On 8/28/21 8:36 AM, Andrea Venturoli wrote:

> I've got Squid (4.15) configured as an HTTP[s] server, with squidclamav:
>> icap_enable on
>> icap_send_client_ip on
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow all
>> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow all
> Everything is fine on this side.

> Now I'm trying to make it act as an FTP proxy, with:
>> ftp_port 2121
> This works partially: I'm usually able to see remote directories, but
> uploads will fail (timing out on the client side).
> If I disable ICAP at all (comment the above lines), then the FTP proxy
> works properly.

This can be a Squid bug or an ICAP service bug/incompatibility with fake HTTP messages that Squid is using to represent native FTP traffic.

FWIW, the mapping between native FTP traffic (that Squid sees) and fake HTTP messages (that your ICAP service sees) is described at https://wiki.squid-cache.org/Features/FtpRelay

> I'm failing to understand the interaction between the two: even simple
> files fail to upload and I see no signs of ClamAV taking much time to
> scan them.
> Is this some known problem?

FWIW, I am not aware of it.

> Any suggestion on how to gain a better understanding?

Reproduce the problem using a single transaction on an otherwise idle Squid with full debugging enabled and share the corresponding cache.log: https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction

If the above is not feasible, collect ICAP requests and responses for the failing transaction and share them instead (a packet capture may be the easiest way to do that, but you can also try ALL,2 debugging if you can reproduce with a single transaction on an otherwise idle Squid).

> Or, is there any way I can tell Squid to avoid passing FTP traffic
> (coming on port 2121) to ICAP (while of course doing that for the rest)?

Yes, the adaptation_access directive controls what traffic goes to your ICAP services. To match ftp_port traffic, I would give the ftp_port a name and then try using that name in a myportname ACL. Other ACLs may also work, but I would start with myportname. If myportname does not work for ftp_port traffic, it is a Squid bug.

HTH,

Alex.
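
The suggestion in the reply above, written out as a squid.conf sketch. This is an added example, not part of the original message or of the Squid documentation. The port name `ftp_relay` and the ACL name `from_ftp_port` are hypothetical, and it assumes `ftp_port` accepts the `name=` option the same way `http_port` does.

```conf
# Added example. "ftp_relay" and "from_ftp_port" are hypothetical names.
# Assumption: ftp_port accepts name= like http_port does.
ftp_port 2121 name=ftp_relay

# Matches transactions that arrived on the listening port named above.
acl from_ftp_port myportname ftp_relay

icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 1024

# adaptation_access rules are checked in order and the first match decides,
# so the deny line must come before "allow all".
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req deny from_ftp_port
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp deny from_ftp_port
adaptation_access service_resp allow all
```

With these rules, everything relayed through port 2121 skips squidclamav, so FTP uploads and downloads are no longer scanned by ClamAV while HTTP[S] traffic still is. Run `squid -k parse` to check the syntax before reloading.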