[squid-users] Need help about ICAP scan timeout/max file size for big files

info at schroeffu.ch info at schroeffu.ch
Tue Jan 8 16:46:13 UTC 2019


Hi Alex (& hi Amos)

It depends on the ICAP service. The one I am trying to use is F-Secure FSICAPD, which is not working as expected.

So I compared with ClamAV C-ICAP: C-ICAP defines "MaxStreamSize 25M" as default, so after 25 MB have been scanned by ICAP I can see with tcpdump on port 1344 an "ICAP/1.0 200 OK" from ICAP to Squid, which triggers the browser to start the download. That's what I want for F-Secure ICAP as well.

# ClamAV ICAP response when MaxStreamSize is reached:
ICAP/1.0 200 OK
Server: C-ICAP/0.4.4
Connection: keep-alive
ISTag: CI0001-1-squidclamav-10
Encapsulated: res-hdr=0, res-body=331

Unfortunately, the F-Secure ICAP does not send this "ICAP/1.0 200 OK" after X MB or X seconds. I am in touch with them about whether this is a bug; I don't know yet, they're checking. So, if their ICAP really does not send "ICAP/1.0 200 OK" after X seconds/MB, can I configure Squid with a workaround?

So, to your questions:

> 1. How to configure Squid to never send huge files to your ICAP service?

Yes, as a workaround, but how? The size is usually not included in the headers of big files.

> 2. How to configure your ICAP service to speed up huge-file decisions?

The header does not seem to include the file size. Here are the headers for an example 100 MB virus file (EICAR signature at the beginning):

RESPMOD icap://127.0.0.1:1344/response ICAP/1.0
Host: 127.0.0.1:1344
Date: Fri, 04 Jan 2019 15:56:48 GMT
Encapsulated: req-hdr=0, res-hdr=434, res-body=676

GET https://schroeffu.ch/100mbrandomvirus_begin.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: _pk_id.n/a.1636=5b8e9d8d8516ea65.1546604985.1.1546604985.1546604985.
Upgrade-Insecure-Requests: 1
Host: schroeffu.ch

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 04 Jan 2019 15:56:48 GMT
Content-Type: text/plain
Last-Modified: Fri, 04 Jan 2019 15:31:19 GMT
Vary: Accept-Encoding
ETag: W/"5c2f7c47-61a8088"
X-Powered-By: PleskLin
Content-Encoding: gzip

The 200 OK reaches Squid only after 100% of the 100 MB has been scanned by F-Secure ICAP, after 114 seconds (!), which means the browser spends 114 seconds doing nothing but waiting:

ICAP/1.0 200 OK
Server: F-Secure ICAP Server
ISTag: "FSAV-2019-01-02_04"
Connection: keep-alive
Expires: Fri, 04 Jan 2019 16:58:42 GMT
X-FSecure-Scan-Result: clean
X-FSecure-ORSP-FRS-Duration: 5.005693
X-FSecure-Transaction-Duration: 114.205939
X-FSecure-Versions: F-Secure Corporation Hydra/5.22 build 28/2018-12-28_01 F-Secure Corporation Aquarius/1.0 build 8/2019-01-02_04 fsavd/1.0/0148 fsicapd/1.1.277-263d28a
Encapsulated: res-hdr=0, res-body=242

> 3. How to configure Squid to send huge files to your ICAP service without storing them in Squid memory or in Squid disk cache?

No, we can forget this point.

I think the best would be to configure Squid so that, if ICAP is not able to scan the complete request in 10 seconds, it skips the scan (or marks the file as clean) and lets the browser download it. A 10-second ICAP scan timeout seems to be the default in ESET Linux Gateway ICAP too. Can I configure that in Squid?
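For reference, the Squid side of the workaround asked about above, written as an added example (it is not from the poster, nor from Squid's or F-Secure's documentation). It assumes the ICAP URL from the captured RESPMOD request, a service name "fsav" chosen here, and a size threshold of 8 or more Content-Length digits (about 10 MB) picked for illustration. The directives `icap_service ... bypass=on`, `icap_io_timeout`, `rep_header` and `adaptation_access` are standard Squid 3.x/4.x configuration; the weak setting it replaces is the default of no `bypass=` option (an ICAP timeout then yields an error page) with `icap_io_timeout` inherited from `read_timeout`, which is what lets the 114-second wait happen.

```conf
# squid.conf fragment (added example, not from the original post).
# Service URL taken from the RESPMOD request captured above; the
# service name "fsav" and the size threshold are assumptions.
icap_enable on

# Default (no bypass= option) treats the service as essential: a timeout
# or ICAP error turns into an error page for the browser.
# bypass=on instead lets Squid deliver the response unscanned when the
# service fails or times out. That is fail-open: a file the scanner
# never finished is handed to the client as if it were clean.
icap_service fsav respmod_precache bypass=on icap://127.0.0.1:1344/response

# Wait at most 10 seconds for the next byte of the ICAP response
# (default: read_timeout). After that, with bypass=on above, the
# transaction continues without the scanner instead of hanging.
icap_io_timeout 10 seconds

# Keep responses that declare a body of 8 or more digits (>= 10 MB)
# away from the scanner entirely. This only works when the origin sends
# Content-Length; the gzipped, chunked 100 MB example above carries no
# size, so it would still be sent to the scanner and hit the timeout.
acl big_response rep_header Content-Length ^[0-9]{8,}$
adaptation_access fsav deny big_response
adaptation_access fsav allow all
```

Because `bypass=on` plus the short I/O timeout means large or slow files reach the user unscanned, it is worth logging those bypasses (Squid records ICAP outcomes in `icap_log` when that directive is set) so the unscanned downloads can be reviewed rather than silently trusted.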

