Why is Squid sending POST/GET to MetaDefender ICAP?
This article applies to all MetaDefender ICAP Server 5.4.0 and above releases deployed on Windows and Linux systems.
By default, Squid does not issue ICAP requests using REQMOD or RESPMOD unless these are explicitly configured. This can cause Squid to send plain HTTP methods (e.g., GET, POST) to the ICAP server, which expects ICAP-specific requests and responses. Additionally, when using Firefox with Squid, misconfigured SOCKS proxy settings can cause similar “400 Bad Request” errors.
Why this matters for MetaDefender ICAP Server
MetaDefender ICAP only processes traffic sent with ICAP methods. When improperly configured, Squid may simply pass traffic through without modification or, in some cases (like Squid 5.x defaults), send plain HTTP methods (GET/POST) to the ICAP port. This is what leads to the “400 Bad Request” errors.
Legacy Squid 3.x Configuration:
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache 0 icap://<MetaDefender ICAP Server>:1344/reqmod
icap_service service_resp respmod_precache 0 icap://<MetaDefender ICAP Server>:1344/respmod
icap_class class_avreq service_req
icap_class class_avresp service_resp
icap_access class_avreq allow all
icap_access class_avresp allow all
Squid 5.x / 6.x / 7.x Configuration
icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0
icap_service metascan_req reqmod_precache bypass=0 icap://<MetaDefender ICAP Server>:1344/reqmod
adaptation_access metascan_req allow all
icap_service metascan_resp respmod_precache bypass=0 icap://<MetaDefender ICAP Server>:1344/respmod
adaptation_access metascan_resp allow all
Firefox SOCKS Proxy Settings Solution
When using Firefox through a Squid proxy connected to an ICAP server, misconfigured SOCKS proxy settings can cause “400 Bad Request” errors in the ICAP workflow. This happens because Firefox, when set to use a SOCKS proxy, may tunnel all traffic (including HTTP) over the SOCKS protocol instead of sending plain HTTP to Squid. Squid then receives traffic in an unexpected format, which prevents it from applying ICAP services properly and leads to protocol errors.
To avoid this, ensure that Firefox is configured to send HTTP/S traffic directly to Squid’s listening IP and port (e.g., HTTP Proxy: <squid-ip>, Port: 3128) without enabling SOCKS. If SOCKS is enabled but unnecessary, disable it by clearing the “SOCKS Host” field and unchecking “Proxy DNS when using SOCKS” in Firefox’s network settings. This ensures that Squid receives standard HTTP requests, allowing it to correctly pass them to the ICAP server using REQMOD or RESPMOD.
There is a known bug in Squid versions 5.5 through 6.11 where RESPMOD fails for files larger than ~65KB. It is recommended to use Squid 4.13, 6.13, or 7.0.1 instead.
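To check a squid.conf against the Squid 5.x / 6.x / 7.x configuration above before deploying it, a small linter can confirm that ICAP is enabled and that both a REQMOD and a RESPMOD service exist and are bound with adaptation_access. This is an added example, not OPSWAT or Squid project code; the function name, the sample text and the host icap.example.internal are assumptions made for illustration.

```python
import re

# Vectoring points used by the configurations on this page.
VECTORING_POINTS = {"reqmod_precache", "respmod_precache"}
# Directives the page lists only under the legacy Squid 3.x configuration.
LEGACY_DIRECTIVES = {"icap_class", "icap_access"}

# Constructed sample; icap.example.internal is a placeholder host.
SAMPLE_BROKEN = """\
icap_enable on
icap_service metascan_req reqmod_precache bypass=0 icap://icap.example.internal:1344/reqmod
icap_access class_avreq allow all   # legacy rule, no adaptation_access
"""


def lint_squid_icap(conf_text):
    """Return findings for the ICAP part of a Squid 5.x+ squid.conf."""
    findings, services, allowed, enabled = [], {}, set(), False
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "icap_enable":
            enabled = args[:1] == ["on"]
        elif directive == "icap_service" and len(args) >= 3:
            name, point = args[0], args[1]
            # The URI may come before or after options such as bypass=0.
            uri = next((a for a in args[2:] if "://" in a), "")
            services[name] = point
            if point not in VECTORING_POINTS:
                findings.append(f"{name}: unexpected vectoring point {point}")
            if not re.match(r"icap://[^/]+/\S+", uri):
                findings.append(f"{name}: URI is not icap://host:port/path")
        elif directive == "adaptation_access" and args[1:2] == ["allow"]:
            allowed.add(args[0])
        elif directive in LEGACY_DIRECTIVES:
            findings.append(f"{directive}: legacy Squid 3.x directive")
    if not enabled:
        findings.append("icap_enable is not 'on'")
    for name in services:
        if name not in allowed:
            findings.append(f"{name}: no adaptation_access allow rule")
    for point in sorted(VECTORING_POINTS - set(services.values())):
        findings.append(f"no icap_service defined for {point}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_squid_icap(SAMPLE_BROKEN)))
```

Replace the placeholder host with the real ICAP server address before linting a live file; a host token containing spaces will not parse.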
If further assistance is required, please log a support case or chat with our support engineer.
