[squid-users] tcp_outgoing_address and ICAP server

Marcus Kool marcus.kool at urlfilterdb.com
Mon Jan 26 00:45:16 UTC 2015



On 01/25/2015 02:33 PM, Amos Jeffries wrote:
> On 26/01/2015 4:59 a.m., Marcus Kool wrote:
>>
>>
>> The debug trace starts with:
>> Xaction.cc(133) openConnection: *Adaptation::Icap::OptXact* opens
>> connection to 10.10.0.6:1344
>> and then
>> comm.cc(549) comm_openex: comm_openex: Attempt open socket for:
>> *a.public.IP.address*
>> comm.cc(590) comm_openex: comm_openex:Opened socket
>> local=*a.public.IP.address* remote=[::] FD 10 flags=1 : family=2,
>> type=1, protocol=6
>>
>> so I think it is clear that the socket to the ICAP server on 10.10.0.6
>> is bound to the NIC with an external IP address (not obeying the ACL).
>>
>
> Okay you need to expand that with debug level 28,3 to see what Squid is
> doing with the ACLs.

Well, I edited squid.conf again to extend the debug_options and
noticed that the config file had this:

tcp_outgoing_address a.public.ip.address
... (many lines)
acl myicaphost dst 10.10.0.6
tcp_outgoing_address a.public.ip.address !myicaphost

After commenting out the first tcp_outgoing_address, the binding works as expected,
i.e. squid does not bind the socket to the ICAP server on the external IP address.

So the ACL patch + correction of the squid.conf resolve the issue.

Thanks
Marcus


>> I do not understand your statement "I don't know why it was binding".
>>
>>> Squid only uses
>>> bind() if there is an explicit outgoing address required to be used.
>>
>> Have you considered the possibility of a bug ?
>
> Yes, a bug in the binding would report bind errors opening a socket for
> local=[::]. A bug in the ICAP will depend on what the ACL behaviour is.
>
> Amos
>
>
>
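
The ordering problem found in this message, as an added example (not code from the poster or from the Squid project): Squid evaluates tcp_outgoing_address lines in order and stops at the first one whose ACLs all match, so a line with no ACLs shadows every later line. The sketch is a simplified model that understands only `dst` ACLs with literal addresses; `192.0.2.10` is a placeholder for the elided public address, and the function names are hypothetical.

```python
import ipaddress

# Constructed squid.conf fragments modelled on the message above.
# 192.0.2.10 (documentation range) stands in for the elided public address.
BEFORE = """\
tcp_outgoing_address 192.0.2.10
acl myicaphost dst 10.10.0.6
tcp_outgoing_address 192.0.2.10 !myicaphost
"""
AFTER = """\
acl myicaphost dst 10.10.0.6
tcp_outgoing_address 192.0.2.10 !myicaphost
"""

def parse(conf):
    """Return (dst ACLs by name, tcp_outgoing_address rules in file order)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "dst":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 2 and tok[0] == "tcp_outgoing_address":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def outgoing_address(conf, dst):
    """First fully matching rule wins; None means no fixed local address."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(dst)

    def holds(cond):
        hit = any(ip in net for net in acls.get(cond.lstrip("!"), []))
        return not hit if cond.startswith("!") else hit

    for addr, conds in rules:
        if all(holds(c) for c in conds):
            return addr
    return None

def shadowed_rules(conf):
    """Rules that are unreachable because an earlier rule has no ACLs."""
    _, rules = parse(conf)
    for i, (_, conds) in enumerate(rules):
        if not conds:
            return rules[i + 1:]
    return []
```

Running `shadowed_rules()` over a configuration before deployment flags the unconditional line that made the later `!myicaphost` rule dead.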

