<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Ah thank you for that clarification, the python icap servers i
tested so far are not very promissing but at least theres a
connection now.</p>
<p>sadly squid does not allow http access at all, only https access.</p>
<p><br>
</p>
<p><br>
</p>
<p>access.log<br>
</p>
<p><br>
1551740163.106 0 192.168.10.116 TCP_MISS/500 4776 GET
<a class="moz-txt-link-freetext" href="http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-to-listen-to-HTTPS-td4682393.html">http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-to-listen-to-HTTPS-td4682393.html</a>
- HIER_NONE/- text/html<br>
1551740163.173 0 192.168.10.116 TCP_IMS_HIT/304 294 GET
<a class="moz-txt-link-freetext" href="http://backup:3128/squid-internal-static/icons/SN.png">http://backup:3128/squid-internal-static/icons/SN.png</a> -
HIER_NONE/- image/png<br>
</p>
<p>backup is the host where squid is running on</p>
<p><br>
</p>
<p>the webpage shown in the browser says: <b>Unable to forward this
request at this time.</b></p>
<p><br>
</p>
<p>cache.log</p>
<p>2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(179) lookup:
id=0x5559d1923114 query ARP table<br>
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(224) lookup:
id=0x5559d1923114 query ARP on each interface (160 found)<br>
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(230) lookup:
id=0x5559d1923114 found interface lo<br>
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(230) lookup:
id=0x5559d1923114 found interface eth0<br>
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(239) lookup:
id=0x5559d1923114 looking up ARP address for 192.168.10.116 on
eth0<br>
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(275) lookup:
id=0x5559d1923114 got address a4:34:d9:ea:b3:34 on eth0<br>
2019/03/05 00:08:30.319 kid1| 28,3| Checklist.cc(70) preCheck:
0x5559d14e2f78 checking slow rules<br>
2019/03/05 00:08:30.319 kid1| 28,5| Acl.cc(124) matches: checking
(ssl_bump rules)<br>
2019/03/05 00:08:30.320 kid1| 28,5| Checklist.cc(397)
bannedAction: Action 'ALLOWED/3' is not banned<br>
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking
(ssl_bump rule)<br>
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking
step1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked:
step1 = 1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked:
(ssl_bump rule) = 1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked:
(ssl_bump rules) = 1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(63) markFinished:
0x5559d14e2f78 answer ALLOWED for match<br>
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(163)
checkCallback: ACLChecklist::checkCallback: 0x5559d14e2f78
answer=ALLOWED<br>
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(70) preCheck:
0x5559d19279a8 checking slow rules<br>
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking
http_access<br>
2019/03/05 00:08:30.320 kid1| 28,5| Checklist.cc(397)
bannedAction: Action 'ALLOWED/0' is not banned<br>
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking
http_access#1<br>
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking
localnet<br>
2019/03/05 00:08:30.320 kid1| 28,9| Ip.cc(96)
aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare:
192.168.10.116:45900/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
(192.168.10.0:45900) vs
192.168.10.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]<br>
2019/03/05 00:08:30.320 kid1| 28,3| Ip.cc(538) match:
aclIpMatchIp: '192.168.10.116:45900' found<br>
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked:
localnet = 1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked:
http_access#1 = 1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked:
http_access = 1<br>
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(63) markFinished:
0x5559d19279a8 answer ALLOWED for match<br>
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(163)
checkCallback: ACLChecklist::checkCallback: 0x5559d19279a8
answer=ALLOWED<br>
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff85d5a130<br>
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197)
~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed
0x7fff85d5a130<br>
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff85d5a130<br>
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197)
~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed
0x7fff85d5a130<br>
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x5559d19279a8<br>
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197)
~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed
0x5559d19279a8<br>
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x5559d14e2f78<br>
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197)
~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed
0x5559d14e2f78<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>current squid config:</p>
<p>#icap<br>
icap_enable off<br>
icap_preview_enable off<br>
icap_send_client_ip on<br>
icap_send_client_username on<br>
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/request<br>
adaptation_access service_req allow all <br>
icap_service service_resp respmod_precache bypass=0
icap://127.0.0.1:1344/response<br>
adaptation_access service_resp allow all<br>
acl localnet src 192.168.10.0/24<br>
acl CONNECT method CONNECT<br>
http_access allow localnet<br>
coredump_dir /var/spool/squid<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
http_port 3128 accel ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem<br>
https_port 3129 ssl-bump intercept generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem<br>
sslcrtd_program /usr/lib/squid/security_file_certgen -s
/var/lib/ssl_db -M 4MB<br>
acl step1 at_step SslBump1<br>
<br>
ssl_bump peek step1<br>
ssl_bump bump all<br>
<br>
forwarded_for transparent<br>
<br>
</p>
<p><br>
</p>
<p>any ideas whats wrong?<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 03.03.19 11:11, Marcus Kool wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f132eb9f-e448-ebef-e1dc-b27359a23d6c@urlfilterdb.com">Squid
is an ICAP client, not an ICAP server!, and does not repond on
port 1344.
<br>
Marcus
<br>
<br>
<br>
On 02/03/2019 22:29, steven wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
<br>
i would like todo modifications on https connections and
therefore enabled ssl bump in squid 4.4, now i would like to see
the real traffic and icap looks like a way to watch and change
that traffic.
<br>
<br>
but squid is not answering to icap://127.0.0.1:1344 when using
pyicap or telnet.
<br>
<br>
the telnet error is:
<br>
<br>
telnet 127.0.0.1 1344
<br>
Trying 127.0.0.1...
<br>
telnet: Unable to connect to remote host: Connection refused
<br>
<br>
which is imho good because it tells me that something is
answering on that port after all.
<br>
<br>
did i misconfigure something?
<br>
<br>
<br>
<br>
config:
<br>
<br>
debug_options 28,9
<br>
#icap
<br>
icap_enable on
<br>
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/reqmod
<br>
adaptation_access service_req allow all
<br>
icap_service service_resp respmod_precache bypass=0
icap://127.0.0.1:1344/respmod
<br>
adaptation_access service_resp allow all
<br>
acl localnet src 127.0.0.1/32 192.168.10.0/24
<br>
http_access allow localnet
<br>
acl SSL_ports port 443
<br>
acl CONNECT method CONNECT
<br>
#http_access deny !Safe_ports
<br>
#http_access deny CONNECT !SSL_ports
<br>
http_access allow localhost manager
<br>
http_access deny manager
<br>
include /etc/squid/conf.d/*
<br>
http_access allow localhost
<br>
coredump_dir /var/spool/squid
<br>
refresh_pattern ^ftp: 1440 20% 10080
<br>
refresh_pattern ^gopher: 1440 0% 1440
<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
<br>
refresh_pattern . 0 20% 4320
<br>
# default end
<br>
# my config
<br>
http_port 3128 accel ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
<br>
https_port 3129 ssl-bump intercept generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
<br>
sslcrtd_program /usr/lib/squid/security_file_certgen -s
/var/lib/ssl_db -M 4MB
<br>
acl step1 at_step SslBump1
<br>
<br>
ssl_bump peek step1
<br>
ssl_bump bump all
<br>
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
</body>
</html>