[squid-users] Secure ICAP

TRAN DAC dacvinh0993 at gmail.com
Mon May 6 16:19:09 UTC 2019


Hello,

I am trying to secure ICAP connections between my Squid proxy and my ICAP
Server. On my ICAP Server, I use stunnel with this configuration file (with
a self-signed certificate):

cert = crt.pem
key = key.pem
CAfile = crt.pem

[icaps]
accept = 10.2.2.236:11344
connect = 10.2.2.236:1344


squid.conf file on the proxy Squid:

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache icaps://10.2.2.236:11344/request tls-cafile=crt.pem
adaptation_access service_req allow all

//to decrypt ssl traffic
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
ssl_bump bump all
ssl_bump peek step1

However, I still have these errors:

WARNING: Squid got an invalid ICAP OPTIONS response from service icaps://10.2.2.236:11344/request; error: unsupported status code of OPTIONS response
2019/05/06 17:50:27 kid1| essential ICAP service is down after an options fetch failure: icaps://10.2.2.236:11344/request [down,!valid]
2019/05/06 17:53:28 kid1| WARNING: Squid got an invalid ICAP OPTIONS response from service icaps://10.2.2.236:11344/request; error: unsupported status code of OPTIONS response
2019/05/06 17:56:28 kid1| WARNING: Squid got an invalid ICAP OPTIONS response from service icaps://10.2.2.236:11344/request; error: unsupported status code of OPTIONS response

And from the ICAP server stunnel logs, the SSL initiation worked fine but it
can't connect to port 1344. I have made sure that non-secure ICAP works
perfectly and my iptables rules are fine.

Thanks in advance for your help.

Kind regards,
Tran Dac.
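
Added example, not part of the original post and not Squid's or stunnel's own code: a probe that sends a minimal ICAP OPTIONS request (shaped like the RFC 3507 example) to the plain port and to the stunnel port, and reports the status line each one returns, which is what the Squid warning above refers to. The function names and the sample replies are constructed for illustration; the addresses and crt.pem are the ones given in the post.

```python
import socket
import ssl

def build_options_request(host, port, path, scheme="icap"):
    """Bytes of a minimal ICAP OPTIONS request, shaped like the RFC 3507 example."""
    return (f"OPTIONS {scheme}://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def parse_status_line(raw):
    """Return (version, code, reason) from an ICAP reply, or None if it is not ICAP."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2] if len(parts) > 2 else ""

def diagnose(raw):
    """Classify what came back on the wire for an OPTIONS request."""
    if not raw:
        return "empty reply: connection closed before any ICAP data arrived"
    status = parse_status_line(raw)
    if status is None:
        return "not ICAP: first line was %r" % raw.split(b"\r\n", 1)[0][:60]
    if status[1] == 200:
        return "ok: ICAP 200"
    return "ICAP status %d %s" % (status[1], status[2])

def probe(host, port, path, cafile=None, timeout=5):
    """Send OPTIONS and return the first bytes of the reply; TLS when cafile is set."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if cafile:
        # Full verification: chain against cafile, name/IP against the cert SAN.
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        scheme = "icaps" if cafile else "icap"
        sock.sendall(build_options_request(host, port, path, scheme))
        return sock.recv(4096)

if __name__ == "__main__":
    # Constructed sample replies (not captured from the poster's systems).
    samples = [b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n\r\n",
               b"ICAP/1.0 404 ICAP Service not found\r\n\r\n",
               b"HTTP/1.1 400 Bad Request\r\n\r\n",
               b""]
    for s in samples:
        print(diagnose(s))
    # Live use, with the addresses from the post:
    #   diagnose(probe("10.2.2.236", 1344, "/request"))
    #   diagnose(probe("10.2.2.236", 11344, "/request", cafile="crt.pem"))
```

Running the two live calls side by side shows whether the reply changes once the request passes through the TLS front end; a certificate verification error from the second call points at the certificate rather than at ICAP.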