[squid-users] tcp_outgoing_address and ICAP server
Amos Jeffries
squid3 at treenet.co.nz
Sat Jan 24 12:15:24 UTC 2015
On 22/01/2015 10:11 a.m., Marcus Kool wrote:
> I am using Squid 3.4.9 and have an issue with tcp_outgoing_address.
>
> The Squid server is connected to the internet with multiple NICs and uses
> tcp_outgoing_address a.public.IP.address
>
> and also want to use an ICAP server on the same host using
>
> icap_service reqmod_urlfilterdb reqmod_precache
> icap://a.local.ip.address:1344/reqmod_icapd bypass=off routing=on
> on-overload=wait ipv6=off
>
> It seems that Squid binds the connection to the ICAP server the same way
> it binds connections to webservers using the rule with tcp_outgoing_address
> and that is not desired nor workable.
>
> I tried
>
> acl myicaphost dst a.local.ip.address
> tcp_outgoing_address a.public.IP.address !myicaphost
>
> but Squid issues the following errors:
> 2015/01/21 21:58:32 kid1| WARNING: myicaphost ACL is used in context
> without an HTTP request. Assuming mismatch.
> 2015/01/21 21:58:32 kid1| commBind: Cannot bind socket FD 10 to
> XX.XX.XX.XX: (99) Cannot assign requested address
> 2015/01/21 21:58:32 kid1| essential ICAP service is down after an
> options fetch failure: icap://XX.XX.XX.XX:1344/reqmod_icapd [down,!opt]
>
> So the question is how to send web traffic over a specific NIC and
> traffic to the ICAP server over another (default?) NIC?
Please try the attached patch against Squid-3.4. It should make your
config work.
Amos
-------------- next part --------------
=== modified file 'src/acl/DestinationIp.cc'
--- src/acl/DestinationIp.cc 2013-05-13 23:32:23 +0000
+++ src/acl/DestinationIp.cc 2015-01-24 12:08:45 +0000
@@ -35,40 +35,44 @@
#include "acl/DestinationIp.h"
#include "acl/FilledChecklist.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "HttpRequest.h"
#include "SquidConfig.h"
ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
char const *
ACLDestinationIP::typeString() const
{
return "dst";
}
int
ACLDestinationIP::match(ACLChecklist *cl)
{
ACLFilledChecklist *checklist = Filled(cl);
+ // if there is no HTTP request details fallback to the dst_addr
+ if (!checklist->request)
+ return ACLIP::match(checklist->dst_addr);
+
// Bug 3243: CVE 2009-0801
// Bypass of browser same-origin access control in intercepted communication
// To resolve this we will force DIRECT and only to the original client destination.
// In which case, we also need this ACL to accurately match the destination
if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
return ACLIP::match(checklist->conn()->clientConnection->local);
}
if (flags.isSet(ACL_F_NO_LOOKUP)) {
if (!checklist->request->GetHostIsNumeric()) {
debugs(28, 3, "aclMatchAcl: No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
return 0;
}
if (ACLIP::match(checklist->request->host_addr))
return 1;
return 0;
}
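Review bot: the new early return is placed correctly ahead of every `checklist->request->` dereference that follows it, but its comment needs rewording and the fallback semantics need stating: `// if there is no HTTP request details fallback to the dst_addr` should read something like `// No HTTP request (e.g. ICAP or peer connections): match on the checklist's dst_addr instead`. In that path the `-n` (ACL_F_NO_LOOKUP) handling and the client_dst_passthru branch are skipped entirely, which is reasonable because dst_addr is already an address rather than a hostname, but say so in the comment so nobody later "fixes" it. Please also confirm that the code opening the ICAP connection fills in checklist->dst_addr before tcp_outgoing_address ACLs are evaluated; if it does not, the fallback compares against an unset address and `tcp_outgoing_address a.public.IP.address !myicaphost` from the report would still bind the ICAP socket to the public address.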
=== modified file 'src/acl/DestinationIp.h'
--- src/acl/DestinationIp.h 2013-01-27 17:35:07 +0000
+++ src/acl/DestinationIp.h 2015-01-24 12:09:01 +0000
@@ -41,33 +41,32 @@
{
public:
static DestinationIPLookup *Instance();
virtual void checkForAsync(ACLChecklist *)const;
private:
static DestinationIPLookup instance_;
static IPH LookupDone;
};
class ACLDestinationIP : public ACLIP
{
public:
MEMPROXY_CLASS(ACLDestinationIP);
ACLDestinationIP(): ACLIP(ACLDestinationIP::SupportedFlags) {}
virtual char const *typeString() const;
virtual int match(ACLChecklist *checklist);
- virtual bool requiresRequest() const {return true;}
virtual ACL *clone()const;
static ACLFlag SupportedFlags[];
private:
static Prototype RegistryProtoype;
static ACLDestinationIP RegistryEntry_;
};
MEMPROXY_CLASS_INLINE(ACLDestinationIP);
#endif /* SQUID_ACLDESTINATIONIP_H */
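Review bot: removing the `requiresRequest()` override means the checklist will stop emitting `WARNING: myicaphost ACL is used in context without an HTTP request. Assuming mismatch.` for `dst` ACLs, so this hunk is only safe together with the null-request guard added in src/acl/DestinationIp.cc and the two files should land in one commit. It also changes the result for any existing configuration that already uses `dst` in a request-less context from "mismatch" to "compare against dst_addr", which deserves a line in the release notes or the `dst` ACL documentation. Minor: since the removed line was the only place that documented the no-request behaviour of this class, a short comment on the `match()` declaration saying it accepts a checklist with no request would help the next reader.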