[squid-users] squid does not send cached object to an icap-server

Yuri Voinov yvoinov at gmail.com
Mon May 18 12:01:28 UTC 2015


http://squidclamav.darold.net/config.html


        Trust your cache (obsolete/unused in v6.x)

One of the main configuration directives for performance improvement is 
'trust_cache'. SquidClamav detects if the file to download is already 
stored in Squid cache. If you activate 'trust_cache', SquidClamav will 
not scan a file coming from Squid cache as it may have already been 
scanned during the first download. If trust_cache is disabled, no matter 
if the file is stored in the cache, SquidClamav will rescan the same 
file at each client request. I really recommend you to activate this 
directive.

	trust_cache 0

Trusted cache is disabled by default as you may want to start with a 
fresh cache.


Why do you need to rescan a cached object again? You don't trust your cache? Or 
what?

18.05.15 17:17, Stefan Kuegler wrote:
> Hi Yuri.
>>
>> http://i.imgur.com/mW7gNwD.png
>>
>> http://squidclamav.darold.net/config.html
>>
>> This is for squidclamav (I use it and have no problems with malware).
>
> I just installed squidclamav - but the behaviour is always the same. 
> An object which has been stored in squid-cache will not be detected by 
> an icap server because squid does not scan the body again:
>
> squidclamav.c(283) squidclamav_init_request_data: DEBUG initializing 
> request data handler.
> pool hits:5 allocations: 1
> Allocating from objects pool object 0
> Requested service: squidclamav
> squidclamav.c(337) squidclamav_check_preview_handler: DEBUG processing 
> preview header.
> squidclamav.c(358) squidclamav_check_preview_handler: DEBUG 
> X-Client-IP: 192.168.216.54
> squidclamav.c(1319) extract_http_info: DEBUG method GET
> squidclamav.c(1330) extract_http_info: DEBUG url 
> http://www.intern/eicar_com.zip
> squidclamav.c(389) squidclamav_check_preview_handler: DEBUG URL 
> requested: http://www.intern/eicar_com.zip
> squidclamav.c(430) squidclamav_check_preview_handler: DEBUG 
> Content-Length: 0
> squidclamav.c(449) squidclamav_check_preview_handler: DEBUG No body 
> data, allow 204
> squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing 
> request data.
> Storing to objects pool object 0
> Log request to access log file /var/log/c-icap/access.log
> Width: 0, Parameter:
>
> Any idea how I can solve that problem? It seems that the only way to 
> be secure is to disable caching in squid. But I hope this can't be 
> the solution.
>
> Regards,
> Stefan
>>
>> 05.05.15 17:45, Stefan Kügler wrote:
>>> Hi Yuri.
>>>
>>> On 05.05.2015 at 12:51, Yuri Voinov wrote:
>>>> This is not a squid issue but your AV engine library or ICAP 
>>>> intermediate
>>>> AV library configuration.
>>>
>>> Thank you for your answer.
>>>
>>> Can you explain to me in a little bit more detail why this is not a squid
>>> issue?
>>>
>>> In the icap-logfile, I can see a REQMOD-request _AND_ a
>>> RESPMOD-request to the icap-server if the object is not in cache.
>>>
>>> But - if the object is in cache - I can only see a REQMOD-request to
>>> the icap-server. I am missing RESPMOD.
>>>
>>> It seems to me, that it is a decision of the client (squid) which
>>> request (REQMOD or RESPMOD) will be sent to the icap-server (AV-scanner)
>>> - and not a decision of the av-library.
>>>
>>> Regards, Stefan
>>>
>>>>
>>>> 05.05.15 16:43, Stefan Kügler wrote:
>>>>> Hello.
>>>>>
>>>>>
>>>>> I have a short question using squid as an ICAP-client.
>>>>>
>>>>>
>>>>> It seems that squid doesn't send an already downloaded (and cached)
>>>>> object to an ICAP-server.
>>>>>
>>>>> Here is a short description what I have done:
>>>>>
>>>>> 1. downloading a word-document with a macro-virus. The Virus-scanner
>>>>> (ICAP-server) uses an old pattern-file and does not detect the virus.
>>>>>
>>>>> The object is now in cache.
>>>>>
>>>>> 2. updating the virus-scanner to the newest pattern-file. The
>>>>> virus-scanner will now detect the macro virus.
>>>>>
>>>>> 3. downloading the same word-document. The object has been delivered
>>>>> to the client without a new virus scan.
>>>>>
>>>>>
>>>>>
>>>>> And now some log-entries:
>>>>>
>>>>> 1. First download of the word document:
>>>>>
>>>>> access.log:
>>>>> 2015-05-05 12:23:52    144 192.168.2.54 TCP_MISS/200 553301 GET
>>>>> http://www.intern/virus.doc - HIER_DIRECT/193.175.80.229
>>>>> application/msword
>>>>>
>>>>> icap.log:
>>>>> 2015-05-05 12:23:52      5 192.168.2.54 ICAP_ECHO/204 135 REQMOD
>>>>> icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
>>>>> 2015-05-05 12:23:52    130 192.168.2.54 ICAP_MOD/200 553897 RESPMOD
>>>>> icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
>>>>>
>>>>> AV-Scanner:
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Starting
>>>>> ICAP request decoding
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Request
>>>>> message decoded in 1 chunks
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Finished
>>>>> ICAP request decoding
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Starting
>>>>> ICAP request processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Starting
>>>>> service processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: REQMOD
>>>>> processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Resource at
>>>>> <GET http://www.intern/virus.doc HTTP/1.1> has no body to be scanned
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Finished
>>>>> service processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: The request
>>>>> for URI 'http://www.intern/virus.doc' was allowed (Reason: 'Clean'.
>>>>> Details: '')
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Create
>>>>> response headers type: CLEAN 204
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Send 
>>>>> headers
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Finished
>>>>> ICAP request processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Core 
>>>>> library
>>>>> session cleared
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D1AF700] INFO: Connection
>>>>> closed by foreign host while waiting for requests
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D1AF700] INFO: Core 
>>>>> library
>>>>> session cleared
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>>>>> ICAP request decoding
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Request
>>>>> message decoded in 259 chunks
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Finished
>>>>> ICAP request decoding
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>>>>> ICAP request processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>>>>> service processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: RESPMOD
>>>>> processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>>>>> virus scanning for resource at: <GET http://www.intern/virus.doc
>>>>> HTTP/1.1>
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>>>>> virus scanning for resource at: <GET http://www.intern/virus.doc
>>>>> HTTP/1.1>
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
>>>>> [service_scanner]File 'virus.doc' content is stored in
>>>>> '/var/spool/avira-icap/icap-tmp.6baFv3'
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Finished
>>>>> service processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: The request
>>>>> for URI 'http://www.intern/virus.doc' was allowed (Reason: 'Clean'.
>>>>> Details: '')
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Create
>>>>> response headers type: CLEAN
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Adding HTTP
>>>>> headers for response type: CLEAN
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Send 
>>>>> headers
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Send the
>>>>> original body (552960 bytes)
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Finished
>>>>> ICAP request processing
>>>>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Core 
>>>>> library
>>>>> session cleared
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2. Second download of the word document (after the pattern-update):
>>>>>
>>>>> access.log:
>>>>> 2015-05-05 12:27:43     35 192.168.2.54 TCP_MEM_HIT/200 553309 GET
>>>>> http://www.intern/virus.doc - HIER_NONE/- application/msword
>>>>>
>>>>> icap.log:
>>>>> 2015-05-05 12:27:43      2 192.168.2.54 ICAP_ECHO/204 135 REQMOD
>>>>> icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
>>>>>
>>>>> AV-Scanner:
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Starting
>>>>> ICAP request decoding
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Request
>>>>> message decoded in 1 chunks
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Finished
>>>>> ICAP request decoding
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Starting
>>>>> ICAP request processing
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Starting
>>>>> service processing
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: REQMOD
>>>>> processing
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Resource at
>>>>> <GET http://www.intern/virus.doc HTTP/1.1> has no body to be scanned
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Finished
>>>>> service processing
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: The request
>>>>> for URI 'http://www.intern/virus.doc' was allowed (Reason: 'Clean'.
>>>>> Details: '')
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Create
>>>>> response headers type: CLEAN 204
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Send 
>>>>> headers
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Finished
>>>>> ICAP request processing
>>>>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Core 
>>>>> library
>>>>> session cleared
>>>>>
>>>>>
>>>>> And now my question: Is this a bug in squid - or is it possible to
>>>>> tell squid to send already cached object to the icap-server?
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Stefan Kuegler
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>
>
> Best regards - Stefan Kügler
> SerNet GmbH
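
A way to spot the gap described in this thread from Squid's access.log alone, as an added example that is not part of the original posts: it flags cache hits whose last origin fetch (per the logs above, the only point at which the body went through RESPMOD) predates a scanner pattern update. The update time, the two clean.doc lines and the function names are constructed for illustration.

```python
from datetime import datetime

# Squid access.log lines in the format posted in the thread. The two
# virus.doc lines are the thread's entries (re-joined); the two clean.doc
# lines are constructed to show a hit that needs no flag.
ACCESS_LOG = """\
2015-05-05 12:23:52    144 192.168.2.54 TCP_MISS/200 553301 GET http://www.intern/virus.doc - HIER_DIRECT/193.175.80.229 application/msword
2015-05-05 12:27:43     35 192.168.2.54 TCP_MEM_HIT/200 553309 GET http://www.intern/virus.doc - HIER_NONE/- application/msword
2015-05-05 12:26:10    120 192.168.2.54 TCP_MISS/200 1024 GET http://www.intern/clean.doc - HIER_DIRECT/193.175.80.229 application/msword
2015-05-05 12:28:00     10 192.168.2.54 TCP_HIT/200 1032 GET http://www.intern/clean.doc - HIER_NONE/- application/msword
"""
# Constructed: the thread only says the update happened between the downloads.
PATTERN_UPDATE = datetime(2015, 5, 5, 12, 25, 0)
FMT = "%Y-%m-%d %H:%M:%S"


def parse(line):
    """Return (time, client, result, status, url) or None if unparseable."""
    f = line.split()
    if len(f) < 8 or "/" not in f[4]:
        return None
    try:
        when = datetime.strptime(f[0] + " " + f[1], FMT)
    except ValueError:
        return None
    result, status = f[4].split("/", 1)
    return when, f[3], result, status, f[7]


def stale_hits(log_text, update_time):
    """Cache hits served after update_time whose last scan predates it."""
    last_scan = {}  # url -> time of last origin fetch (the RESPMOD scan)
    findings = []
    # ISO-style timestamps lead each line, so a plain sort is chronological.
    for rec in filter(None, map(parse, sorted(log_text.splitlines()))):
        when, client, result, status, url = rec
        if status != "200":
            continue
        if "MISS" in result:      # fetched from origin, body went to RESPMOD
            last_scan[url] = when
        elif "HIT" in result and when >= update_time:
            scanned = last_scan.get(url)  # None: cached before this log began
            if scanned is None or scanned < update_time:
                findings.append((when.strftime(FMT), client, url, result))
    return findings


if __name__ == "__main__":
    for finding in stale_hits(ACCESS_LOG, PATTERN_UPDATE):
        print("served without rescan:", *finding)
```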
