[squid-users] squid does not send cached object to an icap-server

Stefan Kügler squid-users at sernet.de
Tue May 5 11:45:07 UTC 2015


Hi Yuri.

On 05.05.2015 at 12:51, Yuri Voinov wrote:
> This is not squid issue but your AV engine library or ICAP intermediate
> AV library configuration.

Thank you for your answer.

Can you explain to me in a little bit more detail why this is not a squid issue?

In the icap-logfile, I can see a REQMOD-request _AND_ a RESPMOD-request 
to the icap-server if the object is not in cache.

But - if the object is in cache - I can only see a REQMOD-request to the 
icap-server. I am missing RESPMOD.

It seems to me that it is a decision of the client (squid) which 
request (REQMOD or RESPMOD) will be sent to the icap-server (AV-scanner) 
- and not a decision of the av-library.

Regards, Stefan

>
> 05.05.15 16:43, Stefan Kügler wrote:
>> Hello.
>>
>>
>> I have a short question using squid as an ICAP-client.
>>
>>
>> It seems that squid doesn't send an already downloaded (and cached)
>> object to an ICAP-server.
>>
>> Here is a short description of what I have done:
>>
>> 1. downloading a word-document with a macro-virus. The Virus-scanner
>> (ICAP-server) uses an old pattern-file and does not detect the virus.
>>
>> The object is now in cache.
>>
>> 2. updating the virus-scanner to the newest pattern-file. The
>> virus-scanner will now detect the macro virus.
>>
>> 3. downloading the same word-document. The object has been delivered
>> to the client without a new virus scan.
>>
>>
>>
>> And now some log-entries:
>>
>> 1. First download of the word document:
>>
>> access.log:
>> 2015-05-05 12:23:52    144 192.168.2.54 TCP_MISS/200 553301 GET
>> http://www.intern/virus.doc - HIER_DIRECT/193.175.80.229
>> application/msword
>>
>> icap.log:
>> 2015-05-05 12:23:52      5 192.168.2.54 ICAP_ECHO/204 135 REQMOD
>> icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
>> 2015-05-05 12:23:52    130 192.168.2.54 ICAP_MOD/200 553897 RESPMOD
>> icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
>>
>> AV-Scanner:
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Starting
>> ICAP request decoding
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Request
>> message decoded in 1 chunks
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Finished
>> ICAP request decoding
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Starting
>> ICAP request processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Starting
>> service processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: REQMOD
>> processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Resource at
>> <GET http://www.intern/virus.doc HTTP/1.1> has no body to be scanned
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Finished
>> service processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: The request
>> for URI 'http://www.intern/virus.doc' was allowed (Reason: 'Clean'.
>> Details: '')
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Create
>> response headers type: CLEAN 204
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Send headers
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Finished
>> ICAP request processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO: Core library
>> session cleared
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D1AF700] INFO: Connection
>> closed by foreign host while waiting for requests
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24D1AF700] INFO: Core library
>> session cleared
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>> ICAP request decoding
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Request
>> message decoded in 259 chunks
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Finished
>> ICAP request decoding
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>> ICAP request processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>> service processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: RESPMOD
>> processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>> virus scanning for resource at: <GET http://www.intern/virus.doc
>> HTTP/1.1>
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Starting
>> virus scanning for resource at: <GET http://www.intern/virus.doc
>> HTTP/1.1>
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
>> [service_scanner]File 'virus.doc' content is stored in
>> '/var/spool/avira-icap/icap-tmp.6baFv3'
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Finished
>> service processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: The request
>> for URI 'http://www.intern/virus.doc' was allowed (Reason: 'Clean'.
>> Details: '')
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Create
>> response headers type: CLEAN
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Adding HTTP
>> headers for response type: CLEAN
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Send headers
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Send the
>> original body (552960 bytes)
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Finished
>> ICAP request processing
>> May  5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO: Core library
>> session cleared
>>
>>
>>
>>
>>
>> 2. Second download of the word document (after the pattern-update):
>>
>> access.log:
>> 2015-05-05 12:27:43     35 192.168.2.54 TCP_MEM_HIT/200 553309 GET
>> http://www.intern/virus.doc - HIER_NONE/- application/msword
>>
>> icap.log:
>> 2015-05-05 12:27:43      2 192.168.2.54 ICAP_ECHO/204 135 REQMOD
>> icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
>>
>> AV-Scanner:
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Starting
>> ICAP request decoding
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Request
>> message decoded in 1 chunks
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Finished
>> ICAP request decoding
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Starting
>> ICAP request processing
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Starting
>> service processing
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: REQMOD
>> processing
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Resource at
>> <GET http://www.intern/virus.doc HTTP/1.1> has no body to be scanned
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Finished
>> service processing
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: The request
>> for URI 'http://www.intern/virus.doc' was allowed (Reason: 'Clean'.
>> Details: '')
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Create
>> response headers type: CLEAN 204
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Send headers
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Finished
>> ICAP request processing
>> May  5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO: Core library
>> session cleared
>>
>>
>> And now my question: Is this a bug in squid - or is it possible to
>> tell squid to send already cached object to the icap-server?
>>
>> Kind regards,
>>
>> Stefan Kuegler
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
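
Added example, not part of the original message or of Squid: a small Python check that correlates the access.log and icap.log entries quoted in this thread and reports every response served from cache for which no RESPMOD was logged. It assumes the two logformats shown above and matches entries by timestamp and client address, which is an assumption that only holds on a lightly loaded proxy; the function names are hypothetical.

```python
from collections import defaultdict

# Log lines taken from the excerpts quoted in this thread, with the
# e-mail line wrapping undone.
ACCESS_LOG = """\
2015-05-05 12:23:52    144 192.168.2.54 TCP_MISS/200 553301 GET http://www.intern/virus.doc - HIER_DIRECT/193.175.80.229 application/msword
2015-05-05 12:27:43     35 192.168.2.54 TCP_MEM_HIT/200 553309 GET http://www.intern/virus.doc - HIER_NONE/- application/msword
"""
ICAP_LOG = """\
2015-05-05 12:23:52      5 192.168.2.54 ICAP_ECHO/204 135 REQMOD icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
2015-05-05 12:23:52    130 192.168.2.54 ICAP_MOD/200 553897 RESPMOD icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
2015-05-05 12:27:43      2 192.168.2.54 ICAP_ECHO/204 135 REQMOD icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
"""

def icap_methods_by_transaction(icap_log):
    """Map (date, time, client) -> set of ICAP methods logged for it."""
    seen = defaultdict(set)
    for line in icap_log.splitlines():
        f = line.split()
        if len(f) >= 7:  # field 7 is the ICAP method (REQMOD/RESPMOD)
            seen[(f[0], f[1], f[3])].add(f[6])
    return seen

def unscanned_hits(access_log, icap_log):
    """Return cache hits from access.log that have no RESPMOD in icap.log."""
    methods = icap_methods_by_transaction(icap_log)
    findings = []
    for line in access_log.splitlines():
        f = line.split()
        if len(f) < 8:
            continue  # skip blank or truncated lines
        date, time, _elapsed, client, status, size, _method, url = f[:8]
        squid_code = status.split("/")[0]  # e.g. TCP_MISS, TCP_MEM_HIT
        scanned = "RESPMOD" in methods.get((date, time, client), set())
        if "HIT" in squid_code and not scanned:
            findings.append({"when": f"{date} {time}", "client": client,
                             "code": squid_code, "url": url,
                             "bytes": int(size)})
    return findings

if __name__ == "__main__":
    for hit in unscanned_hits(ACCESS_LOG, ICAP_LOG):
        print("served from cache without RESPMOD scan:", hit)
```

On the two downloads described in the thread, only the second one (TCP_MEM_HIT at 12:27:43) is reported; the first went through RESPMOD.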

