[squid-users] tcp_outgoing_address and ICAP server

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 24 12:15:24 UTC 2015


On 22/01/2015 10:11 a.m., Marcus Kool wrote:
> I am using Squid 3.4.9 and have an issue with tcp_outgoing_address.
> 
> The Squid server is connected to the internet with multiple NICs and uses
>    tcp_outgoing_address a.public.IP.address
> 
> and also want to use an ICAP server on the same host using
> 
> icap_service reqmod_urlfilterdb reqmod_precache icap://a.local.ip.address:1344/reqmod_icapd bypass=off routing=on on-overload=wait ipv6=off
> 
> It seems that Squid binds the connection to the ICAP server the same way
> it binds connections to webservers using the rule with tcp_outgoing_address
> and that is not desired nor workable.
> 
> I tried
> 
> acl myicaphost dst a.local.ip.address
> tcp_outgoing_address a.public.IP.address !myicaphost
> 
> but Squid issues the following errors:
> 2015/01/21 21:58:32 kid1| WARNING: myicaphost ACL is used in context without an HTTP request. Assuming mismatch.
> 2015/01/21 21:58:32 kid1| commBind: Cannot bind socket FD 10 to XX.XX.XX.XX: (99) Cannot assign requested address
> 2015/01/21 21:58:32 kid1| essential ICAP service is down after an options fetch failure: icap://XX.XX.XX.XX:1344/reqmod_icapd [down,!opt]
> 
> So the question is how to send web traffic over a specific NIC and
> traffic to the ICAP server over another (default?) NIC?


Please try the attached patch against Squid-3.4. It should make your
config work.

Amos
-------------- next part --------------
=== modified file 'src/acl/DestinationIp.cc'
--- src/acl/DestinationIp.cc	2013-05-13 23:32:23 +0000
+++ src/acl/DestinationIp.cc	2015-01-24 12:08:45 +0000
@@ -35,40 +35,44 @@
 #include "acl/DestinationIp.h"
 #include "acl/FilledChecklist.h"
 #include "client_side.h"
 #include "comm/Connection.h"
 #include "HttpRequest.h"
 #include "SquidConfig.h"
 
 ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
 
 char const *
 ACLDestinationIP::typeString() const
 {
     return "dst";
 }
 
 int
 ACLDestinationIP::match(ACLChecklist *cl)
 {
     ACLFilledChecklist *checklist = Filled(cl);
 
+    // if there is no HTTP request details fallback to the dst_addr
+    if (!checklist->request)
+        return ACLIP::match(checklist->dst_addr);
+
     // Bug 3243: CVE 2009-0801
     // Bypass of browser same-origin access control in intercepted communication
     // To resolve this we will force DIRECT and only to the original client destination.
     // In which case, we also need this ACL to accurately match the destination
     if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
         assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
         return ACLIP::match(checklist->conn()->clientConnection->local);
     }
 
     if (flags.isSet(ACL_F_NO_LOOKUP)) {
         if (!checklist->request->GetHostIsNumeric()) {
             debugs(28, 3, "aclMatchAcl:  No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
             return 0;
         }
 
         if (ACLIP::match(checklist->request->host_addr))
             return 1;
         return 0;
     }
 

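Review bot: the new early return at the top of ACLDestinationIP::match() skips both the CVE 2009-0801 passthru branch and the ACL_F_NO_LOOKUP branch whenever checklist->request is NULL, which is only correct if every caller that builds a checklist without a request also fills in dst_addr; a checklist with an unset dst_addr now yields a silent match or mismatch against an empty address where the reporter previously saw the "Assuming mismatch" warning. Suggest adding a debugs(28, 3, ...) line inside the fallback so the no-request path is visible when diagnosing tcp_outgoing_address selection, plus a comment stating that dst_addr is expected to be populated by the caller (the ICAP connection code in this case). Minor: the comment should read "if there are no HTTP request details, fall back to dst_addr".
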
=== modified file 'src/acl/DestinationIp.h'
--- src/acl/DestinationIp.h	2013-01-27 17:35:07 +0000
+++ src/acl/DestinationIp.h	2015-01-24 12:09:01 +0000
@@ -41,33 +41,32 @@
 {
 
 public:
     static DestinationIPLookup *Instance();
     virtual void checkForAsync(ACLChecklist *)const;
 
 private:
     static DestinationIPLookup instance_;
     static IPH LookupDone;
 };
 
 class ACLDestinationIP : public ACLIP
 {
 
 public:
     MEMPROXY_CLASS(ACLDestinationIP);
 
     ACLDestinationIP(): ACLIP(ACLDestinationIP::SupportedFlags) {}
     virtual char const *typeString() const;
     virtual int match(ACLChecklist *checklist);
-    virtual bool requiresRequest() const {return true;}
 
     virtual ACL *clone()const;
 
     static ACLFlag SupportedFlags[];
 private:
     static Prototype RegistryProtoype;
     static ACLDestinationIP RegistryEntry_;
 };
 
 MEMPROXY_CLASS_INLINE(ACLDestinationIP);
 
 #endif /* SQUID_ACLDESTINATIONIP_H */
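
Review bot: removing the requiresRequest() override widens the change beyond tcp_outgoing_address: every context that evaluates a dst ACL without an HTTP request now gets a real match against dst_addr instead of the "Assuming mismatch" result shown in the reporter's cache.log, and the ACLIP default for requiresRequest() now applies. A one-line comment next to match() in the class body, noting that match() tolerates a NULL request, would stop a future reader from reinstating the override; it is also worth confirming that no other caller relied on the old forced-mismatch behaviour for safety before this is merged.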


