#122 C-ICAP drop body content

modules-0.5.x
open
nobody
2
2020-02-07
2019-12-09
Anonymous
No

Hi,

  1. I am using c-icap to expose my clamav. However, I noticed that the body content was dropped, and it returns an empty result back to my server. Please find the screenshot. Do let me know if this is a bug or expected behaviour.

  2. My connection is closed but I can still receive output; currently there is no virus detected. This outcome seems to be weird: why would c-icap send an HTTP response to close the connection if there is no virus detected?

Thank you!
Tom

3 Attachments

Discussion

  • chtsanti

    chtsanti - 2019-12-09

    I cannot understand if there is really a problem here or not.
    Most likely, c-icap received about 3072 of body data and sent about 25 bytes back to the proxy/client, but then the proxy-to-c-icap connection was closed.
    There are many reasons why this connection is closed. Maybe the proxy-to-remote-server connection is closed for a reason and this forces the proxy to close the proxy-to-c-icap connection too.

     
  • Anonymous

    Anonymous - 2019-12-09

    Hi Chtsanti,

    Thank you for the reply. Below shows how the proxy configuration is routed.

    Client request -> proxy request -> server response -> proxy response -> (It seems that c-icap already has not received the correct data, which is supposed to be about 6300 bytes) c-icap.

    I tried with some other URLs and it seems to receive the content body, which has a larger size, and everything works just fine. It is only targeted at some URLs.

    I am relatively inexperienced with the ICAP protocol, and would just need some light on where I should look :)

     
  • chtsanti

    chtsanti - 2019-12-09

    Yes, c-icap did not receive all of the body data and it sends only 25 bytes.
    Can you reproduce this issue?

    If yes, then I would start from the following:
    1) Are there any messages in the c-icap server.log file?
    2) Enable c-icap debug. A debug level of 6 or 7 should include very useful info.
    3) A wireshark dump of the proxy-to-server connection, to check which end initiated the connection closure.
    4) Which proxy are you using? What do the proxy logs say about it? Is it possible to enable some debug on the proxy side?

    Also please report the c-icap and c-icap-modules versions you are using.

     
  • Anonymous

    Anonymous - 2019-12-10

    Hi Chtsanti,

    Yes, I am able to reproduce. This is consistent for some specific URLs only.

    I have identified where the issue broke with your suggestion. It seems that when the package was transferred to c-icap from my proxy, it was unable to finish sending. Could this be due to some encoding/decoding from c-icap?

    In reply to your above points:
    1) After I enable the debug level to 7, the content body is already 0.
    2) Enabled, but apart from the logs showing the content body 0, there is not much information.
    3) I have identified that the content has been dropped halfway to the c-icap server, then the connection closes. I am able to curl successfully when I detach the anti-virus from my proxy. I will also attach additional screenshots for your reference.
    4) I am currently using F5 proxy with version 13.
    5) My icap version is 0.55, clamav is 0.101.2

    Thank you!

     
  • chtsanti

    chtsanti - 2019-12-11

    1) After I enable the debug level to 7, the content body is already 0.
    2) Enabled, but apart from the logs showing the content body 0, there is not much information.

    If you set the c-icap debug level to 7 there should be enough lines in the c-icap server.log file, not only a record which shows the content body as 0.
    I need the c-icap server.log to see if there is something strange.

    3) I have identified that the content has been dropped halfway to the c-icap server, then the connection closes.
    Is the close initiated by the proxy side or by the c-icap side? It is important information, which maybe can be answered by the c-icap server.log.

    To check this bug I need some debug info. For example the c-icap server.log and, if possible, the proxy-to-c-icap conversation from wireshark/tcpdump.
    I understand that these files may include information you do not want to share in public. You can send it using my personal mail (christos at chtsanti.net). Also, if you want, a commercial services guaranty is also possible.

     
  • Anonymous

    Anonymous - 2019-12-12

    Hi Chtsanti, unfortunately I am not able to show the tcpdump information as my company policies forbid it. I am, however, able to share the server.logs. I have managed to identify the portion that belongs to the affected request; it seems like there is some error encountered. I have also shared the screenshot of where the message has been dropped (please find the attached).

    I am trying to curl to https://quay.io/api/v1/plans/ -L if you require the destination.

     
  • Anonymous

    Anonymous - 2019-12-23

    Hi Chtsanti, just thinking aloud: could it be because of the preview length? c-icap breaks the content body bit by bit, however it just happened to hit some special character when appending the next batch to process, and that caused an error that makes it unable to process. - Tom

     
    • chtsanti

      chtsanti - 2019-12-23

      The server.log shows that the other end (proxy server) closed the connection. So it looks like there is something which the proxy does not like.

      You may try to disable ICAP-preview if you think that this is the problem. Just add the following parameter to your c-icap.conf file, where you are declaring virus_scan service parameters:
      virus_scan.PreviewSize -

       
      • Anonymous

        Anonymous - 2020-01-02

        Hi Chtsanti,

        I am not sure.. the logs show "Error reading data (read return=1, errno=0)"
        "Error reading data (read return=1, errno=0)"
        'An Error occured. Parse error or the client closed the connection (res:-1, preview status:1)'

        I do not think this is due to the proxy closing the connection. I trust you, however the information I have gotten seems to show that something is not able to be processed in c-icap...

        Is your development environment able to curl to the url while passing through c-icap?

         
        • chtsanti

          chtsanti - 2020-01-02

          In the server.log file you posted I am seeing the following line:

          Thu Dec 12 14:33:20 2019, 20787/955094784, Error reading data (read return=-1, errno=0)

          There is a "read return=-1" which means read error, not a "return=1" which means I read one byte. Because of errno=0 this probably means that the remote end closed the connection.

          Did you try to disable preview?

           
          • Anonymous

            Anonymous - 2020-02-07

            Hi Chtsanti, please find the attached. It always occurs when I use the JSON in the attached.

             
          • Anonymous

            Anonymous - 2020-02-07

            By the way, I tried to disable the preview, but it does not seem to actually disable it; even with the config I am still seeing logs showing that it is previewing the data. The logs always show 1024 preview.

            Fri Feb 7 11:27:22 2020, 21633/2627720960, Going to check request for access control restrictions
            Fri Feb 7 11:27:22 2020, 21633/2627720960, Access control: ALLOW
            Fri Feb 7 11:27:22 2020, 21633/2627720960, Request type: 4. Preview size:1024
            Fri Feb 7 11:27:22 2020, 21633/2627720960, pool hits: 3 allocations: 1
            Fri Feb 7 11:27:22 2020, 21633/2627720960, Allocating from objects pool object 6
            Fri Feb 7 11:27:22 2020, 21633/2627720960, Requested service: virus_scan
            Fri Feb 7 11:27:22 2020, 21633/2627720960, Read preview data if there are and process request
            Fri Feb 7 11:27:22 2020, 21633/2627720960, OK; the preview data size is 1024

             
            • chtsanti

              chtsanti - 2020-02-07

              The client sends preview in its request even if your c-icap did not advertise it in its OPTIONS response.

               
  • Anonymous

    Anonymous - 2020-01-20

    Hi Chtsanti,

    Yes, I tried disabling the preview, but I still get the same error.

     
  • chtsanti

    chtsanti - 2020-02-07

    It is very difficult to understand what is going on here without the full ICAP conversation. For example a tcpdump of a request.

    Again, you can use my private mail if you do not want to send such info to this public bug report.

    Sorry, but it is not possible to fix this issue without enough info.
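
The log reading discussed in this thread, as an added example (not part of the ticket and not c-icap project code): the script groups server.log lines by pid/thread id and interprets each "Error reading data" pair the way the maintainer's reply does, alongside the preview size the client sent. The sample log is constructed from the line layout quoted above; the two error lines, the errno=104 value, the wording for a non-zero errno and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in this thread:
# "<timestamp>, <pid>/<thread id>, <message>"
SAMPLE_LOG = """\
Fri Feb 7 11:27:22 2020, 21633/2627720960, Request type: 4. Preview size:1024
Fri Feb 7 11:27:22 2020, 21633/2627720960, Requested service: virus_scan
Fri Feb 7 11:27:22 2020, 21633/2627720960, OK; the preview data size is 1024
Fri Feb 7 11:27:23 2020, 21633/2627720960, Error reading data (read return=-1, errno=0)
Fri Feb 7 11:27:24 2020, 21633/1111111111, Requested service: virus_scan
Fri Feb 7 11:27:24 2020, 21633/1111111111, Error reading data (read return=-1, errno=104)
"""

LINE = re.compile(r"^(?P<ts>[^,]+), (?P<pid>\d+)/(?P<tid>\d+), (?P<msg>.*)$")
READ_ERR = re.compile(r"Error reading data \(read return=(-?\d+), errno=(\d+)\)")
PREVIEW = re.compile(r"Preview size:\s*(\d+)")
SERVICE = re.compile(r"Requested service:\s*(\S+)")

def classify_read(ret, errno):
    """Interpret (return, errno); the non-zero errno wording is an assumption."""
    if ret >= 0:
        return "not an error: %d byte(s) read" % ret
    if errno == 0:
        return "read failed, errno=0: remote end probably closed the connection"
    return "read failed with OS error errno=%d" % errno

def triage(log_text):
    """Return one finding per failed read, with the worker's context at that time."""
    state = defaultdict(dict)  # (pid, tid) -> latest service / preview seen
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line in another format
        cur, msg = state[(m["pid"], m["tid"])], m["msg"]
        if (s := SERVICE.search(msg)):
            cur["service"] = s.group(1)
        if (p := PREVIEW.search(msg)):
            cur["preview"] = int(p.group(1))
        if (e := READ_ERR.search(msg)):
            findings.append({"ts": m["ts"], "worker": m["pid"] + "/" + m["tid"],
                             "service": cur.get("service"), "preview": cur.get("preview"),
                             "verdict": classify_read(int(e.group(1)), int(e.group(2)))})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```
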

     
