On Tuesday 31 August 2010 07:26:29, David Touzeau wrote:
> Dear
>
> I would like to know if anyone is using C-ICAP+squidGuard on squid 3.1.x.
>
> I have created a rule to match an acl on an IP address:
>
> acl 192_168_1_240 src 192.168.1.240
>
> It seems that the first IP scanned by c-icap is always the loopback IP
> (127.0.0.1).
>
> When the 192.168.1.240 IP passes through c-icap, c-icap displays:
> going to check addresses ip address: 127.0.0.1 192.168.1.240/255.255.255.255
>
> Why is there a 127.0.0.1 prefix?
> According to this, no rules match the acl and IP objects always match the
> default rule.
>
> I have added an acl specific to the loopback, "acl loopback src
> 127.0.0.1", and c-icap says correctly:
>
> going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
> The ci_acl_spec_t:loopback matches
>
> Where am I wrong? How do I delete the 127.0.0.1 prefix in the
> connection link?
> Is it a squid.conf problem, or specific changes to the squid method
> (using the 3.1.4 version)?
>
> Here are the C-ICAP debug logs:
> ------------------------------------------------------------------
>
> Check request with an access entry
> Access control: ALLOW
> pool hits:2 allocations: 1
> Allocating from objects pool object 0
> Requested service: url_check
> URL to host www.freesexvideos2k.com
> URL page www.freesexvideos2k.com/style.css
> Check request with an access entry
> Check request with ci_acl_spec_t:loopback
> going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
> The ci_acl_spec_t:loopback matches
> Check request with ci_acl_spec_t:loopback
> going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
> The ci_acl_spec_t:loopback matches
> Check request with ci_acl_spec_t:192_168_1_240
> going to check addresses ip address: 127.0.0.1 192.168.1.240/255.255.255.255
> Going to check the db W-1 for BLOCK
> sg_db W-1 is not open?
> Going to check the db F-1 for PASS
> sg_db: checking domain www.freesexvideos2k.com
> db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair found
> sg_db: checking url www.freesexvideos2k.com/style.css
> Going to check the db W-1 for BLOCK
> sg_db W-1 is not open?
> Going to check the db F-1 for PASS
> sg_db: checking domain www.freesexvideos2k.com
> db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair found
> sg_db: checking url www.freesexvideos2k.com/style.css
> Storing to objects pool object 0
> Check request with an access entry
> Check request with ci_acl_spec_t:all
> going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0
> The ci_acl_spec_t:all matches
> Check request with ci_acl_spec_t:all
> going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0
> The ci_acl_spec_t:all matches
> Log request to access log file /var/log/c-icap/access.log
>
>
> c-icap.conf
> -----------------------------------------------------------------
>
> PidFile /var/run/c-icap.pid
> CommandsSocket /var/run/c-icap/c-icap.ctl
> Timeout 300
> MaxKeepAliveRequests 100
> KeepAliveTimeout 600
> StartServers 3
> MaxServers 10
> MinSpareThreads 10
> MaxSpareThreads 20
> ThreadsPerChild 10
> MaxRequestsPerChild 0
> MaxMemObject 131072
> Port 1345
> User squid
> Group squid
> ServerAdmin you@xxxxxxxxxxxx
> ServerName debian
> TmpDir /var/lib/c_icap/temporary
> DebugLevel 11
> ModulesDir /usr/lib/c_icap
> ServicesDir /usr/lib/c_icap
> TemplateDir /usr/share/c_icap/templates/
> LoadMagicFile /etc/c-icap.magic
> TemplateDefaultLanguage en
> #TemplateReloadTime 360
> #TemplateCacheSize 20
> #TemplateMemBufSize 8192
>
> acl all src 0.0.0.0/0.0.0.0
> acl loopback src 127.0.0.1
>
> RemoteProxyUsers on
> RemoteProxyUserHeader X-Authenticated-User
> RemoteProxyUserHeaderEncoded on
> LogFormat allFormat "%tl;%a;%un;%iu;%is;%huo"
> ServerLog /var/log/c-icap/server.log
> AccessLog /var/log/c-icap/access.log allFormat all
>
> GroupSourceByGroup hash:/etc/c-icap/c-icap-groups.txt
> GroupSourceByUser hash:/etc/c-icap/c-icap-user-groups.txt
>
>
> #ACLS FOR SQUIDGUARD RULE interne
>
> #IP Addresses
> acl 192_168_1_240 src 192.168.1.240
>
> #Groups and users
> #no groups set
>
> #Sysloger
> Module logger sys_logger.so
>
> sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning
>
> sys_logger.Prefix "C-ICAP:"
> sys_logger.Facility local1
>
> Module common bdb_tables.so
> Module common dnsbl_tables.so
> Service url_check_module srv_url_check.so
>
>
> #Preload squidGuard databases#
> url_check.LoadSquidGuardDB W-1 /var/lib/squidguard/personal-categories/W-1/
> url_check.LoadSquidGuardDB F-1 /var/lib/squidguard/personal-categories/filesblock-default/
> url_check.LoadSquidGuardDB W-2 /var/lib/squidguard/personal-categories/W-2/
> url_check.LoadSquidGuardDB F-2 /var/lib/squidguard/personal-categories/filesblock-interne/
> url_check.LoadSquidGuardDB adult /var/lib/squidguard/adult/
> url_check.LoadSquidGuardDB plus-adult-artica /var/lib/squidguard/blacklist-artica/adult/
> url_check.LoadSquidGuardDB mixed_adult /var/lib/squidguard/mixed_adult/
> url_check.LoadSquidGuardDB sexual_education /var/lib/squidguard/sexual_education/
> url_check.LoadSquidGuardDB plus-sexual_education-artica /var/lib/squidguard/blacklist-artica/sexual_education/
> url_check.LoadSquidGuardDB agressif /var/lib/squidguard/agressif/
>
> #Define profiles for rule 2 (interne)
> url_check.Profile interne pass W-2
> url_check.Profile interne block F-2
> url_check.Profile interne block adult
> url_check.Profile interne block plus-adult-artica
> url_check.Profile interne block mixed_adult
> url_check.Profile interne block sexual_education
> url_check.Profile interne block plus-sexual_education-artica
> url_check.Profile interne block agressif
>
>
> #Maps access groups and IP from profiles
> url_check.ProfileAccess interne 192_168_1_240
>
>
> #Define profiles for rule 1 (default)
> url_check.Profile default pass W-1
> url_check.Profile default block F-1
> url_check.Profile default pass W-1
> url_check.Profile default block F-1
>
>
> #Clamav
> Service antivirus_module srv_clamav.so srv_url_check.so
> ServiceAlias avscan srv_clamav?allow204=off&sizelimit=off&mode=simple
> srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE MSOFFICE
> srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
> srv_clamav.TransferIgnore flv, f4v, f4p, f4a, f4b, mpeg, mp2, mp3
> srv_clamav.SendPercentData 5
> srv_clamav.StartSendPercentDataAfter 2M
> srv_clamav.Allow204Responces off
> srv_clamav.MaxObjectSize 5M
> srv_clamav.ClamAvTmpDir /var/tmp
> srv_clamav.ClamAvMaxFilesInArchive 0
> srv_clamav.ClamAvMaxFileSizeInArchive 100M
> srv_clamav.ClamAvMaxRecLevel 5
> srv_clamav.VirSaveDir /opt/artica/share/www/squid-attachments
> srv_clamav.VirHTTPServer "https:///exec.cicap.php?usename=%f&remove=1&file="
> srv_clamav.VirUpdateTime 15
>
>
> squid.conf
> -----------------------------------------------------------------
>
> auth_param basic credentialsttl 2 hour
> authenticate_ttl 1 hour
> authenticate_ip_ttl 60 seconds
> cache_effective_user squid
> cache_effective_group squid
> #--------- TWEEKS PERFORMANCES
> # http://blog.last.fm/2007/08/30/squid-optimization-guide
> memory_pools off
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> client_db off
> buffered_logs on
> half_closed_clients off
>
> #--------- squidGuard
> #transfered to C-ICAP
>
>
> #--------- acls
> acl blockedsites url_regex "/etc/squid3/squid-block.acl"
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst ::1/128
> acl CONNECT method CONNECT
> acl manager proto cache_object
> acl FTP proto FTP
> acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
> acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
> acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
> acl multimedia_rep rep_mime_type -i ^image/
> acl multimedia_rep rep_mime_type -i ^video
> acl multimedia_rep rep_mime_type -i ^audio
> acl multimedia_rep rep_mime_type -i ^application/x-dvi$
> acl multimedia_rep rep_mime_type -i ^application/x-isoview
> acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
> acl bigfiles_types urlpath_regex -i \.deb$
> acl bigfiles_types urlpath_regex -i \.rpm$
> acl bigfiles_types urlpath_regex -i \.iso$
> acl bigfiles_types urlpath_regex -i \.tar\.gz$
> acl bigfiles_types urlpath_regex -i \.gz$
> acl bigfiles_types urlpath_regex -i \.bz$
> acl bigfiles_types urlpath_regex -i \.tar$
> acl bigfiles_types urlpath_regex -i \.cue$
> acl bigfiles_types urlpath_regex -i \.nrg$
> acl bigfiles_types urlpath_regex -i \.crf$
> acl bigfiles_types urlpath_regex -i \.bwi$
> acl bigfiles_types urlpath_regex -i \.bwt$
> acl bigfiles_types urlpath_regex -i \.lcd$
> acl bigfiles_types urlpath_regex -i \.ccd$
> acl bigfiles_types urlpath_regex -i \.mdf$
> acl bigfiles_types urlpath_regex -i \.mds$
> acl bigfiles_types urlpath_regex -i \.vcd$
> acl bigfiles_types urlpath_regex -i \.cif$
> acl bigfiles_types urlpath_regex -i \.vdi$
> acl bigfiles_types urlpath_regex -i \.img$
> acl office_network src 192.168.1.0/24
>
>
> #--------- MAIN RULES...
> # --------- SAFE ports
> acl Safe_ports port 80 #http
> acl Safe_ports port 20 #ftp-data
> acl Safe_ports port 21 #ftp
> acl Safe_ports port 22 #ssh
> acl Safe_ports port 443 563 #https, snews
> acl Safe_ports port 1863 #msn
> acl Safe_ports port 70 #gopher
> acl Safe_ports port 210 #wais
> acl Safe_ports port 1025-65535 #unregistered ports
> acl Safe_ports port 280 #http-mgmt
> acl Safe_ports port 488 #gss-http
> acl Safe_ports port 591 #filemaker
> acl Safe_ports port 777 #multiling http
> acl Safe_ports port 631 #cups
> acl Safe_ports port 873 #rsync
> acl Safe_ports port 901 #SWAT#
> http_access allow localhost
> http_access allow manager localhost
> http_access deny blockedsites
> acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$
> http_access allow office_network
> acl SSL_ports port 443 563 6667 9000 2
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny all
>
> # --------- ICAP Services.(1 service(s))
> # --------- icap_service C-ICAP mode 3.1.x
> # --------- icap_service C-ICAP + SquidGuard
>
> icap_service service_url_check reqmod_precache 0 bypass=on icap://127.0.0.1:1345/url_check
> icap_service service_antivir respmod_precache bypass=on icap://127.0.0.1:1345/srv_clamav
>
>
> # --------- adaptation for C-ICAP service
> adaptation_service_set class_url_check service_url_check
> adaptation_access class_url_check allow all
> adaptation_service_set class_antivirus service_antivir
> adaptation_access class_antivirus deny MULTIMEDIA
> adaptation_access class_antivirus allow all
>
>
> icap_enable on
> icap_preview_size 128
> icap_service_failure_limit -1
> icap_preview_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_client_username_encode on
>
>
> # --------- ident_lookup_access
> hierarchy_stoplist cgi-bin ?
>
> # --------- General settings
> visible_hostname proxyweb
>
>
> # --------- time-out
> dead_peer_timeout 10 seconds
> dns_timeout 2 minutes
> connect_timeout 1600 seconds
> persistent_request_timeout 3 minutes
> pconn_timeout 1600 seconds
>
>
> # --------- Objects limits
> request_body_max_size 5 MB
> request_header_max_size 64 KB
> maximum_object_size 300 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 8 KB
>
>
> #http/https ports
> http_port 3128 transparent
>
> always_direct allow all
>
>
> # --------- Caches
> #cache_replacement_policy heap LFUDA
> cache_mem 8 MB
> cache_swap_high 90
> cache_swap_low 95
> # --------- DNS and ip caches
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 1024
>
>
> # --------- SPECIFIC DNS SERVERS
>
> #--------- FTP specific parameters
> ftp_list_width 32
> ftp_passive yes
>
> debug_options ALL,1
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> icp_port 3130
>
>
> #Logs-------------------------------------------------
> emulate_httpd_log on
> #fqdn is disabled to provide IP addresses to filters
> log_fqdn off
> coredump_dir /var/squid/cache
> cache_store_log /var/log/squid/store.log
> cache_log /var/log/squid/cache.log
> pid_filename /var/run/squid.pid
> access_log /var/log/squid/access.log
> icap_log /var/log/squid/icap_access.log
>
> cache_dir ufs /var/cache/squid 2000 16 256
> # --------- OTHER CACHES

C-icap will report the IP of the source that connects to it, in this case 127.0.0.1 because they are in the same box. That is normal.
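A replay of the address check that the debug log in the thread reports, written as an added example (it is not c-icap's or Squid's own code). It treats a c-icap `src` ACL as a plain IPv4 prefix test, peer AND mask == network AND mask, which is the shape of the `going to check addresses ip address: <peer> <network>/<mask>` lines, and it assumes, as the reply states, that the peer address tested is the address of the TCP client that connected to c-icap (Squid on 127.0.0.1 here), not the browser's address. The sample lines are taken from the post with the mail-wrapped line rejoined; the function names and the log-line regex are this example's own.

```python
"""Replay c-icap src-ACL checks from DebugLevel 11 log lines (added example)."""
import ipaddress
import re

# Two line shapes from the c-icap debug log: the ACL being tested, and the
# address test that follows it ("<peer> <network>/<mask>").
CHECK_RE = re.compile(
    r"Check request with ci_acl_spec_t:(?P<spec>\S+)"
    r"|going to check addresses ip address: "
    r"(?P<peer>[\d.]+)\s+(?P<net>[\d.]+)/(?P<mask>[\d.]+)"
)


def src_matches(peer: str, network: str, mask: str) -> bool:
    """Prefix test assumed for a c-icap 'src' ACL: peer & mask == network & mask."""
    p = int(ipaddress.IPv4Address(peer))
    n = int(ipaddress.IPv4Address(network))
    m = int(ipaddress.IPv4Address(mask))
    return (p & m) == (n & m)


def replay_acl_checks(log_lines):
    """Pair each 'Check request with ci_acl_spec_t:<name>' line with the
    address test that follows it; return [(spec, peer, 'net/mask', matched)]."""
    results = []
    current = None
    for line in log_lines:
        m = CHECK_RE.search(line)
        if not m:
            continue  # db lookups, pool messages, etc. are not ACL tests
        if m.group("spec"):
            current = m.group("spec")
        elif current is not None:
            matched = src_matches(m.group("peer"), m.group("net"), m.group("mask"))
            results.append(
                (current, m.group("peer"), f"{m.group('net')}/{m.group('mask')}", matched)
            )
            current = None
    return results


# Lines quoted from the post's debug log (wrapped line rejoined).
SAMPLE_LOG = [
    "Check request with ci_acl_spec_t:loopback",
    "going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255",
    "The ci_acl_spec_t:loopback matches",
    "Check request with ci_acl_spec_t:192_168_1_240",
    "going to check addresses ip address: 127.0.0.1 192.168.1.240/255.255.255.255",
    "Going to check the db W-1 for BLOCK",
    "Check request with ci_acl_spec_t:all",
    "going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0",
    "The ci_acl_spec_t:all matches",
]


if __name__ == "__main__":
    for spec, peer, acl, ok in replay_acl_checks(SAMPLE_LOG):
        print(f"{spec:<14} peer={peer:<12} acl={acl:<30} {'matches' if ok else 'no match'}")
    # The same rule would match if c-icap saw the browser's address as its peer.
    print("192_168_1_240 with peer 192.168.1.240:",
          src_matches("192.168.1.240", "192.168.1.240", "255.255.255.255"))
```

Run against the quoted lines, the loopback and `all` rules match and `192_168_1_240` does not, because the only peer c-icap ever sees on this box is 127.0.0.1; the last line shows the rule itself is fine and would match a 192.168.1.240 peer.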