Edge Caching Proxy Questions and Answers

Provide feedback on the IBM HTTP Server forum on IBM developerWorks (yes, the IHS forum).

Caching Proxy MustGather

Enabling MustGather

Configuring IBM Caching Proxy to write trace can be done with the TraceModule and TraceLog config directives. Note that the command line arguments -debug and -mtv must also be specified when starting IBM Caching Proxy.

It is also necessary to redirect both stdout and stderr to the same file so that configuration details are also collected. The order of the redirections matters: the file redirection comes first and 2>&1 second, otherwise stderr still goes to the terminal and the configuration details are lost:

ibmproxy -mtv -debug > /opt/ibm/edge/cp/server_root/logs/ibmproxy.log 2>&1

To trace all modules, the "all" argument can be specified for TraceModule:

TraceLog /path/to/trace/file
TraceModule All

Setting TraceModule All is generally too verbose; enable only the modules relevant to the problem being diagnosed. For example, the modules typically used to debug a caching problem are:

TraceLog /path/to/trace/file
TraceModule htcaio
TraceModule htcbio
TraceModule htccompact
TraceModule htcfs
TraceModule htcfsck
TraceModule htcfsops
TraceModule htcgc
TraceModule htcgceval
TraceModule htchash
TraceModule htcheap
TraceModule htchio
TraceModule htcio
TraceModule htciter
TraceModule htclock
TraceModule htclsort
TraceModule htcwhdr
TraceModule htcwrtr

List of Traceable Modules

aa  auth  bag  base  cfgdll
cgi  config  content  dirbrw  dll
dns  error  fileio  format  ftp
gcother  gopher  hash  heap  htcaio
htcbio  htccompact  htcfs  htcfsck  htcfsops
htcgc  htcgceval  htchash  htcheap  htchio
htcio  htciter  htclock  htclsort  htcwhdr
htcwrtr  http  icapi  if  javelinbase
javelinpics  lex  list  log  mempool
netmonitor  nls  oru  perfmon  pics
proxy  proxycache  proxychain  proxyinit  workqueue
rcacfg  rcaclnt  rcacomm  rcahash  rcalatency
rcaoop  rcaserv  rchunk  request  selftest
snmp  socket  socks  ssi  ssl
stack  status  stringlib  syscall  tcp
time  timer  threadpool  user  url
vary  workthread  workthread-callback  connection-pool  rtsp
persist  resscm  javelinproxygroup  rcagroup  gcgroup

PAC-LDAP MustGather

The following additional MustGather should be provided to troubleshoot the PAC-LDAP authorization module: PacErr_Client.log and PacErr_Server.log. To increase the detail of the trace, set the following environment variables before starting IBM Caching Proxy:

PAC_DEBUG_LEVEL=64
LDAP_DEBUG=65535
LDAP_DEBUG_FILE=/opt/ibm/edge/cp/server_root/logs/ldapclient_trace.log

export PAC_DEBUG_LEVEL
export LDAP_DEBUG
export LDAP_DEBUG_FILE

Error messages

"Error encounted while loading DLL or function"

On Linux, you're likely missing the 32-bit compat-libstdc++-33 operating system package.

SSL questions

What are the default SSL/TLS protocols?

The SSL/TLS protocols enabled by default changed several times in Caching Proxy 8.5.5. The changes are summarized in the following table and are described in more detail after the table. Note that SSLv3 is broken (POODLE, CVE-2014-3566) and should be disabled on every level regardless of what the default is.

Caching Proxy 8.5.5 Default Protocols

Versions (inclusive)     Protocols enabled by default
8.5.5.0 - 8.5.5.3        SSLv3, TLSv1.1
8.5.5.4                  SSLv3
8.5.5.5 - 8.5.5.11       None
8.5.5.12 and later       TLSv1.0, TLSv1.1

Detailed changes to Default Protocols

Caching Proxy 9.0 Default Protocols

Versions (inclusive)     Protocols enabled by default
9.0.0.0 - 9.0.0.4        None
9.0.0.5 and later        TLSv1.0, TLSv1.1

How do I setup TLSv12 / TLSv1.2 / TLS 1.2?

This is a basic configuration you can append to the sample ibmproxy.conf:

# Basic SSL config
SSLEnable ON
KeyRing .../key.kdb
KeyRingStash .../key.sth
# Must be present to cache requests that arrive over SSL
SSLCaching ON

# Before PI75968 only:
# V3CipherSpecs must be specified; it can be "".
V3CipherSpecs "352F0A"
TLSV1Enable ON
# end pre-PI75968

# With PI75968 and later, opt in to TLSv1.2
TLSVersion ALL

# These are the defaults that PI74512 introduced; set them explicitly on
# levels without PI74512. The values are two-hex-digit cipher-suite IDs:
# 2F/35 AES-CBC-SHA, 3C/3D AES-CBC-SHA256, 9C/9D AES-GCM, 0A 3DES.
# 0A (3DES) is weak; drop it unless a legacy client still needs it.
TLSV11CipherSpecs 2F350A
TLSV12CipherSpecs 9C9D3C3D2F350A

For more details, consult this technote: http://www-01.ibm.com/support/docview.wss?uid=swg21693751

Does Caching Proxy support DHE/ECDHE ciphers?

DHE/ECDHE ciphers are not a feature of Caching Proxy, and we do not anticipate they'll ever become a supported configuration. Caching Proxy has been stabilized for many years.

What ciphers are supported in Caching Proxy?

Only cipher suites using RSA key exchange are supported. No other ciphers, such as those using ECDHE or ECDSA, are supported.
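The cipher-spec values in the TLSv1.2 configuration above and the cipher question here are easier to reason about when the two-hex-digit IDs are decoded. The following is an added example, not Caching Proxy code or anything from the page: it decodes V3CipherSpecs/TLSV11CipherSpecs/TLSV12CipherSpecs values into IANA suite names and flags the weak and non-forward-secret choices. It assumes directive names match case-insensitively, maps only the IDs that appear in the sample configuration (anything else is reported as unknown rather than guessed), and the sample ibmproxy.conf fragment and keyring paths are constructed for the example.

```python
import re

# Added example (not Caching Proxy code): decode *CipherSpecs values and flag
# weak choices. The two-hex-digit IDs are the low byte of the IANA cipher-suite
# code point (0x002F -> "2F"). Only the IDs used in the page's sample
# configuration are mapped; anything else is reported as unknown, not guessed.
SUITE_NAMES = {
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "3C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "3D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "9C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "9D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_IDS = {"0A"}  # 3DES: 64-bit block size (Sweet32)
CIPHER_DIRECTIVES = ("V3CipherSpecs", "TLSV11CipherSpecs", "TLSV12CipherSpecs")

# Constructed sample: the TLSv1.2 configuration from this page, with
# placeholder keyring paths (assumed values, not from the page).
SAMPLE_CONF = """\
# Basic SSL config
SSLEnable ON
KeyRing /opt/ibm/edge/cp/server_root/keys/key.kdb
KeyRingStash /opt/ibm/edge/cp/server_root/keys/key.sth
SSLCaching ON
V3CipherSpecs "352F0A"
TLSV1Enable ON
TLSVersion ALL
TLSV11CipherSpecs 2F350A
TLSV12CipherSpecs 9C9D3C3D2F350A
"""


def parse_cipher_specs(value):
    """Split a spec value such as '"352F0A"' into a list of uppercase IDs.

    An empty string (the page notes V3CipherSpecs may be "") yields [].
    Odd length or non-hex input is rejected rather than silently truncated.
    """
    v = value.strip().strip('"')
    if not v:
        return []
    if len(v) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", v):
        raise ValueError("cipher spec must be an even-length hex string: %r" % value)
    return [v[i:i + 2].upper() for i in range(0, len(v), 2)]


def parse_conf(text):
    """Return {directive_lowercase: value} for non-comment lines.

    Case-insensitive directive matching is an assumption of this example.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings for an ibmproxy.conf SSL fragment."""
    conf = parse_conf(text)
    findings = []
    if conf.get("sslenable", "").upper() != "ON":
        return ["SSLEnable is not ON: nothing is served over TLS"]
    if "tlsversion" not in conf:
        findings.append("TLSVersion not set: TLSv1.2 stays off on levels with "
                        "PI75968 (opt in with 'TLSVersion ALL')")
    names = []
    for directive in CIPHER_DIRECTIVES:
        raw = conf.get(directive.lower())
        if raw is None:
            continue
        for cid in parse_cipher_specs(raw):
            name = SUITE_NAMES.get(cid)
            if name is None:
                findings.append("%s: unknown cipher ID %s" % (directive, cid))
                continue
            names.append(name)
            if cid in WEAK_IDS:
                findings.append("%s: %s (%s) is weak; drop it unless a legacy "
                                "client needs it" % (directive, cid, name))
    # Every mapped suite uses RSA key exchange (Caching Proxy has no DHE/ECDHE),
    # so a compromised server key decrypts previously recorded sessions.
    if names and all(n.startswith("TLS_RSA_") for n in names):
        findings.append("no forward secrecy: all configured suites use RSA key exchange")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the page's sample configuration, the audit reports 3DES in all three cipher-spec directives and the absence of forward secrecy; removing the trailing 0A from each directive clears the first three findings, while the last one can only be addressed by terminating TLS in front of Caching Proxy.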

How do I redirect clients from HTTP to HTTPS?

The Redirect directive can be used to redirect clients from HTTP to HTTPS. Since mapping rules are applied in order and this one must match first, place the Redirect directive above the other mapping rules (e.g. Pass directives).

HTTP to HTTPS Redirect Example

# Redirect HTTP to HTTPS
Redirect /* https://server-name/* server-name:80

LDAP questions

LDAP: error occurred during SSL initialization, looking for credentials in: pac_keyfile.kdb

This error can happen for a variety of reasons. The obvious reason for this error is that the pac_keyfile.kdb is not found in the expected path, which is cp-root/server_root/pac/creds/pac_keyfile.kdb.

The error can also happen if the IBM Tivoli LDAP library can't load the GSKit library. A potential cause is that the LDAP library wants to load GSK 7 but the system has GSK 8. In that case the error can be resolved by setting the GSKIT_CLIENT_VERSION environment variable to the desired GSK version (for example: GSKIT_CLIENT_VERSION=8).

To diagnose any other issues, the LDAP client traces should be collected and reviewed. Please see the PAC-LDAP MustGather section for information on how to collect the LDAP client traces.

Start / stop questions

Cannot open pid file for writing

The PidFile directive ships commented out by default, but points to a directory that is not writable by the nobody/nogroup user Caching Proxy changes to before writing out its pid file. Changing the PidFile to point to the server_root/logs/ directory instead is a writable alternative.

cpwizard doesn't work

Some causes on Windows for cpwizard to fail:

Miscellaneous directive related questions

Something's off about LimitRequestField/LimitRequestFieldSize...

LimitRequestFieldSize and LimitRequestField don't seem to work properly. The former seems to trigger arbitrarily once a certain size is reached, and the latter cannot be raised.