Re: ICAP: 403 Forbidden

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Fri, 03 Nov 2006 08:36:40 -0700

On Fri, 2006-11-03 at 08:32 -0500, Jeremy Hall wrote:

> I'm currently running 2.6-branch and am considering upgrading to 3, but
> I need to know how mature the code is. I would be updating for icap--I
> know an icap patch exists for 2.6 and I have it working with two
> anomalies:
>
> 1: the entire file is pulled before the content filter responds to the
> user rather than a deferred scan taking place

Can you describe the above in more detail? Some content filters do want
to see the whole message before they can make a decision. I am not sure
what you mean by a "deferred scan"; a monitoring (i.e., read-only) ICAP
service that does not block any messages? What exactly is your ICAP
server doing and what exactly do you want Squid to do?

> 2: if the icap server returns a 403 squid just hangs up the connection
> and doesn't send anything back to the browser at all. This produces
> page cannot be displayed errors. I have looked at the icap code a bit
> but was wondering if you had some pointers on where I might look to
> determine why the traffic is not rendering properly.

I cannot help with Squid2. With Squid3, there are several possible
scenarios. Please pick the one(s) relevant to you:

If an ICAP 403 "Forbidden" response is received from an optional REQMOD
service, Squid seems to be able to recover and proceed with the request
in simple cases. I bet Squid will fail to recover if the request has a
[large] body.

If an ICAP 403 "Forbidden" response is received from a RESPMOD service,
Squid will return an "ICAP error" message to the client, even if the
service is optional. ICAP RESPMOD bypass only works for connection
establishment errors, I think.

If an ICAP 200 "OK" response is received with an HTTP 403 "Forbidden"
response inside, everything should work as expected in both REQMOD and
RESPMOD. If it does not, please let me know or submit a bug report.

Please note that all of the above scenarios only apply to an ICAP
service that is either yet unprobed for options or is already considered
"up". A service is first probed when the first ICAP request needs to be
made to that service. Thus, if your ICAP server returns ICAP 403
"Forbidden" for ICAP OPTIONS requests, and the service is optional
(bypass=0), the service will be marked as "down" and will not be used
for HTTP message adaptation.

HTH,

Alex.
Received on Fri Nov 03 2006 - 08:37:42 MST
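
Added example (not part of the original message and not Squid code): an ICAP-level 403 and an ICAP 200 that carries an HTTP 403 differ in the ICAP status line and in the Encapsulated header, which this parser reads using RFC 3507 framing. The function names, the ISTag value and the sample messages are constructed for illustration.

```python
def parse_icap_response(raw: bytes) -> dict:
    """Return the ICAP status and, if present, the encapsulated HTTP status."""
    head, sep, encapsulated = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    proto, code = lines[0].split(" ", 2)[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # "Encapsulated: res-hdr=0, res-body=N": offsets count from the first
    # byte after the ICAP header block (RFC 3507).
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        name, _, off = part.strip().partition("=")
        if off.isdigit():
            offsets[name] = int(off)
    http_status = None
    if "res-hdr" in offsets:
        start = offsets["res-hdr"]
        end = min((o for o in offsets.values() if o > start), default=len(encapsulated))
        fields = encapsulated[start:end].split(b"\r\n", 1)[0].split(b" ", 2)
        if len(fields) >= 2 and fields[0].startswith(b"HTTP/") and fields[1].isdigit():
            http_status = int(fields[1])
    return {"icap_status": int(code), "http_status": http_status}


def classify(raw: bytes) -> str:
    """Name which of the cases discussed above a response falls into."""
    r = parse_icap_response(raw)
    if r["icap_status"] == 200 and r["http_status"] is not None:
        return "ICAP 200 carrying HTTP %d" % r["http_status"]
    if r["icap_status"] >= 400:
        return "ICAP-level error %d, no HTTP message inside" % r["icap_status"]
    return "ICAP %d" % r["icap_status"]


# Constructed sample messages (not captured traffic).
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
ICAP_200_HTTP_403 = (b'ICAP/1.0 200 OK\r\nISTag: "constructed-1"\r\n'
                     b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HDR)
                     + BLOCK_HDR + b"7\r\nblocked\r\n0\r\n\r\n")
ICAP_403 = (b'ICAP/1.0 403 Forbidden\r\nISTag: "constructed-1"\r\n'
            b"Encapsulated: null-body=0\r\n\r\n")

if __name__ == "__main__":
    for msg in (ICAP_200_HTTP_403, ICAP_403):
        print(classify(msg))
```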
