[squid-users] While using icap_service squid working when ip is used and failing when domain name is provided
squid3 at treenet.co.nz
Tue Aug 13 06:48:59 UTC 2019
On 13/08/19 3:55 am, Prudhvisagar Bellamkonda wrote:
> Thanks for checking my message.
> Please check the below configuration, we are running squid 3.5 version.
> This service is running on aws its a ui application trying to connect to
> virus scanner to scan the uploaded file and send the request to
> downstream application if the file is valid.
> We implemented squid before the virus scanner
> https_port 8443 accel defaultsite=imageuploadqa.com no-vhost
Since this is a reverse-proxy it really should be listening on port 443
unless you have a good reason not to.
Do all these backend systems accept URLs of the form:
FYI: One of the major benefits of reverse-proxy is that they can protect
against garbage traffic for bogus domains etc aimed at your domain. The
no-vhost style config disables that protection completely.
No matter what URL anyone sends to this proxy it will automatically
force re-write with that scheme://domain:port/ string before any
internal services and even Squids own ACLs get to see the traffic.
> cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only
> name=imageuploadAccel ssl sslflags=DONT_VERIFY_PEER
Please remove that DONT_VERIFY_PEER. It is highly dangerous and actually
Just add the sslcafile= option with a PEM file containing the CA(s)
which issued that peers X.509 certificate.
> acl imageupload dstdomain imageuploadqa.com
> http_access allow imageupload
> cache_peer_access imageuploadAccel allow imageupload
> cache_peer_access imageuploadAccel deny all
> icap_enable on
> icap_service service_avi_req reqmod_precache
> icap://domainnameofvirusscanner:1344/SYMCScanReqEx-AV bypass=off (not
> working, but working when we are trying to use the IP)
That is a very strong hint that the problem is DNS related.
Check both A and AAAA are resolving without a timeout or SERVFAIL
result. That the IP(s) produced are all able to be connected to by the
proxy machine OR connection attempts get a quick non-routable ICMP error
> adaptation_access service_avi_req allow all
> icap_log /var/log/squid/icap.log icap_squid
> it also working when "cache_peer_access imageuploadAccel deny all" Line
> is removed
Very Odd. All that line is doing is making it clear to you what the
behaviour is for that peer.
> Please let me know if am missing any configuration
Please explain "not working" in more detail - what do you see happening
* failing to connect?
* - does the domain name resolve properly when looked up by your Squid?
* failing to send the ICAP request?
* failing to get a response?
* failing to deliver the response it gets?
* is any of those a timeout or an explicit error seen by Squid?
* is Squid producing any error message explaining the problem?
* are there any hints in cache.log?
Lots of details please.
More information about the squid-users