Re: [squid-users] Zero sized reply and other recent access problems

From: Reuben Farrelly <reuben-squid-users@dont-contact.us>
Date: Tue, 08 Mar 2005 00:54:39 +1300

Hi again Hans,

At 08:52 a.m. 7/03/2005, H Matik wrote:
>On Saturday 05 March 2005 23:41, Reuben Farrelly wrote:
>
> > I think you've misunderstood something quite fundamental about how squid
> > works:
> >
>maybe I did not use the exact expressions you like to see but like you
>wrote
>you did get it. Anyway, my intention like said in my mail was not to attack
>anybody.

I know, I just am asking you to be specific with the errors you are
reporting. None of the developers would complain in the slightest if you
could provide good evidence of a bug, believe me ;-)

> > * Strict HTTP header parsing - implemented in the most recent STABLE
> > releases of squid, you can turn this off via a squid.conf directive
> > anyway (but it is useful to have it set to log bad pages).
> >
>what do you mean? relaxed_header_parser? I think this is on by default, not
>off, turning it off it parse strict or am I wrong here?

Yes, it is on by default; in other words (from the squid.conf), with this
default setting, "Squid accepts certain forms of non-compliant HTTP
messages where it is unambiguous what the sending application intended even
if the message is not correctly formatted."

This means that as long as you have relaxed_header_parser set to on or
warn, or simply not defined, the old behaviour will still be the same as
older squid.
Personally I recommend at least "warn", as it has allowed me to see some of
the broken sites and inform relevant people of their broken behaviour, but
I understand not everyone can be bothered..

> > * ECN on with Linux can cause 'zero sized reply' responses, although
> > usually you'll get a timeout. I have ECN on on my system and very few
> > sites fail because of this, but there are a small number. Read the
> > squid FAQ for information about how to turn this off if it is a problem.
> >
>
>FYI it does not happen only on Linux, again, the problem and a possible
>solution here is not the point, the point is that for the end-user the site
>opens using "the other ISP" so for him it is an ISP problem, he doesn't care
>if it is squid or the remote site, network congestion or other.

Yep, I understand.

>anyway, IMO the error message is obscure for the user, it starts saying
>
>the URL: (blank)

Do the users have "Show friendly HTTP error messages" ticked in their
Internet Explorer options? If they do, they will usually not see the squid
error which explains what the problem is and will see a generic message
"the page could not be displayed". Unfortunately, IE hides these useful
squid messages with its own garbage, which is often more useless to the
end user than squid's messages.

If it's not that then you should either have something useful to look at in
the users browser, or else in your cache.log.

>the user obviously complains about that he typed correctly the URL and on the
>error msg it is blank, so this cause understanding problems between the
>support staff and the user
>
>Then it does not help to send reading FAQs because what I am speaking
>about is
>the user not the administrator. The user does not need to learn squid but
>what he gets should be understandable enough and most important he should get
>it when he gets it without squid.

Yes, of course.

>I mean that a site should be accessible behind squid when it opens normally
>with a Browser without squid. It is not interesting here if there is a wrong
>header or whatever.
>
>
> > * NTLM authentication, some uninformed site admins require or request
> >
>NO, I was not speaking about any authentication at all
>
>
> >
> > Can you give some examples of specific sites which you need to bypass
> > squid for that you cannot get to display using the items I mentioned above?
> >
>
>First some banking and other secure sites which need gre protocol for example
>but I was not speaking about this ones.

GRE should be unaffected. Squid does not process or handle GRE, only TCP/IP.

Are you using your squid as a firewall/router box, and not allowing GRE
through?

>Lots of Blogger sites are giving errors. Sure there is a lot of underline and
>whitespace problems but the latter ones often are not resolvable by squid
>settings. On the other side they open normally with MSIE

I haven't seen any before..

>At work I can check for more, one specific follows.
>
>Other errors are like this, even if this specific site now is working after
>contacting them. The site gave problem with squid > 2.5-S4 if I am not wrong
>here.
>
>GET / HTTP/1.1
>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint,
>application/x-shockwave-flash, */*
>Accept-Language: pt-br
>Accept-Encoding: gzip, deflate
>User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
>Host: www.redecard.com.br
>Connection: Keep-Alive

That one is one of the more broken ones I have seen yet:

[root@tornado ~]# wget -S www.redecard.com.br
--00:38:38-- http://www.redecard.com.br/
            => `index.html.1'
Resolving www.redecard.com.br... 200.185.9.46
Connecting to www.redecard.com.br[200.185.9.46]:80... connected.
HTTP request sent, awaiting response...
  1 HTTP/1.1 200 OK
  2 Date: Mon, 07 Mar 2005 11:39:01 GMT
  3 X-Powered-By: ASP.NET
  4 Content Location: http://www.redecard.com.br
  5 Connection: keep-alive
  6 Connection: Keep-Alive
  7 Content-Length: 21032
  8 Content-Type: text/html
  9 Set-Cookie: ASPSESSIONIDSASTTSQD=OENGCMFDAGKKCPLCHHEGFLDL; path=/
10 Cache-control: private

Duplicate "Connection" headers on line 5 and 6, and whitespace on line 4
between "Content" and "Location". No wonder it does not work properly.

Can you give us some more broken ones?

Are you doing transparent proxying by any chance?

reuben
Received on Mon Mar 07 2005 - 04:54:52 MST
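
An added example (not part of the original message, and not Squid's own parser): a small Python check run over the response headers from the wget output above. It reports the two things the message points out, a field name containing whitespace and a repeated field name, using the same line numbering as the wget listing. The function name and the finding labels are made up for this illustration.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Response headers copied from the wget -S output in the message above.
SAMPLE = """\
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2005 11:39:01 GMT
X-Powered-By: ASP.NET
Content Location: http://www.redecard.com.br
Connection: keep-alive
Connection: Keep-Alive
Content-Length: 21032
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASTTSQD=OENGCMFDAGKKCPLCHHEGFLDL; path=/
Cache-control: private
"""

def audit_headers(raw):
    """Return (line_no, kind, detail) findings; line 1 is the status line."""
    findings = []
    seen = {}  # lower-cased field name -> line number of first occurrence
    for no, line in enumerate(raw.splitlines()[1:], start=2):
        if not line:
            break  # a blank line ends the header block
        if line[0] in " \t":
            findings.append((no, "folded", "continuation line"))
            continue
        name, sep, _value = line.partition(":")
        if not sep:
            findings.append((no, "no-colon", line))
        elif not TOKEN.fullmatch(name):
            # e.g. whitespace inside the name, as in "Content Location"
            findings.append((no, "bad-name", name))
        elif name.lower() in seen:
            # Reported for review only; this check does not judge the values.
            first = seen[name.lower()]
            findings.append((no, "repeated", f"{name} (first on line {first})"))
        else:
            seen[name.lower()] = no
    return findings

if __name__ == "__main__":
    for no, kind, detail in audit_headers(SAMPLE):
        print(f"line {no}: {kind}: {detail}")
```
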
