[squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)

Yuri Voinov yvoinov at gmail.com
Thu May 12 11:07:36 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
Hm. Rare case.

In general, any OS TCP stack can resolve localhost itself to 127.0.0.1
with /etc/hosts or whatever.


12.05.16 14:42, C. L. Martinez пишет:
> On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>> 
>>
>> 11.05.16 21:04, L.P.H. van Belle пишет:
>>>
>>> Hai,
>>>
>>>
>>>
>>> I reviewd your config, thing whats different in c-icap.conf compared
>> to me.
>>>
>> Obviously, the mindless copying and pasting the config - very bad
>> practice, is not it?
>>>
>>> RemoteProxyUsers off ( for you ) on for me.
>>>
>> # TAG: RemoteProxyUsers
>> # Format: RemoteProxyUsers onoff
>> # Description:
>> #    Set it to on if you want to use username provided by the proxy
server.
>> #    This is the recomended way to use users in c-icap.
>> #    If the RemoteProxyUsers is off and c-icap configured to use users or
>> #    groups the internal authentication mechanism will be used.
>> # Default:
>> #    RemoteProxyUsers off
>> RemoteProxyUsers off
>>
>> This is depending proxy configuration. And irrelevant current case.
>>>
>>>
>>>
>>> Whats the content of /etc/c-icap/squidclamav.conf ?
>>>
>>> The important part for me of the file :
>>>
>>> #clamd_local /var/run/clamd.socket ! change/check this
>>>
>> This is OS-dependent, as obvious.
>>>
>>> clamd_ip 127.0.0.1
>>>
>>> clamd_port 3310
>>>
>>>
>>>
>>> If you use socket make sure your rights are correct and icap is added
>> to the clamav group.
>>>
>> Wrong. Squid group, not clamav.
>>>
>>>
>>>
>>>
>>>
>>> And my c-icap part of the squid.conf
>>>
>>> ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
>>>
>>> icap_enable on
>>>
>>> icap_send_client_ip on
>>>
>>> icap_send_client_username on
>>>
>>> icap_client_username_header X-Authenticated-User
>>>
>>> icap_persistent_connections on
>>>
>>> icap_preview_enable on
>>>
>>> icap_preview_size 1024
>>>
>>> icap_service service_req reqmod_precache bypass=1
>> icap://127.0.0.1:1344/squidclamav
>>>
>>> adaptation_access service_req allow all
>>>
>>> icap_service service_resp respmod_precache bypass=1
>> icap://127.0.0.1:1344/squidclamav
>>>
>>> adaptation_access service_resp allow all
>>>
>>>
>>>
>>> I think you changed to much in the example.
>>>
>>>
>>>
>>> Im reffering to these in the squid.conf
>>>
>>>> adaptation_access service_avi_resp allow all
>>>
>>> service_avi_resp?
>>>
>>>
>>>
>> Complete squid.conf fragment:
>>
>> icap_service service_avi_req reqmod_precache
>> icap://localhost:1344/squidclamav bypass=off
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache
>> icap://localhost:1344/squidclamav bypass=on
>> adaptation_access service_avi_resp allow all
>>
>> Please, PLEASE, do not make recommendation when you not understand what
>> does config lines means!
>> 
>
> Ok, problem is solved. Seems there is some problem between squid and
my unbound DNS server. Changing the following lines:
>
> icap_service service_avi_req reqmod_precache
icap://localhost:1344/squidclamav bypass=off
> icap_service service_avi_resp respmod_precache
icap://localhost:1344/squidclamav bypass=on
>
> to:
>
> icap_service service_avi_req reqmod_precache
icap://127.0.0.1:1344/squidclamav bypass=off
> icap_service service_avi_resp respmod_precache
icap://127.0.0.1:1344/squidclamav bypass=on
>
> all works as expected. As you can see I have changed "localhost" for
"127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and
OpenBSD resolves correctly, but under unbound's config I have enabled
"do-not-query-localhost: no" because unbound is configured to work with
dnscrypt-proxy service...
>
> I am not sure about this, but it is the only answer that explains this
problem ... or it is a bug (but I don't think so).
>
> What do you think??
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEbBAEBCAAGBQJXNGP4AAoJENNXIZxhPexGTs4H+KjRaCUYCnTjEeHf/EUDMP8S
FHfDKK4nCRbTL/KDn8i4vp1NnZjUjE/t/MfyfEnWNAO1SFknLqAFmlIX/P2Tm6b9
EzSB6XZKMfSg9PrzZxKJkRqF3tRzBXOs0lK2pEVyTd5i2xKkTCsMGw6eHOp8dveG
4DjG1OW3oGCQELJLuj+kPjnjGzYRHRL3Ck+z4ao+CWnIpCUsy0EEtT8+qhyukPkG
Z4kJZzACLq5eR3Pl6moOIsQjSxch5j6ppuOd2tvgqyelAa2VmOECIhp/E8R68QCl
EbmFT2V6xKBKtj2bMiHnYiRVRnlVd6Sd9jsFjhSyrbj2P6XeyWg/03RlOgwYiA==
=Qv20
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160512/19ac91a0/attachment.key>

More information about the squid-users mailing list