Re: [squid-users] C-ICAP+SquidGard : ACls problems from Luis Daniel Lucio Quiroz on 2010-08-31 (squid-users)

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Tue, 31 Aug 2010 09:27:08 -0500

Le mardi 31 août 2010 07:26:29, David Touzeau a écrit :
> Dear
>
> I would like to know if anyone using C-ICAP+squidGuard on squid 3.1.x
>
>
> I have created a rule match acl an IP address :
>
> acl 192_168_1_240 src 192.168.1.240
>
> it seems that always the first IP scanned by c-icap is the loopback ip
> (127.0.0.1)
>
> when the 192.168.1.240 IP pass trough c-icap, c-icap display :
> going to check addresses ip address: 127.0.0.1
> 192.168.1.240/255.255.255.255
>
> Why 127.0.0.1 has prefix ??
> According to this no rules match the acl and IP objects match always the
> default rule..
>
>
> I have added an acl specific to the loopback "acl loopback src
> 127.0.0.1" and c-icap says correctly :
>
> going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
> The ci_acl_spec_t:loopback matches
>
> Where i'm wrong ???? How to delete the 127.0.0.1 prefix in the
> connection link ??
> Is it a squid.conf problem ?? or specific changes to squid method
> ?(using the 3.1.4 version)
>
>
> Here it is the C-ICAP debug logs :
> ------------------------------------------------------------------
>
> Check request with an access entry
> Access control: ALLOW
> pool hits:2 allocations: 1
> Allocating from objects pool object 0
> Requested service: url_check
> URL to host www.freesexvideos2k.com
> URL page www.freesexvideos2k.com/style.css
> Check request with an access entry
> Check request with ci_acl_spec_t:loopback
> going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
> The ci_acl_spec_t:loopback matches
> Check request with ci_acl_spec_t:loopback
> going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
> The ci_acl_spec_t:loopback matches
> Check request with ci_acl_spec_t:192_168_1_240
> going to check addresses ip address: 127.0.0.1
> 192.168.1.240/255.255.255.255
> Going to check the db W-1 for BLOCK
> sg_db W-1 is not open?
> Going to check the db F-1 for PASS
> sg_db: checking domain www.freesexvideos2k.com
> db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair
> found
> sg_db: checking url www.freesexvideos2k.com/style.css
> Going to check the db W-1 for BLOCK
> sg_db W-1 is not open?
> Going to check the db F-1 for PASS
> sg_db: checking domain www.freesexvideos2k.com
> db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair
> found
> sg_db: checking url www.freesexvideos2k.com/style.css
> Storing to objects pool object 0
> Check request with an access entry
> Check request with ci_acl_spec_t:all
> going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0
> The ci_acl_spec_t:all matches
> Check request with ci_acl_spec_t:all
> going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0
> The ci_acl_spec_t:all matches
> Log request to access log file /var/log/c-icap/access.log
>
>
> c-icap.conf
> -----------------------------------------------------------------
>
> PidFile /var/run/c-icap.pid
> CommandsSocket /var/run/c-icap/c-icap.ctl
> Timeout 300
> MaxKeepAliveRequests 100
> KeepAliveTimeout 600
> StartServers 3
> MaxServers 10
> MinSpareThreads 10
> MaxSpareThreads 20
> ThreadsPerChild 10
> MaxRequestsPerChild 0
> MaxMemObject 131072
> Port 1345
> User squid
> Group squid
> ServerAdmin you_at_your.address
> ServerName debian
> TmpDir /var/lib/c_icap/temporary
> DebugLevel 11
> ModulesDir /usr/lib/c_icap
> ServicesDir /usr/lib/c_icap
> TemplateDir /usr/share/c_icap/templates/
> LoadMagicFile /etc/c-icap.magic
> TemplateDefaultLanguage en
> #TemplateReloadTime 360
> #TemplateCacheSize 20
> #TemplateMemBufSize 8192
>
> acl all src 0.0.0.0/0.0.0.0
> acl loopback src 127.0.0.1
>
> RemoteProxyUsers on
> RemoteProxyUserHeader X-Authenticated-User
> RemoteProxyUserHeaderEncoded on
> LogFormat allFormat "%tl;%a;%un;%iu;%is;%huo"
> ServerLog /var/log/c-icap/server.log
> AccessLog /var/log/c-icap/access.log allFormat all
>
> GroupSourceByGroup hash:/etc/c-icap/c-icap-groups.txt
> GroupSourceByUser hash:/etc/c-icap/c-icap-user-groups.txt
>
>
> #ACLS FOR SQUIDGUARD RULE interne
>
> #IP Addresses
> acl 192_168_1_240 src 192.168.1.240
>
> #Groups and users
> #no groups set
>
> #Sysloger
> Module logger sys_logger.so
>
> sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning
>
> sys_logger.Prefix "C-ICAP:"
> sys_logger.Facility local1
>
> Module common bdb_tables.so
> Module common dnsbl_tables.so
> Service url_check_module srv_url_check.so
>
>
> #Preload squidGuard databases#
