[squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)
C. L. Martinez
carlopmart at gmail.com
Thu May 12 08:42:39 UTC 2016
On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
>
> 11.05.16 21:04, L.P.H. van Belle wrote:
> >
> > Hai,
> >
> >
> >
> > I reviewed your config. Things that are different in c-icap.conf compared to mine:
> >
> Obviously, mindlessly copying and pasting the config is very bad
> practice, isn't it?
> >
> > RemoteProxyUsers off ( for you ) on for me.
> >
> # TAG: RemoteProxyUsers
> # Format: RemoteProxyUsers on|off
> # Description:
> # Set it to on if you want to use username provided by the proxy server.
> # This is the recommended way to use users in c-icap.
> # If the RemoteProxyUsers is off and c-icap configured to use users or
> # groups the internal authentication mechanism will be used.
> # Default:
> # RemoteProxyUsers off
> RemoteProxyUsers off
>
> This depends on the proxy configuration, and is irrelevant to the current case.
> >
> >
> >
> > What's the content of /etc/c-icap/squidclamav.conf ?
> >
> > The important part for me of the file :
> >
> > #clamd_local /var/run/clamd.socket ! change/check this
> >
> This is OS-dependent, obviously.
> >
> > clamd_ip 127.0.0.1
> >
> > clamd_port 3310
> >
> >
> >
> > If you use socket make sure your rights are correct and icap is added to the clamav group.
> >
> Wrong. Squid group, not clamav.
> >
> >
> >
> >
> >
> > And my c-icap part of the squid.conf
> >
> > ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
> >
> > icap_enable on
> >
> > icap_send_client_ip on
> >
> > icap_send_client_username on
> >
> > icap_client_username_header X-Authenticated-User
> >
> > icap_persistent_connections on
> >
> > icap_preview_enable on
> >
> > icap_preview_size 1024
> >
> > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> >
> > adaptation_access service_req allow all
> >
> > icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> >
> > adaptation_access service_resp allow all
> >
> >
> >
> > I think you changed too much in the example.
> >
> >
> >
> > I'm referring to these in the squid.conf
> >
> > > adaptation_access service_avi_resp allow all
> >
> > service_avi_resp?
> >
> >
> >
> Complete squid.conf fragment:
>
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_resp allow all
>
> Please, PLEASE, do not make recommendations when you do not understand what
> the config lines mean!
>
Ok, problem is solved. Seems there is some problem between squid and my unbound DNS server. Changing the following lines:
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
to:
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
all works as expected. As you can see I have changed "localhost" for "127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and OpenBSD resolves correctly, but under unbound's config I have enabled "do-not-query-localhost: no" because unbound is configured to work with dnscrypt-proxy service...
I am not sure about this, but it is the only answer that explains this problem ... or it is a bug (but I don't think so).
What do you think??
--
Greetings,
C. L. Martinez
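
Added example, not code from anyone in the thread: a Python check over squid.conf text that reports, for each icap_service line, whether the URI host needs a name lookup and whether bypass makes the service optional. With bypass=on (or 1) Squid skips a service it cannot reach instead of failing the transaction, so a response-scanning service that is both looked up by name and optional can stop scanning without any visible error. The function names and the `silent_gap` label are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the ICAP lines quoted in the thread, before the change.
SAMPLE_CONF = """\
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all
"""


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal, so no name lookup is involved."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_icap_services(conf_text):
    """Return one finding per icap_service line found in squid.conf text."""
    findings = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 4 or tokens[0] != "icap_service":
            continue
        name, point, rest = tokens[1], tokens[2], tokens[3:]
        # Options may precede or follow the URI; both orders appear in the thread.
        uri = next((t for t in rest if t.startswith(("icap://", "icaps://"))), None)
        if uri is None:
            continue
        host = urlsplit(uri).hostname or ""
        opts = dict(t.split("=", 1) for t in rest if t != uri and "=" in t)
        fail_open = opts.get("bypass", "off").lower() in ("on", "1")
        by_name = not is_ip_literal(host)
        findings.append({
            "service": name, "point": point, "host": host,
            "resolver_dependent": by_name,   # needs a name lookup to reach the service
            "fail_open": fail_open,          # bypass=on/1: Squid skips the service on error
            "silent_gap": by_name and fail_open,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_icap_services(SAMPLE_CONF):
        print(finding)
```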