[squid-users] ftp_port and squidclamav

Alex Rousskov rousskov at measurement-factory.com
Sat Aug 28 15:10:23 UTC 2021


On 8/28/21 8:36 AM, Andrea Venturoli wrote:

> I've got Squid (4.15) configured as an HTTP[s] server, with squidclamav:

>> icap_enable on
>> icap_send_client_ip on
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow all
>> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow all

> Everything is fine on this side.

> Now I'm trying to make it act as an FTP proxy, with:

>> ftp_port 2121

> This works partially: I'm usually able to see remote directories, but
> uploads will fail (timing out on the client side).

> If I disable ICAP at all (comment the above lines), then the FTP proxy
> works properly.

This can be a Squid bug or an ICAP service bug/incompatibility with fake
HTTP messages that Squid is using to represent native FTP traffic. FWIW,
the mapping between native FTP traffic (that Squid sees) and fake HTTP
messages (that your ICAP service sees) is described at
https://wiki.squid-cache.org/Features/FtpRelay


> I'm failing to understand the interaction between the two: even simple
> files fail to upload and I see no signs of ClamAV taking much time to
> scan them.
> Is this some known problem?

FWIW, I am not aware of it.


> Any suggestion on how to gain a better understanding?

Reproduce the problem using a single transaction on an otherwise idle
Squid with full debugging enabled and share the corresponding cache.log:
https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction

If the above is not feasible, collect ICAP requests and responses for
the failing transaction and share them instead (a packet capture may be
the easiest way to do that, but you can also try ALL,2 debugging if you
can reproduce with a single transaction on an otherwise idle Squid).


> Or, is there any way I can tell Squid to avoid passing FTP traffic
> (coming on port 2121) to ICAP (while of course doing that for the rest)?

Yes, the adaptation_access directive controls what traffic goes to your
ICAP services. To match ftp_port traffic, I would give the ftp_port a
name and then try using that name in a myportname ACL. Other ACLs may
also work, but I would start with myportname. If myportname does not
work for ftp_port traffic, it is a Squid bug.


HTH,

Alex.
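As an added illustration of the myportname approach suggested in the reply above (this is example configuration, not from the thread or the Squid project, and the thread does not confirm it was tested): the FTP listener gets a name, a myportname ACL matches on that name, and a deny rule for that ACL is placed before the existing allow-all rules for both ICAP services. The port name "ftpproxy" and the ACL name "FromFtpPort" are choices made for this example.

```conf
# squid.conf excerpt (added example, not from the thread).
# Goal: keep squidclamav scanning for HTTP traffic, but skip ICAP for the
# native FTP relay listener whose fake HTTP messages the ICAP service may
# not handle.

# ftp_port accepts the same options as http_port, including name=.
# "ftpproxy" is a name chosen for this example.
ftp_port 2121 name=ftpproxy

# Match transactions that arrived on the listener named above.
acl FromFtpPort myportname ftpproxy

icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 1024
icap_service service_req  reqmod_precache  bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav

# adaptation_access is evaluated first-match, so the deny lines must come
# before the allow-all lines or they will never be reached.
adaptation_access service_req  deny  FromFtpPort
adaptation_access service_req  allow all
adaptation_access service_resp deny  FromFtpPort
adaptation_access service_resp allow all

# Optional, for the debugging step from the same reply: raise the log
# level while reproducing one transaction on an otherwise idle Squid,
# then lower it again (full debugging is very verbose).
# debug_options ALL,2
```

Note the trade-off this encodes: FTP uploads and downloads through port 2121 are no longer scanned by ClamAV at all, so this is a workaround for the timeout rather than a fix for whatever breaks the ICAP exchange on fake FTP-as-HTTP messages. The cache.log or ICAP capture that the reply asks for is what would show the actual cause.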

