Re: [squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)
On 12/05/2016 11:13 p.m., C. L. Martinez wrote:
>
> But when squid sends an OPTIONS request to ICAP, why works when I use
> 127.0.0.1 and not localhost?? Maybe it is a problem with openbsd's package ...
>

It is quite possible. 127.0.0.1 is not the only address modern computers
use for localhost. Double check what your hosts file contains.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
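Added example (not part of the original post, and not Squid or c-icap code): one way to act on the advice above is to list every address the hosts file maps to localhost and send the same ICAP OPTIONS request to each one. Port 1344 and the squidclamav service name come from the squid.conf quoted in this thread; the function names and the sample hosts text are constructed for illustration.

```python
import socket

# Constructed sample: a hosts file mapping "localhost" to both loopback families.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 10.0.0.5  localhost   (commented out, must be ignored)
192.0.2.10  proxy.example.test
"""

def hosts_addresses(hosts_text, name="localhost"):
    """Return every address the hosts file maps to `name`, in file order."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            if fields[0] not in found:
                found.append(fields[0])
    return found

def options_request(addr, port=1344, service="squidclamav"):
    """Build an ICAP OPTIONS request (RFC 3507) for one literal address."""
    host = f"[{addr}]" if ":" in addr else addr     # IPv6 literals need brackets
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")

def icap_status(response):
    """Extract the numeric status from an ICAP status line, or None."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"ICAP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def probe(addr, port=1344, service="squidclamav", timeout=3.0):
    """Send OPTIONS to one address; return the ICAP status or an error string."""
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(options_request(addr, port, service))
            return icap_status(s.recv(4096))
    except OSError as exc:
        return f"unreachable: {exc}"

if __name__ == "__main__":
    # Assumption: the hosts file lives at /etc/hosts, as in the thread.
    with open("/etc/hosts") as fh:
        for addr in hosts_addresses(fh.read()):
            print(addr, "->", probe(addr))
```

An address that reports "unreachable" or yields no ICAP status is one where no ICAP service answered on that port.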
Re: [squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)
On Thu 12.May'16 at 22:20:47 +1200, Amos Jeffries wrote:
> On 12/05/2016 8:42 p.m., C. L. Martinez wrote:
> > On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
> >>
> >> 11.05.16 21:04, L.P.H. van Belle wrote:
> >>>
> >>> Hai,
> >>>
> >>> I reviewed your config, thing whats different in c-icap.conf compared to me.
> >>>
> >> Obviously, the mindless copying and pasting the config - very bad
> >> practice, is not it?
> >>>
> >>> RemoteProxyUsers off ( for you ) on for me.
> >>>
> >> # TAG: RemoteProxyUsers
> >> # Format: RemoteProxyUsers on|off
> >> # Description:
> >> #Set it to on if you want to use username provided by the proxy server.
> >> #This is the recomended way to use users in c-icap.
> >> #If the RemoteProxyUsers is off and c-icap configured to use users or
> >> #groups the internal authentication mechanism will be used.
> >> # Default:
> >> #RemoteProxyUsers off
> >> RemoteProxyUsers off
> >>
> >> This is depending proxy configuration. And irrelevant current case.
> >>>
> >>> Whats the content of /etc/c-icap/squidclamav.conf ?
> >>>
> >>> The important part for me of the file :
> >>>
> >>> #clamd_local /var/run/clamd.socket ! change/check this
> >>>
> >> This is OS-dependent, as obvious.
> >>>
> >>> clamd_ip 127.0.0.1
> >>> clamd_port 3310
> >>>
> >>> If you use socket make sure your rights are correct and icap is added to the clamav group.
> >>>
> >> Wrong. Squid group, not clamav.
> >>>
> >>> And my c-icap part of the squid.conf
> >>>
> >>> ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
> >>> icap_enable on
> >>> icap_send_client_ip on
> >>> icap_send_client_username on
> >>> icap_client_username_header X-Authenticated-User
> >>> icap_persistent_connections on
> >>> icap_preview_enable on
> >>> icap_preview_size 1024
> >>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> >>> adaptation_access service_req allow all
> >>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> >>> adaptation_access service_resp allow all
> >>>
> >>> I think you changed too much in the example.
> >>>
> >>> I'm referring to these in the squid.conf
> >>> > adaptation_access service_avi_resp allow all
> >>>
> >>> service_avi_resp?
> >>>
> >> Complete squid.conf fragment:
> >>
> >> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> >> adaptation_access service_avi_req allow all
> >> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> >> adaptation_access service_avi_resp allow all
> >>
> >> Please, PLEASE, do not make recommendation when you not understand what
> >> does config lines means!
> >>
> >
> > Ok, problem is solved. Seems there is some problem between squid and my
> > unbound DNS server. Changing the following lines:
> >
> > icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> > icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> >
> > to:
> >
> > icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> > icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
> >
> > all works as expected. As you can see I have changed "localhost" for
> > "127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and
> > OpenBSD resolves correctly, but under unbound's config I have enabled
> > "do-not-query-localhost: no" because unbound is configured to work with
> > dnscrypt-proxy service...
> >
> > I am not sure about this, but it is the only answer that explains this
> > problem ... or it is a bug (but I don't think so).
> >
> > What do you think??
> >
>
> I think that Squid told you it was sending an OPTIONS request to ICAP
> service, which failed. So it marked the service down. The service was
> not allowed to be bypassed (bypass=off), so cannot cope with being down.
>
> It is possible "localhost" had to be resolved to do that OPTIONS
> request. However, if as you say it already has an entry in your
> /etc/hosts file then Squid should have loaded that entry as a permanent
> record and never be looking it up in DNS.
>
> Amos

But when squid sends an OPTIONS request to ICAP, why works when I use
127.0.0.1 and not localhost?? Maybe it is a problem with openbsd's package ...

--
Greetings,
C. L. Martinez
Re: [squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)
Hm. Rare case. In general, any OS TCP stack can resolve localhost itself
to 127.0.0.1 with /etc/hosts or whatever.

12.05.16 14:42, C. L. Martinez wrote:
> On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
>>
>> 11.05.16 21:04, L.P.H. van Belle wrote:
>>>
>>> Hai,
>>>
>>> I reviewed your config, thing whats different in c-icap.conf compared to me.
>>>
>> Obviously, the mindless copying and pasting the config - very bad
>> practice, is not it?
>>>
>>> RemoteProxyUsers off ( for you ) on for me.
>>>
>> # TAG: RemoteProxyUsers
>> # Format: RemoteProxyUsers on|off
>> # Description:
>> #Set it to on if you want to use username provided by the proxy server.
>> #This is the recomended way to use users in c-icap.
>> #If the RemoteProxyUsers is off and c-icap configured to use users or
>> #groups the internal authentication mechanism will be used.
>> # Default:
>> #RemoteProxyUsers off
>> RemoteProxyUsers off
>>
>> This is depending proxy configuration. And irrelevant current case.
>>>
>>> Whats the content of /etc/c-icap/squidclamav.conf ?
>>>
>>> The important part for me of the file :
>>>
>>> #clamd_local /var/run/clamd.socket ! change/check this
>>>
>> This is OS-dependent, as obvious.
>>>
>>> clamd_ip 127.0.0.1
>>> clamd_port 3310
>>>
>>> If you use socket make sure your rights are correct and icap is added to the clamav group.
>>>
>> Wrong. Squid group, not clamav.
>>>
>>> And my c-icap part of the squid.conf
>>>
>>> ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_persistent_connections on
>>> icap_preview_enable on
>>> icap_preview_size 1024
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_req allow all
>>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_resp allow all
>>>
>>> I think you changed too much in the example.
>>>
>>> I'm referring to these in the squid.conf
>>> adaptation_access service_avi_resp allow all
>>>
>>> service_avi_resp?
>>>
>> Complete squid.conf fragment:
>>
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
>> adaptation_access service_avi_resp allow all
>>
>> Please, PLEASE, do not make recommendation when you not understand what
>> does config lines means!
>>
>
> Ok, problem is solved. Seems there is some problem between squid and my
> unbound DNS server. Changing the following lines:
>
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
>
> to:
>
> icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
>
> all works as expected. As you can see I have changed "localhost" for
> "127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and
> OpenBSD resolves correctly, but under unbound's config I have enabled
> "do-not-query-localhost: no" because unbound is configured to work with
> dnscrypt-proxy service...
>
> I am not sure about this, but it is the only answer that explains this
> problem ... or it is a bug (but I don't think so).
>
> What do you think??
>
Re: [squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)
On 12/05/2016 8:42 p.m., C. L. Martinez wrote:
> On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
>>
>> 11.05.16 21:04, L.P.H. van Belle wrote:
>>>
>>> Hai,
>>>
>>> I reviewed your config, thing whats different in c-icap.conf compared to me.
>>>
>> Obviously, the mindless copying and pasting the config - very bad
>> practice, is not it?
>>>
>>> RemoteProxyUsers off ( for you ) on for me.
>>>
>> # TAG: RemoteProxyUsers
>> # Format: RemoteProxyUsers on|off
>> # Description:
>> #Set it to on if you want to use username provided by the proxy server.
>> #This is the recomended way to use users in c-icap.
>> #If the RemoteProxyUsers is off and c-icap configured to use users or
>> #groups the internal authentication mechanism will be used.
>> # Default:
>> #RemoteProxyUsers off
>> RemoteProxyUsers off
>>
>> This is depending proxy configuration. And irrelevant current case.
>>>
>>> Whats the content of /etc/c-icap/squidclamav.conf ?
>>>
>>> The important part for me of the file :
>>>
>>> #clamd_local /var/run/clamd.socket ! change/check this
>>>
>> This is OS-dependent, as obvious.
>>>
>>> clamd_ip 127.0.0.1
>>> clamd_port 3310
>>>
>>> If you use socket make sure your rights are correct and icap is added to the clamav group.
>>>
>> Wrong. Squid group, not clamav.
>>>
>>> And my c-icap part of the squid.conf
>>>
>>> ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_persistent_connections on
>>> icap_preview_enable on
>>> icap_preview_size 1024
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_req allow all
>>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_resp allow all
>>>
>>> I think you changed too much in the example.
>>>
>>> I'm referring to these in the squid.conf
>>> adaptation_access service_avi_resp allow all
>>>
>>> service_avi_resp?
>>>
>> Complete squid.conf fragment:
>>
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
>> adaptation_access service_avi_resp allow all
>>
>> Please, PLEASE, do not make recommendation when you not understand what
>> does config lines means!
>>
>
> Ok, problem is solved. Seems there is some problem between squid and my
> unbound DNS server. Changing the following lines:
>
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
>
> to:
>
> icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
>
> all works as expected. As you can see I have changed "localhost" for
> "127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and OpenBSD
> resolves correctly, but under unbound's config I have enabled
> "do-not-query-localhost: no" because unbound is configured to work with
> dnscrypt-proxy service...
>
> I am not sure about this, but it is the only answer that explains this
> problem ... or it is a bug (but I don't think so).
>
> What do you think??
>

I think that Squid told you it was sending an OPTIONS request to ICAP
service, which failed. So it marked the service down. The service was
not allowed to be bypassed (bypass=off), so cannot cope with being down.

It is possible "localhost" had to be resolved to do that OPTIONS
request. However, if as you say it already has an entry in your
/etc/hosts file then Squid should have loaded that entry as a permanent
record and never be looking it up in DNS.

Amos
Re: [squid-users] Problems configuring Squid with C-ICAP+Squidclamav (SOLVED)
On Wed 11.May'16 at 21:14:08 +0600, Yuri Voinov wrote:
>
> 11.05.16 21:04, L.P.H. van Belle wrote:
> >
> > Hai,
> >
> > I reviewed your config, thing whats different in c-icap.conf compared to me.
> >
> Obviously, the mindless copying and pasting the config - very bad
> practice, is not it?
> >
> > RemoteProxyUsers off ( for you ) on for me.
> >
> # TAG: RemoteProxyUsers
> # Format: RemoteProxyUsers on|off
> # Description:
> #Set it to on if you want to use username provided by the proxy server.
> #This is the recomended way to use users in c-icap.
> #If the RemoteProxyUsers is off and c-icap configured to use users or
> #groups the internal authentication mechanism will be used.
> # Default:
> #RemoteProxyUsers off
> RemoteProxyUsers off
>
> This is depending proxy configuration. And irrelevant current case.
> >
> > Whats the content of /etc/c-icap/squidclamav.conf ?
> >
> > The important part for me of the file :
> >
> > #clamd_local /var/run/clamd.socket ! change/check this
> >
> This is OS-dependent, as obvious.
> >
> > clamd_ip 127.0.0.1
> > clamd_port 3310
> >
> > If you use socket make sure your rights are correct and icap is added to the clamav group.
> >
> Wrong. Squid group, not clamav.
> >
> > And my c-icap part of the squid.conf
> >
> > ## Tested with Squid 3.4.8 and 3.5.x + squidclamav 6.14 and 6.15
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_persistent_connections on
> > icap_preview_enable on
> > icap_preview_size 1024
> > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> > adaptation_access service_req allow all
> > icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> > adaptation_access service_resp allow all
> >
> > I think you changed too much in the example.
> >
> > I'm referring to these in the squid.conf
> > > adaptation_access service_avi_resp allow all
> >
> > service_avi_resp?
> >
> Complete squid.conf fragment:
>
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_resp allow all
>
> Please, PLEASE, do not make recommendation when you not understand what
> does config lines means!
>

Ok, problem is solved. Seems there is some problem between squid and my
unbound DNS server. Changing the following lines:

icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on

to:

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on

all works as expected. As you can see I have changed "localhost" for
"127.0.0.1" ... localhost entry exists inside my /etc/hosts file, and OpenBSD
resolves correctly, but under unbound's config I have enabled
"do-not-query-localhost: no" because unbound is configured to work with
dnscrypt-proxy service...

I am not sure about this, but it is the only answer that explains this
problem ... or it is a bug (but I don't think so).

What do you think??

--
Greetings,
C. L. Martinez