[squid-users] Need help about ICAP scan timeout/max file size for big files

info at schroeffu.ch
Fri Jan 4 10:38:59 UTC 2019


Hi all,

I am trying to solve the problem that Squid is caching all the big files (for example 1 GB) before sending them to the client, but the connected ICAP virus scanner is configured with max_file_size 2MB and scan_timeout 5 seconds. So all bigger files, or longer scanning times, should result in a "clean" state from the ICAP virus scanner.

I am running antivirus FSIGK (F-Secure Internet GateKeeper) as an ICAP daemon connected to Squid with this configuration:

#ICAP
icap_enable on
acl domains_dont_icapscan url_regex -i "/etc/squid/ka/domains_dont_icapscan.acl"
acl audio rep_mime_type -i ^(audio/x-mpegurl|audio/mpeg|audio/ogg|audio/aac|audio/mp3)$

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
adaptation_access service_req allow !domains_dont_icapscan
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/response
adaptation_access service_resp allow !domains_dont_icapscan !audio

Detecting viruses is working, but downloading large files is a huge problem. Squid first downloads them completely into the server's memory and caches them before sending them to the client. It does not stop scanning and caching after 2 MB / 5 seconds. When downloading big files (e.g. 1 GB), the browser does nothing but wait for a long time, because Squid is downloading and caching 1 GB before forwarding it to the client.

I tried changing respmod_precache to respmod_postcache, but it seems not to be implemented yet; with respmod_postcache the FSIGK ICAP log is empty and virus detection no longer works.
I have a 100 MB test virus file (https://schroeffu.ch/100mbrandomvirus_begin.txt, EICAR + random content), and the virus is detected by FSIGK with the settings max_scan_size=104400136 / scan_timeout=9000. After changing them to max_scan_size=2147483 (2 MB) and scan_timeout=5 (5 seconds), the virus is correctly not detected anymore, but Squid still caches the 100 MB before sending it to the client.

How can I configure the ICAP service to truly let bigger files / longer scan times through the ICAP service, marked as "clean"?

Thanks for any help!
Schroeffu