Discussion:
[squid-users] ICAP - not sending Respmod
Thiago Cruz
2007-09-20 15:57:25 UTC
Hi all,

I was testing Squid 3.0.PRE6-20070718 and the ICAP protocol was working
fine. I've updated to 3.0.PRE7-20070919 and squid stopped sending Respmod,
although the Reqmod is ok. My conf follows:

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class filtro_url service_1 service_2
icap_access filtro_url allow all

I've tracked the connection and I can see the ICAP server answering with its Methods:

OPTIONS icap://127.0.0.1:1344/wwreqmod ICAP/1.0
Host: 127.0.0.1:1344

ICAP/1.0 200 OK
Allow: 204
Encapsulated: null-body=0
ISTAG: "001-000-000003"
Max-Connections: 50
Methods: REQMOD, RESPMOD, PROFILE, CERTVERIFY
Options-TTL: 300
Preview: 30
Service: Webwasher 6.5.2.2676 (WW 6.5)
Service-ID: ww
Transfer-Preview: *
X-Include: X-Authenticated-Groups,X-Authenticated-User,X-Client-IP


Bugzilla?

Thanks,
Thiago Cruz
Christos Tsantilas
2007-09-20 18:55:14 UTC
Hi,
Works very well for me. How are you testing it?
Maybe the problem is repeated ICAP service failures. In this case squid
stops using the service.

If you change the line:
icap_service service_2 respmod_precache 0 .....
to
icap_service service_2 respmod_precache 1 .....

What are you seeing?

The squid bugzilla is here:
http://www.squid-cache.org/bugs/

Regards,
Christos
Thiago Cruz
2007-09-20 21:39:58 UTC
Hi Christos,

I guess that there is a misconfiguration with my ICAP server; I'm
working on this.

Have you tried a configuration like this? It seems that service_3 will
never be activated.

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_service service_3 respmod_precache 0 icap://172.1.1.16:1344/respmod

icap_class filtro_url service_1 service_2 service_3
icap_access filtro_url allow all

Thanks,
Thiago Cruz
Henrik Nordstrom
2007-09-21 06:59:15 UTC
Post by Thiago Cruz
> Have you tried a configuration like this? It seems that service_3 will
> never be activated.
> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
> icap_service service_3 respmod_precache 0 icap://172.1.1.16:1344/respmod
> icap_class filtro_url service_1 service_2 service_3

Currently chaining of multiple services at the same service point is not
supported, which means you can at most have two icap services per
request, one at reqmod_precache and one at respmod_precache.

Regards
Henrik
Thiago Cruz
2007-09-21 15:55:12 UTC
Instead of using multiple services, could I use ICAP with cache_peer?
Something like this:

...
acl USERS external NTGroup @USERS
acl sites_1 url_regex "/etc/squid/sites"

http_access allow sites_1
http_access allow all USERS
http_access deny all
icp_access deny all

always_direct allow sites_1
never_direct allow all

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class filtro_url service_1 service_2

icap_access filtro_url deny sites_1
icap_access filtro_url allow all

cache_peer 172.1.1.16 parent 8088 7 no-query no-delay no-digest default

When I use this configuration, Respmod doesn't work. I can only see
Reqmod in the track file.

Regards,
Thiago Cruz
Henrik Nordstrom
2007-09-21 23:41:45 UTC
Post by Thiago Cruz
> Instead of using multiple services, could I use ICAP with cache_peer?

Should work fine.

Regards
Henrik
Thiago Cruz
2007-10-05 22:05:34 UTC
I solved the problem where squid wasn't sending respmod by using Squid3
RC1, but I have another problem: when I don't want to use ICAP (acl
sites_no_authentication), squid bypasses the cache peer too. Is
there some way to force it to use cache_peer?

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class filtro_url2 service_1 service_2
icap_access filtro_url2 deny sites_no_authentication
icap_access filtro_url2 allow USUARIOS_PERMITIDOS

cache_peer 172.17.5.106 parent 8088 7 no-query no-delay no-digest default

Thanks,
Thiago Cruz
Henrik Nordstrom
2007-10-06 10:30:30 UTC
Post by Thiago Cruz
> I solved the problem where squid wasn't sending respmod by using Squid3
> RC1, but I have another problem: when I don't want to use ICAP (acl
> sites_no_authentication), squid bypasses the cache peer too. Is
> there some way to force it to use cache_peer?

Squid FAQ: How do I configure Squid forward all requests to another
proxy?
<url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027>

Regards
Henrik
Thiago Cruz
2007-10-08 13:11:45 UTC
Hello H. Nordstrom,

I had already read that but unfortunately it didn't work. For some
reason when I negate ICAP for some ACL it bypass cache_peer too. Debug
all 9 could help us?

Regards,
Thiago Cruz
Amos Jeffries
2007-10-08 13:46:01 UTC
Post by Thiago Cruz
> Hello H. Nordstrom,
> I had already read that but unfortunately it didn't work. For some
> reason when I negate ICAP for some ACL it bypass cache_peer too.

Most weird. Would you mind posting the related config both negated and
non-negated for comparison?

Post by Thiago Cruz
> Debug
> all 9 could help us?

Possibly. It will generate a LOT of data for even moderate server load.
I'd suggest starting at 5-6 to peek where the problems might be, then
raise a particular section.

Amos
Thiago Cruz
2007-10-08 19:21:35 UTC
Of course not, here it is:
+++++++++++++++++++++++++++++++++++
http_port 8080
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname cacheteste.hm
cache_log /var/log/squid/cache.log
cache_store_log none
debug_options ALL,1

memory_replacement_policy lru
logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul %Sh/%<A %mt

cache_access_log /var/log/squid/access.log squidmime_extended

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 80

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3
auth_param basic realm HM
auth_param basic credentialsttl 2 hours

external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl PURGE method PURGE

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl squid-stat src 172.17.6.126/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl INTRANET dstdomain .hm .hm.com.br
acl USERS_ALLOW external NTGroup @HM_USUARIOS
acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication"
acl JAVA-SUN browser -i java

http_access allow PURGE localhost
http_access deny PURGE

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
deny_info BC_Safe_ports Safe_ports

http_access deny CONNECT !SSL_ports
deny_info BC_not_SSL_ports SSL_ports

http_access allow sites_no_authentication
http_access allow JAVA-SUN
http_access deny TERMO
deny_info BC_TERMO TERMO
http_access allow INTRANET
http_access allow all USERS_ALLOW
http_access deny all
deny_info BC_ACESSO_NEGADO all

always_direct allow sites_no_authentication
always_direct allow JAVA-SUN
always_direct allow INTRANET
always_direct allow CONNECT

never_direct allow all

cache_effective_user squid
cache_effective_group squid

err_html_text mailto:***@hm.com.br

coredump_dir /usr/local/squid/var/cache
forwarded_for on

icap_enable on
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod

icap_class filtro_url service_1 service_2

icap_access filtro_url deny sites_no_authentication
icap_access filtro_url allow USERS_ALLOW

icap_access filtro_url deny all

cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest default
+++++++++++++++++++++++++++++++++++

Although I have one server only for tests, the debug mode is too big.
But if it's necessary should I post it here?

Thanks
Thiago Cruz
Amos Jeffries
2007-10-08 23:28:17 UTC
Thank you. Everything looks normal to me.
What do you do to "negate ICP for some ACL"?

Amos
Thiago Cruz
2007-10-09 12:46:57 UTC
I had forgotten to negate ICP, but I've inserted it now.

I made a workaround for this ICAP problem but I must have another ICAP
server just for filtering these no-authentication sites and
unfortunately it isn't a good solution.

Any idea?

[]'s
Thiago Cruz
Amos Jeffries
2007-10-09 13:18:46 UTC
Post by Thiago Cruz
> I had forgotten to negate ICP, but I've inserted it now.
> I made a workaround for this ICAP problem but I must have another ICAP
> server just for filtering these no-authentication sites and
> unfortunately it isn't a good solution.
> Any idea?

Sorry, I mis-spelled the quote.
You said earlier, before I joined the thread, that "when I negate
ICAP for some ACL it bypass cache_peer too" (cut-n-paste this time :-)


I must be going blind. An idea just occurs to me:

always_direct allow sites_no_authentication
means bypass any peers and go direct for 'sites_no_authentication'

never_direct allow all
means NOTHING can go direct, use peer or fail.

If this idea is right, then the always_direct is kicking all the peer
logics aside and forcing it to go direct before the never_direct gets
tested.

Try this:
always_direct deny sites_no_authentication

or remove the line and finish with:
always_direct deny all

Amos
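The precedence Amos describes above, and Henrik's earlier note about several services at one vectoring point, can be checked statically before a config is deployed. The following is an added example, not part of the original thread and not Squid project code; the function names are this example's own, the sample config is constructed from lines posted in the thread, and rules are compared by their ACL names as written rather than by what the ACLs match.

```python
"""Static check of a squid.conf for two issues discussed in this thread."""
from collections import defaultdict

# Constructed sample: lines taken from configs posted in the thread, combined
# into one file so that both issues appear together.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication"
acl INTRANET dstdomain .hm .hm.com.br
always_direct allow sites_no_authentication
always_direct allow INTRANET
never_direct allow all
icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_service service_3 respmod_precache 0 icap://172.1.1.16:1344/respmod
icap_class filtro_url service_1 service_2 service_3
icap_access filtro_url deny sites_no_authentication
icap_access filtro_url allow all
cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest default
"""

# The same file after the changes discussed in the thread: the always_direct
# line for sites_no_authentication removed, one service per vectoring point.
FIXED_CONF = (
    SAMPLE_CONF
    .replace("always_direct allow sites_no_authentication\n", "")
    .replace("icap_service service_3 respmod_precache 0 "
             "icap://172.1.1.16:1344/respmod\n", "")
    .replace(" service_3\n", "\n")
)


def parse_conf(text):
    """Return [(directive, [args])], skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            rules.append((name, args))
    return rules


def direct_bypasses(rules):
    """List always_direct allow rules that take traffic past the parent proxy.

    always_direct is evaluated before never_direct, so a matching allow rule
    wins even when 'never_direct allow all' is present.
    """
    has_parent = any(d == "cache_peer" and a[1:2] == ["parent"] for d, a in rules)
    has_never = any(d == "never_direct" and a[:1] == ["allow"] for d, a in rules)
    if not (has_parent and has_never):
        return []
    # ACL lists that some icap_access rule explicitly excludes from ICAP.
    icap_denied = {tuple(a[2:]) for d, a in rules
                   if d == "icap_access" and a[1:2] == ["deny"]}
    denied, findings = set(), []
    for d, a in rules:
        if d != "always_direct" or len(a) < 2:
            continue
        action, cond = a[0], tuple(a[1:])
        if action == "deny":
            if cond == ("all",):
                break                      # nothing after this can match
            denied.add(cond)
        elif action == "allow" and cond not in denied:
            findings.append({"acls": cond, "skips_icap": cond in icap_denied})
    return findings


def same_point_services(rules):
    """List icap_class entries naming several services at one vectoring point."""
    point = {a[0]: a[1] for d, a in rules if d == "icap_service" and len(a) >= 2}
    findings = []
    for d, a in rules:
        if d != "icap_class" or len(a) < 2:
            continue
        by_point = defaultdict(list)
        for svc in a[1:]:
            by_point[point.get(svc, "undefined")].append(svc)
        for vp, svcs in by_point.items():
            if len(svcs) > 1:
                findings.append({"class": a[0], "point": vp, "services": svcs})
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        rules = parse_conf(conf)
        print(label)
        for f in direct_bypasses(rules):
            note = ("also excluded from ICAP" if f["skips_icap"]
                    else "not explicitly excluded from ICAP")
            print("  goes direct, skipping cache_peer:", " ".join(f["acls"]), "-", note)
        for f in same_point_services(rules):
            print("  class %s has several services at %s: %s"
                  % (f["class"], f["point"], ", ".join(f["services"])))
```

A rule reported with `skips_icap` set is the case from this thread: traffic for that ACL reaches neither the ICAP filter nor the scanning parent proxy.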
Thiago Cruz
2007-10-09 19:53:18 UTC
Amos,

I removed the line, like you said, and it works fine. It was my fault; I
forgot that line in my test. Anyway, thank you my friend. Now I can use
ICAP for filtering web contents and via parent proxy scan for threats.

Thanks all,
Thiago Cruz