[squid-users] While using icap_service squid working when ip is used and failing when domain name is provided

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 13 06:48:59 UTC 2019


On 13/08/19 3:55 am, Prudhvisagar Bellamkonda wrote:
> Hi,
> Thanks for checking my message.
> Please check the configuration below; we are running Squid version 3.5.
> 
> This service is running on AWS. It is a UI application trying to connect to
> a virus scanner to scan the uploaded file and send the request to the
> downstream application if the file is valid.
> 
> We implemented Squid before the virus scanner.
> 
> https_port 8443 accel defaultsite=imageuploadqa.com no-vhost

Since this is a reverse-proxy it really should be listening on port 443
unless you have a good reason not to.

Do all these backend systems accept URLs of the form:
  https://imageuploadqa.com:8443/...

FYI: One of the major benefits of a reverse-proxy is that it can protect
against garbage traffic for bogus domains etc. aimed at your domain. The
no-vhost style config disables that protection completely.
 No matter what URL anyone sends to this proxy, it will automatically
force a re-write with that scheme://domain:port/ string before any
internal services, and even Squid's own ACLs, get to see the traffic.


> cert=/qa/certificate/imageupload.cer
> key=/qa/certificate/private/imageupload.pem
> cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only
> name=imageuploadAccel ssl sslflags=DONT_VERIFY_PEER

Please remove that DONT_VERIFY_PEER. It is highly dangerous and actually
not useful.

Just add the sslcafile= option with a PEM file containing the CA(s)
which issued that peer's X.509 certificate.


> acl imageupload dstdomain imageuploadqa.com
> http_access allow imageupload
> cache_peer_access imageuploadAccel allow imageupload
> cache_peer_access imageuploadAccel deny all
> icap_enable on
> icap_service service_avi_req reqmod_precache
> icap://domainnameofvirusscanner:1344/SYMCScanReqEx-AV bypass=off (not
> working, but working when we are trying to use the IP)

That is a very strong hint that the problem is DNS related.

Check that both A and AAAA are resolving without a timeout or SERVFAIL
result, and that the IP(s) produced can all be connected to by the
proxy machine OR that connection attempts get a quick non-routable ICMP
error back.


> adaptation_access service_avi_req allow all
> icap_log /var/log/squid/icap.log icap_squid
> 
> 
> It is also working when the "cache_peer_access imageuploadAccel deny all"
> line is removed.

Very Odd. All that line is doing is making it clear to you what the
behaviour is for that peer.

> 
> Please let me know if I am missing any configuration.
> 

Please explain "not working" in more detail - what do you see happening
exactly?

Is it:
 * failing to connect?
   - does the domain name resolve properly when looked up by your Squid?
 * failing to send the ICAP request?
 * failing to get a response?
 * failing to deliver the response it gets?
 * is any of those a timeout or an explicit error seen by Squid?
 * is Squid producing any error message explaining the problem?
 * are there any hints in cache.log?


Lots of details please.


Amos
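The cache_peer change Amos asks for, shown as the posted line beside a corrected one. This is an added illustration, not configuration from the thread or from the Squid project; the CA bundle path /qa/certificate/downstream-ca.pem is an assumed location for a PEM file holding the CA(s) that issued the downstream application's certificate, and the Squid 4+ variant is included because the option names changed between releases.

```conf
# As posted (Squid 3.5): the peer's certificate is accepted without any
# verification, so anyone who can steer this connection can impersonate
# the downstream application.
cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only name=imageuploadAccel ssl sslflags=DONT_VERIFY_PEER

# Corrected (Squid 3.5): drop DONT_VERIFY_PEER and point Squid at the
# issuing CA(s). Assumed path for the CA bundle.
cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only name=imageuploadAccel ssl sslcafile=/qa/certificate/downstream-ca.pem

# Same thing in Squid 4 and later syntax, where the ssl* options were
# renamed to tls*.
cache_peer imageuploadroute53downstreamappkication.com. parent 443 0 proxy-only name=imageuploadAccel tls tls-cafile=/qa/certificate/downstream-ca.pem
```

After the change, a peer whose certificate does not chain to that CA, or whose name does not match, is refused rather than silently trusted; check cache.log for the TLS error if the backend stops responding, since that usually means the bundle is missing an intermediate.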


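A diagnostic for the checks Amos lists (name resolution, reachability of every resolved address, fast refusal versus timeout, and whether the service answers at all), written as an added example rather than anything from the thread. It resolves the ICAP hostname the way the proxy host's resolver library does, then sends an ICAP OPTIONS request to each address and reports the status code and elapsed time. It assumes getent(1), nc(1) with a -w timeout, and date +%s are available on the proxy machine; the hostname, port and service path are taken from the command line and default to the icap_service line in the post only in the usage comment.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): walk the checks for an icap_service
# that works by IP but fails by name.
# Assumes getent(1), nc(1) with -w, and date +%s exist on the proxy host.
# Note: Squid 3.5 uses its own DNS client (nameservers from /etc/resolv.conf
# or dns_nameservers, plus hosts_file), whereas getent goes through NSS, so a
# name that only resolves via an NSS module may still fail inside Squid.

PROBE_TIMEOUT=5   # seconds nc waits on one address before giving up

# Reduce `getent ahosts` output (one line per socket type) to unique addresses.
unique_addrs() {
    awk 'NF { print $1 }' | sort -u
}

# Resolve a name through the system resolver; prints A and AAAA results,
# one address per line.
resolve_all() {
    getent ahosts "$1" | unique_addrs
}

# Read an ICAP response on stdin and print the status code from its first
# line ("ICAP/1.0 200 OK" -> 200), or NONE when there is no ICAP status line
# (connection refused, timeout, or a non-ICAP answer).
icap_status() {
    code=$(head -n 1 | tr -d '\r' | awk '$1 ~ /^ICAP\/1\.[0-9]$/ { print $2 }')
    if [ -n "$code" ]; then echo "$code"; else echo NONE; fi
}

# Build the OPTIONS request an ICAP client sends when it first contacts a
# service (host, port, service path).
icap_options_request() {
    printf 'OPTIONS icap://%s:%s%s ICAP/1.0\r\nHost: %s\r\nEncapsulated: null-body=0\r\n\r\n' \
        "$1" "$2" "$3" "$1"
}

# Probe one address and print "addr status=CODE elapsed=Ns". A quick NONE
# means an immediate refusal or ICMP error; NONE after PROBE_TIMEOUT seconds
# means packets are being dropped.
probe_addr() {
    addr=$1 host=$2 port=$3 path=$4
    start=$(date +%s)
    code=$(icap_options_request "$host" "$port" "$path" \
           | nc -w "$PROBE_TIMEOUT" "$addr" "$port" 2>/dev/null | icap_status)
    end=$(date +%s)
    echo "$addr status=$code elapsed=$((end - start))s"
}

main() {
    host=$1 port=${2:-1344} path=${3:-/}
    addrs=$(resolve_all "$host")
    if [ -z "$addrs" ]; then
        echo "$host: no A or AAAA records from the system resolver" >&2
        return 1
    fi
    echo "$host resolves to:"
    echo "$addrs" | sed 's/^/  /'
    for addr in $addrs; do
        probe_addr "$addr" "$host" "$port" "$path"
    done
}

# Usage: ./icap_check.sh domainnameofvirusscanner 1344 /SYMCScanReqEx-AV
[ $# -eq 0 ] || main "$@"
```

Run it on the proxy host itself, not from a workstation, since the point is to see what that machine's resolver and routing produce. If the name resolves to more addresses than the IP you tested by hand (a stale AAAA record is a common case), every one of them must answer, because Squid will try them in turn.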