Regression after upgrading 3.5.27 -> 4.1

Regression after upgrading 3.5.27 -> 4.1

Andrea Venturoli
Hello.

I'm maintaining several installations on FreeBSD and I've been notified
a specific web application is not working anymore after the upgrade.



Accessing this app with Firefox and Squid 3.5.27, it works correctly.

Doing the same after the upgrade to 4.1 lets the user arrive up to a
point and then get a "Loading" message which will never go away.



Using Firefox network debugger, I see a couple of 400 errors and in fact,
if I try to open those URLs I get:

> Invalid Request error was encountered while trying to process the request:
>
> Some possible problems are:
>
>     Missing or unknown request method.
>
>     Missing HTTP Identifier (HTTP/1.0).
>
>     Request is too large.
>
>     Content-Length missing for POST or PUT requests.
>
>     Illegal character in hostname; underscores are not allowed.
>
>     HTTP/1.1 "Expect:" feature is being asked from an HTTP/1.0 software.



The above error is not quite informative (too broad) and there's nothing
useful in the logs.

Here are those two URLs (which unfortunately I have to partially obfuscate):

> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX&xxxxx_xxxx=0&params={idDoc:%27C0002019%27,clasDoc:%27XXXXXX%27,nomeDoc:%27XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX%27,_X_TRACK_ID:%xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27}&_ts=1532264445584&_dc=1532264445584

> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/php/ajax/openDocumentREST.php?core=xxxxxxxXXXX&query={%22field%22:%22id%22,%22mode%22:%22EQUAL%22,%22value%22:%xxxxxxxxxx_XXXXXXXXX%22}&nomeTab=&arts=&toHighlight=&XXXXXXXX=I029

(the x and X are always alphanumeric characters).




I'm seeking help on how to better diagnose this: how can I find what
Squid 4 does not like in those URLs?

None of the above causes seems to apply, IMVHO.

Has some default changed from 3.5 to 4.1 which might trigger this problem?



  bye & Thanks
        av.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Regression after upgrading 3.5.27 -> 4.1

Amos Jeffries
Administrator
On 23/07/18 01:29, Andrea Venturoli wrote:

> Hello.
>
> I'm maintaining several installations on FreeBSD and I've been notified
> a specific web application is not working anymore after the upgrade.
>
>
>
> Accessing this app with Firefox and Squid 3.5.27, it works correctly.
>
> Doing the same after the upgrade to 4.1 lets the user arrive up to a
> point and then get a "Loading" message which will never go away.
>
>
>
> Using Firefox network debugger, I see a couple of 400 errors and in fact,
> if I try to open those URLs I get:
>
>> Invalid Request error was encountered while trying to process the
>> request:
>>
>> Some possible problems are:
>>
>>     Missing or unknown request method.
>>
>>     Missing HTTP Identifier (HTTP/1.0).
>>
>>     Request is too large.
>>
>>     Content-Length missing for POST or PUT requests.
>>
>>     Illegal character in hostname; underscores are not allowed.
>>
>>     HTTP/1.1 "Expect:" feature is being asked from an HTTP/1.0 software.
>
>
>
> The above error is not quite informative (too broad)

There are a lot of things that can be wrong about requests sent. One of
them did. That list is not comprehensive either, just the things which
can be easily checked by users/admin without access to the proxy.

FYI: The template delivered has inline javascript for hiding the
messages that are irrelevant to this particular request. If you open the
URL in the browser (not debugging) it should reduce down to the ones
which are relevant.

You could also look at the debugger info about the request message sent
and compare those values yourself.


> and there's nothing
> useful in the logs.
>
> Here are those two URLs (which unfortunately I have to partially obfuscate):
>
>> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX&xxxxx_xxxx=0&params={idDoc:%27C0002019%27,clasDoc:%27XXXXXX%27,nomeDoc:%27XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX%27,_X_TRACK_ID:%xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27}&_ts=1532264445584&_dc=1532264445584
>>
>
>> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/php/ajax/openDocumentREST.php?core=xxxxxxxXXXX&query={%22field%22:%22id%22,%22mode%22:%22EQUAL%22,%22value%22:%xxxxxxxxxx_XXXXXXXXX%22}&nomeTab=&arts=&toHighlight=&XXXXXXXX=I029
>>
>
> (the x and X are always alphanumeric characters).
>

That is not very helpful info. If anyone here is going to use it we need
the actual full URL to run tests on ourselves.


>
> I'm seeking help on how to better diagnose this: how can I find what
> Squid 4 does not like in those URLs?
>

see above for initial things to check on.

For more details in cache.log configure:

 debug_options ALL,1 11,4 25,5 33,5


This is best done on a test proxy where you don't have a flood of other
traffic happening in parallel.


> None of the above causes seems to apply, IMVHO.
>
> Has some default changed from 3.5 to 4.1 which might trigger this problem?
>

There is increased HTTP compliance, checking and handling. The things
which are configurable are all listed in the release notes AFAIK.

Amos

Re: Regression after upgrading 3.5.27 -> 4.1

Andrea Venturoli
On 7/23/18 2:59 AM, Amos Jeffries wrote:

> FYI: The template delivered has inline javascript for hiding the
> messages that are irrelevant to this particular request.

Sorry, I'm not sure I understand: template = squid's error page?



> If you open the
> URL in the browser (not debugging) it should reduce down to the ones
> which are relevant.

That's what I've done (and what I reported came after I did this).



> You could also look at the debugger info about the request message sent
> and compare those values yourself.

Again, please forgive me... maybe I'm too ignorant about web
applications, but I'm not understanding what you suggest I should do.



  bye & Thanks
        av.

Re: Regression after upgrading 3.5.27 -> 4.1

Andrea Venturoli
In reply to this post by Andrea Venturoli
On 7/22/18 3:29 PM, Andrea Venturoli wrote:

>> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX&xxxxx_xxxx=0&params={idDoc:%27C0002019%27,clasDoc:%27XXXXXX%27,nomeDoc:%27XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX%27,_X_TRACK_ID:%xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27}&_ts=1532264445584&_dc=1532264445584

Upon further investigations, I see the problems are the curly braces.
If I encode them (changing { to %7B and } to %7D), the request is
successful.

While I was not able to determine if that URL is valid (seems not
according to old RFC1738, but maybe yes, according to newer RFCs), I
have no control on that side.
All my users see is that this won't work with Squid, but will work without.



Was disallowing curly brackets a choice or is it a bug?
Perhaps there's some option to tweak?

  bye & Thanks
        av.
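
A way to locate such characters without trial and error, as an added example that is not part of the original thread and is not Squid's parser: it flags every character outside the RFC 3986 literal set (plus any malformed percent-escape) and re-encodes only those. The sample URL is constructed, with a placeholder host, and the function names are hypothetical.

```python
import re
import string

# RFC 3986 characters that may appear literally in a URI.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
RESERVED = set(":/?#[]@!$&'()*+,;=")
ALLOWED = UNRESERVED | RESERVED
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def find_unescaped(url):
    """Return (offset, char) for every character that needs %-escaping."""
    findings = []
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%":
            if PCT_ESCAPE.match(url, i):
                i += 3  # well-formed escape such as %27: skip it whole
                continue
            findings.append((i, ch))  # '%' not followed by two hex digits
        elif ch not in ALLOWED:
            findings.append((i, ch))
        i += 1
    return findings


def escape_offenders(url):
    """Percent-encode only the offending characters, leaving the rest as sent."""
    bad = {offset for offset, _ in find_unescaped(url)}
    out = []
    for i, ch in enumerate(url):
        if i in bad:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


# Constructed URL modelled on the obfuscated ones in the thread (placeholder host).
SAMPLE = ("http://app.example.test/rest?method=navi_path.add"
          "&params={idDoc:%27C0002019%27}&_ts=1")

if __name__ == "__main__":
    for offset, ch in find_unescaped(SAMPLE):
        print("offset %d: %r should be sent as %%%02X" % (offset, ch, ord(ch)))
    print(escape_offenders(SAMPLE))
```
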

Re: Regression after upgrading 3.5.27 -> 4.1

Alex Rousskov
On 07/25/2018 01:12 AM, Andrea Venturoli wrote:
> On 7/22/18 3:29 PM, Andrea Venturoli wrote:
>
>>> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX&xxxxx_xxxx=0&params={idDoc:%27C0002019%27,clasDoc:%27XXXXXX%27,nomeDoc:%27XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX%27,_X_TRACK_ID:%xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27}&_ts=1532264445584&_dc=1532264445584
>
>
> Upon further investigations, I see the problems are the curly braces.

> Was disallowing curly brackets a choice or is it a bug?

If your relaxed_header_parser is on, and Squid rejects URLs because they
have curly braces in the path, then this is a Squid bug.

N.B. relaxed_header_parser is on by default.

Alex.

Re: Regression after upgrading 3.5.27 -> 4.1

Andrea Venturoli
On 7/25/18 4:54 PM, Alex Rousskov wrote:

> On 07/25/2018 01:12 AM, Andrea Venturoli wrote:
>> On 7/22/18 3:29 PM, Andrea Venturoli wrote:
>>
>>>> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX&xxxxx_xxxx=0&params={idDoc:%27C0002019%27,clasDoc:%27XXXXXX%27,nomeDoc:%27XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX%27,_X_TRACK_ID:%xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27}&_ts=1532264445584&_dc=1532264445584
>>
>>
>> Upon further investigations, I see the problems are the curly braces.
>
>> Was disallowing curly brackets a choice or is it a bug?
>
> If your relaxed_header_parser is on, and Squid rejects URLs because they
> have curly braces in the path, then this is a Squid bug.
>
> N.B. relaxed_header_parser is on by default.

I have no such option in my squid.conf, so it should be on.
I added it just to be sure the default wasn't off for some reason, but
it did not change.

So, should I file a bug on https://bugs.squid-cache.org?

  bye & Thanks
        av.

Re: Regression after upgrading 3.5.27 -> 4.1

Amos Jeffries
Administrator
On 26/07/18 03:55, Andrea Venturoli wrote:

> On 7/25/18 4:54 PM, Alex Rousskov wrote:
>> On 07/25/2018 01:12 AM, Andrea Venturoli wrote:
>>> On 7/22/18 3:29 PM, Andrea Venturoli wrote:
>>>
>>>>> http://xxxxxxxxxxx.xxxxxxxxxxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX&xxxxx_xxxx=0&params={idDoc:%27C0002019%27,clasDoc:%27XXXXXX%27,nomeDoc:%27XXXXXXXXX%20-%20Xxxxxxx%20xxxxxxxxxxx%20xxx%2030/12/2014%20-%20XXXX%27,_X_TRACK_ID:%xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27}&_ts=1532264445584&_dc=1532264445584
>>>>>
>>>
>>>
>>> Upon further investigations, I see the problems are the curly braces.
>>
>>> Was disallowing curly brackets a choice or is it a bug?
>>
>> If your relaxed_header_parser is on, and Squid rejects URLs because they
>> have curly braces in the path, then this is a Squid bug.
>>
>> N.B. relaxed_header_parser is on by default.
>
> I have no such option in my squid.conf, so it should be on.
> I added it just to be sure the default wasn't off for some reason, but
> it did not change.
>
> So, should I file a bug on https://bugs.squid-cache.org?
>

What is your "squid -v" output?

If --disable-http-violations is used then relaxed parser will not
include those "must never be transmitted in un-escaped form" (RFC 2396)
characters.


Amos

Re: Regression after upgrading 3.5.27 -> 4.1

Andrea Venturoli
On 7/25/18 6:46 PM, Amos Jeffries wrote:

> What is your "squid -v" output?
>
> If --disable-http-violations is used then relaxed parser will not
> include those "must never be transmitted in un-escaped form" (RFC 2396)
> characters.

It's there!!!

Thanks for pointing me in the correct direction.
I'm off recompiling... will let you know if this solves.

  bye & Thanks
        av.

Re: Regression after upgrading 3.5.27 -> 4.1

Andrea Venturoli
On 7/25/18 7:07 PM, Andrea Venturoli wrote:

> On 7/25/18 6:46 PM, Amos Jeffries wrote:
>
>> What is your "squid -v" output?
>>
>> If --disable-http-violations is used then relaxed parser will not
>> include those "must never be transmitted in un-escaped form" (RFC 2396)
>> characters.
>
> It's there!!!
>
> Thanks for pointing me in the correct direction.
> I'm off recompiling... will let you know if this solves.

I can confirm removing this flag solved my problem.

Thanks to all.

  bye
        av.