuilinn >> Product Development >> ChangingWorlds - A Unit of Amdocs Interactive >> t: +353 1 4401268 | niall.ocuil...@changingworlds.com >> >> AMDOCS > CUSTOMER EXPERIENCE SYSTEMS INNOVATION >> >> >> This message and the information contained herein is proprietary and >> confidential and subject to the Amdocs policy statement, >> you may review at http://www.amdocs.com/email_disclaimer.asp >>
Re: [squid-users] Squid 3.1 ICAP Issue with REQMOD 302
Hi, Just resending the correct request and response: ICAP Request from Squid: REQMOD icap://10.1.1.25:1344/reqmod ICAP/1.0\r\n Host: 10.1.1.25:1344\r\n Date: Mon, 12 Apr 2010 14:25:39 GMT\r\n Encapsulated: req-hdr=0, null-body=398\r\n Allow: 204\r\n \r\n GET http://c.proxy.com/www.test.com/ HTTP/1.1\r\n Host: c.proxy.com\r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: en-gb,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Pragma: no-cache\r\n Cache-Control: no-cache\r\n \r\n Response from ICAP Server: ICAP/1.0 200 OK\r\n Date: Mon, 12 Apr 2010 14:25:15 GMT\r\n Connection: keep-alive\r\n ISTag: "ReqModService"\r\n Encapsulated: res-hdr=0,null-body=100\r\n \r\n HTTP/1.x 302 Found\r\n content-type: text/html\r\n location: https://localhost:8443/mib/authentication\r\n \r\n \r\n Niall Ó Cuilinn Product Development ChangingWorlds - A Unit of Amdocs Interactive t: +353 1 4401268 | niall.ocuil...@changingworlds.com AMDOCS > CUSTOMER EXPERIENCE SYSTEMS INNOVATION This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
Re: [squid-users] Squid 3.1 ICAP Issue with REQMOD 302
Hi I had a look at the null-body values. They correctly match the length of the HTTP 302 response headers block. The extra two bytes is an extra line return. You can see that after the last header there are three '\r\n' line returns. I tried removing one of them but the result was the same. I also turned on more detailed debug logging and found this in the cache.log: -- 2010/04/14 17:03:05.494| HttpReply::sanityCheckStartLine: missing or invalid status number in 'HTTP/1.x 302 Found content-type: text/html location: https://localhost:8443/mib/authentication/checkCookie?backURL=http%3A%2F%2Fc.proxy.com%2Fwww.google.ie ' - I changed the ICAP Server to return 'HTTP/1.0' instead of 'HTTP/1.x' and now it is working. This worked using 'HTTP/1.x' on Squid 3.0. The version I'm using is Squid3.1.1 Thanks Niall This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
Re: [squid-users] Squid 3.1 ICAP Issue with REQMOD 302
On Wed, 14 Apr 2010 18:10:04 +0100, "Niall O'Cuilinn" wrote: > Hi > > I had a look at the null-body values. They correctly match the length of > the HTTP 302 response headers block. The extra two bytes is an extra line > return. You can see that after the last header there are three '\r\n' line > returns. I tried removing one of them but the result was the same. > > I also turned on more detailed debug logging and found this in the > cache.log: > > -- > 2010/04/14 17:03:05.494| HttpReply::sanityCheckStartLine: missing or > invalid status number in 'HTTP/1.x 302 Found > content-type: text/html > location: > https://localhost:8443/mib/authentication/checkCookie?backURL=http%3A%2F%2Fc.proxy.com%2Fwww.google.ie > > ' > - > > I changed the ICAP Server to return 'HTTP/1.0' instead of 'HTTP/1.x' and > now it is working. > > This worked using 'HTTP/1.x' on Squid 3.0. The version I'm using is > Squid3.1.1 > > Thanks > Niall Looks like your previous version of 3.0 was vulnerable to CVE2009-2622. Squid-3.1.1 is fixed. Amos
