I had forgotten to negate ICP, but I've inserted it now. I made a workaround for this ICAP problem but I must have another ICAP server just for filtering theses no authentication sites and unfortunately it isn't a good solution. Any Idea? []'s Thiago Cruz On 10/8/07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > > Of course not, here is it: > > Thank you. Everything look normal to me. > What do you do to "negate ICP for some ACL"? > > Amos > > > +++++++++++++++++++++++++++++++++++ > > http_port 8080 > > icp_port 0 > > hierarchy_stoplist cgi-bin ? > > acl QUERY urlpath_regex cgi-bin \? > > cache deny QUERY > > refresh_pattern ^ftp: 1440 20% 10080 > > refresh_pattern ^gopher: 1440 0% 1440 > > refresh_pattern . 0 20% 4320 > > visible_hostname cacheteste.hm > > cache_log /var/log/squid/cache.log > > cache_store_log none > > debug_options ALL,1 > > > > memory_replacement_policy lru > > logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul > > %Sh/%<A %mt > > > > cache_access_log /var/log/squid/access.log squidmime_extended > > > > auth_param ntlm program /usr/bin/ntlm_auth > > --helper-protocol=squid-2.5-ntlmssp > > auth_param ntlm children 80 > > > > auth_param basic program /usr/bin/ntlm_auth > > --helper-protocol=squid-2.5-basic > > auth_param basic children 3 > > auth_param basic realm HM > > auth_param basic credentialsttl 2 hours > > > > external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN > > /usr/lib/squid/wbinfo_group.pl > > > > acl PURGE method PURGE > > > > acl all src 0.0.0.0/0.0.0.0 > > acl manager proto cache_object > > acl localhost src 127.0.0.1/255.255.255.255 > > acl squid-stat src 172.17.6.126/255.255.255.255 > > acl to_localhost dst 127.0.0.0/8 > > acl SSL_ports port 443 > > acl Safe_ports port 80 > > acl Safe_ports port 21 > > acl Safe_ports port 443 > > acl Safe_ports port 70 > > acl Safe_ports port 210 > > acl Safe_ports port 1025-65535 > > acl Safe_ports port 280 > > acl Safe_ports port 488 > > acl Safe_ports port 591 > > acl Safe_ports port 777 > > acl CONNECT method CONNECT > > acl INTRANET dstdomain .hm .hm.com.br > > acl USERS_ALLOW external NTGroup @HM_USUARIOS > > acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication" > > acl JAVA-SUN browser -i java > > > > http_access allow PURGE localhost > > http_access deny PURGE > > > > http_access allow manager localhost > > http_access deny manager > > http_access deny !Safe_ports > > deny_info BC_Safe_ports Safe_ports > > > > http_access deny CONNECT !SSL_ports > > deny_info BC_not_SSL_ports SSL_ports > > > > http_access allow sites_no_authentication > > http_access allow JAVA-SUN > > http_access deny TERMO > > deny_info BC_TERMO TERMO > > http_access allow INTRANET > > http_access allow all USERS_ALLOW > > http_access deny all > > deny_info BC_ACESSO_NEGADO all > > > > always_direct allow sites_no_authentication > > always_direct allow JAVA-SUN > > always_direct allow INTRANET > > always_direct allow CONNECT > > > > never_direct allow all > > > > cache_effective_user squid > > cache_effective_group squid > > > > err_html_text mailto:ti.inf@xxxxxxxxx > > > > coredump_dir /usr/local/squid/var/cache > > forwarded_for on > > > > icap_enable on > > icap_preview_enable on > > icap_send_client_ip on > > icap_send_client_username on > > icap_client_username_header X-Authenticated-User > > icap_client_username_encode on > > icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod > > icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod > > > > icap_class filtro_url service_1 service_2 > > > > icap_access filtro_url deny sites_no_authentication > > icap_access filtro_url allow USERS_ALLOW > > > > icap_access filtro_url deny all > > > > cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest > > default > > +++++++++++++++++++++++++++++++++++ > > > > Although I have one server only for tests, the debug mode is too big. > > But if it's necessary should I post it here? > > > > Thanks > > Thiago Cruz > > > > On 10/8/07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > >> Thiago Cruz wrote: > >> > Hello H. Nordstrom, > >> > > >> > I had already read that but unfortunately it didn't work. For some > >> > reason when I negate ICAP for some ACL it bypass cache_peer too. > >> > >> Most weird. Would you mind posting the related config both negated and > >> non-negated for comparison? > >> > >> > >> > Debug > >> > all 9 could help us? > >> > >> Possibly. It will generate a LOT of data for even moderate server load. > >> I'd suggest starting at 5-6 to peek where the problems might be, then > >> raise a particular section. > >> > >> Amos > >> > >> > >> > > >> > On 10/6/07, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote: > >> >> On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote: > >> >>> I solved the problem which squid wasn't sending respmod using Squid3 > >> >>> RC1, but I have another problem, when I don't want to use ICAP (acl > >> >>> sites_no_authentication), the squid bypass the cache peer too. Is > >> >>> there some way to force it to use cache_peer? > >> >> Squid FAQ How do I configure Squid forward all requests to another > >> >> proxy? > >> >> > >> > <url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027> > >> >> > >> >> Regards > >> >> Henrik > >> >> > >> > >> > > > > >
