[squid-users] icap not answering
steven
commercials24 at yahoo.de
Mon Mar 4 23:10:46 UTC 2019
Ah, thank you for that clarification. The Python ICAP servers I tested so
far are not very promising, but at least there's a connection now.
Sadly, squid does not allow http access at all, only https access.
access.log
1551740163.106 0 192.168.10.116 TCP_MISS/500 4776 GET http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-to-listen-to-HTTPS-td4682393.html - HIER_NONE/- text/html
1551740163.173 0 192.168.10.116 TCP_IMS_HIT/304 294 GET http://backup:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
backup is the host that squid is running on.
The webpage shown in the browser says: *Unable to forward this request at this time.*
cache.log
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(179) lookup: id=0x5559d1923114 query ARP table
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(224) lookup: id=0x5559d1923114 query ARP on each interface (160 found)
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(230) lookup: id=0x5559d1923114 found interface lo
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(230) lookup: id=0x5559d1923114 found interface eth0
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(239) lookup: id=0x5559d1923114 looking up ARP address for 192.168.10.116 on eth0
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(275) lookup: id=0x5559d1923114 got address a4:34:d9:ea:b3:34 on eth0
2019/03/05 00:08:30.319 kid1| 28,3| Checklist.cc(70) preCheck: 0x5559d14e2f78 checking slow rules
2019/03/05 00:08:30.319 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rules)
2019/03/05 00:08:30.320 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/3' is not banned
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rule)
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking step1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: step1 = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rule) = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rules) = 1
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(63) markFinished: 0x5559d14e2f78 answer ALLOWED for match
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x5559d14e2f78 answer=ALLOWED
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(70) preCheck: 0x5559d19279a8 checking slow rules
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking http_access
2019/03/05 00:08:30.320 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking localnet
2019/03/05 00:08:30.320 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 192.168.10.116:45900/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (192.168.10.0:45900) vs 192.168.10.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2019/03/05 00:08:30.320 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '192.168.10.116:45900' found
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: localnet = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: http_access = 1
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(63) markFinished: 0x5559d19279a8 answer ALLOWED for match
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x5559d19279a8 answer=ALLOWED
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x5559d19279a8
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x5559d19279a8
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x5559d14e2f78
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x5559d14e2f78
current squid config:
#icap
icap_enable off
icap_preview_enable off
icap_send_client_ip on
icap_send_client_username on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access service_resp allow all
acl localnet src 192.168.10.0/24
acl CONNECT method CONNECT
http_access allow localnet
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
http_port 3128 accel ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
forwarded_for transparent
Any ideas what's wrong?
On 03.03.19 11:11, Marcus Kool wrote:
> Squid is an ICAP client, not an ICAP server!, and does not respond on
> port 1344.
> Marcus
>
>
> On 02/03/2019 22:29, steven wrote:
>> Hi,
>>
>>
>> I would like to do modifications on https connections and therefore
>> enabled ssl bump in squid 4.4, now I would like to see the real
>> traffic and icap looks like a way to watch and change that traffic.
>>
>> But squid is not answering to icap://127.0.0.1:1344 when using pyicap
>> or telnet.
>>
>> the telnet error is:
>>
>> telnet 127.0.0.1 1344
>> Trying 127.0.0.1...
>> telnet: Unable to connect to remote host: Connection refused
>>
>> which is imho good because it tells me that something is answering on
>> that port after all.
>>
>> Did I misconfigure something?
>>
>>
>>
>> config:
>>
>> debug_options 28,9
>> #icap
>> icap_enable on
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod
>> adaptation_access service_req allow all
>> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
>> adaptation_access service_resp allow all
>> acl localnet src 127.0.0.1/32 192.168.10.0/24
>> http_access allow localnet
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> #http_access deny !Safe_ports
>> #http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> include /etc/squid/conf.d/*
>> http_access allow localhost
>> coredump_dir /var/spool/squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> # default end
>> # my config
>> http_port 3128 accel ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
>> https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
>> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
>> acl step1 at_step SslBump1
>>
>> ssl_bump peek step1
>> ssl_bump bump all
>>
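
Added example, not part of the original thread and not Squid's or pyicap's code: a small ICAP OPTIONS probe for the point in Marcus Kool's reply, telling apart "nothing is listening on 1344" from "a listener that offers the method each configured service needs". The host, port and service paths come from the squid.conf above; the function names are hypothetical.

```python
import socket

# Paths/methods from the squid.conf in this thread; function names are illustrative.
SERVICES = {"/request": "REQMOD", "/response": "RESPMOD"}

def build_options(host, port, path):
    """ICAP OPTIONS request (RFC 3507) for icap://host:port/path."""
    return f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_head(raw):
    """Return (status_code, headers) from an ICAP reply head, or raise ValueError."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    proto, code = lines[0].split(" ", 2)[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    fields = (line.partition(":") for line in lines[1:])
    return int(code), {n.strip().lower(): v.strip() for n, _, v in fields}

def assess(raw, method):
    """Judge whether an OPTIONS reply describes a service usable for `method`."""
    try:
        code, headers = parse_head(raw)
    except ValueError:
        return "listener is not speaking ICAP"
    if code != 200:
        return f"ICAP error {code}"
    if method not in [m.strip() for m in headers.get("methods", "").split(",")]:
        return f"service does not offer {method}"
    if "istag" not in headers:
        return "reply lacks the mandatory ISTag header"
    return "ok"

def probe(host, port, path, method, timeout=3.0):
    """Send OPTIONS to one service and classify the outcome as a short string."""
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_options(host, port, path))
            # Read until the end of the ICAP head or until the peer closes.
            while b"\r\n\r\n" not in raw and (chunk := s.recv(4096)):
                raw += chunk
    except ConnectionRefusedError:
        return "connection refused: nothing is listening on that port"
    except OSError as exc:
        return f"connect/read failed: {exc}"
    return assess(raw, method)

if __name__ == "__main__":
    for path, method in SERVICES.items():
        print(path, "->", probe("127.0.0.1", 1344, path, method))
```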