Re: [squid-users] ICAP - not sending Respmod

From: Thiago Cruz <thiagocruz@dont-contact.us>
Date: Tue, 9 Oct 2007 09:46:57 -0300

I had forgotten to negate ICP, but I've inserted it now.

I made a workaround for this ICAP problem but I must have another ICAP
server just for filtering theses no authentication sites and
unfortunately it isn't a good solution.

Any Idea?

[]'s
Thiago Cruz

On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
> > Of course not, here is it:
>
> Thank you. Everything look normal to me.
> What do you do to "negate ICP for some ACL"?
>
> Amos
>
> > +++++++++++++++++++++++++++++++++++
> > http_port 8080
> > icp_port 0
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > visible_hostname cacheteste.hm
> > cache_log /var/log/squid/cache.log
> > cache_store_log none
> > debug_options ALL,1
> >
> > memory_replacement_policy lru
> > logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul
> > %Sh/%<A %mt
> >
> > cache_access_log /var/log/squid/access.log squidmime_extended
> >
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 80
> >
> > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 3
> > auth_param basic realm HM
> > auth_param basic credentialsttl 2 hours
> >
> > external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN
> > /usr/lib/squid/wbinfo_group.pl
> >
> > acl PURGE method PURGE
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl squid-stat src 172.17.6.126/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 21
> > acl Safe_ports port 443
> > acl Safe_ports port 70
> > acl Safe_ports port 210
> > acl Safe_ports port 1025-65535
> > acl Safe_ports port 280
> > acl Safe_ports port 488
> > acl Safe_ports port 591
> > acl Safe_ports port 777
> > acl CONNECT method CONNECT
> > acl INTRANET dstdomain .hm .hm.com.br
> > acl USERS_ALLOW external NTGroup @HM_USUARIOS
> > acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication"
> > acl JAVA-SUN browser -i java
> >
> > http_access allow PURGE localhost
> > http_access deny PURGE
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > deny_info BC_Safe_ports Safe_ports
> >
> > http_access deny CONNECT !SSL_ports
> > deny_info BC_not_SSL_ports SSL_ports
> >
> > http_access allow sites_no_authentication
> > http_access allow JAVA-SUN
> > http_access deny TERMO
> > deny_info BC_TERMO TERMO
> > http_access allow INTRANET
> > http_access allow all USERS_ALLOW
> > http_access deny all
> > deny_info BC_ACESSO_NEGADO all
> >
> > always_direct allow sites_no_authentication
> > always_direct allow JAVA-SUN
> > always_direct allow INTRANET
> > always_direct allow CONNECT
> >
> > never_direct allow all
> >
> > cache_effective_user squid
> > cache_effective_group squid
> >
> > err_html_text mailto:ti.inf@hm.com.br
> >
> > coredump_dir /usr/local/squid/var/cache
> > forwarded_for on
> >
> > icap_enable on
> > icap_preview_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_client_username_encode on
> > icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> > icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
> >
> > icap_class filtro_url service_1 service_2
> >
> > icap_access filtro_url deny sites_no_authentication
> > icap_access filtro_url allow USERS_ALLOW
> >
> > icap_access filtro_url deny all
> >
> > cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest
> > default
> > +++++++++++++++++++++++++++++++++++
> >
> > Although I have one server only for tests, the debug mode is too big.
> > But if it's necessary should I post it here?
> >
> > Thanks
> > Thiago Cruz
> >
> > On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
> >> Thiago Cruz wrote:
> >> > Hello H. Nordstrom,
> >> >
> >> > I had already read that but unfortunately it didn't work. For some
> >> > reason when I negate ICAP for some ACL it bypass cache_peer too.
> >>
> >> Most weird. Would you mind posting the related config both negated and
> >> non-negated for comparison?
> >>
> >>
> >> > Debug
> >> > all 9 could help us?
> >>
> >> Possibly. It will generate a LOT of data for even moderate server load.
> >> I'd suggest starting at 5-6 to peek where the problems might be, then
> >> raise a particular section.
> >>
> >> Amos
> >>
> >>
> >> >
> >> > On 10/6/07, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> >> >> On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote:
> >> >>> I solved the problem which squid wasn't sending respmod using Squid3
> >> >>> RC1, but I have another problem, when I don't want to use ICAP (acl
> >> >>> sites_no_authentication), the squid bypass the cache peer too. Is
> >> >>> there some way to force it to use cache_peer?
> >> >> Squid FAQ How do I configure Squid forward all requests to another
> >> >> proxy?
> >> >>
> >>
> <url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027>
> >> >>
> >> >> Regards
> >> >> Henrik
> >> >>
> >>
> >>
> >
>
>
>
Received on Tue Oct 09 2007 - 06:47:02 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT