Не хочет с-icap почему-то принимать соединения.
сквид 3.1.10 и c-icap-060708_2,1 из портов
конфиги
Код: Выделить всё
cat squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.84.0/24
acl localnet src 192.168.85.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /storage/squidcache 4096 64 256
maximum_object_size 512 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
icap_log /var/log/squid/icap.log
cache_store_log none
logfile_rotate 10
url_rewrite_program /usr/local/rejik/redirector /usr/local/etc/redirector.conf
url_rewrite_children 8
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname server.local
icp_port 3130
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://192.168.84.253/srv_clamav
icap_service service_avi respmod_precache 1 icap://192.168.84.253/srv_clamav
adaptation_service_set service_avi service_avi_req
adaptation_access service_avi allow all
adaptation_access service_avi_req allow all
икап, разрешено всем намеренно, в процессе поиска
Код: Выделить всё
cat c-icap.conf | grep -v '^#' | sed '/^$/d'
cat: c-icap.conf: No such file or directory
niko-gw# cd /usr/local/etc
niko-gw# cat c-icap.conf | grep -v '^#' | sed '/^$/d'
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 600
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
User cicap
Group cicap
TmpDir /tmp/
MaxMemObject 131072
ServerLog /var/log/c_icap/server.log
AccessLog /var/log/c_icap/access.log
DebugLevel 1
ModulesDir /usr/local/lib/c_icap
Module logger sys_logger.so
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
Logger sys_logger
acl squid_respmod src 192.168.84.0/255.255.255.0 type respmod
acl squid_options src 192.168.84.0/255.255.255.0 type options
acl any src 0.0.0.0/0.0.0.0
icap_access allow squid_respmod
icap_access allow squid_options
icap_access allow any
ServicesDir /usr/local/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.MaxObjectSize 5M
srv_clamav.ClamAvTmpDir /tmp/
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /var/infected
srv_clamav.VirHTTPServer "DUMMY"
srv_clamav.VirUpdateTime 15
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
tcpdump обмена прокси и с-icap
Код: Выделить всё
tcpdump -npi tap0 port 1344
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
12:32:31.157214 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [S], seq 1466692851, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 136294970 ecr 0], length 0
12:32:31.157389 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [S.], seq 187600070, ack 1466692852, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 2911239331 ecr 136294970], length 0
12:32:31.161123 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161536 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [F.], seq 1, ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161681 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [.], ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.162434 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [F.], seq 1, ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.163591 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 2, win 8281, options [nop,nop,TS val 136294977 ecr 2911239336], length 0
Сквид в браузер пишет:
Код: Выделить всё
При получении URL http://dealextreme.com/ произошла следующая ошибка
Ошибка протокола ICAP.
Система вернула: [No Error]
Это означает, что какой-то этап связи по протоколу ICAP не удался.
Возможные проблемы:
Сервер ICAP недоступен
Получен недопустимый ответ от сервера ICAP.Запуска c-icap в отладке:
Код: Выделить всё
c-icap -D -N -d 10
Enabling parameter -D
Disabling parameter -N
Setting parameter :-d=10
Searching 0x805d02c for default value
Setting parameter :PidFile=/var/run/c-icap.pid
Searching 0x805d030 for default value
Setting parameter :CommandsSocket=/var/run/c-icap/c-icap.ctl
Searching 0x805d050 for default value
Setting parameter :Timeout=300
Searching 0x805d058 for default value
Setting parameter :MaxKeepAliveRequests=600
Searching 0x805d054 for default value
Setting parameter :KeepAliveTimeout=600
Searching 0x805d060 for default value
Setting parameter :StartServers=3
Searching 0x805d064 for default value
Setting parameter :MaxServers=10
Searching 0x805d06c for default value
Setting parameter :MinSpareThreads=10
Searching 0x805d070 for default value
Setting parameter :MaxSpareThreads=20
Searching 0x805d068 for default value
Setting parameter :ThreadsPerChild=10
Searching 0x805d864 for default value
Setting parameter :MaxRequestsPerChild=0
Searching 0x805d020 for default value
Setting parameter :Port=1344
Searching 0x805d034 for default value
Setting parameter :User=cicap
Searching 0x805d038 for default value
Setting parameter :Group=cicap
Searching 0x805d028 for default value
Setting parameter :TmpDir=/tmp/
Searching 0x805d844 for default value
Setting parameter :MaxMemObject=131072
Searching 0x805d3d0 for default value
Setting parameter :ServerLog=/var/log/c_icap/server.log
Searching 0x805d3d4 for default value
Setting parameter :AccessLog=/var/log/c_icap/access.log
Searching 0x805d85c for default value
Setting parameter :DebugLevel=1
Setting parameter :ModulesDir=/usr/local/lib/c_icap
Loading service :logger path sys_logger.so
Going to search variable Prefix in table sys_logger
Setting parameter :Prefix=C-ICAP:
Going to search variable Facility in table sys_logger
Setting parameter :Logger=sys_logger
Setting parameter :ServicesDir=/usr/local/lib/c_icap
Loading service :echo_module path srv_echo.so
Found handler C_handler for service with extension:.so
Loading service :url_check_module path srv_url_check.so
Found handler C_handler for service with extension:.so
Initialization of url_check module......
