Re: [squid-users] ICAP - not sending Respmod

From: Amos Jeffries <[email protected]>
Date: Wed, 10 Oct 2007 02:18:46 +1300

Thiago Cruz wrote:
> I had forgotten to negate ICP, but I've inserted it now.
>
> I made a workaround for this ICAP problem but I must have another ICAP
> server just for filtering theses no authentication sites and
> unfortunately it isn't a good solution.
>
> Any Idea?

Sorry, I mis-spelled the quote.
You said earlier before I joined the thread that you "when I negate
ICAP for some ACL it bypass cache_peer too" (cut-n-paste this time :-)

I must be going blind. An idea just occurs to me:

    always_direct allow sites_no_authentication
means bypass any peers and go direct for 'sites_no_authentication'

    never_direct allow all
means NOTHING can go direct, use peer or fail.

If this idea is right, then the always_direct is kicking all the peer
logics aside and forcing it to go direct before the never_direct gets
tested.

Try this:
   always_direct deny sites_no_authentication

or remove the line and finish with:
     always_direct deny all

Amos

>
> []'s
> Thiago Cruz
>
> On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>> Of course not, here is it:
>> Thank you. Everything look normal to me.
>> What do you do to "negate ICP for some ACL"?
>>
>> Amos
>>
>>> +++++++++++++++++++++++++++++++++++
>>> http_port 8080
>>> icp_port 0
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> cache deny QUERY
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> visible_hostname cacheteste.hm
>>> cache_log /var/log/squid/cache.log
>>> cache_store_log none
>>> debug_options ALL,1
>>>
>>> memory_replacement_policy lru
>>> logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul
>>> %Sh/%<A %mt
>>>
>>> cache_access_log /var/log/squid/access.log squidmime_extended
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 80
>>>
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 3
>>> auth_param basic realm HM
>>> auth_param basic credentialsttl 2 hours
>>>
>>> external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN
>>> /usr/lib/squid/wbinfo_group.pl
>>>
>>> acl PURGE method PURGE
>>>
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl squid-stat src 172.17.6.126/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80
>>> acl Safe_ports port 21
>>> acl Safe_ports port 443
>>> acl Safe_ports port 70
>>> acl Safe_ports port 210
>>> acl Safe_ports port 1025-65535
>>> acl Safe_ports port 280
>>> acl Safe_ports port 488
>>> acl Safe_ports port 591
>>> acl Safe_ports port 777
>>> acl CONNECT method CONNECT
>>> acl INTRANET dstdomain .hm .hm.com.br
>>> acl USERS_ALLOW external NTGroup @HM_USUARIOS
>>> acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication"
>>> acl JAVA-SUN browser -i java
>>>
>>> http_access allow PURGE localhost
>>> http_access deny PURGE
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> deny_info BC_Safe_ports Safe_ports
>>>
>>> http_access deny CONNECT !SSL_ports
>>> deny_info BC_not_SSL_ports SSL_ports
>>>
>>> http_access allow sites_no_authentication
>>> http_access allow JAVA-SUN
>>> http_access deny TERMO
>>> deny_info BC_TERMO TERMO
>>> http_access allow INTRANET
>>> http_access allow all USERS_ALLOW
>>> http_access deny all
>>> deny_info BC_ACESSO_NEGADO all
>>>
>>> always_direct allow sites_no_authentication
>>> always_direct allow JAVA-SUN
>>> always_direct allow INTRANET
>>> always_direct allow CONNECT
>>>
>>> never_direct allow all
>>>
>>> cache_effective_user squid
>>> cache_effective_group squid
>>>
>>> err_html_text mailto:ti.inf@hm.com.br
>>>
>>> coredump_dir /usr/local/squid/var/cache
>>> forwarded_for on
>>>
>>> icap_enable on
>>> icap_preview_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_client_username_encode on
>>> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
>>> icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
>>>
>>> icap_class filtro_url service_1 service_2
>>>
>>> icap_access filtro_url deny sites_no_authentication
>>> icap_access filtro_url allow USERS_ALLOW
>>>
>>> icap_access filtro_url deny all
>>>
>>> cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest
>>> default
>>> +++++++++++++++++++++++++++++++++++
>>>
>>> Although I have one server only for tests, the debug mode is too big.
>>> But if it's necessary should I post it here?
>>>
>>> Thanks
>>> Thiago Cruz
>>>
>>> On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>>> Thiago Cruz wrote:
>>>>> Hello H. Nordstrom,
>>>>>
>>>>> I had already read that but unfortunately it didn't work. For some
>>>>> reason when I negate ICAP for some ACL it bypass cache_peer too.
>>>> Most weird. Would you mind posting the related config both negated and
>>>> non-negated for comparison?
>>>>
>>>>
>>>>> Debug
>>>>> all 9 could help us?
>>>> Possibly. It will generate a LOT of data for even moderate server load.
>>>> I'd suggest starting at 5-6 to peek where the problems might be, then
>>>> raise a particular section.
>>>>
>>>> Amos
>>>>
>>>>
>>>>> On 10/6/07, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
>>>>>> On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote:
>>>>>>> I solved the problem which squid wasn't sending respmod using Squid3
>>>>>>> RC1, but I have another problem, when I don't want to use ICAP (acl
>>>>>>> sites_no_authentication), the squid bypass the cache peer too. Is
>>>>>>> there some way to force it to use cache_peer?
>>>>>> Squid FAQ How do I configure Squid forward all requests to another
>>>>>> proxy?
>>>>>>
>> <url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027>
>>>>>> Regards
>>>>>> Henrik
>>>>>>
>>>>
>>
>>
Received on Tue Oct 09 2007 - 07:18:53 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT