[squid-users] icap not answering
Amos Jeffries
squid3 at treenet.co.nz
Tue Mar 5 05:13:31 UTC 2019
On 5/03/19 12:10 pm, steven wrote:
> Ah thank you for that clarification, the python icap servers I tested so
> far are not very promising but at least there's a connection now.
>
> sadly squid does not allow http access at all, only https access.
>
Er, that would be because the only http_port you have is configured with
'accel' - making it a reverse-proxy port. But you do not have any
cache_peer configured to handle that type of traffic.
So, is there any particular reason you have that port receiving 'accel'
/ reverse-proxy mode traffic?
If not, remove that mode flag and things should all work for HTTP too.
>
> access.log
>
>
> 1551740163.106 0 192.168.10.116 TCP_MISS/500 4776 GET http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-to-listen-to-HTTPS-td4682393.html - HIER_NONE/- text/html
> 1551740163.173 0 192.168.10.116 TCP_IMS_HIT/304 294 GET http://backup:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
>
That is part of the 500 error page being delivered.
Since you are running a reverse-proxy, the Squid visible host name
really should be a FQDN so visitors can resolve the URLs of content
provided by Squid.
> backup is the host squid is running on
>
>
> the webpage shown in the browser says: *Unable to forward this request
> at this time.*
>
>
> cache.log
>
The log section provided shows only the first http_access and ssl_bump
rules deciding to allow the client to contact the proxy so it can peek
at the TLS client handshake.
> current squid config:
>
> #icap
> icap_enable off
> icap_preview_enable off
> icap_send_client_ip on
> icap_send_client_username on
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
> adaptation_access service_resp allow all
> acl localnet src 192.168.10.0/24
> acl CONNECT method CONNECT
NP: the CONNECT ACL should be a built-in now. No need for the line above :-)
> http_access allow localnet
...
> http_port 3128 accel ssl-bump generate-host-certificates=on \
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
HTH
Amos
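
An added example, not part of the reply above or of the Squid project: a small Python check for the condition this message describes, an http_port in 'accel' mode while the configuration has no cache_peer to forward that traffic to. The function names and the sample configuration (constructed from the lines quoted in the thread) are assumptions.

```python
# Added example: flag Squid listening ports in 'accel' (reverse-proxy) mode
# when the configuration defines no cache_peer to receive that traffic.

# Constructed sample, based on the configuration quoted in this thread.
SAMPLE_CONF = """\
# constructed sample
acl localnet src 192.168.10.0/24
http_access allow localnet
http_port 3128 accel ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
"""


def logical_lines(text):
    """Yield (first_line_number, tokens) per directive, joining '\\' continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue  # blank line or comment outside a directive
            start = num
        if line.endswith("\\"):
            buf += line[:-1] + " "  # directive continues on the next line
            continue
        buf += line
        yield start, buf.split()
        buf, start = "", None
    if buf.strip():  # file ended in the middle of a continued directive
        yield start, buf.split()


def accel_ports_without_peer(text):
    """Return [(line_number, port_spec)] for accel ports when no cache_peer exists."""
    accel, has_peer = [], False
    for num, tokens in logical_lines(text):
        directive, args = tokens[0], tokens[1:]
        if directive == "cache_peer":
            has_peer = True
        elif directive in ("http_port", "https_port") and "accel" in args[1:]:
            accel.append((num, args[0]))
    return [] if has_peer else accel


if __name__ == "__main__":
    for num, port in accel_ports_without_peer(SAMPLE_CONF):
        print(f"line {num}: port {port} is in accel mode but no cache_peer is defined")
```
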