Hello Markus, This is Oliver. I just did some more troubleshooting and I found the error message in the debug logfile: kid1| 23,3| url.cc(471) urlParse: urlParse: Split URL 'http://:0' into proto='http', host='', port='0', path='/' kid1| 23,3| url.cc(492) urlParse: urlParse: Invalid port '0' kid1| 24,8| SBuf.cc(124) ~SBuf: SBuf20027193 destructed kid1| 24,8| SBuf.cc(124) ~SBuf: SBuf20027192 destructed kid1| 24,9| MemBlob.cc(83) ~MemBlob: destructed, this=0x55cc75a777f0 id=blob4598186 capacity=40 size=10 kid1| 55,7| HttpHeader.cc(480) clean: cleaning hdr: 0x55cc6735df38 owner: 2 kid1| 24,8| SBuf.cc(79) SBuf: SBuf20027202 created kid1| 24,7| SBuf.cc(139) assign: assigning SBuf20027188 from SBuf20027202 kid1| 24,8| SBuf.cc(124) ~SBuf: SBuf20027202 destructed kid1| 58,3| HttpMsg.cc(184) parse: HttpMsg::parse: cannot parse isolated headers in 'POST http://:0 HTTP/1.1 kid1| 0,3| TextException.cc(87) Throw: ModXact.cc:1083: exception: parsed || !error kid1| 93,3| ../../../src/base/AsyncJobCalls.h(177) dial: Adaptation::Icap::Xaction::noteCommRead threw exception: parsed || !error kid1| 45,9| cbdata.cc(492) cbdataReferenceValid: 0x55cc6d560d98 kid1| 11,5| HttpRequest.cc(466) detailError: current error details: 35/396407275 kid1| 93,3| Xaction.cc(512) setOutcome: Warning: reseting outcome: from ICAP_MOD to ICAP_ERR_OTHER kid1| 93,4| ServiceRep.cc(80) noteFailure: failure 1 out of 10 allowed in 0sec [up,fail1]
So somehow everything after http:// is broken on this post request. Best regards, Oliver On Fri, 28 Aug 2020, Markus Koschany wrote: > Hello Kevin, > > Am 28.08.20 um 11:53 schrieb SerNet Support Kevin Ivory: > [...] > > is there any way to extract only the data you need? > > > > All cases in my debug log (46 GB) seem to be of a POST > > that is logged in access.log as > > 2020-08-27 11:29:24 1243 172.16.100.3 TAG_NONE/500 3640 POST > > http://srv1.first-businesspost.com/viper? - HIER_NONE/- text/html > > The debug cache.log does contain SenderID= and Secret= > [...] > >>> The cache.log shows > >>> 2020/08/18 07:24:04 kid1| suspending ICAP service for too many failures > >>> 2020/08/18 07:24:04 kid1| essential ICAP service is suspended: > >>> icap://127.0.0.1:1344/service_scanner-reqmod [down,susp,fail11] > > In order to debug the problem I need to understand how the failing ICAP > service is related to your POST messages with internal server error 500. > With debug_options ALL,9 there should be a line with error: or Error: > before the ICAP service is suspended or something else that causes the > ICAP service to fail. > > Some internet search also suggests that TAG_NONE/500 errors could be > completely unrelated to ICAP and indicate different issues like firewall > problems etc. > > I would clone the customer's squid configuration and try to reproduce > the bug on your debug vm or try to find out what all those 500 errors > have in common. > > Just to make sure that we are looking in the right direction, when you > unapply CVE-2019-12523.patch now, is everything working normal again? > I'm asking because there was another bug in CVE-2019-12529.patch that > prevented in some cases the authentication of clients when the kerberos > option was turned on. Rebuilding the squid package without those patches > may help to narrow down the problem. > > Regards, > > Markus
