[squid-users] tcp_outgoing_address and ICAP server

Amos Jeffries squid3 at treenet.co.nz
Sun Jan 25 01:24:50 UTC 2015


On 25/01/2015 9:39 a.m., Marcus Kool wrote:
> 
> 
> On 01/24/2015 10:15 AM, Amos Jeffries wrote:
>> On 22/01/2015 10:11 a.m., Marcus Kool wrote:
>>> I am using Squid 3.4.9 and have an issue with tcp_outgoing_address.
>>>
>>> The Squid server is connected to the internet with multiple NICs and
>>> uses
>>>     tcp_outgoing_address a.public.IP.address
>>>
>>> and also want to use an ICAP server on the same host using
>>>
>>> icap_service  reqmod_urlfilterdb   reqmod_precache
>>> icap://a.local.ip.address:1344/reqmod_icapd  bypass=off  routing=on
>>> on-overload=wait ipv6=off
>>>
>>> It seems that Squid binds the connection to the ICAP server the same way
>>> it binds
>>> connections to webservers using the rule with tcp_outgoing_address
>>> and that is not desired nor workable.
>>>
>>> I tried
>>>
>>> acl myicaphost dst a.local.ip.address
>>> tcp_outgoing_address a.public.IP.address !myicaphost
>>>
>>> but Squid issues the following errors:
>>> 2015/01/21 21:58:32 kid1| WARNING: myicaphost ACL is used in context
>>> without an HTTP request. Assuming mismatch.
>>> 2015/01/21 21:58:32 kid1| commBind: Cannot bind socket FD 10 to
>>> XX.XX.XX.XX: (99) Cannot assign requested address
>>> 2015/01/21 21:58:32 kid1| essential ICAP service is down after an
>>> options fetch failure: icap://XX.XX.XX.XX:1344/reqmod_icapd [down,!opt]
>>>
>>> So the question is how to send web traffic over a specific NIC and
>>> traffic to the ICAP server over another (default?) NIC?
>>
>>
>> Please try the attached patch against Squid-3.4. It should make your
>> config work.
>>
>> Amos
> 
> Thank you for the patch.
> It resolves 1 issue: there is no longer the warning
>    WARNING: myicaphost ACL is used in context without an HTTP request.
> Assuming mismatch.
> 
> But the binding to the wrong NIC with the external IP still happens:
> 
> 2015/01/24 17:19:48.027 kid1| Xaction.cc(133) openConnection:
> Adaptation::Icap::OptXact opens connection to 10.10.0.6:1344
> 2015/01/24 17:19:48.027 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall
> Adaptation::Icap::Xaction::noteCommConnected constructed, this=0x1d9d7e0
> [call53]
> 2015/01/24 17:19:48.027 kid1| comm.cc(549) comm_openex: comm_openex:
> Attempt open socket for: a.public.IP.address
> 2015/01/24 17:19:48.027 kid1| comm.cc(590) comm_openex: comm_openex:
> Opened socket local=a.public.IP.address remote=[::] FD 10 flags=1 :
> family=2, type=1, protocol=6
> 
> The firewall and routing was changed to allow traffic from the external
> IP to
> the internal IP so for us the urgency of the issue is low, but
> the binding remains on the external IP despite the ACL saying not to do it.

Aha, conceptual problem.

tcp_outgoing_address does not forbid things. There is no "allow/deny"
action, just a set-IP action. It either sets the IP or it leaves it alone.

Your rule sets the IP when the dst is non-myicaphost. So what
tcp_outgoing_address rule or OS level routing rule matches when it *is*
myicaphost?

Amos
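The following squid.conf fragment is an added illustration of the first-match, set-only semantics Amos describes above; it is not a configuration posted in this thread or shipped by the Squid project. It reuses the ACL name and the placeholder public address from the original post and the ICAP address 10.10.0.6:1344 from the reporter's log; the internal source address to bind for ICAP traffic is a placeholder, and the fragment assumes (as the thread implies after the attached patch) that the dst ACL can be evaluated for ICAP connections at all.

```conf
# Added example (not from the thread): ordering tcp_outgoing_address rules
# so that ICAP traffic gets an explicit source address instead of falling
# through to whatever the OS routing table picks.
# Placeholders: a.public.IP.address (from the original post) and
# SQUID_INTERNAL_IP (assumed: Squid's own address on the internal NIC).

# ICAP service on the internal network, as in the original post
icap_service reqmod_urlfilterdb reqmod_precache icap://10.10.0.6:1344/reqmod_icapd bypass=off routing=on on-overload=wait ipv6=off

# Destination ACL for the ICAP server
acl myicaphost dst 10.10.0.6

# tcp_outgoing_address lines are tried top to bottom and the first line whose
# ACLs match sets the source address. A matching line never "denies" a
# connection; a non-matching line simply leaves the address unset.

# Rule 1: connections to the ICAP host bind to the internal address
tcp_outgoing_address SQUID_INTERNAL_IP myicaphost

# Rule 2: everything else (web traffic) binds to the public address
tcp_outgoing_address a.public.IP.address

# For comparison, the single line from the original post
#   tcp_outgoing_address a.public.IP.address !myicaphost
# sets nothing for myicaphost connections, so the source address for those
# is chosen by the kernel's routing table, not by Squid.
```

The point of the two-rule form is that every outgoing connection now has exactly one tcp_outgoing_address line that matches it, which answers Amos's question of "what rule matches when it is myicaphost" inside Squid rather than leaving it to OS routing. Whether a dst ACL is consulted for ICAP connections in an unpatched 3.4.9 is a separate matter; without the patch Squid logs the "used in context without an HTTP request. Assuming mismatch" warning shown earlier in the thread, and the ACL is treated as not matching.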
