Search squid archive

Re: Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu 12.May'16 at 22:20:47 +1200, Amos Jeffries wrote:
> On 12/05/2016 8:42 p.m., C. L. Martinez wrote:
> > On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>  
> >>
> >> 11.05.16 21:04, L.P.H. van Belle пишет:
> >>>
> >>> Hai,
> >>>
> >>>
> >>>
> >>> I reviewd your config, thing whats different in c-icap.conf compared
> >> to me.
> >>>
> >> Obviously, the mindless copying and pasting the config - very bad
> >> practice, is not it?
> >>>
> >>> RemoteProxyUsers off ( for you ) on for me.
> >>>
> >> # TAG: RemoteProxyUsers
> >> # Format: RemoteProxyUsers onoff
> >> # Description:
> >> #    Set it to on if you want to use username provided by the proxy server.
> >> #    This is the recomended way to use users in c-icap.
> >> #    If the RemoteProxyUsers is off and c-icap configured to use users or
> >> #    groups the internal authentication mechanism will be used.
> >> # Default:
> >> #    RemoteProxyUsers off
> >> RemoteProxyUsers off
> >>
> >> This is depending proxy configuration. And irrelevant current case.
> >>>
> >>>
> >>>
> >>> Whats the content of /etc/c-icap/squidclamav.conf ?
> >>>
> >>> The important part for me of the file :
> >>>
> >>> #clamd_local /var/run/clamd.socket ! change/check this
> >>>
> >> This is OS-dependent, as obvious.
> >>>
> >>> clamd_ip 127.0.0.1
> >>>
> >>> clamd_port 3310
> >>>
> >>>
> >>>
> >>> If you use socket make sure your rights are correct and icap is added
> >> to the clamav group.
> >>>
> >> Wrong. Squid group, not clamav.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> And my c-icap part of the squid.conf
> >>>
> >>> ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
> >>>
> >>> icap_enable on
> >>>
> >>> icap_send_client_ip on
> >>>
> >>> icap_send_client_username on
> >>>
> >>> icap_client_username_header X-Authenticated-User
> >>>
> >>> icap_persistent_connections on
> >>>
> >>> icap_preview_enable on
> >>>
> >>> icap_preview_size 1024
> >>>
> >>> icap_service service_req reqmod_precache bypass=1
> >> icap://127.0.0.1:1344/squidclamav
> >>>
> >>> adaptation_access service_req allow all
> >>>
> >>> icap_service service_resp respmod_precache bypass=1
> >> icap://127.0.0.1:1344/squidclamav
> >>>
> >>> adaptation_access service_resp allow all
> >>>
> >>>
> >>>
> >>> I think you changed to much in the example.
> >>>
> >>>
> >>>
> >>> Im reffering to these in the squid.conf
> >>>
> >>>> adaptation_access service_avi_resp allow all
> >>>
> >>> service_avi_resp?
> >>>
> >>>
> >>>
> >> Complete squid.conf fragment:
> >>
> >> icap_service service_avi_req reqmod_precache
> >> icap://localhost:1344/squidclamav bypass=off
> >> adaptation_access service_avi_req allow all
> >> icap_service service_avi_resp respmod_precache
> >> icap://localhost:1344/squidclamav bypass=on
> >> adaptation_access service_avi_resp allow all
> >>
> >> Please, PLEASE, do not make recommendation when you not understand what
> >> does config lines means!
> >>  
> > 
> > Ok, problem is solved. Seems there is some problem between squid and my unbound DNS server. Changing the following lines:
> > 
> > icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> > icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> > 
> > to:
> > 
> > icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> > icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
> > 
> > all works as expected. As you can see I have changed "localhost" for "127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and OpenBSD resolves correctly, but under unbound's config I have enabled "do-not-query-localhost: no" because unbound is configured to work with dnscrypt-proxy service...
> > 
> > I am not sure about this, but it is the only answer that explains this problem ... or it is a bug (but I don't think so).
> > 
> > What do you think??
> > 
> 
> I think that Squid told you it was sending an OPTIONS request to ICAP
> service, which failed. So it marked the service down. The service was
> not allowed to be bypassed (bypass=off), so cannot cope with being down.
> 
> It is possible "localhost" had to be resolved to do that OPTIONS
> request. However, if as you say it already has an entry in your
> /etc/hosts file then Squid should have loaded that entry as a permanent
> record and never be looking it up in DNS.
> 
> Amos

But when squid sents an OPTIONS request to ICAP, why works when I use 127.0.0.1 and not localhost?? Maybe it is a problem with openbsd's package ...

-- 
Greetings,
C. L. Martinez
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux