[squid-users] squid-3.0.STABLE7 ICAP [FinanzIT: Viruscheck]

From: <Juergen.Paulo_at_finanzit.com>
Date: Tue, 1 Jul 2008 14:40:50 +0200

Hi,

We have a little problem here with the Squid above.

We have:

snip

acl NETZ_i001 src "/opt/squid-3.0.STABLE7/etc/acl/netz_001"
# # User ACLs
#
# # default Profile
 acl USER_sehr_hoch proxy_auth "/opt/squid-3.0.STABLE7/etc/acl/user_sehr_hoch"
 acl USER_hoch proxy_auth "/opt/squid-3.0.STABLE7/etc/acl/user_hoch"
 acl USER_mittel proxy_auth "/opt/squid-3.0.STABLE7/etc/acl/user_mittel"
 acl USER_niedrig proxy_auth "/opt/squid-3.0.STABLE7/etc/acl/user_niedrig"
 acl USER_sehr_niedrig proxy_auth "/opt/squid-3.0.STABLE7/etc/acl/user_sehr_niedrig"

icap_service res_default respmod_precache 0 icap://localhost:1344/wwrespmod?profile=default

# Default Request-Profile

icap_service req_default reqmod_precache 0 icap://localhost:1344/wwreqmod?profile=default

icap_service req_hoch reqmod_precache 0 icap://localhost:1344/wwreqmod?profile=hoch
icap_service req_mittel reqmod_precache 0 icap://localhost:1344/wwreqmod?profile=mittel
icap_service req_niedrig reqmod_precache 0 icap://localhost:1344/wwreqmod?profile=niedrig
icap_service req_sehr_hoch reqmod_precache 0 icap://localhost:1344/wwreqmod?profile=sehr_hoch
icap_service req_sehr_niedrig reqmod_precache 0 icap://localhost:1344/wwreqmod?profile=sehr_niedrig

# ICAP classes for the default profile
icap_class icap_default res_default

############################

icap_class icap_req_default req_default

icap_class icap_001netz req_default
icap_class icap_sehr_hoch req_sehr_hoch
icap_class icap_hoch req_hoch
icap_class icap_mittel req_mittel
icap_class icap_niedrig req_niedrig
icap_class icap_sehr_niedrig req_sehr_niedrig

# webwasher default Profile
icap_access icap_001netz deny !NETZ_i001

icap_access icap_sehr_hoch deny !USER_sehr_hoch
icap_access icap_hoch deny !USER_hoch
icap_access icap_mittel deny !USER_mittel
icap_access icap_niedrig deny !USER_niedrig
icap_access icap_sehr_niedrig deny !USER_sehr_niedrig

icap_access icap_default allow all

end. squid config.

If there is an IP accessing Squid which is not listed in NETZ_001, without
user authentication, the client has
to go to the last line for ICAP response mode access. This works in
2.5.STABLE12.
Now it matches in the second icap_access line for reqmod_profile
icap_sehr_hoch too:

2008/07/01 13:09:55.099| ICAPAccessCheckCallbackWrapper matchedClass = icap_req_default
2008/07/01 13:09:55.099| ACLChecklist::preCheck: 0x87c0980 checking 'icap_access icap_001netz deny !NETZ_i001'
2008/07/01 13:09:55.099| ACLList::matches: checking !NETZ_i001
2008/07/01 13:09:55.099| ACL::checklistMatches: checking 'NETZ_i001'
2008/07/01 13:09:55.099| aclMatchIp: 'XX.XX.XX.XX' NOT found
2008/07/01 13:09:55.099| ACL::ChecklistMatches: result for 'NETZ_i001' is 0
2008/07/01 13:09:55.099| ACLList::matches: result is true
2008/07/01 13:09:55.099| aclmatchAclList: 0x87c0980 returning true (AND list satisfied)
2008/07/01 13:09:55.099| ACLChecklist::markFinished: 0x87c0980 checklist processing finished
2008/07/01 13:09:55.099| ACLChecklist::check: 0x87c0980 match found, calling back with 0
2008/07/01 13:09:55.099| ACLChecklist::checkCallback: 0x87c0980 answer=0
2008/07/01 13:09:55.099| ICAPAccessCheckCallbackWrapper: answer=0
2008/07/01 13:09:55.100| ICAPAccessCheckCallbackWrapper matchedClass = icap_001netz
2008/07/01 13:09:55.100| ACLChecklist::preCheck: 0x87c0aa8 checking 'icap_access icap_sehr_hoch deny !USER_sehr_hoch'
2008/07/01 13:09:55.100| ACLList::matches: checking !USER_sehr_hoch
2008/07/01 13:09:55.100| ACL::checklistMatches: checking 'USER_sehr_hoch'
2008/07/01 13:09:55.100| aclMatchAcl: returning 0 sending authentication challenge.
2008/07/01 13:09:55.100| ACL::ChecklistMatches: result for 'USER_sehr_hoch' is 0
2008/07/01 13:09:55.100| ACLList::matches: result is true
2008/07/01 13:09:55.100| aclmatchAclList: 0x87c0aa8 returning false (AND list entry failed to match)
2008/07/01 13:09:55.100| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2008/07/01 13:09:55.100| ACLChecklist::markFinished: 0x87c0aa8 checklist processing finished
2008/07/01 13:09:55.100| aclmatchAclList: async=1 nodeMatched=1 async_in_progress=0 lastACLResult() = 1 finished() = 1
2008/07/01 13:09:55.100| ACLChecklist::check: 0x87c0aa8 match found, calling back with 2
2008/07/01 13:09:55.100| ACLChecklist::checkCallback: 0x87c0aa8 answer=2
2008/07/01 13:09:55.100| ICAPAccessCheckCallbackWrapper: answer=2
2008/07/01 13:09:55.100| ICAPAccessCheckCallbackWrapper matchedClass = icap_sehr_hoch
2008/07/01 13:09:55.100| ACLChecklist::~ACLChecklist: destroyed 0x87c0aa8
2008/07/01 13:09:55.100| ACLChecklist::~ACLChecklist: destroyed 0x87c0980
2008/07/01 13:09:55.100| ACLChecklist::~ACLChecklist: destroyed 0x87c0a14
2008/07/01 13:09:55.112| ICAPAccessCheckCallbackEvent
2008/07/01 13:09:55.112| ICAPAccessCheck::do_callback
2008/07/01 13:09:55.112| ICAPAccessCheck::do_callback matchedClass = icap_sehr_hoch
2008/07/01 13:09:55.112| ICAP/ICAPConfig.cc(311) cannot skip an essential down service
2008/07/01 13:09:55.112| ICAP/ICAPConfig.cc(318) found first matching down-but-essential service in class icap_sehr_hoch: req_sehr_hoch
2008/07/01 13:09:55.112| ICAP/ICAPConfig.cc(265) do_callback: with service icap://localhost:1344/wwreqmod?profile=sehr_hoch
2008/07/01 13:09:55.112| client_side_request.cc(504) 0x87bc978 icapAclCheckDone called

Why?

JP
Received on Tue Jul 01 2008 - 12:41:33 MDT
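
Added example (not part of the original post, and not Squid project code): a Python script that rejoins mail-wrapped debug records and lists, for each ACL checklist, the icap_access rule that was checked, the numeric answer handed to the callback, whether a Proxy Auth header was demanded, and the class finally reported by ICAPAccessCheck::do_callback. The sample is an excerpt of the log quoted in the post; the function names and the rule of attributing the "requiring Proxy Auth header" record to the most recent preCheck are this example's own assumptions.

```python
import re

# Excerpt of the debug log quoted in the post, with mail-style line wrapping.
SAMPLE = """\
2008/07/01 13:09:55.099| ACLChecklist::preCheck: 0x87c0980 checking
'icap_access icap_001netz deny !NETZ_i001'
2008/07/01 13:09:55.099| ACLChecklist::checkCallback: 0x87c0980 answer=0
2008/07/01 13:09:55.100| ACLChecklist::preCheck: 0x87c0aa8 checking
'icap_access icap_sehr_hoch deny !USER_sehr_hoch'
2008/07/01 13:09:55.100| ACLChecklist::checkForAsync: requiring Proxy Auth
header.
2008/07/01 13:09:55.100| ACLChecklist::checkCallback: 0x87c0aa8 answer=2
2008/07/01 13:09:55.112| ICAPAccessCheck::do_callback matchedClass =
icap_sehr_hoch
"""

TS = re.compile(r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\| ")
PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) checking '(icap_access (\S+) .+)'")
CALLBACK = re.compile(r"checkCallback: (0x[0-9a-f]+) answer=(\d+)")
FINAL = re.compile(r"do_callback matchedClass = (\S+)")

def unwrap(text):
    """A line without a leading timestamp continues the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def trace(text):
    """Return (checks in log order, class reported by do_callback)."""
    checks, by_ptr, current, final = [], {}, None, None
    for rec in unwrap(text):
        if m := PRECHECK.search(rec):
            current = {"class": m[3], "rule": m[2], "answer": None, "auth": False}
            by_ptr[m[1]] = current
            checks.append(current)
        elif "requiring Proxy Auth header" in rec and current:
            current["auth"] = True  # attributed to the most recent preCheck
        elif (m := CALLBACK.search(rec)) and m[1] in by_ptr:
            by_ptr[m[1]]["answer"] = int(m[2])
        elif m := FINAL.search(rec):
            final = m[1]
    return checks, final

if __name__ == "__main__":
    checks, final = trace(SAMPLE)
    for c in checks:
        print(f"{c['rule']!r}: answer={c['answer']} auth_required={c['auth']}")
    print("selected class:", final)
```
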
