Re: [squid-users] icap_class None squid 3.0

From: Alex Rousskov <[email protected]>
Date: Wed, 30 Jan 2008 09:35:48 -0700

On Wed, 2008-01-30 at 07:27 +0100, Juergen.Paulo@finanzit.com wrote:
> Hi Alex,
>
> my question was:
> Does the special ( implied ) icap_class None exist in squid 3.0?

Not that I know of.

> We have for about 100 icap_services and icap_classes configured in squid
> 2.5 witch work
> as icap-client with webwasher-csm.
> In some special cases it was necessary to bypass icap for some destination
> domains.
> Thats why we use the given syntax:
>
> acl NO_ICAP_FOR dstdomain XXX
> icap_access None deny NO_ICAP_FOR
>
> In squid 3.0 it seems not to work as inspected.
>
> I have no Idea, what I have to do to define an icap_service that does
> no req or res, put this in an icap_class do_no_icap and then
> icap_access do_no_icap allow NO_ICAP_FOR.
> That's why we use this special None directive in 2.5

Since Squid3 cannot send the same message to two ICAP services, I am not
sure why a special None class would be needed. My understanding is that
as soon as the first icap_access ACL matches, processing stops. If that
is correct, then you can place your NO_ICAP_FOR ACL at the top of the
icap_access list, using any existing ICAP class. You may need one rule
for REQMOD and one for RESPMOD class if you use both vectoring points.

If you do not get better suggestions, I would suggest that you try the
above and let us know whether it worked as expected.

Thank you,

Alex.

>
>
>
> Alex Rousskov
> <rousskov@measure
> ment-factory.com> An
> juergen.paulo@finanzit.com
> 29.01.2008 19:43 Kopie
> squid-users@squid-cache.org
> Thema
> Re: [squid-users] icap_class None
> squid 3.0 [FinanzIT: Viruscheck]
>
>
>
>
>
>
>
>
>
>
> On Tue, 2008-01-29 at 08:53 +0100, Juergen.Paulo@finanzit.com wrote:
> > This syntax worked for squid 2.5:
> >
> > acl NO_ICAP_FOR dstdomain XXX
> > icap_access None deny NO_ICAP_FOR
> >
> > in squid 3.0 there comes up:
> >
> > FATAL: Did not find ICAP class 'None' referenced on line XXX
> >
> > Is there a need to config an icap_class None an how do I do this ?
>
> If you do not want ICAP, you can disable it with icap_enable. If you
> want to fine-tune access for an existing ICAP class, then you should use
> that class name on the icap_access line.
>
> If you are using ICAP services without classes, then you can try to use
> a service name on the icap_access line, but that may not work.
>
> You should probably just add a class for your service. For example,
>
> icap_service service_req reqmod_precache 0 icap://10.0.0.104:1344/req
> icap_class class_req service_req
> icap_access class_req deny NO_ICAP_FOR
> icap_access class_req allow all
>
> The whole icap_service/class design is rather cumbersome and confusing.
> It will probably be replaced when we add support for service chaining in
> Squid3.
>
> HTH,
>
> Alex.
>
>
>
Received on Wed Jan 30 2008 - 09:36:02 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST