Search squid archive

ICAP failure when using clamav scan denied reply

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am using squid 3.2.3
+ http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11699.patch(Polish:
replace several assert(isOpen(fd)))
+ c-icap 0.1.7
+ squidclamav 6.9
+ squidGuard 1.4

    as default I deny all application/octet-stream reply access, and
disable virus scan picture ^.*\.(ico|gif|png|jpg)$ in squidclamav.
    my problem is when user try to access a link that end of .gif but
reply content type is application/octet-stream, c-icap will store that
content to /var/tmp and keep it, then die in icap process, even I
reload icap.


Squid Cache: Version 3.2.3
configure options:  '--enable-icmp' '--enable-delay-pools'
'--enable-icap-client' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-cachemgr-hostname=localhost' '--enable-ssl'
'--enable-cache-digests' '--enable-epoll' '--disable-ipfw-transparent'
'--disable-ipf-transparent' '--disable-pf-transparent'
'--disable-linux-netfilter' '--enable-follow-x-forwarded-for'
'--enable-ident-lookups' '--enable-ssl-crtd' '--enable-auth'
'--enable-auth-basic=LDAP,NCSA,SMB,MSNT,MSNT-multi-domain'
'--enable-auth-ntlm=smb_lm' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=kerberos_ldap_group,AD_group,unix_group,wbinfo_group,LDAP_group,file_userip,LM_group'
'--with-default-user=squid' '--enable-ltdl-convenience'

acl blockmime rep_mime_type application/octet-stream
http_reply_access deny blockmime
http_reply_access allow all

icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service squidclamav_req reqmod_precache bypass=0
icap://127.0.0.1:1344/squidclamav
icap_service squidclamav_resp respmod_precache bypass=0
icap://127.0.0.1:1344/squidclamav
adaptation_access squidclamav_req allow all
adaptation_access squidclamav_resp allow all

c-icap.conf

PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 10
MaxServers 20
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
User apache
Group apache
ServerAdmin i@***.com.cn
ServerName proxy
TmpDir /var/tmp
MaxMemObject 1048576
DebugLevel 0
ModulesDir /usr/local/lib/c_icap
ServicesDir /usr/local/lib/c_icap
TemplateDir /usr/local/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /usr/local/etc/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so
Service squidclamav squidclamav.so


squidclamav.conf

clamd_local /var/run/clamav/clamd.sock
redirect http://proxy/cgi-bin/clwarn.cgi
maxsize 50000000
timeout 2
logredir 0
dnslookup 1
abort ^.*\.(ico|gif|png|jpg)$
abort ^.*\.(css|xml|xsl|js|html|jsp)$
abort ^.*\.swf$
abortcontent ^image\/.*$
abortcontent ^text\/.*$
abortcontent ^application\/x-javascript$
abortcontent ^video\/x-flv$
abortcontent ^video\/mp4$
abortcontent ^application\/x-shockwave-flash$
abortcontent ^.*application\/x-mms-framed.*$

my squid log
1375345064.448   6471 1.1.2.3 TCP_DENIED_REPLY/403 9044 GET
http://bbs.chinaacc.com/getresource.php?thumb=1&rid=104959 user_Name
FIRSTUP_PARENT/1.1.2.2 text/html

ls -l --time-style=+%s /var/tmp
-rw------- 1 apache apache 3924554 1375345064 CI_TMP_bykwF4

lsof /var/tmp/CI_TMP_bykwF4
c-icap  20802 apache   33u   REG  253,0  3924554 244479 CI_TMP_bykwF4

lsof -p 20802
c-icap  20802 apache   31u   REG    253,0  3924554   181742
/var/tmp/CI_TMP_pZJZ3q
c-icap  20802 apache   32u   REG    253,0  3924554   244478
/var/tmp/CI_TMP_nj2kWD
c-icap  20802 apache   33u   REG    253,0  3924554   244479
/var/tmp/CI_TMP_bykwF4
c-icap  20802 apache   35u  IPv4 20636425      0t0      TCP
localhost:icap->localhost:37850 (ESTABLISHED)

firebug report:

GET getresource.php?thumb=1&rid=104959 200 OK    bbs.chinaacc.com
3.7 MB    1.1.2.2:8000    8.43s
ParamsHeadersResponseCookies
Response Headersview source
Connection    keep-alive
Content-Disposition    inline; filename="62037b5agw1droqc7t0qeg.gif"
Content-Encoding    none
Content-Length    3924554
Content-Type    application/octet-stream
Date    Thu, 01 Aug 2013 08:29:43 GMT
Last-Modified    Thu, 01 Aug 2013 08:29:43 GMT
Proxy-Authentication-Info    Negotiate
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqiHRChCBhCm+q94YpjxLaCevHSu6pf+h8c3qgm0klDOgz9hinJRUaR7kq1pwV5+64cHmG146DDjehdQ+AmKcPRxnMsNnjqGr1zcPK2czlMdEDWOCGka7B3jJPGMIJDK6onV1cKqgcUIPosg==
Server    nginx
Via    ICAP/1.0 proxy (C-ICAP/0.1.7 SquidClamav/Antivirus service )
X-Cache    MISS from webproxy, MISS from proxy
X-Cache-Lookup    MISS from proxy:8001, MISS from proxy:8000
X-Powered-By    PHP/5.2.10
Request Headersview source
Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding    gzip, deflate
Accept-Language    en-US,en;q=0.5
Connection    keep-alive
Cookie    uid=O5dxe1H6GMwUmXg4A3drAg==
Host    bbs.chinaacc.com
User-Agent    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0)
Gecko/20100101 Firefox/20.0

-- 
Regards,
John Xue




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux