RE: [squid-users] Cache_peer problems

mark,

we have the same problem because we're trying to migrate from VirusWall
to IWSS

configuration (squid 2.5):

cache_peer antivirus1 parent 3128 3128 proxy-only no-query
connect-timeout=2 default
cache_peer antivirus2 parent 3128 3128 proxy-only no-query default
never_direct allow all

antivirus 1 is a IWSS 2.0, antivirus2 is an old VirusWall

when I'm trying to download an infected file IWSS replay with ant http
403 (Error), squid seems not handling the enclosed message and start
contact the second cache peer, which instead reply with an http 200 (OK)
with an informative error message enclosed (and the virus will be
blocked)

we also made another try, we replaced antivirus 2 with antivirus3 (IWSSS
again)
download the infected file we discovered that squid contact 2 times
antivirus1 (receiving error 403 2 times) than swap the comunication to
antivirus3 again receiving error 403 2 times but finally the last time
it correctly pass over the erro page to the client
this increase the network traffic of both antivirus

contacting TrendMicro they replied that the big difference from VW and
IWSS is the message reply in case of a 'virused' page

we'd like to keep two cache peer for fault tolerance

bye

Alberto

On Wed, 2005-02-16 at 07:46, Elsen Marc wrote:
>
> >
> > We are using squid in conjunction with trend micro's IWSS.
> >
> > The documentation outlines how to do this, clients contact IWSS and
> > IWSS uses squid as an upstream proxy server. For reporting reasons,
> > We want to do it the other way around, IWSS are to general for us,
> > Authentication is done vie NTLM.
> >
> > IWSS is running on 8080 and squid on 3128, same box.
> > IWSS is not an ICP proxy and thus the squid doco led me to
> > the following
> > Cach_peer statement:
> > cache_peer 127.0.0.1 parent 8080 7 no-query default
> >
> > Without the no-query and default statements I end up with
> > TIMEOUT_DIRECT
> > warnings.
> >
> > Now all this works ok, except when IWSS detects a virus, in
> > which case,
> > squid
> > Ignore the 403 returned and goes direct instead of displaying
> > the error
> > message
> >
> > 1108522791.283 59 172.16.8.59 TCP_MISS/200 886 GET
> > http://www.trendmicro.com/global/en/images/topnav/tn-partners-over.gif
> > aclark DEFAULT_PARENT/127.0.0.1 image/gif
> > 1108522791.287 57 172.16.8.59 TCP_MISS/200 754 GET
> > http://www.trendmicro.com/global/en/images/topnav/tn-about-over.gif
> > aclark DEFAULT_PARENT/127.0.0.1 image/gif
> > 1108522825.301 141 172.16.8.59 TCP_MISS/200 391 GET
> > http://www.trendmicro.com/ftp/products/eicar-file/eicar.com aclark
> > DIRECT/61.9.129.152 application/octet-stream
> >
> > I know it is getting a 403 from the IWSS as a packet trace has this in
> > its data segment:
> >
> > HTTP/1.1 403 OK
> > Connection: close
> > Content-Type: text/html; charset=UTF-8
> > Cache-Control: no-cache
> > Date: Wed, 16 Feb 2005 01:49:15 GMT
> > <html><head><title>IWSS Security Event</title></head>
> > <body><script> if( typeof( window.innerWidth ) == 'number' ) {if
> > (window.innerWidth < 10 || window.innerHeight < 10)
> > {self.resizeTo(700,600);}}else if (document.body &&
> > (document.body.clientWidth < 10 || document.body.clientHeight < 10))
> > {self.resizeTo(700, 600);}</script><h1><h1>IWSS Security Event
> > (pthalo.ngv.vic.gov.au)</h1></h1>
> > Access to this URL is currently restricted due to a blocking
> > rule.<BR><BR>URL:
> > <B>http://www.trendmicro.com/ftp/products/eicar-file/eicar.com
> > </B><BR>Ru
> > le: Block URLs of type <B>Virus infected temporary block</B><P>If you
> > feel you have reached this message in error, please contact
> > your network
> > administrator.
> > </body></html>
> >
> > Is this the appropriate method for what we need out of our
> > caching/virus
> > system?
> >
>
>
> You may try :
>
> never_direct allow all
>
> in squid.conf. To prevent squid from 'direct going attempts'.
>
> M.
Received on Tue Feb 22 2005 - 02:21:23 MST