RE: [squid-users] Cache_peer problems

From: Elsen Marc <elsen@dont-contact.us>
Date: Wed, 16 Feb 2005 07:46:26 +0100

 
>
> We are using squid in conjunction with trend micro's IWSS.
>
> The documentation outlines how to do this: clients contact IWSS and
> IWSS uses squid as an upstream proxy server. For reporting reasons,
> we want to do it the other way around, IWSS are too general for us.
> Authentication is done via NTLM.
>
> IWSS is running on 8080 and squid on 3128, same box.
> IWSS is not an ICP proxy and thus the squid doco led me to the following
> cache_peer statement:
> cache_peer 127.0.0.1 parent 8080 7 no-query default
>
> Without the no-query and default statements I end up with TIMEOUT_DIRECT
> warnings.
>
> Now all this works ok, except when IWSS detects a virus, in which case
> squid ignores the 403 returned and goes direct instead of displaying the
> error message.
>
> 1108522791.283 59 172.16.8.59 TCP_MISS/200 886 GET http://www.trendmicro.com/global/en/images/topnav/tn-partners-over.gif aclark DEFAULT_PARENT/127.0.0.1 image/gif
> 1108522791.287 57 172.16.8.59 TCP_MISS/200 754 GET http://www.trendmicro.com/global/en/images/topnav/tn-about-over.gif aclark DEFAULT_PARENT/127.0.0.1 image/gif
> 1108522825.301 141 172.16.8.59 TCP_MISS/200 391 GET http://www.trendmicro.com/ftp/products/eicar-file/eicar.com aclark DIRECT/61.9.129.152 application/octet-stream
>
> I know it is getting a 403 from the IWSS as a packet trace has this in
> its data segment:
>
> HTTP/1.1 403 OK
> Connection: close
> Content-Type: text/html; charset=UTF-8
> Cache-Control: no-cache
> Date: Wed, 16 Feb 2005 01:49:15 GMT
> <html><head><title>IWSS Security Event</title></head>
> <body><script> if( typeof( window.innerWidth ) == 'number' ) {if
> (window.innerWidth < 10 || window.innerHeight < 10)
> {self.resizeTo(700,600);}}else if (document.body &&
> (document.body.clientWidth < 10 || document.body.clientHeight < 10))
> {self.resizeTo(700, 600);}</script><h1><h1>IWSS Security Event
> (pthalo.ngv.vic.gov.au)</h1></h1>
> Access to this URL is currently restricted due to a blocking rule.<BR><BR>URL:
> <B>http://www.trendmicro.com/ftp/products/eicar-file/eicar.com
> </B><BR>Rule: Block URLs of type <B>Virus infected temporary block</B><P>If you
> feel you have reached this message in error, please contact your network
> administrator.
> </body></html>
>
> Is this the appropriate method for what we need out of our caching/virus
> system?
>

You may try:

      never_direct allow all

in squid.conf, to prevent squid from attempting to go direct.

M.
Received on Tue Feb 15 2005 - 23:48:12 MST
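
To check whether requests are still leaving Squid without passing through the scanning parent, the access log can be audited for direct fetches. The following is an added example, not part of the original thread and not Squid's own code; the function names and the last sample line are constructed, and it assumes the native access.log layout shown in the quoted lines.

```python
"""Flag Squid access.log entries fetched without going through the scanning parent."""
from collections import namedtuple

Entry = namedtuple("Entry", "ts client result method url user hierarchy peer")

# First three lines: the log lines quoted in the message, one entry per line.
# Last line: constructed cache hit, which involves no upstream fetch at all.
SAMPLE_LOG = [
    "1108522791.283 59 172.16.8.59 TCP_MISS/200 886 GET http://www.trendmicro.com/global/en/images/topnav/tn-partners-over.gif aclark DEFAULT_PARENT/127.0.0.1 image/gif",
    "1108522791.287 57 172.16.8.59 TCP_MISS/200 754 GET http://www.trendmicro.com/global/en/images/topnav/tn-about-over.gif aclark DEFAULT_PARENT/127.0.0.1 image/gif",
    "1108522825.301 141 172.16.8.59 TCP_MISS/200 391 GET http://www.trendmicro.com/ftp/products/eicar-file/eicar.com aclark DIRECT/61.9.129.152 application/octet-stream",
    "1108522830.000 2 172.16.8.59 TCP_HIT/200 886 GET http://www.trendmicro.com/global/en/images/topnav/tn-about-over.gif aclark NONE/- image/gif",
]


def parse_line(line):
    """Parse one native-format access.log line; return None if it is malformed."""
    fields = line.split()
    # time elapsed client code/status bytes method url user hierarchy/peer type
    if len(fields) < 10 or "/" not in fields[8]:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    hierarchy, _, peer = fields[8].partition("/")
    return Entry(ts, fields[2], fields[3], fields[5], fields[6], fields[7],
                 hierarchy, peer)


def bypassed_parent(lines, parent="127.0.0.1"):
    """Return entries fetched upstream by any route other than the given parent."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.hierarchy.endswith("NONE"):
            continue  # malformed line, or no upstream fetch (cache hit, local error)
        # endswith() also catches prefixed codes such as TIMEOUT_DIRECT
        if entry.hierarchy.endswith("DIRECT") or entry.peer != parent:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in bypassed_parent(SAMPLE_LOG):
        print(f"{e.ts:.3f} {e.client} {e.user} {e.hierarchy}/{e.peer} {e.url}")
```

Run over the quoted lines, only the eicar.com request is reported; with never_direct in effect the same audit should report nothing.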
