Re: [squid-users] squid-3.0.STABLE7 ICAP [FinanzIT: Viruscheck]

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 02 Jul 2008 01:10:45 +1200

Juergen.Paulo_at_finanzit.com wrote:
> hi ,
>
> we have here a little problem with the squid above.
>
> we have:
>
> snip
>
> acl NETZ_i001 src
> "/opt/squid-3.0.STABLE7/etc/acl/netz_001"
> # # User ACLs
> #
> # # default Profile
> acl USER_sehr_hoch proxy_auth
> "/opt/squid-3.0.STABLE7/etc/acl/user_sehr_hoch"
> acl USER_hoch proxy_auth
> "/opt/squid-3.0.STABLE7/etc/acl/user_hoch"
> acl USER_mittel proxy_auth
> "/opt/squid-3.0.STABLE7/etc/acl/user_mittel"
> acl USER_niedrig proxy_auth
> "/opt/squid-3.0.STABLE7/etc/acl/user_niedrig"
> acl USER_sehr_niedrig proxy_auth
> "/opt/squid-3.0.STABLE7/etc/acl/user_sehr_niedrig"
>
>
> icap_service res_default respmod_precache 0
> icap://localhost:1344/wwrespmod?profile=default
>
> # Default Request-Profile
>
> icap_service req_default reqmod_precache 0
> icap://localhost:1344/wwreqmod?profile=default
>
> icap_service req_hoch reqmod_precache 0
> icap://localhost:1344/wwreqmod?profile=hoch
> icap_service req_mittel reqmod_precache 0
> icap://localhost:1344/wwreqmod?profile=mittel
> icap_service req_niedrig reqmod_precache 0
> icap://localhost:1344/wwreqmod?profile=niedrig
> icap_service req_sehr_hoch reqmod_precache 0
> icap://localhost:1344/wwreqmod?profile=sehr_hoch
> icap_service req_sehr_niedrig reqmod_precache 0
> icap://localhost:1344/wwreqmod?profile=sehr_niedrig
>
>
> # ICAP Klassen fuer das default profile
> icap_class icap_default res_default
>
> ############################
>
> icap_class icap_req_default req_default
>
>
> icap_class icap_001netz req_default
> icap_class icap_sehr_hoch req_sehr_hoch
> icap_class icap_hoch req_hoch
> icap_class icap_mittel req_mittel
> icap_class icap_niedrig req_niedrig
> icap_class icap_sehr_niedrig req_sehr_niedrig
>
>
>
> # webwasher default Profile
> icap_access icap_001netz deny !NETZ_i001
>
> icap_access icap_sehr_hoch deny !USER_sehr_hoch
> icap_access icap_hoch deny !USER_hoch
> icap_access icap_mittel deny !USER_mittel
> icap_access icap_niedrig deny !USER_niedrig
> icap_access icap_sehr_niedrig deny !USER_sehr_niedrig
>
> icap_access icap_default allow all
>
> end. squid config.
>
> if there is an ip accessing squid, which is not listed in NETZ_001 without
> user-authentication, the client have
> to go to the last line for icap response mode access. this works in
> 2.5.STABLE12.
> now it matches in the second icap_access line for reqmod_profile
> icap_sehr_hoch too:
>
> <snip>
>
> why ?

It should be working the same.

Looks like a bug to me. The second line tries to send of an
auth-required message. But the ICAP accept mechanism assumes it's an
'okay' result.

Can you please check bugzilla and if its not already there report a bug.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Tue Jul 01 2008 - 13:10:55 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 01 2008 - 12:00:05 MDT