C-ICAP+SquidGuard : ACL problems


Dear

I would like to know if anyone is using C-ICAP+squidGuard on squid 3.1.x.


I have created a rule with an acl matching an IP address:

acl 192_168_1_240 src 192.168.1.240

It seems that the first IP scanned by c-icap is always the loopback IP (127.0.0.1).

When the 192.168.1.240 IP passes through c-icap, c-icap displays:
going to check addresses  ip address: 127.0.0.1 192.168.1.240/255.255.255.255

Why does 127.0.0.1 have a prefix?
According to this, no rules match the acl, and IP objects always match the
default rule.


I have added an acl specific to the loopback, "acl loopback src
127.0.0.1", and c-icap correctly says:

going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches

Where am I wrong? How do I remove the 127.0.0.1 prefix from the
connection link?
Is it a squid.conf problem, or does it need specific changes to the squid
method? (I am using the 3.1.4 version.)


Here are the C-ICAP debug logs:
------------------------------------------------------------------

Check request with an access entry
Access control: ALLOW
pool hits:2 allocations: 1
Allocating from objects pool object 0
Requested service: url_check
URL  to host www.freesexvideos2k.com
URL  page www.freesexvideos2k.com/style.css
Check request with an access entry
Check request with ci_acl_spec_t:loopback
going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches
Check request with ci_acl_spec_t:loopback
going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches
Check request with ci_acl_spec_t:192_168_1_240
going to check addresses  ip address: 127.0.0.1 192.168.1.240/255.255.255.255
Going to check the db W-1 for BLOCK
sg_db W-1 is not open?
Going to check the db F-1 for PASS
sg_db: checking domain www.freesexvideos2k.com
db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair found
sg_db: checking url www.freesexvideos2k.com/style.css
Going to check the db W-1 for BLOCK
sg_db W-1 is not open?
Going to check the db F-1 for PASS
sg_db: checking domain www.freesexvideos2k.com
db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair found
sg_db: checking url www.freesexvideos2k.com/style.css
Storing to objects pool object 0
Check request with an access entry
Check request with ci_acl_spec_t:all
going to check addresses  ip address: 127.0.0.1 0.0.0.0/0.0.0.0
The ci_acl_spec_t:all matches
Check request with ci_acl_spec_t:all
going to check addresses  ip address: 127.0.0.1 0.0.0.0/0.0.0.0
The ci_acl_spec_t:all matches
Log request to access log file /var/log/c-icap/access.log


c-icap.conf
-----------------------------------------------------------------

PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
MaxMemObject 131072
Port 1345
User squid
Group squid
ServerAdmin you@xxxxxxxxxxxx
ServerName debian
TmpDir /var/lib/c_icap/temporary
DebugLevel 11
ModulesDir /usr/lib/c_icap
ServicesDir /usr/lib/c_icap
TemplateDir /usr/share/c_icap/templates/
LoadMagicFile /etc/c-icap.magic
TemplateDefaultLanguage en
#TemplateReloadTime 360
#TemplateCacheSize 20
#TemplateMemBufSize 8192

acl all src 0.0.0.0/0.0.0.0
acl loopback src 127.0.0.1

RemoteProxyUsers on
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
LogFormat allFormat "%tl;%a;%un;%iu;%is;%huo"
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log allFormat all

GroupSourceByGroup hash:/etc/c-icap/c-icap-groups.txt
GroupSourceByUser hash:/etc/c-icap/c-icap-user-groups.txt


#ACLS FOR SQUIDGUARD RULE interne

#IP Addresses
acl 192_168_1_240 src 192.168.1.240

#Groups and users
#no groups set

#Sysloger
Module logger sys_logger.so

sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning

sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1

Module common bdb_tables.so
Module common dnsbl_tables.so
Service url_check_module srv_url_check.so


#Preload squidGuard databases#
url_check.LoadSquidGuardDB W-1 /var/lib/squidguard/personal-categories/W-1/
url_check.LoadSquidGuardDB F-1 /var/lib/squidguard/personal-categories/filesblock-default/
url_check.LoadSquidGuardDB W-2 /var/lib/squidguard/personal-categories/W-2/
url_check.LoadSquidGuardDB F-2 /var/lib/squidguard/personal-categories/filesblock-interne/
url_check.LoadSquidGuardDB adult /var/lib/squidguard/adult/
url_check.LoadSquidGuardDB plus-adult-artica /var/lib/squidguard/blacklist-artica/adult/
url_check.LoadSquidGuardDB mixed_adult /var/lib/squidguard/mixed_adult/
url_check.LoadSquidGuardDB sexual_education /var/lib/squidguard/sexual_education/
url_check.LoadSquidGuardDB plus-sexual_education-artica /var/lib/squidguard/blacklist-artica/sexual_education/
url_check.LoadSquidGuardDB agressif /var/lib/squidguard/agressif/

#Define profiles for rule 2 (interne)
url_check.Profile interne pass W-2
url_check.Profile interne block F-2
url_check.Profile interne block adult
url_check.Profile interne block plus-adult-artica
url_check.Profile interne block mixed_adult
url_check.Profile interne block sexual_education
url_check.Profile interne block plus-sexual_education-artica
url_check.Profile interne block agressif


#Maps access groups and IP from profiles
url_check.ProfileAccess interne 192_168_1_240


#Define profiles for rule 1 (default)
url_check.Profile default pass W-1
url_check.Profile default block F-1
url_check.Profile default pass W-1
url_check.Profile default block F-1


#Clamav
Service antivirus_module srv_clamav.so srv_url_check.so
ServiceAlias  avscan srv_clamav?allow204=off&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE MSOFFICE
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
srv_clamav.TransferIgnore flv, f4v, f4p, f4a, f4b, mpeg, mp2, mp3
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.Allow204Responces off
srv_clamav.MaxObjectSize  5M
srv_clamav.ClamAvTmpDir /var/tmp
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /opt/artica/share/www/squid-attachments
srv_clamav.VirHTTPServer "https:///exec.cicap.php?usename=%f&remove=1&file=";
srv_clamav.VirUpdateTime   15



squid.conf
-----------------------------------------------------------------


auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
cache_effective_user squid
cache_effective_group squid
#--------- PERFORMANCE TWEAKS
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- squidGuard
#transferred to C-ICAP


#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst ::1/128
acl CONNECT method CONNECT
acl manager proto cache_object
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
acl bigfiles_types urlpath_regex -i \.deb$
acl bigfiles_types urlpath_regex -i \.rpm$
acl bigfiles_types urlpath_regex -i \.iso$
acl bigfiles_types urlpath_regex -i \.tar\.gz$
acl bigfiles_types urlpath_regex -i \.gz$
acl bigfiles_types urlpath_regex -i \.bz$
acl bigfiles_types urlpath_regex -i \.tar$
acl bigfiles_types urlpath_regex -i \.cue$
acl bigfiles_types urlpath_regex -i \.nrg$
acl bigfiles_types urlpath_regex -i \.crf$
acl bigfiles_types urlpath_regex -i \.bwi$
acl bigfiles_types urlpath_regex -i \.bwt$
acl bigfiles_types urlpath_regex -i \.lcd$
acl bigfiles_types urlpath_regex -i \.ccd$
acl bigfiles_types urlpath_regex -i \.mdf$
acl bigfiles_types urlpath_regex -i \.mds$
acl bigfiles_types urlpath_regex -i \.vcd$
acl bigfiles_types urlpath_regex -i \.cif$
acl bigfiles_types urlpath_regex -i \.vdi$
acl bigfiles_types urlpath_regex -i \.img$
acl office_network src 192.168.1.0/24


#--------- MAIN RULES...
# --------- SAFE ports
acl Safe_ports port 80	#http
acl Safe_ports port 20	#ftp-data
acl Safe_ports port 21	#ftp
acl Safe_ports port 22	#ssh
acl Safe_ports port 443 563	#https, snews
acl Safe_ports port 1863 	#msn
acl Safe_ports port 70	#gopher
acl Safe_ports port 210	#wais
acl Safe_ports port 1025-65535	#unregistered ports
acl Safe_ports port 280	#http-mgmt
acl Safe_ports port 488	#gss-http
acl Safe_ports port 591	#filemaker
acl Safe_ports port 777	#multiling http
acl Safe_ports port 631	#cups
acl Safe_ports port 873	#rsync
acl Safe_ports port 901	#SWAT#
http_access allow localhost
http_access allow manager localhost
http_access deny blockedsites
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$
http_access allow office_network
acl SSL_ports port 443 563 6667 9000 2
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny all

# --------- ICAP Services.(1 service(s))
# --------- icap_service C-ICAP mode 3.1.x
# --------- icap_service C-ICAP + SquidGuard

icap_service	service_url_check reqmod_precache 0 bypass=on icap://127.0.0.1:1345/url_check
icap_service  service_antivir respmod_precache bypass=on icap://127.0.0.1:1345/srv_clamav



# --------- adaptation for C-ICAP service
adaptation_service_set  class_url_check  service_url_check
adaptation_access  class_url_check  allow all
adaptation_service_set  class_antivirus service_antivir
adaptation_access       class_antivirus deny MULTIMEDIA
adaptation_access       class_antivirus allow all


icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on




# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxyweb


# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds


# --------- Objects limits
request_body_max_size 5 MB
request_header_max_size 64 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB


#http/https ports
http_port 3128 transparent

always_direct allow all


# --------- Caches
#cache_replacement_policy heap LFUDA
cache_mem 8 MB
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024


# --------- SPECIFIC DNS SERVERS

#--------- FTP specific parameters
ftp_list_width 32
ftp_passive yes

debug_options ALL,1
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		   0	20%	4320
icp_port 3130


#Logs-------------------------------------------------
emulate_httpd_log on
#fqdn is disabled to provide IP addresses to filters
log_fqdn off
coredump_dir	/var/squid/cache
cache_store_log	/var/log/squid/store.log
cache_log	/var/log/squid/cache.log
pid_filename	/var/run/squid.pid
access_log	/var/log/squid/access.log
icap_log /var/log/squid/icap_access.log

cache_dir	ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
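As an added illustration (not part of the original message or of c-icap), the script below replays the "going to check addresses" debug lines quoted above and applies the usual mask-and-compare test for a network/netmask acl. It assumes the log format is "ip address: <address being tested> <acl address>/<netmask>", which is how the loopback and all lines read; under that reading the address tested is 127.0.0.1 in every line, the squid end of the icap://127.0.0.1:1345 connection, so an acl written for 192.168.1.240 never matches while loopback and all do.

```python
import ipaddress
import re

# Constructed sample: debug lines in the shape the post shows, one
# "Check request with" line followed by the address line it produced.
LOG_LINES = [
    "Check request with ci_acl_spec_t:loopback",
    "going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255",
    "Check request with ci_acl_spec_t:192_168_1_240",
    "going to check addresses  ip address: 127.0.0.1 192.168.1.240/255.255.255.255",
    "Check request with ci_acl_spec_t:all",
    "going to check addresses  ip address: 127.0.0.1 0.0.0.0/0.0.0.0",
]

SPEC_RE = re.compile(r"Check request with ci_acl_spec_t:(\S+)")
# Assumed layout: tested address, then the acl's address/netmask.
ADDR_RE = re.compile(r"ip address: (\S+) (\S+)/(\S+)")


def matches(tested_ip, network, netmask):
    """Network/netmask acl test: (ip & mask) == (network & mask)."""
    ip = int(ipaddress.IPv4Address(tested_ip))
    net = int(ipaddress.IPv4Address(network))
    mask = int(ipaddress.IPv4Address(netmask))
    return (ip & mask) == (net & mask)


def evaluate(lines):
    """Pair each acl name with the address line that follows it.

    Returns a list of (acl_name, tested_ip, matched) tuples in log order.
    """
    results = []
    acl_name = None
    for line in lines:
        m = SPEC_RE.search(line)
        if m:
            acl_name = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if m and acl_name:
            tested, net, mask = m.groups()
            results.append((acl_name, tested, matches(tested, net, mask)))
            acl_name = None
    return results


if __name__ == "__main__":
    for name, tested, ok in evaluate(LOG_LINES):
        print(f"{name:15s} tested against {tested:12s} -> "
              f"{'matches' if ok else 'no match'}")
```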

