James Tan wrote:
Hi Amos,

The PoC is for a project involving malware inspection, a personal
project. I tried to chain 2 Squids as part of the solution.

The AV performs the check on the wire before actually allowing Parent
Squid to get hold of it.
I.e. Client --> ... ... -> Parent Squid --> AV (inspects HTTP, if it
is 'infected', do a "TCP Disconnect" as seen on Sysinternals Procmon)
--> Website
*There was no "TCP Disconnect" for 'clean' pages.

From what I observe when the client is directly connected to the
Parent Squid, I got the following message in Parent.
I am OK with this message in Parent, but how can I let the Child also
know that and display a similar message when Parent gets it, instead of
hanging?

I suspect you have something like the half_closed_clients setting turned on or that the child Squid is stuck in a period of re-tries looping to find a source which will supply the requested information.


FWIW, you are better off using a Squid-3 as the parent with AV capabilities plugged in directly via the ICAP interface. Most AV software these days seems to have some form of ICAP server you can plug Squid into. This will let either the AV or the parent Squid supply the client with a nice explanation page about what and why the request was aborted.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
