Hi there,

I'm trying to set up a security-enforcing Squid using a Debian Etch
system. I considered several methods, but in the end I think that using
ICAP is structurally the best option (although there obviously are
solutions using DansGuardian).

I set up the combo Squid3 and c-icap and it works for the most part.
However, I get a couple of "ICAP protocol errors" during downloads.

Trying to download the current samba-vscan tarball is one candidate. If
I check the file using the icap-client, nothing strange shows up:
$ /usr/local/c-icap/bin/icap-client \
    -f /home/mgr/package-ports/samba-vscan/samba-vscan-0.3.6c-beta4.tar.gz \
    -s "srv_clamav?allow204=on&force=on&sizelimit=on&mode=simple"
ICAP server:localhost, ip:127.0.0.1, port:1344
No modification needed (Allow 204 responce)

Even more strange are AVIRA updates for the Win-Boxes. I can download
all files using the browser, but the updater fails. I could not find any
sound indication in the logs.

As a workaround I currently put in squid.conf:
acl avira dstdom_regex -i dl[0-9]\.avgate\.net
icap_access class_antivirus deny avira
Since this works, this should definitely be an issue of the ICAP
sub-system. Strange though that the files can be accessed via a browser.

Can anybody give me a hint on how to do better diagnosis on the problem?
My Squid is the Debian Etch Squid3, but with ICAP enabled, i.e. built
from the Debian source package with modified rules file:
$ squid3 -v
Squid Cache: Version 3.0.PRE5
configure options: '--build=i486-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,coss'
'--enable-diskio=AIO,Blocking,DiskDaemon,DiskThreads'
'--enable-removal-policies=lru,heap' '--enable-poll'
'--enable-digest-pools' '--enable-snmp' '--enable-htcp'
'--enable-select' '--enable-carp' '--enable-icap-client'
'--enable-large-files' '--enable-underscores'
'--enable-auth=basic,digest,ntlm'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=SMB'
'--enable-digest-auth-helpers=ldap,password'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--with-filedescriptors=4096' '--enable-epoll'
'--enable-linux-netfilter' 'CC=cc' 'CFLAGS=-g -Wall -O2' 'CPPFLAGS='
'CXXFLAGS=-g -Wall -O2' 'CXX=g++' 'LDFLAGS=' 'build_alias=i486-linux-gnu'
c-icap has been built from the current download files
c-icap_180407.tar.gz, without any adaptations. It is prefixed to
/usr/local/c-icap.
Configuration of both c-icap and squid largely follows the examples on
the c-icap site.
Thanks for your help,
- lars.
--
Dr. Lars Hanke
µAC - Microsystem Accessory Consult
>> realize the possible <<
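
An added note on the workaround ACL in the post above (example code, not part of the original message): Squid's dstdom_regex is an unanchored, case-insensitive (with -i) search over the destination host name, so the posted pattern exempts more hosts from virus scanning than the update servers alone. The check below uses Python's re module as a stand-in for Squid's regex matching; the anchored pattern and all sample host names are constructed assumptions.

```python
import re

# Pattern from the workaround in the post ("-i" makes it case-insensitive).
POSTED = r"dl[0-9]\.avgate\.net"
# Assumed tightening (not from the post): anchor both ends so that only
# the exact update hosts skip the ICAP antivirus service.
ANCHORED = r"^dl[0-9]\.avgate\.net$"

# Constructed sample destination host names.
SAMPLE_HOSTS = [
    "dl1.avgate.net",
    "DL4.AVGATE.NET",
    "dl1.avgate.net.example.org",
    "xdl2.avgate.net",
    "mirror-dl3.avgate.net.example.com",
    "dl10.avgate.net",
    "www.avgate.net",
]


def bypasses_icap(pattern, host):
    """True if a 'dstdom_regex -i' ACL with this pattern would match host."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def compare(hosts=SAMPLE_HOSTS):
    """Map each host to (matches posted pattern, matches anchored pattern)."""
    return {h: (bypasses_icap(POSTED, h), bypasses_icap(ANCHORED, h))
            for h in hosts}


def unintended(hosts=SAMPLE_HOSTS):
    """Hosts exempted from scanning only because the pattern is unanchored."""
    return [h for h, (posted, anchored) in compare(hosts).items()
            if posted and not anchored]


if __name__ == "__main__":
    for host, (posted, anchored) in compare().items():
        print(f"{host:36} posted={posted!s:5} anchored={anchored}")
    print("exempted unintentionally:", unintended())
```

With the anchored form, the acl line would read `acl avira dstdom_regex -i ^dl[0-9]\.avgate\.net$`, leaving the icap_access line unchanged.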