Re: [squid-users] ICAP - not sending Respmod

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 9 Oct 2007 12:28:17 +1300 (NZDT)

> Of course not, here it is:

Thank you. Everything looks normal to me.
What do you do to "negate ICP for some ACL"?

Amos

> +++++++++++++++++++++++++++++++++++
> http_port 8080
> icp_port 0
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> visible_hostname cacheteste.hm
> cache_log /var/log/squid/cache.log
> cache_store_log none
> debug_options ALL,1
>
> memory_replacement_policy lru
> logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul %Sh/%<A %mt
>
> cache_access_log /var/log/squid/access.log squidmime_extended
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 80
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 3
> auth_param basic realm HM
> auth_param basic credentialsttl 2 hours
>
> external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> acl PURGE method PURGE
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl squid-stat src 172.17.6.126/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> acl INTRANET dstdomain .hm .hm.com.br
> acl USERS_ALLOW external NTGroup @HM_USUARIOS
> acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication"
> acl JAVA-SUN browser -i java
>
> http_access allow PURGE localhost
> http_access deny PURGE
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> deny_info BC_Safe_ports Safe_ports
>
> http_access deny CONNECT !SSL_ports
> deny_info BC_not_SSL_ports SSL_ports
>
> http_access allow sites_no_authentication
> http_access allow JAVA-SUN
> http_access deny TERMO
> deny_info BC_TERMO TERMO
> http_access allow INTRANET
> http_access allow all USERS_ALLOW
> http_access deny all
> deny_info BC_ACESSO_NEGADO all
>
> always_direct allow sites_no_authentication
> always_direct allow JAVA-SUN
> always_direct allow INTRANET
> always_direct allow CONNECT
>
> never_direct allow all
>
> cache_effective_user squid
> cache_effective_group squid
>
> err_html_text mailto:ti.inf@hm.com.br
>
> coredump_dir /usr/local/squid/var/cache
> forwarded_for on
>
> icap_enable on
> icap_preview_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_client_username_encode on
> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
>
> icap_class filtro_url service_1 service_2
>
> icap_access filtro_url deny sites_no_authentication
> icap_access filtro_url allow USERS_ALLOW
>
> icap_access filtro_url deny all
>
> cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest default
> +++++++++++++++++++++++++++++++++++
>
> Although I have one server only for tests, the debug mode is too big.
> But if it's necessary should I post it here?
>
> Thanks
> Thiago Cruz
>
> On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
>> Thiago Cruz wrote:
>> > Hello H. Nordstrom,
>> >
>> > I had already read that but unfortunately it didn't work. For some
>> > reason when I negate ICAP for some ACL it bypasses cache_peer too.
>>
>> Most weird. Would you mind posting the related config both negated and
>> non-negated for comparison?
>>
>>
>> > Debug all 9 could help us?
>>
>> Possibly. It will generate a LOT of data for even moderate server load.
>> I'd suggest starting at 5-6 to peek where the problems might be, then
>> raise a particular section.
>>
>> Amos
>>
>>
>> >
>> > On 10/6/07, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
>> >> On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote:
>> >>> I solved the problem of Squid not sending respmod by using Squid3
>> >>> RC1, but I have another problem: when I don't want to use ICAP (acl
>> >>> sites_no_authentication), Squid bypasses the cache peer too. Is
>> >>> there some way to force it to use cache_peer?
>> >> Squid FAQ How do I configure Squid forward all requests to another
>> >> proxy?
>> >>
>> >> <url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027>
>> >>
>> >> Regards
>> >> Henrik
>> >>
>>
>>
>
Received on Mon Oct 08 2007 - 17:28:19 MDT
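
Added example, not part of the original thread and not code from its participants or the Squid project: a small Python check over the access rules quoted above that lists which ACLs are exempted from ICAP and which are matched by `always_direct allow` (Squid forwards such requests to the origin server without using any `cache_peer`). The function names are hypothetical, `SAMPLE_CONF` is an excerpt of the directives posted in the thread, and rules naming several ACLs are treated per ACL name, which is a simplification of Squid's AND/first-match evaluation.

```python
# Added example: a lint pass over squid.conf access rules (hypothetical helper names).
# SAMPLE_CONF is an excerpt of the directives quoted in the thread.
SAMPLE_CONF = """\
http_access allow sites_no_authentication
always_direct allow sites_no_authentication
always_direct allow JAVA-SUN
always_direct allow INTRANET
always_direct allow CONNECT
never_direct allow all
icap_class filtro_url service_1 service_2
icap_access filtro_url deny sites_no_authentication
icap_access filtro_url allow USERS_ALLOW
icap_access filtro_url deny all
cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest default
"""

def parse_rules(conf):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            directive, *args = line.split()
            yield directive, args

def acls_matching(conf, directive, action, skip=0):
    """Positive ACL names used in `directive [class] action acl...` rules, in file order."""
    names = []
    for d, args in parse_rules(conf):
        if d == directive and len(args) > skip + 1 and args[skip] == action:
            # Negated ACLs (!name) are ignored; each remaining name is listed once.
            names += [a for a in args[skip + 1:] if not a.startswith("!") and a not in names]
    return names

def audit(conf):
    """Report ACLs sent direct, ACLs exempt from ICAP, and the overlap of the two."""
    direct = acls_matching(conf, "always_direct", "allow")
    no_icap = acls_matching(conf, "icap_access", "deny", skip=1)  # skip the class name
    has_peer = any(d == "cache_peer" for d, _ in parse_rules(conf))
    # Traffic in the overlap is inspected by neither the ICAP services nor the parent proxy.
    overlap = [a for a in no_icap if a in direct and a != "all"] if has_peer else []
    return {"forced_direct": direct, "icap_exempt": no_icap, "skips_icap_and_peer": overlap}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```
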
