Amos, I removed the line, like you said, and works fine. It was my fault I forgot that line on my test, anyway thank you my friend. Now I can use ICAP for filtering web contents and via parent proxy scan for threats. Thank all, Thiago Cruz On 10/9/07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > Thiago Cruz wrote: > > I had forgotten to negate ICP, but I've inserted it now. > > > > I made a workaround for this ICAP problem but I must have another ICAP > > server just for filtering theses no authentication sites and > > unfortunately it isn't a good solution. > > > > Any Idea? > > Sorry, I mis-spelled the quote. > You said earlier before I joined the thread that you "when I negate > ICAP for some ACL it bypass cache_peer too" (cut-n-paste this time :-) > > > I must be going blind. An idea just occurs to me: > > always_direct allow sites_no_authentication > means bypass any peers and go direct for 'sites_no_authentication' > > never_direct allow all > means NOTHING can go direct, use peer or fail. > > If this idea is right, then the always_direct is kicking all the peer > logics aside and forcing it to go direct before the never_direct gets > tested. > > Try this: > always_direct deny sites_no_authentication > > or remove the line and finish with: > always_direct deny all > > Amos > > > > > > []'s > > Thiago Cruz > > > > On 10/8/07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > >>> Of course not, here is it: > >> Thank you. Everything look normal to me. > >> What do you do to "negate ICP for some ACL"? > >> > >> Amos > >> > >>> +++++++++++++++++++++++++++++++++++ > >>> http_port 8080 > >>> icp_port 0 > >>> hierarchy_stoplist cgi-bin ? > >>> acl QUERY urlpath_regex cgi-bin \? > >>> cache deny QUERY > >>> refresh_pattern ^ftp: 1440 20% 10080 > >>> refresh_pattern ^gopher: 1440 0% 1440 > >>> refresh_pattern . 0 20% 4320 > >>> visible_hostname cacheteste.hm > >>> cache_log /var/log/squid/cache.log > >>> cache_store_log none > >>> debug_options ALL,1 > >>> > >>> memory_replacement_policy lru > >>> logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul > >>> %Sh/%<A %mt > >>> > >>> cache_access_log /var/log/squid/access.log squidmime_extended > >>> > >>> auth_param ntlm program /usr/bin/ntlm_auth > >>> --helper-protocol=squid-2.5-ntlmssp > >>> auth_param ntlm children 80 > >>> > >>> auth_param basic program /usr/bin/ntlm_auth > >>> --helper-protocol=squid-2.5-basic > >>> auth_param basic children 3 > >>> auth_param basic realm HM > >>> auth_param basic credentialsttl 2 hours > >>> > >>> external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN > >>> /usr/lib/squid/wbinfo_group.pl > >>> > >>> acl PURGE method PURGE > >>> > >>> acl all src 0.0.0.0/0.0.0.0 > >>> acl manager proto cache_object > >>> acl localhost src 127.0.0.1/255.255.255.255 > >>> acl squid-stat src 172.17.6.126/255.255.255.255 > >>> acl to_localhost dst 127.0.0.0/8 > >>> acl SSL_ports port 443 > >>> acl Safe_ports port 80 > >>> acl Safe_ports port 21 > >>> acl Safe_ports port 443 > >>> acl Safe_ports port 70 > >>> acl Safe_ports port 210 > >>> acl Safe_ports port 1025-65535 > >>> acl Safe_ports port 280 > >>> acl Safe_ports port 488 > >>> acl Safe_ports port 591 > >>> acl Safe_ports port 777 > >>> acl CONNECT method CONNECT > >>> acl INTRANET dstdomain .hm .hm.com.br > >>> acl USERS_ALLOW external NTGroup @HM_USUARIOS > >>> acl sites_no_authentication url_regex > "/etc/squid/sites_no_authentication" > >>> acl JAVA-SUN browser -i java > >>> > >>> http_access allow PURGE localhost > >>> http_access deny PURGE > >>> > >>> http_access allow manager localhost > >>> http_access deny manager > >>> http_access deny !Safe_ports > >>> deny_info BC_Safe_ports Safe_ports > >>> > >>> http_access deny CONNECT !SSL_ports > >>> deny_info BC_not_SSL_ports SSL_ports > >>> > >>> http_access allow sites_no_authentication > >>> http_access allow JAVA-SUN > >>> http_access deny TERMO > >>> deny_info BC_TERMO TERMO > >>> http_access allow INTRANET > >>> http_access allow all USERS_ALLOW > >>> http_access deny all > >>> deny_info BC_ACESSO_NEGADO all > >>> > >>> always_direct allow sites_no_authentication > >>> always_direct allow JAVA-SUN > >>> always_direct allow INTRANET > >>> always_direct allow CONNECT > >>> > >>> never_direct allow all > >>> > >>> cache_effective_user squid > >>> cache_effective_group squid > >>> > >>> err_html_text mailto:ti.inf@xxxxxxxxx > >>> > >>> coredump_dir /usr/local/squid/var/cache > >>> forwarded_for on > >>> > >>> icap_enable on > >>> icap_preview_enable on > >>> icap_send_client_ip on > >>> icap_send_client_username on > >>> icap_client_username_header X-Authenticated-User > >>> icap_client_username_encode on > >>> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod > >>> icap_service service_2 respmod_precache 0 > icap://127.0.0.1:1344/wwrespmod > >>> > >>> icap_class filtro_url service_1 service_2 > >>> > >>> icap_access filtro_url deny sites_no_authentication > >>> icap_access filtro_url allow USERS_ALLOW > >>> > >>> icap_access filtro_url deny all > >>> > >>> cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest > >>> default > >>> +++++++++++++++++++++++++++++++++++ > >>> > >>> Although I have one server only for tests, the debug mode is too big. > >>> But if it's necessary should I post it here? > >>> > >>> Thanks > >>> Thiago Cruz > >>> > >>> On 10/8/07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > >>>> Thiago Cruz wrote: > >>>>> Hello H. Nordstrom, > >>>>> > >>>>> I had already read that but unfortunately it didn't work. For some > >>>>> reason when I negate ICAP for some ACL it bypass cache_peer too. > >>>> Most weird. Would you mind posting the related config both negated and > >>>> non-negated for comparison? > >>>> > >>>> > >>>>> Debug > >>>>> all 9 could help us? > >>>> Possibly. It will generate a LOT of data for even moderate server load. > >>>> I'd suggest starting at 5-6 to peek where the problems might be, then > >>>> raise a particular section. > >>>> > >>>> Amos > >>>> > >>>> > >>>>> On 10/6/07, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote: > >>>>>> On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote: > >>>>>>> I solved the problem which squid wasn't sending respmod using Squid3 > >>>>>>> RC1, but I have another problem, when I don't want to use ICAP (acl > >>>>>>> sites_no_authentication), the squid bypass the cache peer too. Is > >>>>>>> there some way to force it to use cache_peer? > >>>>>> Squid FAQ How do I configure Squid forward all requests to another > >>>>>> proxy? > >>>>>> > >> > <url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027> > >>>>>> Regards > >>>>>> Henrik > >>>>>> > >>>> > >> > >> > >
