Squid 3.5 - icap parsing error


Squid 3.5 - icap parsing error

VON EUW Andreas

Hi all,

 

I'm trying to integrate a Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu with a Symantec Protection Engine 8.1 to do virus scanning in a reverse proxy setup.

I do send all POST requests to our virus scan engine. But icap integration does not work as expected. Squid does send an OPTIONS request to the icap server.

We get a valid answer from Symantec Protection Engine. But squid fails afterwards with a parsing exception:

 

2020/08/26 10:04:54.590| 58,3| HttpMsg.cc(173) parse: HttpMsg::parse: failed to find end of headers (eof: 0) in 'ICAP/1.0 200 OK
Date: Wed Aug 26 08:04:54 2020 GMT
Methods: REQMOD
Service: Symantec Protection Engine/8.1.0.29
Service-ID: SYMCSCANREQ-AV
ISTag: "0FF01DDE4872272B6F445AED8643888C"
X-Definition-Info: 20200825.022
Max-Connections: 32
X-Allow-Out: X-Outer-Container-Is-Mime, X-Infection-Found, X-Definition-Info, X-AV-License
X-Allow-Out: X-Violations-Found
X-Allow-Out: X-SYMANTEC-URL-Definition-Info, X-CAIC-URL-Definition-Info, X-SYMANTEC-URLReputation-Definition-Info, X-URL-License, X-URL-Reputation-License
Allow: 204
Options-TTL: 3600
Preview: 4
Transfer-Preview: *
X-AV-License: 1
X-URL-License: 1
X-URL-Reputation-License: 1
'

 

Does somebody have an idea what's going wrong here? Is this a known squid/icap bug?

 

Attached: log, config and tcpdumps from icap server 1 and 2 (squid does connect thru a load balancer to the icap server)

 

IPs in the tcpdump:

Squid has IP 10.64.7.145

ICAP Server has IP: 10.140.28.144

 

Relevant Time in squid.log: 2020/08/26 10:04:54 (= 2020/08/26 08:04:54 icap server time)

 

Thanks and kind regards,

 Andy

 

 

Andreas von Euw


Java Dev Support

AXA Group Operations

 

[hidden email]

 

This message is confidential; its contents do not constitute a
commitment by AXA except where provided for in a written agreement
between you and AXA. Any unauthorised disclosure, use or dissemi-
nation, either whole or partial, is prohibited. If you are not the
intended recipient of the message, please notify the sender imme-
diately.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Attachments: squid-icap.conf (538 bytes), dump.rar (2K), squid.log.rar (9K)
Re: Squid 3.5 - icap parsing error

Amos Jeffries
Administrator
On 29/08/20 8:29 am, VON EUW Andreas wrote:

> Hi all,
>
>  
>
> I'm trying to integrate a Squid Cache version 3.5.20 for
> x86_64-redhat-linux-gnu with a Symantec Protection Engine 8.1 to do
> virus scanning in a reverse proxy setup.
>
> I do send all POST requests to our virus scan engine. But icap
> integration does not work as expected. Squid does send an OPTIONS request
> to the icap server.
>
> We get a valid answer from Symantec Protection Engine. But squid fails
> afterwards with a parsing exception:
>
>  
>
> 2020/08/26 10:04:54.590| 58,3| HttpMsg.cc(173) parse: HttpMsg::parse:
> failed to find end of headers (eof: 0) in 'ICAP/1.0 200 OK
...
>
> X-URL-Reputation-License: 1
> '
>

Message headers are supposed to be ended by an empty line. As this log
entry says "failed to find end of headers" and you can see from the
buffer content displayed, there is no empty line. Which would look like:

> X-URL-Reputation-License: 1
>
> '

So Squid is waiting for the rest of the headers to arrive from the server.


Amos

Re: Squid 3.5 - icap parsing error

Alex Rousskov
On 8/29/20 6:04 PM, Amos Jeffries wrote:
> On 29/08/20 8:29 am, VON EUW Andreas wrote:
>> Squid does send an OPTIONS request to the icap server.
>>
>> We get a valid answer from Symantec Protection Engine.

As Amos correctly pointed out, the answer Squid gets is syntactically
invalid. The packet captures you have attached (thank you!) confirm that
the ICAP server forgets to send an empty line after the first 650 bytes
of the ICAP response header.


>> But squid fails afterwards with a parsing exception:

More accurately, the exception is thrown later than the not-yet-failing
log lines you quoted. Here is the exception line:

  2020/08/26 10:04:54.593| 93,3| ... Adaptation::Icap::Xaction::noteCommRead threw exception: parsed || !error

  
> So Squid is waiting for the rest of the headers to arrive from the server.

Yes, and (3ms later) Squid reads the EOF on the ICAP connection and
(correctly) throws the above exception.

Hopefully, you can get a fixed version of the ICAP server from Symantec.


Cheers,

Alex.
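
The behaviour described in the two replies above, as an added example that is not part of the thread and is not Squid's code: a reader that waits for the empty line ending an ICAP header block and rejects the response if EOF arrives first. `IcapHeadReader`, `parse_head` and the shortened `SAMPLE` response are constructed for illustration, and CRLF line endings as in RFC 3507 are assumed; beyond the thread, it also parses a terminated block and keeps repeated fields such as X-Allow-Out as lists.

```python
# Added example (not Squid's code): incremental check for the end of an
# ICAP response header block, which must be terminated by an empty line.
HEADER_END = b"\r\n\r\n"

class IcapHeadReader:
    """Collects bytes from an ICAP connection until the header block ends."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes, eof: bool = False):
        """Return (status_line, headers) once complete, None while more
        bytes are needed; raise ValueError if EOF arrives first."""
        self.buf += chunk
        end = self.buf.find(HEADER_END)
        if end < 0:
            if eof:
                raise ValueError("EOF before the empty line ending the headers")
            return None  # keep waiting, like the 'eof: 0' log line
        return parse_head(self.buf[:end])

def parse_head(head: bytes):
    """Split a terminated header block into status line and header dict."""
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    if not status.startswith("ICAP/"):
        raise ValueError("not an ICAP status line: %r" % status)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        # Repeated fields (e.g. X-Allow-Out) are kept as a list of values.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

# Constructed sample: a shortened copy of the response quoted in the thread,
# ending after the last header line with no empty line.
SAMPLE = (b"ICAP/1.0 200 OK\r\n"
          b"Methods: REQMOD\r\n"
          b"X-Allow-Out: X-Infection-Found\r\n"
          b"X-Allow-Out: X-Violations-Found\r\n"
          b"Preview: 4\r\n")

if __name__ == "__main__":
    reader = IcapHeadReader()
    print(reader.feed(SAMPLE))                      # None: still waiting
    print(IcapHeadReader().feed(SAMPLE + b"\r\n"))  # well-formed variant
```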

Re: [EXTERNAL] Re: Squid 3.5 - icap parsing error

VON EUW Andreas
> Message headers are supposed to be ended by an empty line.
> As this log entry says "failed to find end of headers" and you can see from the buffer content displayed,
> there is no empty line.

Thank you for pointing this out. I'll try to get a fix from Symantec.

Cheers, Andy