> url_check.LoadSquidGuardDB W-1 /var/lib/squidguard/personal-categories/W-1/
> url_check.LoadSquidGuardDB F-1
> /var/lib/squidguard/personal-categories/filesblock-default/
> url_check.LoadSquidGuardDB W-2 /var/lib/squidguard/personal-categories/W-2/
> url_check.LoadSquidGuardDB F-2
> /var/lib/squidguard/personal-categories/filesblock-interne/
> url_check.LoadSquidGuardDB adult /var/lib/squidguard/adult/
> url_check.LoadSquidGuardDB plus-adult-artica
> /var/lib/squidguard/blacklist-artica/adult/
> url_check.LoadSquidGuardDB mixed_adult /var/lib/squidguard/mixed_adult/
> url_check.LoadSquidGuardDB sexual_education
> /var/lib/squidguard/sexual_education/
> url_check.LoadSquidGuardDB plus-sexual_education-artica
> /var/lib/squidguard/blacklist-artica/sexual_education/
> url_check.LoadSquidGuardDB agressif /var/lib/squidguard/agressif/
>
> #Define profiles for rule 2 (interne)
> url_check.Profile interne pass W-2
> url_check.Profile interne block F-2
> url_check.Profile interne block adult
> url_check.Profile interne block plus-adult-artica
> url_check.Profile interne block mixed_adult
> url_check.Profile interne block sexual_education
> url_check.Profile interne block plus-sexual_education-artica
> url_check.Profile interne block agressif
>
>
> #Maps access groups and IP from profiles
> url_check.ProfileAccess interne 192_168_1_240
>
>
> #Define profiles for rule 1 (default)
> url_check.Profile default pass W-1
> url_check.Profile default block F-1
> url_check.Profile default pass W-1
> url_check.Profile default block F-1
>
>
> #Clamav
> Service antivirus_module srv_clamav.so srv_url_check.so
> ServiceAlias avscan srv_clamav?allow204=off&sizelimit=off&mode=simple
> srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE MSOFFICE
> srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
> srv_clamav.TransferIgnore flv, f4v, f4p, f4a, f4b, mpeg, mp2, mp3
> srv_clamav.SendPercentData 5
> srv_clamav.StartSendPercentDataAfter 2M
> srv_clamav.Allow204Responces off
> srv_clamav.MaxObjectSize 5M
> srv_clamav.ClamAvTmpDir /var/tmp
> srv_clamav.ClamAvMaxFilesInArchive 0
> srv_clamav.ClamAvMaxFileSizeInArchive 100M
> srv_clamav.ClamAvMaxRecLevel 5
> srv_clamav.VirSaveDir /opt/artica/share/www/squid-attachments
> srv_clamav.VirHTTPServer
> "https:///exec.cicap.php?usename=%f&remove=1&file="
> srv_clamav.VirUpdateTime 15
>
>
>
> squid.conf
> -----------------------------------------------------------------
>
>
> auth_param basic credentialsttl 2 hour
> authenticate_ttl 1 hour
> authenticate_ip_ttl 60 seconds
> cache_effective_user squid
> cache_effective_group squid
> #--------- TWEEKS PERFORMANCES
> # http://blog.last.fm/2007/08/30/squid-optimization-guide
> memory_pools off
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> client_db off
> buffered_logs on
> half_closed_clients off
>
> #--------- squidGuard
> #transfered to C-ICAP
>
>
> #--------- acls
> acl blockedsites url_regex "/etc/squid3/squid-block.acl"
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst ::1/128
> acl CONNECT method CONNECT
> acl manager proto cache_object
> acl FTP proto FTP
> acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
> acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
> acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
> acl multimedia_rep rep_mime_type -i ^image/
> acl multimedia_rep rep_mime_type -i ^video
> acl multimedia_rep rep_mime_type -i ^audio
> acl multimedia_rep rep_mime_type -i ^application/x-dvi$
> acl multimedia_rep rep_mime_type -i ^application/x-isoview
> acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
> acl bigfiles_types urlpath_regex -i \.deb$
> acl bigfiles_types urlpath_regex -i \.rpm$
> acl bigfiles_types urlpath_regex -i \.iso$
> acl bigfiles_types urlpath_regex -i \.tar\.gz$
> acl bigfiles_types urlpath_regex -i \.gz$
> acl bigfiles_types urlpath_regex -i \.bz$
> acl bigfiles_types urlpath_regex -i \.tar$
> acl bigfiles_types urlpath_regex -i \.cue$
> acl bigfiles_types urlpath_regex -i \.nrg$
> acl bigfiles_types urlpath_regex -i \.crf$
> acl bigfiles_types urlpath_regex -i \.bwi$
> acl bigfiles_types urlpath_regex -i \.bwt$
> acl bigfiles_types urlpath_regex -i \.lcd$
> acl bigfiles_types urlpath_regex -i \.ccd$
> acl bigfiles_types urlpath_regex -i \.mdf$
> acl bigfiles_types urlpath_regex -i \.mds$
> acl bigfiles_types urlpath_regex -i \.vcd$
> acl bigfiles_types urlpath_regex -i \.cif$
> acl bigfiles_types urlpath_regex -i \.vdi$
> acl bigfiles_types urlpath_regex -i \.img$
> acl office_network src 192.168.1.0/24
>
>
> #--------- MAIN RULES...
