Hi Alex (& hi Amos) it depends on the ICAP Service. The one I am trying to use is F-Secure FSICAPD which is not working as expected. So i compared with ClamAV C-ICAP: With ClamAV C-ICAP there is defined "MaxStreamSize 25M" as default, so after 25MB scanned by ICAP I can see with tcpdump on port 1344 "ICAP/1.0 200 OK" from ICAP to Squid which triggers the browser to start the download. Thats what i want also for F-Secure ICAP. #ClamAV MaxStreamSize reached ICAP response: ICAP/1.0 200 OK Server: C-ICAP/0.4.4 Connection: keep-alive ISTag: CI0001-1-squidclamav-10 Encapsulated: res-hdr=0, res-body=331 Unfortunately, the F-Secure ICAP is not sending this "ICAP/1.0 200 OK" after X MB or X Seconds. I am in touch with them if this is a bug, i dont know yet, they're checking that. So, if their ICAP really is not sending "ICAP/1.0 200 OK" after X Seconds/MB, can I configure SQUID with a workaround? So, to your questions: > 1. How to configure Squid to never send huge files to your ICAP service? Yes, as a workaround, but how? Header of big files are usually not included. > 2. How to configure your ICAP service to speed up huge-file decisions? The header seems not include the file size. Here is an example of 100MB Virus File (EICAR Signature at the beginning) Header: RESPMOD icap://127.0.0.1:1344/response ICAP/1.0 Host: 127.0.0.1:1344 Date: Fri, 04 Jan 2019 15:56:48 GMT Encapsulated: req-hdr=0, res-hdr=434, res-body=676 GET https://schroeffu.ch/100mbrandomvirus_begin.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Cookie: _pk_id.n/a.1636=5b8e9d8d8516ea65.1546604985.1.1546604985.1546604985. Upgrade-Insecure-Requests: 1 Host: schroeffu.ch HTTP/1.1 200 OK Server: nginx Date: Fri, 04 Jan 2019 15:56:48 GMT Content-Type: text/plain Last-Modified: Fri, 04 Jan 2019 15:31:19 GMT Vary: Accept-Encoding ETag: W/"5c2f7c47-61a8088" X-Powered-By: PleskLin Content-Encoding: gzip The 200 OK reaches Squid after 100% of 100MB has been scanned by F-secure ICAP after 114 Seconds (!), means, the browser is 114 Seconds doing nothing but watiting: ICAP/1.0 200 OK Server: F-Secure ICAP Server ISTag: "FSAV-2019-01-02_04" Connection: keep-alive Expires: Fri, 04 Jan 2019 16:58:42 GMT X-FSecure-Scan-Result: clean X-FSecure-ORSP-FRS-Duration: 5.005693 X-FSecure-Transaction-Duration: 114.205939 X-FSecure-Versions: F-Secure Corporation Hydra/5.22 build 28/2018-12-28_01 F-Secure Corporation Aquarius/1.0 build 8/2019-01-02_04 fsavd/1.0/0148 fsicapd/1.1.277-263d28a Encapsulated: res-hdr=0, res-body=242 > 3. How to configure Squid to send huge files to your ICAP service without storing them in Squid memory or in Squid disk cache? No, this point we can forget. I think best would be to configure squid, if ICAP is not able to scan the complete request in 10 seconds, skip (or mark as clean) and let browser download it. 10 seconds icap scan timeout seems to be the default in ESET Linux Gateway ICAP too. Can I configure that in Squid? _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
