[squid-users] squid 3.5.12 and ecap

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 16 03:08:28 UTC 2015


On 16/12/2015 12:53 a.m., behrad eslami wrote:
> Hi I add simple rule to ecap module and deny some url. I forground
> (squid -N -d10) all things work well. when i run service wtih mutiple
> workers, after a while some url not filter and user can open them in
> browsers. I compile Squid 3.5.12 and libecpa 1.0.0. squid compiled
> with below options:
> '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=aufs,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-follow-x-forwarded-for' '--enable-eui' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-auto-locale' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info= linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu
' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' '--disable-ipv6' '--disable-wccp' '--disable-auth-basic' '--disable-auth-digest' '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-external-acl-helpers' '--disable-url-rewrite-helpers' '--disable-storeid-rewrite-helpers' '--without-mit-krb5' '--without-heimdal-krb5' '--without-gnugss' '--disable-unlinkd' '--disable-ident-lookups' '--disable-esi' '--disable-select' '--disable-poll' '--disable-kqueue' '--disable-devpoll' '--enable-epoll'
> 

This looks like Debian based build settings. With a bunch of extra
things disabled. What OS is this being used on?

NP: you can use --disable-auth to do all of the --disable-auth-*
settings in one simpler option.


> and my ecap config is:
> icap_enable on
> icap_send_client_ip on
> icap_client_username_encode on

None of that is eCAP configuration. The 'i' (not 'e') at the start of
the directive names should give it away.

This is the eCAP part:

> loadable_modules /usr/local/lib/ecap_adapter_MY_processing.so
> ecap_enable on
> ecap_service ecapModifier respmod_precache \
>      uri=ecap://www.deltaglobal.net/adapter_My_processing  \
>        victim=sadeghsalehi\
>         replacement=***
> adaptation_access ecapModifier allow all
> loadable_modules /usr/local/lib/ecap_adapter_My_request.so
> ecap_enable onecap_service eReqmod reqmod_precache bypass=1  ecap://e-cap.org/ecap/services/My/request
> adaptation_access   eReqmod  allow all

Looks correct, and should be working.

Notice that you have "bypass=1" configured, so any problem down to just
a long delay in processing time can cause the second eCAP module to be
bypassed and do nothing.

Your config looks fine. You will need to dig down into what the module
is actually doing and what it is having trouble with.

NP: -N is no just foreground, but also disables all multi-process
activity by the workers. Perhapse there is a problem with the ecap
module being either loaded and/or used by multiple processes simultaneously.

Amos



More information about the squid-users mailing list