> # --------- SAFE ports
> acl Safe_ports port 80 #http
> acl Safe_ports port 20 #ftp-data
> acl Safe_ports port 21 #ftp
> acl Safe_ports port 22 #ssh
> acl Safe_ports port 443 563 #https, snews
> acl Safe_ports port 1863 #msn
> acl Safe_ports port 70 #gopher
> acl Safe_ports port 210 #wais
> acl Safe_ports port 1025-65535 #unregistered ports
> acl Safe_ports port 280 #http-mgmt
> acl Safe_ports port 488 #gss-http
> acl Safe_ports port 591 #filemaker
> acl Safe_ports port 777 #multiling http
> acl Safe_ports port 631 #cups
> acl Safe_ports port 873 #rsync
> acl Safe_ports port 901 #SWAT#
> http_access allow localhost
> http_access allow manager localhost
> http_access deny blockedsites
> acl MULTIMEDIA rep_mime_type -i
> ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shock
> wave-flash|audio\/ogg|video\/ogg|application\/ogg)$ http_access allow
> office_network
> acl SSL_ports port 443 563 6667 9000 2
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny all
>
> # --------- ICAP Services.(1 service(s))
> # --------- icap_service C-ICAP mode 3.1.x
> # --------- icap_service C-ICAP + SquidGuard
>
> icap_service service_url_check reqmod_precache 0 bypass=on
> icap://127.0.0.1:1345/url_check
> icap_service service_antivir respmod_precache bypass=on
> icap://127.0.0.1:1345/srv_clamav
>
>
>
> # --------- adaptation for C-ICAP service
> adaptation_service_set class_url_check service_url_check
> adaptation_access class_url_check allow all
> adaptation_service_set class_antivirus service_antivir
> adaptation_access class_antivirus deny MULTIMEDIA
> adaptation_access class_antivirus allow all
>
>
> icap_enable on
> icap_preview_size 128
> icap_service_failure_limit -1
> icap_preview_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_client_username_encode on
>
>
>
>
> # --------- ident_lookup_access
> hierarchy_stoplist cgi-bin ?
>
> # --------- General settings
> visible_hostname proxyweb
>
>
> # --------- time-out
> dead_peer_timeout 10 seconds
> dns_timeout 2 minutes
> connect_timeout 1600 seconds
> persistent_request_timeout 3 minutes
> pconn_timeout 1600 seconds
>
>
> # --------- Objects limits
> request_body_max_size 5 MB
> request_header_max_size 64 KB
> maximum_object_size 300 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 8 KB
>
>
> #http/https ports
> http_port 3128 transparent
>
> always_direct allow all
>
>
> # --------- Caches
> #cache_replacement_policy heap LFUDA
> cache_mem 8 MB
> cache_swap_high 90
> cache_swap_low 95
> # --------- DNS and ip caches
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 1024
>
>
> # --------- SPECIFIC DNS SERVERS
>
> #--------- FTP specific parameters
> ftp_list_width 32
> ftp_passive yes
>
> debug_options ALL,1
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> icp_port 3130
>
>
> #Logs-------------------------------------------------
> emulate_httpd_log on
> #fqdn is disabled to provide IP addresses to filters
> log_fqdn off
> coredump_dir /var/squid/cache
> cache_store_log /var/log/squid/store.log
> cache_log /var/log/squid/cache.log
> pid_filename /var/run/squid.pid
> access_log /var/log/squid/access.log
> icap_log /var/log/squid/icap_access.log
>
> cache_dir ufs /var/cache/squid 2000 16 256
> # --------- OTHER CACHES

C-icap will report the ip of the source that connects to it, in this case
127.0.0.1 because they are in same box. That is normal.
Received on Tue Aug 31 2010 - 14:27:18 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 31 2010 - 12:00:03 MDT