[squid-users] tcp_outgoing_address and ICAP server

Marcus Kool marcus.kool at urlfilterdb.com
Sat Jan 24 20:39:33 UTC 2015



On 01/24/2015 10:15 AM, Amos Jeffries wrote:
> On 22/01/2015 10:11 a.m., Marcus Kool wrote:
>> I am using Squid 3.4.9 and have an issue with tcp_outgoing_address.
>>
>> The Squid server is connected to the internet with multiple NICs and uses
>>     tcp_outgoing_address a.public.IP.address
>>
>> and also want to use an ICAP server on the same host using
>>
>> icap_service  reqmod_urlfilterdb   reqmod_precache
>> icap://a.local.ip.address:1344/reqmod_icapd  bypass=off  routing=on
>> on-overload=wait ipv6=off
>>
>> It seems that Squid binds the connection to the ICAP server the same way
>> it binds
>> connections to webservers using the rule with tcp_outgoing_address
>> and that is not desired nor workable.
>>
>> I tried
>>
>> acl myicaphost dst a.local.ip.address
>> tcp_outgoing_address a.public.IP.address !myicaphost
>>
>> but Squid issues the following errors:
>> 2015/01/21 21:58:32 kid1| WARNING: myicaphost ACL is used in context
>> without an HTTP request. Assuming mismatch.
>> 2015/01/21 21:58:32 kid1| commBind: Cannot bind socket FD 10 to
>> XX.XX.XX.XX: (99) Cannot assign requested address
>> 2015/01/21 21:58:32 kid1| essential ICAP service is down after an
>> options fetch failure: icap://XX.XX.XX.XX:1344/reqmod_icapd [down,!opt]
>>
>> So the question is how to send web traffic over a specific NIC and
>> traffic to the ICAP server over another (default?) NIC?
>
>
> Please try the attached patch against Squid-3.4. It should make your
> config work.
>
> Amos

Thank you for the patch.
It resolves one issue: there is no longer the warning
    WARNING: myicaphost ACL is used in context without an HTTP request. Assuming mismatch.

But the binding to the wrong NIC with the external IP still happens:

2015/01/24 17:19:48.027 kid1| Xaction.cc(133) openConnection: Adaptation::Icap::OptXact opens connection to 10.10.0.6:1344
2015/01/24 17:19:48.027 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall Adaptation::Icap::Xaction::noteCommConnected constructed, this=0x1d9d7e0 [call53]
2015/01/24 17:19:48.027 kid1| comm.cc(549) comm_openex: comm_openex: Attempt open socket for: a.public.IP.address
2015/01/24 17:19:48.027 kid1| comm.cc(590) comm_openex: comm_openex: Opened socket local=a.public.IP.address remote=[::] FD 10 flags=1 : family=2, type=1, protocol=6

The firewall and routing were changed to allow traffic from the external IP to
the internal IP, so for us the urgency of the issue is low, but
the binding remains on the external IP despite the ACL saying not to do it.

Marcus
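The cache.log excerpt above is the evidence for the problem: an ICAP `OptXact` opens a connection to the local ICAP address, and the very next `comm_openex` line shows the socket bound to the public `tcp_outgoing_address`. The following script is an added example, not part of the thread or of Squid, that automates that check so one can confirm after a config or patch change whether ICAP connections are still being bound to the outgoing address. It assumes the two log formats quoted in the thread (`... opens connection to HOST:PORT` followed by `comm_openex: Opened socket local=ADDR ... FD N`) and that the first `Opened socket` line after an ICAP `openConnection` belongs to that ICAP transaction; the sample log, the public address 203.0.113.10 and the second local address 10.10.0.5 are constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed cache.log excerpt modelled on the lines quoted in the thread.
# 203.0.113.10 stands in for the public tcp_outgoing_address; 10.10.0.6:1344
# is the ICAP target from the thread; 10.10.0.5 is a constructed local address.
SAMPLE_LOG = """\
2015/01/24 17:19:48.027 kid1| Xaction.cc(133) openConnection: Adaptation::Icap::OptXact opens connection to 10.10.0.6:1344
2015/01/24 17:19:48.027 kid1| comm.cc(549) comm_openex: comm_openex: Attempt open socket for: 203.0.113.10
2015/01/24 17:19:48.027 kid1| comm.cc(590) comm_openex: comm_openex: Opened socket local=203.0.113.10 remote=[::] FD 10 flags=1 : family=2, type=1, protocol=6
2015/01/24 17:19:49.100 kid1| comm.cc(590) comm_openex: comm_openex: Opened socket local=203.0.113.10 remote=[::] FD 11 flags=1 : family=2, type=1, protocol=6
2015/01/24 17:19:50.200 kid1| Xaction.cc(133) openConnection: Adaptation::Icap::ModXact opens connection to 10.10.0.6:1344
2015/01/24 17:19:50.200 kid1| comm.cc(590) comm_openex: comm_openex: Opened socket local=10.10.0.5 remote=[::] FD 12 flags=1 : family=2, type=1, protocol=6
"""

# An ICAP transaction announcing the server it is about to connect to.
ICAP_OPEN = re.compile(r"Adaptation::Icap::\w+ opens connection to (\S+):(\d+)")
# comm_openex reporting the local (bind) address of a freshly opened socket.
SOCK_OPEN = re.compile(r"comm_openex: Opened socket local=(\S+) remote=\S+ FD (\d+)")


def _norm(addr):
    """Normalise a textual address from the log so that '[::]' and '::' compare equal."""
    return ip_address(addr.strip("[]"))


def find_misbound_icap_binds(log_text, outgoing_addr):
    """Return (icap_target, local_addr, fd) for every ICAP connection whose
    socket was bound to outgoing_addr, i.e. the tcp_outgoing_address leaked
    into the ICAP path. Sockets opened for ordinary web fetches (no preceding
    ICAP openConnection line) are ignored."""
    want = _norm(outgoing_addr)
    pending = None          # ICAP target announced but not yet bound
    hits = []
    for line in log_text.splitlines():
        m = ICAP_OPEN.search(line)
        if m:
            pending = f"{m.group(1)}:{m.group(2)}"
            continue
        m = SOCK_OPEN.search(line)
        if m and pending is not None:
            local, fd = m.group(1), int(m.group(2))
            if _norm(local) == want:
                hits.append((pending, local, fd))
            pending = None  # the next Opened socket line is not ours
    return hits


if __name__ == "__main__":
    for target, local, fd in find_misbound_icap_binds(SAMPLE_LOG, "203.0.113.10"):
        print(f"ICAP connection to {target} bound to outgoing address {local} (FD {fd})")
```

Run it against a real cache.log captured with `debug_options ALL,1 93,3 5,3` (the sections the quoted lines come from); an empty result after a configuration change means the `!myicaphost` exclusion is now taking effect, while any hit reproduces the symptom reported above. FD 11 in the sample is deliberately not flagged: it has no preceding ICAP `openConnection` line, so it is treated as a normal web fetch that is supposed to use the outgoing address.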