[squid-users] C-ICAP+SquidGard : ACls problems

From: David Touzeau <david_at_touzeau.eu>
Date: Tue, 31 Aug 2010 14:26:29 +0200

Dear

I would like to know if anyone is using C-ICAP+squidGuard on squid 3.1.x.

I have created a rule matching an acl on an IP address:

acl 192_168_1_240 src 192.168.1.240

It seems that the first IP scanned by c-icap is always the loopback IP
(127.0.0.1).

When the 192.168.1.240 IP passes through c-icap, c-icap displays:
going to check addresses ip address: 127.0.0.1 192.168.1.240/255.255.255.255

Why does 127.0.0.1 have a prefix?
Because of this, no rules match the acl, and IP objects always match the
default rule.

I have added an acl specific to the loopback ("acl loopback src
127.0.0.1") and c-icap correctly says:

going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches

Where am I wrong? How can I delete the 127.0.0.1 prefix in the
connection link?
Is it a squid.conf problem, or does it need specific changes to the squid
method? (using the 3.1.4 version)

Here are the C-ICAP debug logs:
------------------------------------------------------------------

Check request with an access entry
Access control: ALLOW
pool hits:2 allocations: 1
Allocating from objects pool object 0
Requested service: url_check
URL to host www.freesexvideos2k.com
URL page www.freesexvideos2k.com/style.css
Check request with an access entry
Check request with ci_acl_spec_t:loopback
going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches
Check request with ci_acl_spec_t:loopback
going to check addresses ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches
Check request with ci_acl_spec_t:192_168_1_240
going to check addresses ip address: 127.0.0.1 192.168.1.240/255.255.255.255
Going to check the db W-1 for BLOCK
sg_db W-1 is not open?
Going to check the db F-1 for PASS
sg_db: checking domain www.freesexvideos2k.com
db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair found
sg_db: checking url www.freesexvideos2k.com/style.css
Going to check the db W-1 for BLOCK
sg_db W-1 is not open?
Going to check the db F-1 for PASS
sg_db: checking domain www.freesexvideos2k.com
db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair found
sg_db: checking url www.freesexvideos2k.com/style.css
Storing to objects pool object 0
Check request with an access entry
Check request with ci_acl_spec_t:all
going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0
The ci_acl_spec_t:all matches
Check request with ci_acl_spec_t:all
going to check addresses ip address: 127.0.0.1 0.0.0.0/0.0.0.0
The ci_acl_spec_t:all matches
Log request to access log file /var/log/c-icap/access.log

c-icap.conf
-----------------------------------------------------------------

PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
MaxMemObject 131072
Port 1345
User squid
Group squid
ServerAdmin you_at_your.address
ServerName debian
TmpDir /var/lib/c_icap/temporary
DebugLevel 11
ModulesDir /usr/lib/c_icap
ServicesDir /usr/lib/c_icap
TemplateDir /usr/share/c_icap/templates/
LoadMagicFile /etc/c-icap.magic
TemplateDefaultLanguage en
#TemplateReloadTime 360
#TemplateCacheSize 20
#TemplateMemBufSize 8192

acl all src 0.0.0.0/0.0.0.0
acl loopback src 127.0.0.1

RemoteProxyUsers on
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
LogFormat allFormat "%tl;%a;%un;%iu;%is;%huo"
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log allFormat all

GroupSourceByGroup hash:/etc/c-icap/c-icap-groups.txt
GroupSourceByUser hash:/etc/c-icap/c-icap-user-groups.txt

#ACLS FOR SQUIDGUARD RULE interne

#IP Addresses
acl 192_168_1_240 src 192.168.1.240

#Groups and users
#no groups set

#Sysloger
Module logger sys_logger.so

sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning

sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1

Module common bdb_tables.so
Module common dnsbl_tables.so
Service url_check_module srv_url_check.so

#Preload squidGuard databases#
url_check.LoadSquidGuardDB W-1 /var/lib/squidguard/personal-categories/W-1/
url_check.LoadSquidGuardDB F-1 /var/lib/squidguard/personal-categories/filesblock-default/
url_check.LoadSquidGuardDB W-2 /var/lib/squidguard/personal-categories/W-2/
url_check.LoadSquidGuardDB F-2 /var/lib/squidguard/personal-categories/filesblock-interne/
url_check.LoadSquidGuardDB adult /var/lib/squidguard/adult/
url_check.LoadSquidGuardDB plus-adult-artica /var/lib/squidguard/blacklist-artica/adult/
url_check.LoadSquidGuardDB mixed_adult /var/lib/squidguard/mixed_adult/
url_check.LoadSquidGuardDB sexual_education /var/lib/squidguard/sexual_education/
url_check.LoadSquidGuardDB plus-sexual_education-artica /var/lib/squidguard/blacklist-artica/sexual_education/
url_check.LoadSquidGuardDB agressif /var/lib/squidguard/agressif/

