[squid-users] Re: VirusWall and Squid ACL

From: Norman Zhang <norman.zhang@dont-contact.us>
Date: Mon, 10 May 2004 10:32:10 -0700

Henrik Nordstrom wrote:
> On Fri, 7 May 2004, Norman Zhang wrote:
>>I have no problem accessing the web directly using VirusWall as my proxy
>>(i.e., http://x.x.x.x:80). But going through Squid (http://x.x.x.x:3128)
>>won't scan the content in VirusWall. Squid will go directly to the
>>internet. This makes me think that Squid is not redirecting to
>>VirusWall as it should be.
>
>>cache_peer 127.0.0.1 parent 80 7 default no-query
>>acl binaries urlpath_regex -i \.exe$ \.zip$ \.vbs$ \.gz$
>>cache_peer_access 127.0.0.1 allow binaries
>>never_direct allow binaries
>
> Looks fine to me, even if it can be done slightly simpler via the
> always_direct/never_direct directives instead of cache_peer_access..
>
> always_direct deny binaries
> never_direct allow all
>
> In addition I find it easier to understand if the icp port is specified
> as 0 when using no-query. This field is not really used then and
> mentioning the echo port can be confusing making one think (but not Squid)
> that the echo port is used...
>
> Have you run "squid -k reconfigure" or restarted Squid since making the
> configuration change?
>
> Are there any warnings on "squid -k parse"?

The 2 commands didn't issue any problems.

> What does Squid access.log say when you attempt to download some content
> which should have been sent to the scanner?

/var/log/squid/access.log says:

1084209947.484 1 192.168.22.7 TCP_DENIED/407 2281 GET http://download.com.com/i/dl/fpp/winzip_CNETstatic_120x600.gif - NONE/- text/html
1084209947.563 70 192.168.22.7 TCP_MISS/200 6034 GET http://download.com.com/i/dl/fpp/winzip190x160fpp_02b.gif arkondomain\nzhang DIRECT/216.239.115.131 image/gif
1084209947.669 176 192.168.22.7 TCP_MISS/200 12305 GET http://download.com.com/i/dl/fpp/winzip_CNETstatic_120x600.gif arkondomain\nzhang DIRECT/216.239.115.131 image/gif
1084209994.064 32748 192.168.22.7 TCP_MISS/200 2372978 GET ftp://ftp.download.com/pub/win95/utilities/filecomp/winzip90.exe arkondomain\nzhang DEFAULT_PARENT/127.0.0.1 application/octet-stream

/var/log/iscan/log.2004.05.10 says:

[root@prnserver squid]# grep winzip /var/log/iscan/log.2004.05.10
05/10/2004 10:25:47 http[12656]: connection from 127.0.0.1, "GET ftp://ftp.download.com/pub/win95/utilities/filecomp/winzip90.exe HTTP/1.0"
05/10/2004 10:26:01 http[12657]: connection from 127.0.0.1, "GET ftp://ftp.download.com/pub/win95/utilities/filecomp/winzip90.exe HTTP/1.0"

I'm not sure if the data is being scanned.

Regards,
Norman
Received on Mon May 10 2004 - 11:32:25 MDT
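
Added example, not part of the original message: a small audit of the access.log entries above that checks whether every request matching the "binaries" ACL was forwarded to the scanning parent (DEFAULT_PARENT/127.0.0.1) rather than fetched DIRECT. The function names, the path-plus-query approximation of urlpath_regex, and the last sample log line (example.com, 192.0.2.10) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns of the "binaries" ACL quoted in the thread; -i means case-insensitive.
BINARIES = re.compile(r"\.exe$|\.zip$|\.vbs$|\.gz$", re.IGNORECASE)

# The four access.log entries from the message (unwrapped), plus one
# constructed entry (example.com / 192.0.2.10) showing a bypass.
SAMPLE_LOG = r"""
1084209947.484 1 192.168.22.7 TCP_DENIED/407 2281 GET http://download.com.com/i/dl/fpp/winzip_CNETstatic_120x600.gif - NONE/- text/html
1084209947.563 70 192.168.22.7 TCP_MISS/200 6034 GET http://download.com.com/i/dl/fpp/winzip190x160fpp_02b.gif arkondomain\nzhang DIRECT/216.239.115.131 image/gif
1084209947.669 176 192.168.22.7 TCP_MISS/200 12305 GET http://download.com.com/i/dl/fpp/winzip_CNETstatic_120x600.gif arkondomain\nzhang DIRECT/216.239.115.131 image/gif
1084209994.064 32748 192.168.22.7 TCP_MISS/200 2372978 GET ftp://ftp.download.com/pub/win95/utilities/filecomp/winzip90.exe arkondomain\nzhang DEFAULT_PARENT/127.0.0.1 application/octet-stream
1084210100.000 250 192.168.22.7 TCP_MISS/200 51200 GET http://example.com/files/tool.ZIP arkondomain\nzhang DIRECT/192.0.2.10 application/zip
"""

def parse_line(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    if len(f) < 10:
        return None
    hier, _, peer = f[8].partition("/")
    return {"url": f[6], "hier": hier, "peer": peer}

def matches_binaries(url):
    """Approximate urlpath_regex: test the URL path (plus query, if any)."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return bool(BINARIES.search(target))

def audit(log_text, scanner="127.0.0.1"):
    """Return (scanned, bypassed) URLs among requests matching the ACL."""
    scanned, bypassed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_binaries(rec["url"]):
            continue
        if rec["hier"] == "NONE":
            continue  # nothing was forwarded (denied, or answered from cache)
        if rec["hier"] != "DIRECT" and rec["peer"] == scanner:
            scanned.append(rec["url"])
        else:
            bypassed.append(rec["url"])
    return scanned, bypassed

if __name__ == "__main__":
    ok, missed = audit(SAMPLE_LOG)
    print("sent to scanner:", ok)
    print("bypassed scanner:", missed)
```

The .gif requests logged as DIRECT do not match the ACL, so they are not counted as bypasses; only the constructed .ZIP entry is.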