
Re: tcp_outgoing_address and ICAP server


 





On 01/25/2015 02:33 PM, Amos Jeffries wrote:
On 26/01/2015 4:59 a.m., Marcus Kool wrote:


The debug trace starts with:
Xaction.cc(133) openConnection: *Adaptation::Icap::OptXact* opens
connection to 10.10.0.6:1344
and then
comm.cc(549) comm_openex: comm_openex: Attempt open socket for:
*a.public.IP.address*
comm.cc(590) comm_openex: comm_openex:Opened socket
local=*a.public.IP.address* remote=[::] FD 10 flags=1 : family=2,
type=1, protocol=6

so I think it is clear that the socket to the ICAP server on 10.10.0.6
is bound to the NIC with an external IP address (not obeying the ACL).


Okay you need to expand that with debug level 28,3 to see what Squid is
doing with the ACLs.

Well, I edited squid.conf again to extend the debug_options and
noticed that the config file had this:

tcp_outgoing_address a.public.ip.address
... (many lines)
acl myicaphost dst 10.10.0.6
tcp_outgoing_address a.public.ip.address !myicaphost

After commenting out the first tcp_outgoing_address, the binding works as expected,
i.e. squid does not bind the socket to the ICAP server on the external IP address.

So the ACL patch + correction of the squid.conf resolve the issue.

Thanks
Marcus


I do not understand your statement "I dont know why it was binding".

Squid only uses bind() if there is an explicit outgoing address required to be used.

Have you considered the possibility of a bug?

Yes, a bug in the binding would report bind errors opening a socket for
local=[::]. A bug in the ICAP will depend on what the ACL behaviour is.

Amos



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
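
The misconfiguration found in the message above, as an added example that is not part of the original thread or of Squid's code: tcp_outgoing_address lines are processed in order and processing stops at the first fully matching line, so a line with no ACLs makes every later line unreachable. The function names are hypothetical, 192.0.2.10 is a placeholder for the public address, and which ACLs match a connection is supplied by the caller rather than evaluated.

```python
# Constructed sample mirroring the squid.conf described in the message;
# 192.0.2.10 is a documentation address standing in for the public IP.
SAMPLE_CONF = """\
tcp_outgoing_address 192.0.2.10
# ... (many lines)
acl myicaphost dst 10.10.0.6
tcp_outgoing_address 192.0.2.10 !myicaphost
"""
# The corrected file: the first, unconditional line is gone.
FIXED_CONF = SAMPLE_CONF.split("\n", 1)[1]


def parse_rules(conf_text):
    """Return [(line_no, address, [acl, ...])] for each tcp_outgoing_address line."""
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tokens = line.split()
        if tokens[0] == "tcp_outgoing_address" and len(tokens) >= 2:
            rules.append((line_no, tokens[1], tokens[2:]))
    return rules


def shadowed_rules(conf_text):
    """Return [(line_no, shadowing_line_no)] for rules placed after a rule
    without ACLs; first-match processing never reaches them."""
    catch_all = None
    shadowed = []
    for line_no, _addr, acls in parse_rules(conf_text):
        if catch_all is not None:
            shadowed.append((line_no, catch_all))
        elif not acls:
            catch_all = line_no
    return shadowed


def select_address(conf_text, matching_acls):
    """First-match selection. matching_acls is the set of ACL names that are
    true for the connection (assumed known here). None means no bind()."""
    for _line_no, addr, acls in parse_rules(conf_text):
        if all((a[1:] not in matching_acls) if a.startswith("!")
               else (a in matching_acls) for a in acls):
            return addr
    return None


if __name__ == "__main__":
    for line_no, by in shadowed_rules(SAMPLE_CONF):
        print(f"line {line_no} is unreachable: line {by} has no ACLs")
```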




