On 25/01/2015 9:39 a.m., Marcus Kool wrote:
>
>
> On 01/24/2015 10:15 AM, Amos Jeffries wrote:
>> On 22/01/2015 10:11 a.m., Marcus Kool wrote:
>>> I am using Squid 3.4.9 and have an issue with tcp_outgoing_address.
>>>
>>> The Squid server is connected to the internet with multiple NICs and uses
>>> tcp_outgoing_address a.public.IP.address
>>>
>>> and also want to use an ICAP server on the same host using
>>>
>>> icap_service reqmod_urlfilterdb reqmod_precache icap://a.local.ip.address:1344/reqmod_icapd bypass=off routing=on on-overload=wait ipv6=off
>>>
>>> It seems that Squid binds the connection to the ICAP server the same way it binds
>>> connections to webservers using the rule with tcp_outgoing_address
>>> and that is not desired nor workable.
>>>
>>> I tried
>>>
>>> acl myicaphost dst a.local.ip.address
>>> tcp_outgoing_address a.public.IP.address !myicaphost
>>>
>>> but Squid issues the following errors:
>>> 2015/01/21 21:58:32 kid1| WARNING: myicaphost ACL is used in context without an HTTP request. Assuming mismatch.
>>> 2015/01/21 21:58:32 kid1| commBind: Cannot bind socket FD 10 to XX.XX.XX.XX: (99) Cannot assign requested address
>>> 2015/01/21 21:58:32 kid1| essential ICAP service is down after an options fetch failure: icap://XX.XX.XX.XX:1344/reqmod_icapd [down,!opt]
>>>
>>> So the question is how to send web traffic over a specific NIC and
>>> traffic to the ICAP server over another (default?) NIC?
>>
>>
>> Please try the attached patch against Squid-3.4. It should make your
>> config work.
>>
>> Amos
>
> Thank you for the patch.
> It resolves 1 issue: there is no longer the warning
> WARNING: myicaphost ACL is used in context without an HTTP request. Assuming mismatch.
>
> But the binding to the wrong NIC with the external IP still happens:
>
> 2015/01/24 17:19:48.027 kid1| Xaction.cc(133) openConnection: Adaptation::Icap::OptXact opens connection to 10.10.0.6:1344
> 2015/01/24 17:19:48.027 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall Adaptation::Icap::Xaction::noteCommConnected constructed, this=0x1d9d7e0 [call53]
> 2015/01/24 17:19:48.027 kid1| comm.cc(549) comm_openex: comm_openex: Attempt open socket for: a.public.IP.address
> 2015/01/24 17:19:48.027 kid1| comm.cc(590) comm_openex: comm_openex: Opened socket local=a.public.IP.address remote=[::] FD 10 flags=1 : family=2, type=1, protocol=6
>
> The firewall and routing were changed to allow traffic from the external IP to
> the internal IP so for us the urgency of the issue is low, but
> the binding remains on the external IP despite the ACL saying not to do it.

Aha, conceptual problem.

tcp_outgoing_address does not forbid things. There is no "allow/deny" action, just a set-IP action. It either sets the IP or it leaves it alone.

Your rule sets the IP when the dst is non-myicaphost. So what tcp_outgoing_address rule or OS level routing rule matches when it *is* myicaphost?

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
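One way to answer Amos's question in squid.conf, as an added example that is not part of the thread or of Squid's own documentation: give the ICAP destination its own set-IP rule so the local address is chosen explicitly, and keep the public-address rule for everything else. It reuses the placeholder addresses from the thread and assumes, as the patch discussion implies, that the dst ACL is evaluated against the ICAP server address for those connections.

```conf
# Added example (not from the thread); addresses are the thread's placeholders.
acl myicaphost dst a.local.ip.address

# tcp_outgoing_address lines are processed in order and the first fully
# matching line is used, so the more specific ICAP rule comes first.

# Connections to the ICAP server on this host: bind to the local interface.
tcp_outgoing_address a.local.ip.address myicaphost

# All other outgoing connections (web servers): bind to the public interface.
tcp_outgoing_address a.public.IP.address !myicaphost
```

After reloading, the comm_openex lines in cache.log at debug level should show `local=a.local.ip.address` for the OptXact connection to port 1344 and the public address for web traffic.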