[squid-users] ICAP question

Alex Rousskov rousskov at measurement-factory.com
Sun Oct 9 18:43:23 UTC 2016


On 10/09/2016 11:02 AM, James Lay wrote:

> WARNING: Squid is configured to use ICAP method REQMOD for service
> icap://localhost:1344/srv_cfg_filter but OPTIONS response declares the
> methods are RESPMOD

If your srv_content_filtering.so service does not need to see HTTP
requests, then you can remove srv_cfg_filter_req from your Squid
configuration.

If your srv_content_filtering.so service needs to see both HTTP requests
and responses, then you have two options, in no particular order:

A) Tell c-icap and/or srv_content_filtering.so to send a "Methods:
REQMOD,RESPMOD" ICAP response header field in the OPTIONS response. Sorry, I
do not know how to do that in c-icap and even whether that is actually
possible with that software. Please note that using one service URI for
two modes is not uncommon in the ICAP world, but violates the following
ICAP RFC 3507 MUST:

  Each service should have a distinct URI
  and support only one method in addition to OPTIONS

B) Use different ICAP service URIs for different services (REQMOD and
RESPMOD) and configure each service appropriately on both the Squid and
c-icap sides. This is what RFC 3507 wants you to do. For example, some
ICAP servers and services would allow you to use these URIs:

  * for REQMOD: icap://localhost:1344/srv_cfg_filter?mode=REQMOD
  * for RESPMOD: icap://localhost:1344/srv_cfg_filter?mode=RESPMOD


IIRC, Squid will try to use your service in both modes despite that
WARNING. However, I do not know whether c-icap and that service itself
will be happy about receiving REQMOD requests.


HTH,

Alex.



> Here's the icap snippet from squid.conf:
> 
> icap_enable on
> icap_send_client_ip on
> icap_persistent_connections on
> icap_service srv_cfg_filter_req reqmod_precache icap://localhost:1344/srv_cfg_filter bypass=on
> adaptation_access srv_cfg_filter_req allow all
> icap_service srv_cfg_filter_resp respmod_precache icap://localhost:1344/srv_cfg_filter bypass=off
> adaptation_access srv_cfg_filter_resp allow all
> 
> interesting c-icap.conf bits:
> 
> ModulesDir /opt/icap/lib/c_icap
> ServicesDir /opt/icap/lib/c_icap
> acl localhost src 127.0.0.1/255.255.255.255
> acl PERMIT_REQUESTS type REQMOD RESPMOD
> icap_access allow localhost PERMIT_REQUESTS
> icap_access deny all
> Include srv_content_filtering.conf
> 
> lastly, srv_content_filtering.conf:
> 
> Service srv_cfg_filter srv_content_filtering.so
> srv_content_filtering.Match default body /(test)/ig score=5
> LogFormat mySrvContentFiltering "%tl, %>a %im %is %huo  [Scores: %{srv_content_filtering:scores}Sa] [ActionFilter: %{srv_content_filtering:action_filter}Sa] [Action: %{srv_content_filtering:action}Sa]"
> 
> not sure why I can't seem to get this to fly...any assistance would be
> appreciated...thank you.
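
The check behind the WARNING discussed in this message, as an added example (not part of the original e-mail and not Squid or c-icap code): it compares the method implied by each icap_service line with the Methods header of the service's OPTIONS reply. The OPTIONS reply is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed OPTIONS reply for a service that declares only RESPMOD.
SAMPLE_OPTIONS = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    "ISTag: \"sample-1\"\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)

# The two icap_service lines from the quoted squid.conf, unwrapped.
SAMPLE_SQUID_CONF = """\
icap_service srv_cfg_filter_req reqmod_precache icap://localhost:1344/srv_cfg_filter bypass=on
icap_service srv_cfg_filter_resp respmod_precache icap://localhost:1344/srv_cfg_filter bypass=off
"""

def declared_methods(options_reply):
    """Return the set of methods in the Methods header of an OPTIONS reply."""
    lines = options_reply.split("\r\n\r\n", 1)[0].split("\r\n")
    if not re.match(r"ICAP/1\.0 200\b", lines[0]):
        raise ValueError("not a successful ICAP OPTIONS reply: %r" % lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "methods":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()

def configured_services(squid_conf):
    """Yield (name, method, uri) for each icap_service line."""
    for line in squid_conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "icap_service":
            # reqmod_precache -> REQMOD, respmod_precache -> RESPMOD
            yield parts[1], parts[2].split("_", 1)[0].upper(), parts[3]

def mismatches(squid_conf, options_by_uri):
    """List services whose configured method the OPTIONS reply does not declare."""
    out = []
    for name, method, uri in configured_services(squid_conf):
        declared = declared_methods(options_by_uri[uri])
        if method not in declared:
            out.append((name, method, sorted(declared)))
    return out

if __name__ == "__main__":
    replies = {"icap://localhost:1344/srv_cfg_filter": SAMPLE_OPTIONS}
    for name, method, declared in mismatches(SAMPLE_SQUID_CONF, replies):
        print("%s: configured %s, service declares %s" % (name, method, declared))
```

With the sample reply, only srv_cfg_filter_req is flagged, matching the WARNING quoted at the top of the message.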


