On 13/08/19 3:55 am, Prudhvisagar Bellamkonda wrote:
> Hi,
> Thanks for checking my message.
> Please check the below configuration, we are running squid 3.5 version.
>
> This service is running on AWS; it's a UI application trying to connect to
> a virus scanner to scan the uploaded file and send the request to the
> downstream application if the file is valid.
>
> We implemented squid before the virus scanner
>
> https_port 8443 accel defaultsite=imageuploadqa.com no-vhost

Since this is a reverse-proxy it really should be listening on port 443
unless you have a good reason not to. Do all these backend systems
accept URLs of the form: https://imageuploadqa.com:8443/...

FYI: One of the major benefits of a reverse-proxy is that it can protect
against garbage traffic for bogus domains etc. aimed at your domain. The
no-vhost style config disables that protection completely. No matter
what URL anyone sends to this proxy it will automatically force a re-write
with that scheme://domain:port/ string before any internal services and
even Squid's own ACLs get to see the traffic.

> cert=/qa/certificate/imageupload.cer
> key=/qa/certificate/private/imageupload.pem
> cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only
> name=imageuploadAccel ssl sslflags=DONT_VERIFY_PEER

Please remove that DONT_VERIFY_PEER. It is highly dangerous and actually
not useful. Just add the sslcafile= option with a PEM file containing the
CA(s) which issued that peer's X.509 certificate.

> acl imageupload dstdomain imageuploadqa.com
> http_access allow imageupload
> cache_peer_access imageuploadAccel allow imageupload
> cache_peer_access imageuploadAccel deny all
> icap_enable on
> icap_service service_avi_req reqmod_precache
> icap://domainnameofvirusscanner:1344/SYMCScanReqEx-AV bypass=off (not
> working, but working when we are trying to use the IP)

That is a very strong hint that the problem is DNS related. Check both A
and AAAA are resolving without a timeout or SERVFAIL result, and that the
IP(s) produced are all able to be connected to by the proxy machine, OR
that connection attempts get a quick non-routable ICMP error back.

> adaptation_access service_avi_req allow all
> icap_log /var/log/squid/icap.log icap_squid
>
>
> it is also working when the "cache_peer_access imageuploadAccel deny all" line
> is removed

Very odd. All that line is doing is making it clear to you what the
behaviour is for that peer.

>
> Please let me know if I am missing any configuration
>

Please explain "not working" in more detail - what do you see happening
exactly? Is it:
* failing to connect?
  - does the domain name resolve properly when looked up by your Squid?
* failing to send the ICAP request?
* failing to get a response?
* failing to deliver the response it gets?
* is any of those a timeout or an explicit error seen by Squid?
* is Squid producing any error message explaining the problem?
* are there any hints in cache.log?

Lots of details please.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
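The peer-verification and listening-port changes suggested above, written out as a squid.conf fragment. This is an added illustration, not configuration from the thread or from the Squid project; the CA bundle path and the use of `vhost` in place of `no-vhost` are assumptions.

```conf
# --- As posted: Squid accepts any certificate the downstream peer presents,
# so a forged or intercepted backend goes unnoticed.
https_port 8443 accel defaultsite=imageuploadqa.com no-vhost cert=/qa/certificate/imageupload.cer key=/qa/certificate/private/imageupload.pem
cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only name=imageuploadAccel ssl sslflags=DONT_VERIFY_PEER

# --- Corrected: listen on 443 and honour the Host header (vhost, assumed here)
# so the dstdomain ACL below actually filters bogus domains.
https_port 443 accel defaultsite=imageuploadqa.com vhost cert=/qa/certificate/imageupload.cer key=/qa/certificate/private/imageupload.pem

# Drop DONT_VERIFY_PEER; instead give Squid the CA(s) that issued the peer's
# X.509 certificate. The bundle path is an assumed example location.
cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only name=imageuploadAccel ssl sslcafile=/qa/certificate/ca/downstream-ca.pem

acl imageupload dstdomain imageuploadqa.com
http_access allow imageupload
http_access deny all
cache_peer_access imageuploadAccel allow imageupload
cache_peer_access imageuploadAccel deny all
```

If the peer's certificate is issued by a private CA, the PEM file must contain that CA's chain; a handshake failure in cache.log after this change points at a CA mismatch, not at the config syntax.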