Re: [squid-users] Squid, ICAP and logs

On Tue, 2008-01-22 at 09:50 +0100, Bourdaraud Vincent (NSN - FR/St-Ouen)
wrote:

> Yes, this hack is working.

Glad to hear that.

> By the way, logging ICAP response headers would be far cleaner, yes,
> since hacks tend to stop working with new versions ;) Our server is able
> to add information within ICAP header (it is its default behavior).
>
> Do you think it would be difficult to add this feature to squid?

A clean implementation should add an "<icapFirst", "<icapLast", or
"<icapAll" format specification to the logformat option, similar to the
existing "<h" specification. While Squid3 currently supports only one
ICAP service invocation per HTTP message, that is likely to change and
so there could be multiple ICAP responses to get the header from. A
capable developer should be able to add support for one of those options
in under 8 hours.

You can find capable Squid developers at
http://www.squid-cache.org/Support/services.dyn but keep in mind that
the list has not been managed yet and has many irrelevant entries.

HTH,

Alex.

> On Mon, 2008-01-21 at 10:35 -0700, ext Alex Rousskov wrote:
> > On Thu, 2008-01-17 at 17:01 +0100, Bourdaraud Vincent (NSN - FR/St-Ouen)
> > wrote:
> >
> > > I'm new to squid. It looks overall pretty good, by I found a show
> > > stopper for our project :(
> > >
> > > We use squid 3.0 STABLE1 compiled with --enable-icap-client and
> > > configured to delegate all HTTP request to our ICAP server. We need
> > > squid to add some information processed by our ICAP server within its
> > > HTTP transaction logs (basically, this information is a user unique ID).
> > > This information is very sensitive and must not be forwarded to
> > > origin-servers.
> > >
> > > I've read FAQ, docs and played with squid and found no solution since
> > > squid is not able to ICAP header and not able to log HTTP headers before
> > > they are removed with header_access rules
> > >
> > > Do you guys have some idea?
> >
> > One hack you could try is to add "Connection: X-FOO" HTTP header in hope
> > that Squid will log and then remove it before forwarding. I have not
> > tried that and do not know whether hop-by-hop headers are removed late
> > enough for this ugly hack to work.
> >
> > If logging and then removing HTTP headers is not possible, then I think
> > we should add a feature to log ICAP response headers. Can your server
> > return the needed information in the ICAP response header instead of the
> > HTTP message header?
> >
> > Thank you,
> >
> > Alex.
> >
> >
Received on Tue Jan 22 2008 - 08:14:23 MST