I have configured c-icap-server and squidclamav to provide a network-based malware scanning service for my applications. However, it only appears to work when I send the entirety of the content in the preview and explicitly set an EOF.
I am monitoring the traffic with:
ncat -lkv 127.0.0.1 4040 -c 'tee /dev/stderr | ncat -v 127.0.0.1 1344 | tee /dev/stderr'
With my client using normal chunked encoding...
Ncat: Version 7.80 ( https://nmap.org/ncat )
OPTIONS icap://127.0.0.1/squidclamav ICAP/1.0
Host: 127.0.0.1
User-Agent: colin-529fd716d560d2cd0b920629638f3161
Encapsulated: null-body=0
Ncat: Connected to 127.0.0.1:1344.
ICAP/1.0 200 OK
Methods: RESPMOD, REQMOD
Service: C-ICAP/0.5.3 server - SquidClamav/Antivirus service
ISTag: CI0001-1-squidclamav-10
Transfer-Preview: *
Options-TTL: 3600
Date: Wed, 01 Dec 2021 14:47:20 GMT
Preview: 1024
Allow: 204
X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User, X-Authenticated-Groups
Encapsulated: null-body=0
RESPMOD icap://127.0.0.1/squidclamav ICAP/1.0
Host: 127.0.0.1
User-Agent: colin-529fd716d560d2cd0b920629638f3161
Allow: 204
Preview: 69
Encapsulated: res-hdr=0, res-body=126
HTTP/1.0 200 OK
Date: Wed, 01 Dec 2021 14:47:20 +0000
Last-Modified: Wed, 01 Dec 2021 14:47:20 +0000
Content-Length: 69
45
(REDACTED)
0;
ICAP/1.0 408 Request timeout
Server: C-ICAP/0.5.3
Connection: close
ISTag: CI0001-1-squidclamav-10
Ncat: 446 bytes sent, 458 bytes received in 0.02 seconds.
However, with an explicit ICAP EOF in the preview...
...
Content-Length: 69
45
(redacted)
0; ieof
ICAP/1.0 200 OK
Server: C-ICAP/0.5.3
Connection: keep-alive
ISTag: CI0001-1-squidclamav-10
X-Virus-ID: Eicar-Signature
X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Signature;
Encapsulated: res-hdr=0, res-body=418
HTTP/1.0 307 Temporary Redirect
Location: http://proxy.domain.dom/cgi-bin/clwarn.cgi?url=(null)&source=(null)&user=(null)&virus=stream: Eicar-Signature FOUND
Server: C-ICAP
Connection: close
Content-Type: text/html
Content-Language: en
X-Virus-ID: Eicar-Signature
X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Signature;
Via: ICAP/1.0 dev-i01-pg-av.bip (C-ICAP/0.5.3 SquidClamav/Antivirus service )
0
I have redacted the file content being sent to avoid this post causing alerts. All line endings are \r\n.
A timeout seems unlikely. I get the same behaviour (apart from the virus messages) with a non-infected file.
The socket connection is still open on the client side when the server returns the 408 error.
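The two captures above differ only in how the preview is terminated, which is exactly the distinction RFC 3507 section 4.5 draws: a client whose preview already contains the whole body announces that with "0; ieof", whereas a plain "0" terminator tells the server that more body follows and that the client will send it after a "100 Continue". The following is an added example, not code from the post, from c-icap or from squidclamav; it implements that handshake in a small RESPMOD client and drives it against a constructed in-process mock server (the names build_respmod, scan, mock_icap_server and run_exchange are all hypothetical, and the 1024-byte preview limit is taken from the OPTIONS reply shown above) so that the two outcomes, 200 versus 408, can be reproduced offline without any scanner.

```python
import socket
import threading

def build_respmod(host, service, http_hdr, body, preview_limit):
    """Build an ICAP RESPMOD request carrying a preview (RFC 3507 section 4.5).

    Returns (head, rest). `head` is sent immediately and ends with the preview
    terminator; `rest` is the remainder of the chunked body and must be sent
    only after the server has answered "100 Continue". When the whole body fits
    in the preview the terminator is "0; ieof" and `rest` is empty.
    """
    n = min(preview_limit, len(body))
    chunks = b"%x\r\n%s\r\n" % (n, body[:n]) if n else b""
    if n == len(body):
        chunks += b"0; ieof\r\n\r\n"          # nothing more will follow
        rest = b""
    else:
        chunks += b"0\r\n\r\n"                # more body follows after 100 Continue
        tail = body[n:]
        rest = b"%x\r\n%s\r\n0\r\n\r\n" % (len(tail), tail)
    icap_hdr = (
        f"RESPMOD icap://{host}/{service} ICAP/1.0\r\nHost: {host}\r\nAllow: 204\r\n"
        f"Preview: {n}\r\nEncapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_hdr + chunks, rest

def _read_status(conn):
    """Read one ICAP response header block and return its numeric status."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        data = conn.recv(4096)
        if not data:
            raise ConnectionError("server closed the connection")
        buf += data
    return int(buf.split(b" ", 2)[1])

def scan(conn, head, rest):
    """Drive one RESPMOD exchange and return the final ICAP status code."""
    conn.sendall(head)
    status = _read_status(conn)
    if status == 100:              # server wants the rest of the body
        conn.sendall(rest)
        status = _read_status(conn)
    return status

def mock_icap_server(conn, idle_timeout=0.3):
    """Constructed stand-in for the server side of the preview handshake (not
    c-icap code): answer at once on "0; ieof", ask for the rest with
    "100 Continue" on a plain "0", and give up with 408 when the client then
    stays silent, which is the failure mode shown in the first capture."""
    conn.settimeout(idle_timeout)
    try:
        buf = b""
        while not buf.endswith((b"\r\n0\r\n\r\n", b"\r\n0; ieof\r\n\r\n")):
            data = conn.recv(4096)
            if not data:
                return
            buf += data
        if not buf.endswith(b"0; ieof\r\n\r\n"):
            conn.sendall(b"ICAP/1.0 100 Continue\r\n\r\n")
            tail = b""
            while not tail.endswith(b"0\r\n\r\n"):
                data = conn.recv(4096)
                if not data:
                    return
                tail += data
        conn.sendall(b"ICAP/1.0 200 OK\r\nServer: mock\r\nEncapsulated: null-body=0\r\n\r\n")
    except socket.timeout:
        conn.sendall(b"ICAP/1.0 408 Request timeout\r\nConnection: close\r\n\r\n")
    finally:
        conn.close()

def run_exchange(body, buggy=False, preview_limit=1024):
    """Run one client/server exchange over a socketpair and return the status.

    buggy=True reproduces the client from the post: the full body is previewed
    but terminated with a plain "0", and nothing more is ever sent.
    """
    http_hdr = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    head, rest = build_respmod("127.0.0.1", "squidclamav", http_hdr, body, preview_limit)
    if buggy:
        head, rest = head.replace(b"0; ieof\r\n\r\n", b"0\r\n\r\n"), b""
    client_sock, server_sock = socket.socketpair()
    worker = threading.Thread(target=mock_icap_server, args=(server_sock,))
    worker.start()
    try:
        return scan(client_sock, head, rest)
    finally:
        client_sock.close()
        worker.join()

if __name__ == "__main__":
    sample = b"x" * 69                      # constructed 69-byte body, same size as in the post
    print("ieof preview:", run_exchange(sample))          # 200
    print("plain 0, nothing more:", run_exchange(sample, buggy=True))  # 408
    print("body larger than preview:", run_exchange(b"x" * 5000))     # 200
```

The practical consequence for a scanning client is that a 408 (or any non-2xx ICAP status) means the content was never scanned, so the caller should treat it as a scan failure rather than as "no virus found"; a client that only checks for the absence of X-Virus-ID would otherwise wave the content through.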