Re: [squid-users] Help about ICAP ACL: ACL is used but there is no HTTP reply

From: David Touzeau <david_at_touzeau.eu>
Date: Sat, 06 Mar 2010 14:46:37 +0100

-------- Original message --------
From: Amos Jeffries <squid3_at_treenet.co.nz>
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Help about ICAP ACL: ACL is used but there is no HTTP reply
Date: Sat, 06 Mar 2010 16:15:30 +1300

David Touzeau wrote:
> Dear,
>
> I would like to use ICAP ACLs in order to not send some files to the ICAP
> server
>
> Squid complains about these:
> WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of '0.0.0.0/0.0.0.0'
> WARNING: because of this '0.0.0.0/0.0.0.0' is ignored to keep splay tree
> searching predictable
> WARNING: You should probably remove '0.0.0.0/0.0.0.0' from the ACL named
> 'all'

The above means that you have entered "acl all ..." into your squid.conf.

Squid-3 defines it internally now to prevent people altering it and
breaking the basic security defaults of many settings.

>
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'info'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'counters'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting '5min'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'diskd'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
> squid[22707]: CACHEMGR: <unknown>@127.0.0.1 requesting 'store_io'
> squid[22707]: ACL::checklistMatches WARNING: 'multimedia_rep' ACL is
> used but there is no HTTP reply -- not matching.
>
> What's wrong? What does this error mean?

Means you are checking an ACL which uses output data to determine what
inputs are going to happen to cause output to be generated...

>
>
> This is a part of my squid.conf
> best regards...
>
>
>
> #--------- acls
> acl blockedsites url_regex "/etc/squid3/squid-block.acl"
> acl localhost src 127.0.0.1/255.255.255.255

acl localhost src 127.0.0.1

> acl all src 0.0.0.0/0.0.0.0

delete the above.

> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 1025-65535
> acl Safe_ports port 21
> acl QUERY urlpath_regex cgi-bin
> acl QUERY urlpath_regex \?

Probably a good choice to delete the above.

> acl CONNECT method CONNECT
> #--------- TIME RESTRICTON
> acl acl_kav_GET method GET
> acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
> acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
> acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
> acl multimedia_rep rep_mime_type -i ^image/.*
> acl multimedia_rep rep_mime_type -i ^.*video.*
> acl multimedia_rep rep_mime_type -i ^.*audio.*

The above three are all overly complicated. The pattern reduces down to
actually doing this:
   acl multimedia_rep rep_mime_type -i ^image/
   acl multimedia_rep rep_mime_type -i video
   acl multimedia_rep rep_mime_type -i audio

> acl multimedia_rep rep_mime_type -i ^application/x-dvi$
> acl multimedia_rep rep_mime_type -i ^application/x-isoview
> acl multimedia_browsers browser -i ^.*Windows-Media-Player.* -i ^.*player.*

Same overly complicated config here.

> acl bigfiles_types urlpath_regex -i \.deb$
> acl bigfiles_types urlpath_regex -i \.rpm$
> acl bigfiles_types urlpath_regex -i \.iso$
> acl bigfiles_types urlpath_regex -i \.tar\.gz$
> acl bigfiles_types urlpath_regex -i \.gz$
> acl bigfiles_types urlpath_regex -i \.bz$
> acl bigfiles_types urlpath_regex -i \.tar$
> acl bigfiles_types urlpath_regex -i \.cue$
> acl bigfiles_types urlpath_regex -i \.nrg$
> acl bigfiles_types urlpath_regex -i \.crf$
> acl bigfiles_types urlpath_regex -i \.bwi$
> acl bigfiles_types urlpath_regex -i \.bwt$
> acl bigfiles_types urlpath_regex -i \.lcd$
> acl bigfiles_types urlpath_regex -i \.ccd$
> acl bigfiles_types urlpath_regex -i \.mdf$
> acl bigfiles_types urlpath_regex -i \.mds$
> acl bigfiles_types urlpath_regex -i \.vcd$
> acl bigfiles_types urlpath_regex -i \.cif$
> acl bigfiles_types urlpath_regex -i \.vdi$
> acl bigfiles_types urlpath_regex -i \.img$
> acl office_network src 80.254.72.0/24
>
>
> #--------- MAIN RULES...
> http_access deny blockedsites
> http_access allow office_network
> http_access allow Safe_ports
> http_access allow SSL_ports

Uh oh. Unrestricted access to almost all ports from anyone on the
Internet via your proxy? Are you _really_ sure you want to be doing that?

The published defaults are:
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports

They are stated that way and ordered first to be fail-closed security
gates catching requests which have a dangerously high probability of
abuse and destruction to the Internet as a whole, your network as a
specific.

> http_access allow localhost
> http_access deny all
> # --------- icap_service KASPERSKY
> icap_enable on
> icap_send_client_ip on
> icap_service is_kav_resp respmod_precache 0 icap://127.0.0.1:1344/av/respmod
> icap_service is_kav_req reqmod_precache 0 icap://127.0.0.1:1344/av/reqmod
>
> # --------- icap_class
> icap_class ic_kav_resp is_kav_resp
> icap_class ic_kav_req is_kav_req
>
> # --------- icap_access
> icap_access ic_kav_resp deny multimedia_rep
> icap_access ic_kav_resp deny multimedia_browsers
> icap_access ic_kav_resp deny bigfiles_types
> icap_access ic_kav_resp allow all
>
> icap_access ic_kav_req deny multimedia_rep

    *** response type being checked before it exists to figure out if
the response is going to be asked for.

> icap_access ic_kav_req deny multimedia_browsers
> icap_access ic_kav_req deny bigfiles_types
> icap_access ic_kav_req allow all !acl_kav_GET

   "all" has no meaning unless it's last on the line, in which case it's
only useful in suppressing authentication popups or causing custom deny
pages to appear.

Amos

Many thanks for your precious information.

You said:
*** response type being checked before it exists to figure out if
the response is going to be asked for.

You mean that I must delete the ACLs:
icap_access ic_kav_resp deny multimedia_rep
icap_access ic_kav_resp deny multimedia_browsers
icap_access ic_kav_resp deny bigfiles_types

My goal: the ICAP server is an antivirus, but sending big files to the ICAP server will dramatically reduce performance.
These ACLs are used to prevent Squid from sending some files to the ICAP antivirus server.
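As an added example (not code from this thread or from the Squid project), here is a small Python linter that checks a squid.conf fragment for the three problems Amos points out above: a hand-written "acl all", a reply-only ACL such as rep_mime_type referenced from a request-time list (http_access, or icap_access on a class whose services are all reqmod), and http_access allow lines placed before the fail-closed "deny !Safe_ports" / "deny CONNECT !SSL_ports" gates. It assumes the Squid-3.0 icap_service / icap_class / icap_access syntax used in the posted config; the sample config inside it is a constructed, trimmed copy of the one quoted in the thread.

```python
"""Lint a squid.conf fragment for the three problems raised in the thread:
a hand-written 'acl all', reply-only ACLs (rep_mime_type) checked at
request time, and http_access allows placed before the fail-closed
Safe_ports / SSL_ports gates.  Added example, not Squid's own code."""

# Squid ACL types that can only match once an HTTP reply exists.  Checking
# one on a request-time access list (http_access, or icap_access for a
# reqmod service) produces "ACL is used but there is no HTTP reply".
REPLY_ONLY_ACL_TYPES = {"rep_mime_type", "rep_header"}

# Constructed sample: a trimmed copy of the config posted in the thread.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl multimedia_rep rep_mime_type -i ^image/
acl bigfiles_types urlpath_regex -i \\.iso$
acl office_network src 80.254.72.0/24
http_access allow office_network
http_access allow Safe_ports
http_access allow SSL_ports
http_access deny all
icap_service is_kav_resp respmod_precache 0 icap://127.0.0.1:1344/av/respmod
icap_service is_kav_req reqmod_precache 0 icap://127.0.0.1:1344/av/reqmod
icap_class ic_kav_resp is_kav_resp
icap_class ic_kav_req is_kav_req
icap_access ic_kav_resp deny multimedia_rep
icap_access ic_kav_resp deny bigfiles_types
icap_access ic_kav_req deny multimedia_rep
icap_access ic_kav_req deny bigfiles_types
icap_access ic_kav_req allow all !acl_kav_GET
"""


def parse(conf):
    """Split the config into ACL types, ICAP services/classes and access rules."""
    acl_types, services, classes, rules = {}, {}, {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        d = parts[0]
        if d == "acl" and len(parts) >= 3:
            acl_types.setdefault(parts[1], parts[2])      # acl name -> acl type
        elif d == "icap_service" and len(parts) >= 3:
            services[parts[1]] = parts[2]                  # service -> vectoring point
        elif d == "icap_class" and len(parts) >= 3:
            classes[parts[1]] = parts[2:]                  # class -> member services
        elif d == "http_access" and len(parts) >= 2:
            rules.append((d, None, parts[1], parts[2:]))   # (directive, target, action, terms)
        elif d == "icap_access" and len(parts) >= 3:
            rules.append((d, parts[1], parts[2], parts[3:]))
    return acl_types, services, classes, rules


def is_request_time(directive, target, services, classes):
    """http_access is always evaluated on the request; an icap_access line is
    request-time when every service in its class is a reqmod vectoring point."""
    if directive == "http_access":
        return True
    points = [services.get(s, "") for s in classes.get(target, [])]
    return bool(points) and all(p.startswith("reqmod") for p in points)


def lint(conf):
    """Return a list of human-readable findings (an empty list means clean)."""
    acl_types, services, classes, rules = parse(conf)
    findings = []
    if "all" in acl_types:
        findings.append("acl 'all' is predefined in Squid-3; delete the manual definition")
    for directive, target, action, terms in rules:
        where = directive if target is None else f"{directive} {target}"
        if is_request_time(directive, target, services, classes):
            for term in terms:
                name = term.lstrip("!")
                if acl_types.get(name) in REPLY_ONLY_ACL_TYPES:
                    findings.append(f"{where}: '{name}' is {acl_types[name]}, "
                                    "which cannot match before a reply exists")
        if "all" in terms and terms[-1] != "all":
            findings.append(f"{where}: 'all' only has meaning as the last term on the line")
    # Fail-closed gates: both default denies must come before the first allow.
    http = [(a, t) for d, _, a, t in rules if d == "http_access"]
    first_allow = next((i for i, (a, _) in enumerate(http) if a == "allow"), len(http))
    gates = [t for a, t in http[:first_allow] if a == "deny"]
    if not any("!Safe_ports" in t for t in gates):
        findings.append("http_access: 'deny !Safe_ports' should precede the first allow (fail-closed)")
    if not any("CONNECT" in t and "!SSL_ports" in t for t in gates):
        findings.append("http_access: 'deny CONNECT !SSL_ports' should precede the first allow (fail-closed)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run it as a script to see the findings for the sample, or call lint() on the text of a real squid.conf. It complements "squid -k parse", which checks syntax but does not flag a reply-time ACL sitting on a request-time access list.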
Received on Sat Mar 06 2010 - 13:46:49 MST

This archive was generated by hypermail 2.2.0 : Sun Mar 07 2010 - 12:00:02 MST