#Define profiles for rule 2 (interne)
url_check.Profile interne pass W-2
url_check.Profile interne block F-2
url_check.Profile interne block adult
url_check.Profile interne block plus-adult-artica
url_check.Profile interne block mixed_adult
url_check.Profile interne block sexual_education
url_check.Profile interne block plus-sexual_education-artica
url_check.Profile interne block agressif

#Maps access groups and IP from profiles
url_check.ProfileAccess interne 192_168_1_240

#Define profiles for rule 1 (default)
url_check.Profile default pass W-1
url_check.Profile default block F-1
url_check.Profile default pass W-1
url_check.Profile default block F-1

#Clamav
Service antivirus_module srv_clamav.so srv_url_check.so
ServiceAlias avscan srv_clamav?allow204=off&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE MSOFFICE
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
srv_clamav.TransferIgnore flv, f4v, f4p, f4a, f4b, mpeg, mp2, mp3
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.Allow204Responces off
srv_clamav.MaxObjectSize 5M
srv_clamav.ClamAvTmpDir /var/tmp
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /opt/artica/share/www/squid-attachments
srv_clamav.VirHTTPServer "https:///exec.cicap.php?usename=%f&remove=1&file="
srv_clamav.VirUpdateTime 15

squid.conf
-----------------------------------------------------------------

auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
cache_effective_user squid
cache_effective_group squid
#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- squidGuard
#transfered to C-ICAP

#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst ::1/128
acl CONNECT method CONNECT
acl manager proto cache_object
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
acl bigfiles_types urlpath_regex -i \.deb$
acl bigfiles_types urlpath_regex -i \.rpm$
acl bigfiles_types urlpath_regex -i \.iso$
acl bigfiles_types urlpath_regex -i \.tar\.gz$
acl bigfiles_types urlpath_regex -i \.gz$
acl bigfiles_types urlpath_regex -i \.bz$
acl bigfiles_types urlpath_regex -i \.tar$
acl bigfiles_types urlpath_regex -i \.cue$
acl bigfiles_types urlpath_regex -i \.nrg$
acl bigfiles_types urlpath_regex -i \.crf$
acl bigfiles_types urlpath_regex -i \.bwi$
acl bigfiles_types urlpath_regex -i \.bwt$
acl bigfiles_types urlpath_regex -i \.lcd$
acl bigfiles_types urlpath_regex -i \.ccd$
acl bigfiles_types urlpath_regex -i \.mdf$
acl bigfiles_types urlpath_regex -i \.mds$
acl bigfiles_types urlpath_regex -i \.vcd$
acl bigfiles_types urlpath_regex -i \.cif$
acl bigfiles_types urlpath_regex -i \.vdi$
acl bigfiles_types urlpath_regex -i \.img$
acl office_network src 192.168.1.0/24

#--------- MAIN RULES...
# --------- SAFE ports
acl Safe_ports port 80 #http
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT#
http_access allow localhost
http_access allow manager localhost
http_access deny blockedsites
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$
http_access allow office_network
acl SSL_ports port 443 563 6667 9000 2
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny all

# --------- ICAP Services.(1 service(s))
# --------- icap_service C-ICAP mode 3.1.x
# --------- icap_service C-ICAP + SquidGuard

icap_service service_url_check reqmod_precache 0 bypass=on icap://127.0.0.1:1345/url_check
icap_service service_antivir respmod_precache bypass=on icap://127.0.0.1:1345/srv_clamav

# --------- adaptation for C-ICAP service
adaptation_service_set class_url_check service_url_check
adaptation_access class_url_check allow all
adaptation_service_set class_antivirus service_antivir
adaptation_access class_antivirus deny MULTIMEDIA
adaptation_access class_antivirus allow all

icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on

# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxyweb

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds

# --------- Objects limits
request_body_max_size 5 MB
request_header_max_size 64 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB

#http/https ports
http_port 3128 transparent

always_direct allow all

# --------- Caches
#cache_replacement_policy heap LFUDA
cache_mem 8 MB
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024

# --------- SPECIFIC DNS SERVERS

#--------- FTP specific parameters
ftp_list_width 32
ftp_passive yes

debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
icp_port 3130

#Logs-------------------------------------------------
emulate_httpd_log on
#fqdn is disabled to provide IP addresses to filters
log_fqdn off
coredump_dir /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
access_log /var/log/squid/access.log
icap_log /var/log/squid/icap_access.log

cache_dir ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
Received on Tue Aug 31 2010 - 12:26:40 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 31 2010 - 12:00:03 MDT