Ah, thank you for that clarification. The Python ICAP servers I tested so far are not very promising, but at least there's a connection now.

Sadly, Squid does not allow HTTP access at all, only HTTPS access.



access.log


1551740163.106      0 192.168.10.116 TCP_MISS/500 4776 GET http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-to-listen-to-HTTPS-td4682393.html - HIER_NONE/- text/html
1551740163.173      0 192.168.10.116 TCP_IMS_HIT/304 294 GET http://backup:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

backup is the host that Squid is running on.


The webpage shown in the browser says: *Unable to forward this request at this time.*


cache.log

2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(179) lookup: id=0x5559d1923114 query ARP table
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(224) lookup: id=0x5559d1923114 query ARP on each interface (160 found)
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(230) lookup: id=0x5559d1923114 found interface lo
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(230) lookup: id=0x5559d1923114 found interface eth0
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(239) lookup: id=0x5559d1923114 looking up ARP address for 192.168.10.116 on eth0
2019/03/05 00:08:30.319 kid1| 28,4| Eui48.cc(275) lookup: id=0x5559d1923114 got address a4:34:d9:ea:b3:34 on eth0
2019/03/05 00:08:30.319 kid1| 28,3| Checklist.cc(70) preCheck: 0x5559d14e2f78 checking slow rules
2019/03/05 00:08:30.319 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rules)
2019/03/05 00:08:30.320 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/3' is not banned
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rule)
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking step1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: step1 = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rule) = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rules) = 1
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(63) markFinished: 0x5559d14e2f78 answer ALLOWED for match
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x5559d14e2f78 answer=ALLOWED
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(70) preCheck: 0x5559d19279a8 checking slow rules
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking http_access
2019/03/05 00:08:30.320 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2019/03/05 00:08:30.320 kid1| 28,5| Acl.cc(124) matches: checking localnet
2019/03/05 00:08:30.320 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 192.168.10.116:45900/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (192.168.10.0:45900)  vs 192.168.10.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2019/03/05 00:08:30.320 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '192.168.10.116:45900' found
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: localnet = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 1
2019/03/05 00:08:30.320 kid1| 28,3| Acl.cc(151) matches: checked: http_access = 1
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(63) markFinished: 0x5559d19279a8 answer ALLOWED for match
2019/03/05 00:08:30.320 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x5559d19279a8 answer=ALLOWED
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff85d5a130
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x5559d19279a8
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x5559d19279a8
2019/03/05 00:08:30.320 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x5559d14e2f78
2019/03/05 00:08:30.320 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x5559d14e2f78




current squid config:

#icap
icap_enable off
icap_preview_enable off
icap_send_client_ip on
icap_send_client_username on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access service_resp allow all
acl localnet src 192.168.10.0/24
acl CONNECT method CONNECT
http_access allow localnet
coredump_dir /var/spool/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
http_port 3128 accel ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

forwarded_for transparent


Any ideas what's wrong?



On 03.03.19 11:11, Marcus Kool wrote:
Squid is an ICAP client, not an ICAP server!, and does not respond on port 1344.
Marcus


On 02/03/2019 22:29, steven wrote:
Hi,


I would like to do modifications on HTTPS connections and therefore enabled SSL bump in Squid 4.4. Now I would like to see the real traffic, and ICAP looks like a way to watch and change that traffic.

But Squid is not answering to icap://127.0.0.1:1344 when using pyicap or telnet.

The telnet error is:

telnet 127.0.0.1 1344
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

Which is IMHO good because it tells me that something is answering on that port after all.

Did I misconfigure something?



config:

debug_options 28,9
#icap
icap_enable on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access service_resp allow all
acl localnet src 127.0.0.1/32 192.168.10.0/24
http_access allow localnet
acl SSL_ports port 443
acl CONNECT method CONNECT
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
coredump_dir /var/spool/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
# default end
# my config
http_port 3128 accel ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
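
Added example, not part of the original thread: since Squid is only the ICAP client, a separate ICAP server has to be listening on port 1344 before the icap_service lines can work. The probe below sends an ICAP OPTIONS request to the service URLs from the posted squid.conf and tells "connection refused" (nothing listening) apart from a real ICAP answer. The function names and the StubIcap stand-in server are assumptions made for this illustration.

```python
import socket
import socketserver
from urllib.parse import urlparse


def icap_options(url, timeout=3.0):
    """Send ICAP OPTIONS to url; return (status, headers). Raises OSError/ValueError."""
    u = urlparse(url)
    host, port = u.hostname, u.port or 1344
    request = (f"OPTIONS {url} ICAP/1.0\r\nHost: {host}\r\n"
               "Encapsulated: null-body=0\r\n\r\n").encode()
    head = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        for raw in s.makefile("rb"):  # read header lines up to the blank line
            if raw in (b"\r\n", b"\n"):
                break
            head.append(raw.decode("latin-1").strip())
    if not head or not head[0].startswith("ICAP/"):
        raise ValueError(f"no ICAP status line, got {head[:1]!r}")
    headers = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
    return int(head[0].split()[1]), headers


def diagnose(url):
    """Tell 'nothing is listening' apart from 'an ICAP service answered'."""
    try:
        status, headers = icap_options(url)
    except ConnectionRefusedError:
        return "no listener: start an ICAP server, Squid is only the client"
    except (OSError, ValueError) as exc:
        return f"unusable: {exc}"
    return f"ICAP {status}, Methods={headers.get('Methods', '?')}"


class StubIcap(socketserver.BaseRequestHandler):
    """Constructed stand-in ICAP service, only for trying the probe offline."""
    def handle(self):
        self.request.recv(4096)  # the short OPTIONS request fits in one read
        self.request.sendall(b'ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n'
                             b'ISTag: "constructed-1"\r\nEncapsulated: null-body=0\r\n\r\n')


if __name__ == "__main__":
    for path in ("request", "response"):  # service paths from the squid.conf above
        print(path, "->", diagnose(f"icap://127.0.0.1:1344/{path}"))
```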