David Touzeau wrote:
> Dear,
> I would like to use ICAP ACLs in order to not send some files to the ICAP
> server.
> Squid complains about these:
> WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of '0.0.0.0/0.0.0.0'
> WARNING: because of this '0.0.0.0/0.0.0.0' is ignored to keep splay tree searching predictable
> WARNING: You should probably remove '0.0.0.0/0.0.0.0' from the ACL named 'all'
The above means that you have entered "acl all ..." into your squid.conf.
Squid-3 defines it internally now to prevent people altering it and
breaking the basic security defaults of many settings.
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'info'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'counters'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting '5min'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'diskd'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'store_io'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is used but there is no HTTP reply -- not matching.
> What's wrong? What does this error mean?
Means you are checking an ACL which uses output data to determine what
inputs are going to happen to cause output to be generated...
> This is a part of my squid.conf
> best regards...
> #--------- acls
> acl blockedsites url_regex "/etc/squid3/squid-block.acl"
> acl localhost src 127.0.0.1/255.255.255.255
> acl localhost src 127.0.0.1
> acl all src 0.0.0.0/0.0.0.0
delete the above.
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 1025-65535
> acl Safe_ports port 21
> acl QUERY urlpath_regex cgi-bin
> acl QUERY urlpath_regex \?
Probably a good choice to delete the above.
> acl CONNECT method CONNECT
> #--------- TIME RESTRICTION
> acl acl_kav_GET method GET
> acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
> acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
> acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
> acl multimedia_rep rep_mime_type -i ^image/.*
> acl multimedia_rep rep_mime_type -i ^.*video.*
> acl multimedia_rep rep_mime_type -i ^.*audio.*
The above three are all overly complicated. The pattern reduces down to
actually doing this:
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i video
acl multimedia_rep rep_mime_type -i audio
> acl multimedia_rep rep_mime_type -i ^application/x-dvi$
> acl multimedia_rep rep_mime_type -i ^application/x-isoview
> acl multimedia_browsers browser -i ^.*Windows-Media-Player.* -i ^.*player.*
Same overly complicated config here.
> acl bigfiles_types urlpath_regex -i \.deb$
> acl bigfiles_types urlpath_regex -i \.rpm$
> acl bigfiles_types urlpath_regex -i \.iso$
> acl bigfiles_types urlpath_regex -i \.tar\.gz$
> acl bigfiles_types urlpath_regex -i \.gz$
> acl bigfiles_types urlpath_regex -i \.bz$
> acl bigfiles_types urlpath_regex -i \.tar$
> acl bigfiles_types urlpath_regex -i \.cue$
> acl bigfiles_types urlpath_regex -i \.nrg$
> acl bigfiles_types urlpath_regex -i \.crf$
> acl bigfiles_types urlpath_regex -i \.bwi$
> acl bigfiles_types urlpath_regex -i \.bwt$
> acl bigfiles_types urlpath_regex -i \.lcd$
> acl bigfiles_types urlpath_regex -i \.ccd$
> acl bigfiles_types urlpath_regex -i \.mdf$
> acl bigfiles_types urlpath_regex -i \.mds$
> acl bigfiles_types urlpath_regex -i \.vcd$
> acl bigfiles_types urlpath_regex -i \.cif$
> acl bigfiles_types urlpath_regex -i \.vdi$
> acl bigfiles_types urlpath_regex -i \.img$
> acl office_network src 80.254.72.0/24
> #--------- MAIN RULES...
> http_access deny blockedsites
> http_access allow office_network
> http_access allow Safe_ports
> http_access allow SSL_ports
Uh oh. Unrestricted access to almost all ports from anyone on the
Internet via your proxy? Are you _really_ sure you want to be doing that?
The published defaults are:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
They are stated that way and ordered first to be fail-closed security
gates catching requests which have a dangerously high probability of
abuse and destruction to the Internet as a whole, and your network
specifically.
> http_access allow localhost
> http_access deny all
> # --------- icap_service KASPERSKY
> icap_enable on
> icap_send_client_ip on
> icap_service is_kav_resp respmod_precache 0 icap://127.0.0.1:1344/av/respmod
> icap_service is_kav_req reqmod_precache 0 icap://127.0.0.1:1344/av/reqmod
> # --------- icap_class
> icap_class ic_kav_resp is_kav_resp
> icap_class ic_kav_req is_kav_req
> # --------- icap_access
> icap_access ic_kav_resp deny multimedia_rep
> icap_access ic_kav_resp deny multimedia_browsers
> icap_access ic_kav_resp deny bigfiles_types
> icap_access ic_kav_resp allow all
> icap_access ic_kav_req deny multimedia_rep
*** response type being checked before it exists to figure out if
the response is going to be asked for.
> icap_access ic_kav_req deny multimedia_browsers
> icap_access ic_kav_req deny bigfiles_types
> icap_access ic_kav_req allow all !acl_kav_GET
"all" has no meaning unless it's last on the line. In which case it's
only useful in suppressing authentication popups or causing custom deny
pages to appear.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
Current Beta Squid 3.1.0.17
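The three config mistakes Amos points out (a user-defined "acl all", a reply-side rep_mime_type ACL checked on a reqmod service or in http_access where no reply exists yet, and "all" not being the last ACL on a line) can be caught before reload with a small linter. This is an added example, not code from the thread or from the Squid project; it assumes Squid-3 semantics and a constructed sample config trimmed from the one above.

```python
# Added example (not from the thread): lint squid.conf for the mistakes Amos points out.
REPLY_ACL_TYPES = {"rep_mime_type", "rep_header"}  # can only match once a reply exists

def check_acl_use(lineno, names, acl_types, request_time, warnings):
    """Flag reply-side ACLs checked before any reply exists, and 'all' not last."""
    for i, name in enumerate(names):
        bare = name.lstrip("!")
        if bare == "all" and i != len(names) - 1:
            warnings.append(f"{lineno}: 'all' only has meaning as the last ACL on the line")
        if request_time and acl_types.get(bare) in REPLY_ACL_TYPES:
            warnings.append(f"{lineno}: '{bare}' ({acl_types[bare]}) is checked where no "
                            "HTTP reply exists yet; it will never match")

def lint_squid_conf(text):
    """Return 'line: message' warnings for a squid.conf fragment (Squid-3 semantics)."""
    acl_types, icap_mode, icap_classes, warnings = {}, {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            if tok[1] == "all":
                warnings.append(f"{lineno}: 'acl all' is defined internally by Squid-3; remove it")
            acl_types[tok[1]] = tok[2]
        elif tok[0] == "icap_service" and len(tok) >= 3:
            icap_mode[tok[1]] = tok[2]  # reqmod_precache or respmod_precache
        elif tok[0] == "icap_class" and len(tok) >= 3:
            icap_classes[tok[1]] = tok[2:]
        elif tok[0] == "http_access" and len(tok) >= 3:
            check_acl_use(lineno, tok[2:], acl_types, True, warnings)  # request time: no reply
        elif tok[0] == "icap_access" and len(tok) >= 4:
            services = icap_classes.get(tok[1], [tok[1]])  # 3.0 names a class, 3.1 a service
            reqmod = any(icap_mode.get(s, "").startswith("reqmod") for s in services)
            check_acl_use(lineno, tok[3:], acl_types, reqmod, warnings)
    return warnings

SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl multimedia_rep rep_mime_type -i ^image/
acl acl_kav_GET method GET
icap_service is_kav_resp respmod_precache 0 icap://127.0.0.1:1344/av/respmod
icap_service is_kav_req reqmod_precache 0 icap://127.0.0.1:1344/av/reqmod
icap_class ic_kav_resp is_kav_resp
icap_class ic_kav_req is_kav_req
icap_access ic_kav_resp deny multimedia_rep
icap_access ic_kav_req deny multimedia_rep
icap_access ic_kav_req allow all !acl_kav_GET
"""  # constructed sample: the thread's config trimmed to the lines that matter

if __name__ == "__main__":
    print("\n".join(lint_squid_conf(SAMPLE_CONF)))
```

The respmod line is deliberately left unflagged: a rep_mime_type ACL is fine on ic_kav_resp, which is exactly the split Amos describes.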