[squid-users] icap not answering

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 5 05:13:31 UTC 2019


On 5/03/19 12:10 pm, steven wrote:
> Ah thank you for that clarification, the python icap servers I tested so
> far are not very promising but at least there's a connection now.
> 
> sadly squid does not allow http access at all, only https access.
> 

Er, that would be because the only http_port you have is configured with
'accel' - making it a reverse-proxy port. But you do not have any
cache_peer configured to handle that type of traffic.


So, is there any particular reason you have that port receiving 'accel'
/ reverse-proxy mode traffic?
If not, remove that mode flag and things should all work for HTTP too.


> 
> access.log
> 
> 
> 1551740163.106      0 192.168.10.116 TCP_MISS/500 4776 GET
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-to-listen-to-HTTPS-td4682393.html
> - HIER_NONE/- text/html

> 1551740163.173      0 192.168.10.116 TCP_IMS_HIT/304 294 GET
> http://backup:3128/squid-internal-static/icons/SN.png - HIER_NONE/-
> image/png
> 

That is part of the 500 error page being delivered.

Since you are running a reverse-proxy, the Squid visible host name
really should be a FQDN so visitors can resolve the URLs of content
provided by Squid.


> backup is the host that squid is running on
> 
> 
> the webpage shown in the browser says: *Unable to forward this request
> at this time.*
> 
> 
> cache.log
> 

The log section provided shows only the first http_access and ssl_bump
rules deciding to allow the client to contact the proxy so it can peek
at the TLS client handshake.


> current squid config:
> 
> #icap
> icap_enable off
> icap_preview_enable off
> icap_send_client_ip on
> icap_send_client_username on
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
> adaptation_access service_resp allow all
> acl localnet src 192.168.10.0/24
> acl CONNECT method CONNECT

NP: the CONNECT ACL should be a built-in now. No need for the line above :-)


> http_access allow localnet
...
> http_port 3128 accel ssl-bump generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem



HTH
Amos
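
A configuration check for the mismatch described in the reply above (an http_port in 'accel' mode with no cache_peer to receive that traffic), as an added example that is not part of the original message or of Squid itself. The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample, modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
acl localnet src 192.168.10.0/24
http_access allow localnet
http_port 3128 accel ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
"""


def logical_lines(text):
    """Yield (first_line_number, tokens) per directive.

    Full-line comments and blank lines are dropped, and lines ending in a
    backslash are joined with the line that follows them.
    """
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            yield start, stripped.split()
        buf, start = "", None


def accel_ports_without_peer(text):
    """Return [(line_number, port_spec)] for accel-mode listening ports
    when the configuration defines no cache_peer at all."""
    ports, has_peer = [], False
    for lineno, tok in logical_lines(text):
        if tok[0] == "cache_peer":
            has_peer = True
        elif tok[0] in ("http_port", "https_port") and "accel" in tok[2:]:
            ports.append((lineno, tok[1]))
    return [] if has_peer else ports


if __name__ == "__main__":
    for lineno, port in accel_ports_without_peer(SAMPLE_CONF):
        print(f"line {lineno}: port {port} is in accel mode but no cache_peer is defined")
```
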

