[squid-users] Cache_peer problems

From: Adam Clark <Adam.Clark@dont-contact.us>
Date: Wed, 16 Feb 2005 14:35:30 +1100

We are using squid in conjunction with trend micro's IWSS.

The documentation outlines how to do this, clients contact IWSS and
IWSS uses squid as an upstream proxy server. For reporting reasons,
We want to do it the other way around, IWSS are to general for us,
Authentication is done vie NTLM.

IWSS is running on 8080 and squid on 3128, same box.
IWSS is not an ICP proxy and thus the squid doco led me to the following
Cach_peer statement:
cache_peer 127.0.0.1 parent 8080 7 no-query default

Without the no-query and default statements I end up with TIMEOUT_DIRECT
warnings.

Now all this works ok, except when IWSS detects a virus, in which case,
squid
Ignore the 403 returned and goes direct instead of displaying the error
message

1108522791.283 59 172.16.8.59 TCP_MISS/200 886 GET
http://www.trendmicro.com/global/en/images/topnav/tn-partners-over.gif
aclark DEFAULT_PARENT/127.0.0.1 image/gif
1108522791.287 57 172.16.8.59 TCP_MISS/200 754 GET
http://www.trendmicro.com/global/en/images/topnav/tn-about-over.gif
aclark DEFAULT_PARENT/127.0.0.1 image/gif
1108522825.301 141 172.16.8.59 TCP_MISS/200 391 GET
http://www.trendmicro.com/ftp/products/eicar-file/eicar.com aclark
DIRECT/61.9.129.152 application/octet-stream

I know it is getting a 403 from the IWSS as a packet trace has this in
its data segment:

HTTP/1.1 403 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Date: Wed, 16 Feb 2005 01:49:15 GMT
<html><head><title>IWSS Security Event</title></head>
<body><script> if( typeof( window.innerWidth ) == 'number' ) {if
(window.innerWidth < 10 || window.innerHeight < 10)
{self.resizeTo(700,600);}}else if (document.body &&
(document.body.clientWidth < 10 || document.body.clientHeight < 10))
{self.resizeTo(700, 600);}</script><h1><h1>IWSS Security Event
(pthalo.ngv.vic.gov.au)</h1></h1>
Access to this URL is currently restricted due to a blocking
rule.<BR><BR>URL:
<B>http://www.trendmicro.com/ftp/products/eicar-file/eicar.com</B><BR>Ru
le: Block URLs of type <B>Virus infected temporary block</B><P>If you
feel you have reached this message in error, please contact your network
administrator.
</body></html>

Is this the appropriate method for what we need out of our caching/virus
system?

Adam
Received on Tue Feb 15 2005 - 20:35:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:02 MST