Re: [squid-users] Help about ICAP ACL: ACL is used but there is no HTTP reply

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 06 Mar 2010 16:15:30 +1300

David Touzeau wrote:
> Dear,
>
> I would like to use ICAP acls in order to not send some files to the ICAP
> server
>
> Squid claims about these:
> WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of '0.0.0.0/0.0.0.0'
> WARNING: because of this '0.0.0.0/0.0.0.0' is ignored to keep splay tree
> searching predictable
> WARNING: You should probably remove '0.0.0.0/0.0.0.0' from the ACL named
> 'all'

The above means that you have entered "acl all ..." into your squid.conf.

Squid-3 defines it internally now to prevent people altering it and
breaking the basic security defaults of many settings.

>
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'info'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'counters'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting '5min'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'diskd'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'store_io'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
>
> What's wrong? What does this error mean?

It means you are checking an ACL which uses output data to determine what
inputs are going to happen to cause output to be generated...

>
>
> This is a part of my squid.conf
> best regards...
>
>
>
> #--------- acls
> acl blockedsites url_regex "/etc/squid3/squid-block.acl"
> acl localhost src 127.0.0.1/255.255.255.255

acl localhost src 127.0.0.1

> acl all src 0.0.0.0/0.0.0.0

delete the above.

> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 1025-65535
> acl Safe_ports port 21
> acl QUERY urlpath_regex cgi-bin
> acl QUERY urlpath_regex \?

Probably a good choice to delete the above.

> acl CONNECT method CONNECT
> #--------- TIME RESTRICTON
> acl acl_kav_GET method GET
> acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
> acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
> acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
> acl multimedia_rep rep_mime_type -i ^image/.*
> acl multimedia_rep rep_mime_type -i ^.*video.*
> acl multimedia_rep rep_mime_type -i ^.*audio.*

The above three are all overly complicated. The pattern reduces down to
actually doing this:
   acl multimedia_rep rep_mime_type -i ^image/
   acl multimedia_rep rep_mime_type -i video
   acl multimedia_rep rep_mime_type -i audio

> acl multimedia_rep rep_mime_type -i ^application/x-dvi$
> acl multimedia_rep rep_mime_type -i ^application/x-isoview
> acl multimedia_browsers browser -i ^.*Windows-Media-Player.* -i ^.*player.*

Same overly complicated config here.

> acl bigfiles_types urlpath_regex -i \.deb$
> acl bigfiles_types urlpath_regex -i \.rpm$
> acl bigfiles_types urlpath_regex -i \.iso$
> acl bigfiles_types urlpath_regex -i \.tar\.gz$
> acl bigfiles_types urlpath_regex -i \.gz$
> acl bigfiles_types urlpath_regex -i \.bz$
> acl bigfiles_types urlpath_regex -i \.tar$
> acl bigfiles_types urlpath_regex -i \.cue$
> acl bigfiles_types urlpath_regex -i \.nrg$
> acl bigfiles_types urlpath_regex -i \.crf$
> acl bigfiles_types urlpath_regex -i \.bwi$
> acl bigfiles_types urlpath_regex -i \.bwt$
> acl bigfiles_types urlpath_regex -i \.lcd$
> acl bigfiles_types urlpath_regex -i \.ccd$
> acl bigfiles_types urlpath_regex -i \.mdf$
> acl bigfiles_types urlpath_regex -i \.mds$
> acl bigfiles_types urlpath_regex -i \.vcd$
> acl bigfiles_types urlpath_regex -i \.cif$
> acl bigfiles_types urlpath_regex -i \.vdi$
> acl bigfiles_types urlpath_regex -i \.img$
> acl office_network src 80.254.72.0/24
>
>
> #--------- MAIN RULES...
> http_access deny blockedsites
> http_access allow office_network
> http_access allow Safe_ports
> http_access allow SSL_ports

Uh oh. Unrestricted access to almost all ports from anyone on the
Internet via your proxy? Are you _really_ sure you want to be doing that?

The published defaults are:
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports

They are stated that way and ordered first to be fail-closed security
gates catching requests which have a dangerously high probability of
abuse and destruction to the Internet as a whole, and to your network
specifically.

> http_access allow localhost
> http_access deny all
> # --------- icap_service KASPERSKY
> icap_enable on
> icap_send_client_ip on
> icap_service is_kav_resp respmod_precache 0 icap://127.0.0.1:1344/av/respmod
> icap_service is_kav_req reqmod_precache 0 icap://127.0.0.1:1344/av/reqmod
>
> # --------- icap_class
> icap_class ic_kav_resp is_kav_resp
> icap_class ic_kav_req is_kav_req
>
> # --------- icap_access
> icap_access ic_kav_resp deny multimedia_rep
> icap_access ic_kav_resp deny multimedia_browsers
> icap_access ic_kav_resp deny bigfiles_types
> icap_access ic_kav_resp allow all
>
> icap_access ic_kav_req deny multimedia_rep

    *** response type being checked before it exists to figure out if
the response is going to be asked for.

> icap_access ic_kav_req deny multimedia_browsers
> icap_access ic_kav_req deny bigfiles_types
> icap_access ic_kav_req allow all !acl_kav_GET

   "all" has no meaning unless it's last on the line. In which case it's
only useful in suppressing authentication popups or causing custom deny
pages to appear.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
   Current Beta Squid 3.1.0.17
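A small model of Squid's first-match access-list evaluation, added here as an illustration (not Squid's code and not part of this thread): it reproduces the quoted http_access order beside the published default order, and shows why a rep_mime_type ACL cannot match while Squid is still deciding whether to send the request to the reqmod service. The ACL names and address ranges come from the quoted squid.conf; the evaluator, the "constructed" requests and the omission of the url_regex ACLs are my assumptions.

```python
import ipaddress

# Constructed ACL table mirroring the quoted squid.conf (url_regex entries omitted);
# "all" is the Squid-3 built-in. The ACL names are the page's, the evaluator is an assumption.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "office_network": ("src", ["80.254.72.0/24"]),
    "Safe_ports": ("port", [(80, 80), (443, 443), (1025, 65535), (21, 21)]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "CONNECT": ("method", ["CONNECT"]),
    "multimedia_rep": ("rep_mime_type", ["image/", "video", "audio"]),
}

def acl_matches(name, req):
    """Match one ACL against a request dict; reply-side ACLs need a reply to exist."""
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "rep_mime_type":
        if req.get("reply_mime") is None:
            # This is the situation behind "ACL is used but there is no HTTP reply -- not matching".
            return False
        return any(v in req["reply_mime"].lower() for v in values)
    raise ValueError(kind)

def evaluate(rules, req):
    """Squid first-match semantics: every term on a line must match; '!' negates a term.
    If no line matches, the result is the opposite of the last line's action."""
    for action, *terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The order from the quoted squid.conf (blockedsites line dropped) vs. the published defaults.
USER_ORDER = [("allow", "office_network"), ("allow", "Safe_ports"), ("allow", "SSL_ports"),
              ("allow", "localhost"), ("deny", "all")]
DEFAULT_ORDER = [("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports"),
                 ("allow", "office_network"), ("allow", "localhost"), ("deny", "all")]

# Constructed requests: an Internet host using the proxy, and an office CONNECT tunnel to 1433.
OUTSIDER = {"src": "203.0.113.5", "port": 8080, "method": "GET"}
OFFICE_TUNNEL = {"src": "80.254.72.10", "port": 1433, "method": "CONNECT"}
```

Running `evaluate(USER_ORDER, OUTSIDER)` returns "allow" (an open proxy for anyone on port 8080), while the default order denies it and also denies the office CONNECT tunnel to a non-SSL port.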
Received on Sat Mar 06 2010 - 03:15:38 MST