[squid-users] Problems with ICAP and parent-child configuration

From: daniele.piaggesi <daniele.piaggesi_at_pro-netics.com>
Date: Thu, 24 Jul 2008 12:33:04 +0200

Hi guys

I'm quite new to Squid, but I have a little problem. This is my situation:

I have one parent installation of Squid on one machine in my DMZ net-zone,
which will be connected to the internet (it isn't yet).
I have one child installation of Squid on another machine in my workgroup
net-zone (a different zone connected to the DMZ).
Obviously the client users will use the proxy by entering in their browsers,
as the proxy, the address of the workgroup machine on which the child Squid
is installed.
The parent-child configuration seems to work properly.

In the workgroup zone, on another machine, I've installed Symantec
Antiviral Engine to scan web content, and I've used an ICAP connection to
integrate it with the child Squid.
This integration also seems to work properly (I've tested it by trying to
download the eicar.com file: Symantec blocks the download and responds to
Squid with a courtesy page), but when I start, stop or restart Squid I notice
this warning (or error, I don't know... but it doesn't seem to be a blocker at all):

2008/07/24 12:46:49.549| essential ICAP service is invalidated by
reconfigure: icap://172.16.55.40:1344/avscan [down,gone,!opt]

I googled a bit but I didn't find anything interesting. D'you have some
ideas?

The software versions are:
Squid 3.0-STABLE1 (built with icap-client enabled)
Symantec Scan Engine/5.1.7.33

Thanx in advance

I include the configuration files in this mail:

CHILD squid.conf
===================
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl savse_server dst 172.16.55.40/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_reply_access allow localnet
icp_access deny all
http_port 172.16.55.30:8080
cache_peer 172.16.50.30 parent 3128 0 no-query no-digest
never_direct allow all
hierarchy_stoplist cgi-bin ?
access_log /opt/squid-3.0-STABLE/var/logs/access.log squid
debug_options 93,9 0,9
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
icap_enable on
icap_preview_enable on
icap_send_client_ip on
icap_send_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service avscan respmod_precache 0 icap://172.16.55.40:1344/avscan
icap_class avclass avscan
icap_access avclass deny savse_server
icap_access avclass allow all
hosts_file /etc/hosts
coredump_dir /opt/squid-3.0-STABLE/var/cache

ERROR in cache.log with high debug
===================================
2008/07/24 12:56:33.359| ICAPAccessCheck constructed for REQMOD PRECACHE
2008/07/24 12:56:33.359| ICAPAccessCheck::check
2008/07/24 12:56:33.359| ICAP/ICAPConfig.cc(277) looking for the first
matching service in class avclass
2008/07/24 12:56:33.359| ICAP/ICAPConfig.cc(329) found no matching services
in class avclass
2008/07/24 12:56:33.359| ICAPAccessCheck::check: NO candidates or matches
found
2008/07/24 12:56:33.359| ICAPAccessCheckCallbackWrapper: answer=1
2008/07/24 12:56:33.369| ICAPAccessCheckCallbackEvent
2008/07/24 12:56:33.369| ICAPAccessCheck::do_callback
2008/07/24 12:56:33.369| ICAP/ICAPConfig.cc(266) do_callback: no
2008/07/24 12:56:33.369| client_side_request.cc(504) 0x8ab8b58
icapAclCheckDone called
2008/07/24 12:56:33.379| ICAPAccessCheck constructed for REQMOD PRECACHE
2008/07/24 12:56:33.379| ICAPAccessCheck::check
2008/07/24 12:56:33.379| ICAP/ICAPConfig.cc(277) looking for the first
matching service in class avclass
2008/07/24 12:56:33.379| ICAP/ICAPConfig.cc(329) found no matching services
in class avclass
2008/07/24 12:56:33.379| ICAPAccessCheck::check: NO candidates or matches
found
2008/07/24 12:56:33.379| ICAPAccessCheckCallbackWrapper: answer=1
2008/07/24 12:56:33.389| ICAPAccessCheckCallbackEvent
2008/07/24 12:56:33.389| ICAPAccessCheck::do_callback
2008/07/24 12:56:33.389| ICAP/ICAPConfig.cc(266) do_callback: no
2008/07/24 12:56:33.389| client_side_request.cc(504) 0x8ab8b58
icapAclCheckDone called
2008/07/24 12:56:33.390| ICAPAccessCheck constructed for RESPMOD PRECACHE
2008/07/24 12:56:33.390| ICAPAccessCheck::check
2008/07/24 12:56:33.390| ICAP/ICAPConfig.cc(277) looking for the first
matching service in class avclass
2008/07/24 12:56:33.390| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no Transfer-Preview
extensions
2008/07/24 12:56:33.390| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no Transfer-Complete
extensions
2008/07/24 12:56:33.390| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no Transfer-Ignore
extensions
2008/07/24 12:56:33.390| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no extensions; using
default: Transfer-Preview
2008/07/24 12:56:33.390| ICAP/ICAPConfig.cc(315) found first matching
service in class avclass: avscan
2008/07/24 12:56:33.390| ICAPAccessCheck::check: class 'avclass' has
candidate service 'avscan'
2008/07/24 12:56:33.390| ICAPAccessCheckCallbackWrapper: answer=1
2008/07/24 12:56:33.390| ICAPAccessCheckCallbackWrapper matchedClass =
avclass
2008/07/24 12:56:33.401| ICAPAccessCheckCallbackEvent
2008/07/24 12:56:33.401| ICAPAccessCheck::do_callback
2008/07/24 12:56:33.401| ICAPAccessCheck::do_callback matchedClass =
avclass
2008/07/24 12:56:33.401| ICAP/ICAPConfig.cc(277) looking for the first
matching up service in class avclass
2008/07/24 12:56:33.401| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no Transfer-Preview
extensions
2008/07/24 12:56:33.401| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no Transfer-Complete
extensions
2008/07/24 12:56:33.401| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no Transfer-Ignore
extensions
2008/07/24 12:56:33.401| ICAPOptions url
http://172.16.50.40/icons/apache_pb2.gif matches no extensions; using
default: Transfer-Preview
2008/07/24 12:56:33.401| ICAP/ICAPConfig.cc(315) found first matching up
service in class avclass: avscan
2008/07/24 12:56:33.401| ICAP/ICAPConfig.cc(262) do_callback: with service
icap://172.16.55.40:1344/avscan
2008/07/24 12:56:33.401| ICAP/AsyncJob.cc(14) will call
AsyncJob::noteStart(0x8aecdd8)
2008/07/24 12:56:33.410| entering AsyncJob::noteStart(0x8aecdd8)
2008/07/24 12:56:33.410| ICAPModXactLauncher::noteStart called
2008/07/24 12:56:33.410| ICAP/ICAPLauncher.cc(35) launching xaction #1
2008/07/24 12:56:33.410| ICAPModXact constructed, this=0x8af0ef8 [icapx5]
2008/07/24 12:56:33.410| ICAPModXact initialized. [/R icapx5]
2008/07/24 12:56:33.410| ICAP/AsyncJob.cc(14) will call
AsyncJob::noteStart(0x8af0ef8)
2008/07/24 12:56:33.410| ICAPModXactLauncher::noteStart ended
2008/07/24 12:56:33.410| exiting AsyncJob::noteStart(0x8aecdd8)
2008/07/24 12:56:33.410| entering AsyncJob::noteStart(0x8af0ef8)
2008/07/24 12:56:33.410| ICAPModXact::noteStart called [/R icapx5]
2008/07/24 12:56:33.410| ICAPModXact does not expect virgin body
2008/07/24 12:56:33.410| ICAPOptions url /icons/apache_pb2.gif matches no
Transfer-Preview extensions
2008/07/24 12:56:33.410| ICAPOptions url /icons/apache_pb2.gif matches no
Transfer-Complete extensions
2008/07/24 12:56:33.410| ICAPOptions url /icons/apache_pb2.gif matches no
Transfer-Ignore extensions
2008/07/24 12:56:33.410| ICAPOptions url /icons/apache_pb2.gif matches no
extensions; using default: Transfer-Preview
2008/07/24 12:56:33.410| ICAPModXact should offer 0-byte preview (service
wanted 4)
2008/07/24 12:56:33.410| ICAP/ICAPXaction.cc(113) reused pconn FD 19
2008/07/24 12:56:33.410| ICAPModXact::noteStart ended [FD 19;rw(1)P(0)/R
icapx5]
2008/07/24 12:56:33.410| exiting AsyncJob::noteStart(0x8af0ef8)
2008/07/24 12:56:33.410| ICAPXaction::reusedConnection
2008/07/24 12:56:33.410| ICAPModXact::noteCommConnected called [FD
19;rw(1)P(0)/R icapx5]
2008/07/24 12:56:33.410| ICAP/ICAPModXact.cc(1135) will allow 204s outside
of preview
2008/07/24 12:56:33.410| ICAPModXact ICAP will write [FD 19r;rw(1)/RP(ieof)
icapx5]:
RESPMOD icap://172.16.55.40:1344/avscan ICAP/1.0
Host: 172.16.55.40:1344
Date: Thu, 24 Jul 2008 09:56:33 GMT
Encapsulated: req-hdr=0, res-hdr=541, null-body=859
Preview: 0
Allow: 204
X-Client-IP: 172.16.54.80

GET http://172.16.50.40/icons/apache_pb2.gif HTTP/1.1
Host: 172.16.50.40
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3)
Gecko/20060526 Red Hat/1.5.0.3-0.2.EL4 Firefox/1.5.0.3 pango-text
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://172.16.50.40/
If-Modified-Since: Thu, 03 May 2001 04:30:36 GMT
If-None-Match: "1ad7a8-96e-e5849300"
Cache-Control: max-age=0

HTTP/1.0 304 Not Modified
Date: Thu, 24 Jul 2008 09:55:57 GMT
Server: Apache/2.0.52 (Red Hat)
ETag: "1ad7a8-96e-e5849300"
Age: 7
X-Cache: HIT from ho_dmz_srv03.bdl.gov.lb
X-Cache-Lookup: HIT from ho_dmz_srv03.bdl.gov.lb:3128
Via: 1.0 ho_dmz_srv03.bdl.gov.lb (squid/3.0.STABLE1)
Proxy-Connection: keep-alive

2008/07/24 12:56:33.410| ICAPModXact::noteCommConnected ended [FD
19wr;rw(2)/RP(ieof) icapx5]
2008/07/24 12:56:33.410| ICAPModXact::noteCommWrote called [FD
19wr;rw(2)/RP(ieof) icapx5]
2008/07/24 12:56:33.410| ICAP/ICAPModXact.cc(154) Wrote 1077 bytes
2008/07/24 12:56:33.410| ICAP/ICAPModXact.cc(182) checking whether to write
more [FD 19r;rw(4)/RP(ieof) icapx5]
2008/07/24 12:56:33.410| ICAPModXact::noteCommWrote ended [FD
19r;rw(4)/RP(ieof) icapx5]
2008/07/24 12:56:33.410| ICAP/ICAPXaction.cc(59) 0x8af0ef8 read returned
185
2008/07/24 12:56:33.411| ICAPModXact::noteCommRead called [FD
19r;rw(4)/RP(ieof) icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPXaction.cc(339) read 185 bytes
2008/07/24 12:56:33.411| ICAPModXact becomes final [FD 19;rw(4)/RP(ieof)
icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(574) have 185 bytes to parse
[FD 19;rw(4)/RP(ieof) icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(575)
ICAP/1.0 204 No Content Necessary
ISTag: "3D6FE806DD2A2993532142224B7D5411"
Date: Thu Jul 24 09:57:23 2008 GMT
Service: Symantec Scan Engine/5.1.7.33
Service-ID: Respmod AV Scan

2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(653) parse ICAP headers
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(882) have 185 head bytes to
parse; state: 0
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(894) parse success, consume
185 bytes, return true
2008/07/24 12:56:33.411| ICAPModXact will no longer parse [FD
19;rw(4)/RP(ieof) icapx5]
2008/07/24 12:56:33.411| ICAPModXact cloning virgin message 0x8a772a0
2008/07/24 12:56:33.411| ICAPModXact cloned virgin message 0x8a772a0 to
0x8a78308
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(840) no virgin body to echo
2008/07/24 12:56:33.411| ICAPModXact will not start sending [FD
19;w(4)/RP(ieof)rp icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(434) will no longer write [FD
19;w(4)/RP(ieof)rpS icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPInitiate.cc(176) will call
0x8aecdf4->ICAPInitiator::noteIcapAnswer(0x8a78308)
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(474) returning from readMore
because reader or doneReading()
2008/07/24 12:56:33.411| ICAP/ICAPXaction.cc(285) ICAPModXact done with I/O
[FD 19;/RwP(ieof)rpS icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPXaction.cc(174) pushing pconn [FD
19;/RwP(ieof)rpS icapx5]
2008/07/24 12:56:33.411| ICAPModXact remains final [FD 19;/RwP(ieof)rpS
icapx5]
2008/07/24 12:56:33.411| ICAPModXact::noteCommRead ends job [/RwP(ieof)rpS
icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPModXact.cc(1062) swan sings
[/RwP(ieof)rpS icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPInitiate.cc(82) swan sings [/RwP(ieof)rpS
icapx5]
2008/07/24 12:56:33.411| ICAP/ICAPInitiate.cc(89) swan sang [/RwP(ieof)rpS
icapx5]
2008/07/24 12:56:33.411| ICAPModXact destructed, this=0x8af0ef8 [icapx5]
2008/07/24 12:56:33.411| ICAP/AsyncJob.cc(106) ICAPModXact::noteCommRead
ended 0x8af0ef8
2008/07/24 12:56:33.411| entering
0x8aecdf4->ICAPInitiator::noteIcapAnswer(0x8a78308)
2008/07/24 12:56:33.411| ICAPModXactLauncher::noteIcapAnswer called
2008/07/24 12:56:33.411| ICAP/ICAPInitiate.cc(176) will call
0x8ae4bb0->ICAPInitiator::noteIcapAnswer(0x8a78308)
2008/07/24 12:56:33.411| ICAPModXactLauncher::noteIcapAnswer ends job
2008/07/24 12:56:33.411| ICAP/ICAPInitiate.cc(82) swan sings
2008/07/24 12:56:33.411| ICAP/ICAPInitiate.cc(89) swan sang
2008/07/24 12:56:33.411| ICAP/AsyncJob.cc(106)
ICAPModXactLauncher::noteIcapAnswer ended 0x8aecdd8
2008/07/24 12:56:33.411| exiting
0x8aecdf4->ICAPInitiator::noteIcapAnswer(0x8a78308)
2008/07/24 12:56:33.411| entering
0x8ae4bb0->ICAPInitiator::noteIcapAnswer(0x8a78308)
2008/07/24 12:56:33.411| exiting
0x8ae4bb0->ICAPInitiator::noteIcapAnswer(0x8a78308)

cache.log ERROR when I try to restart
========================================
2008/07/24 12:58:56.369| essential ICAP service is invalidated by
reconfigure: icap://172.16.55.40:1344/avscan [down,gone]
2008/07/24 12:58:56.374| essential ICAP service is invalidated by
reconfigure: icap://172.16.55.40:1344/avscan [down,gone,!opt]
2008/07/24 12:58:57.402| essential ICAP service is invalidated by
reconfigure: icap://172.16.55.40:1344/avscan [down,gone,!opt]

PARENT squid.conf
===================
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl child_proxy src 172.16.55.30 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl connectmethod method CONNECT
http_access allow manager localhost child_proxy
http_access deny manager
http_access deny !Safe_ports
http_access deny connectmethod !SSL_ports
http_access allow child_proxy
http_access deny all
icp_access deny all
icp_access allow child_proxy
icp_access deny all
htcp_access deny all
htcp_access allow child_proxy
htcp_access deny all
http_port 172.16.50.30:3128 transparent
hierarchy_stoplist cgi-bin ?
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /opt/squid-3.0-STABLE/var/logs/access.log squid
cache_log /opt/squid-3.0-STABLE/var/logs/cache.log
debug_options 93,9 0,9
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_mgr [EMAIL PROTECTED]
mail_from [EMAIL PROTECTED]
mail_program mail
hosts_file /etc/hosts
coredump_dir /opt/squid-3.0-STABLE/var/cache

Thanks again for your help

Bye
Daniele
Received on Thu Jul 24 2008 - 10:33:07 MDT
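
An added example, not part of the original post: a small audit of the `icap_service` line and the "essential ICAP service" warnings quoted above. It shows that the `0` bypass field makes the scanner essential (fail closed) and that only RESPMOD is covered. The function names and the one-line log samples are constructed here, and the sketch assumes the Squid 3.0 `icap_service name vectoring_point bypass url` syntax used in the post.

```python
import re

# Constructed sample: the ICAP directives from the child squid.conf in the post.
SAMPLE_CONF = """\
icap_service avscan respmod_precache 0 icap://172.16.55.40:1344/avscan
icap_class avclass avscan
icap_access avclass allow all
"""
# Constructed sample: two warnings from the post, each unwrapped to one line.
SAMPLE_LOG = (
    "2008/07/24 12:58:56.369| essential ICAP service is invalidated by "
    "reconfigure: icap://172.16.55.40:1344/avscan [down,gone]\n"
    "2008/07/24 12:58:56.374| essential ICAP service is invalidated by "
    "reconfigure: icap://172.16.55.40:1344/avscan [down,gone,!opt]\n"
)
# Vectoring points that appear in the debug log of the post.
POINTS = ("reqmod_precache", "respmod_precache")
WARN_RE = re.compile(r"\| (\w+) ICAP service is (.+?): (icap://\S+) \[([^\]]*)\]")

def audit_icap_services(conf_text):
    """Map service name -> settings from Squid 3.0 lines of the form
    'icap_service <name> <vectoring_point> <bypass> <url>'."""
    services = {}
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "icap_service":
            _, name, point, bypass, url = fields
            # bypass 0 marks the service essential: if it is unreachable,
            # Squid returns an error instead of passing traffic unscanned.
            services[name] = {"point": point, "url": url, "fail_closed": bypass == "0"}
    return services

def uncovered_points(services):
    """Vectoring points with no configured service (traffic there is not scanned)."""
    used = {s["point"] for s in services.values()}
    return [p for p in POINTS if p not in used]

def parse_icap_warnings(log_text):
    """Extract kind, reason, URL and status flags from ICAP service warnings."""
    out = []
    for m in WARN_RE.finditer(log_text):
        kind, reason, url, flags = m.groups()
        out.append({"kind": kind, "reason": reason, "url": url, "flags": flags.split(",")})
    return out

if __name__ == "__main__":
    print(audit_icap_services(SAMPLE_CONF))
    print(uncovered_points(audit_icap_services(SAMPLE_CONF)))
    for w in parse_icap_warnings(SAMPLE_LOG):
        print(w)
```

The uncovered `reqmod_precache` point matches the "found no matching services in class avclass" lines logged for REQMOD PRECACHE in the debug output above.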