Loading service :antivirus_module path srv_clamav.so
Found handler C_handler for service with extension:.so
Alias:avscan of service srv_clamav
Going to search variable ScanFileTypes in table srv_clamav
Iam going to scan data for simple scanning of type:,GIF,JPEG,MSOFFICE,TEXT,DATA,EXECUTABLE,ARCHIVE
Going to search variable SendPercentData in table srv_clamav
Setting parameter :SendPercentData=5
Going to search variable StartSendPercentDataAfter in table srv_clamav
Setting parameter :StartSendPercentDataAfter=2097152
Going to search variable MaxObjectSize in table srv_clamav
Setting parameter :MaxObjectSize=5242880
Going to search variable ClamAvTmpDir in table srv_clamav
Setting parameter :ClamAvTmpDir=/tmp/
Going to search variable ClamAvMaxFilesInArchive in table srv_clamav
Setting parameter :ClamAvMaxFilesInArchive=0
Going to search variable ClamAvMaxFileSizeInArchive in table srv_clamav
Setting parameter :ClamAvMaxFileSizeInArchive=104857600
Going to search variable ClamAvMaxRecLevel in table srv_clamav
Setting parameter :ClamAvMaxRecLevel=5
Going to search variable VirSaveDir in table srv_clamav
Setting parameter :VirSaveDir=/var/infected
Going to search variable VirHTTPServer in table srv_clamav
Setting parameter :VirHTTPServer=DUMMY
Going to search variable VirUpdateTime in table srv_clamav
Setting parameter :VirUpdateTime=15
Going to search variable VirScanFileTypes in table srv_clamav
Iam going to scan data for vir_mode scanning of type:,EXECUTABLE,ARCHIVE
My hostname is:niko-gw.o56.ru
Вс это вываливается при запуске, в момент обращения к сквиду — ничо больше не пишет
Хотя си-икап виси и слушает порт:
Код: Выделить всё
cicap c-icap 95318 3 tcp4 *:1344 *:*
cicap c-icap 95318 4 dgram -> /var/run/logpriv
cicap c-icap 95317 3 tcp4 *:1344 *:*
cicap c-icap 95317 4 dgram -> /var/run/logpriv
cicap c-icap 95316 3 tcp4 *:1344 *:*
cicap c-icap 95316 4 dgram -> /var/run/logpriv
cicap c-icap 95315 3 tcp4 *:1344 *:*
cicap c-icap 95315 4 dgram -> /var/run/logpriv
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.1344 *.* LISTEN
This topic has been deleted. Only users with topic management privileges can see it.
-
After upgrading pfsense to v2.3, I’ve encountered a lot of problems and I’ve managed to fix a few, but I’m left with the following error every time I’m trying to access a page through my reverse proxy configuration which was working fine before the update:
The following error was encountered while trying to retrieve the URL: https://subdomain.domain.com/ ICAP protocol error. The system returned: [No Error] This means that some aspect of the ICAP communication failed. Some possible problems are: The ICAP server is not reachable. An Illegal response was received from the ICAP server.I’m assuming something didn’t go right with the ICAP installation included in the packages, but I’ve de-installed and re-installed it a bunch of time without success. I tried to manually delete the squid installation folders, but I don’t know where ICAP get’s installed and I haven’t managed to find it.
Any advice or hint on how to solve this problem would be very welcomed.
-
Hello.
Scenario: pfSense 2.3_1 amd64, squid 0.4.16_2, squidGuard 1.14_3
The same problem I had, the service c-icap and clamd (ClamAV Squid) going down and squid was a mistake and did not allow connect to pages
To fix this, I installed the package: Service Watchdog, and will configured to monitor clamd and c-icap . And now work fine to me.
Regards
-
Thanks for the suggestion, but both services are always running according to pfsense interface on mine. I’ll give it a try anyway, just in case the status doesn’t get reported properly.
I’m using pfsense 2.3-RELEASE (amd64) and the squid package version is 0.4.16_2 and I don’t have squidguard installed.
Edit: Same problem with service watchdog configured to watch clamd and C-ICAP
-
Hello.
There is a new Upgrade: pfSense 2.3.1
https://blog.pfsense.org/?p=2050
Maybe this is the solution.
Regards
-
No such luck sadly.
-
Hello.
I try a upgrade to 2.3.1 and if the problem persists, maybe with reinstall of package squid fixed it.
Regards.
-
Reinstalling the squid package after the upgrade also didn’t help, I still get the same error page.
-
Hello.
You would try this:
(Backup/copy squid.conf, and squidGuard config, in another files)
Remove squid (and squidGuard) config:
Diagnostics > Command Prompt > Execute PHP Commands
foreach (array_keys($config['installedpackages']) as $sec) { if (strpos($sec, "squid") !== false) unset($config['installedpackages'][$sec]); } write_config("Removed all squid-related settings");Reinstall squid package, and config again, …
Regards
-
Thank you so much, that finally did the trick.
-
Thanks.
It helps me too.
i have mnake a clean reinstall with 2.31 and it donrt works. after i killed all files and reinstall it works fine.
thanks!
-
Turns out it doesn’t quite work after all, but I can at least easily make the reverse proxy work alone which was the main thing I needed.
I did some more testing today and noticed that the antivirus option was disabled in squid and when I activate it, I get the ICAP error again.
If I disable the antivirus again, then the reverse proxy works properly.
Здравствуйте!
Кто-нибудь настраивал свежую версию c-icap 1.3 ?
Squid-3.1.8-2.fc13
Clamav-0.96.1-1300.fc13
В конфиге сквида добавил вот эти строчки:
Код: Выделить всё
icap_enable on
# включить icap
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344
adaptation_access service_req allow all
adaptation_access service_resp allow all
# всех проверяем на вирусыВот конфиг c-icap:
Код: Выделить всё
# # This file contains the default settings for c-icap # # # TAG: PidFile # Format: PidFile pid_file # Description: # The file to store the pid of the main process of the c-icap server. # Default: # PidFile /var/run/c-icap/c-icap.pid PidFile /var/run/c-icap/c-icap.pid # TAG: CommandsSocket # Format: CommandsSocket socket_file # Description: # The path of file to use as control socket for c-icap # Default: # CommandsSocket /var/run/c-icap/c-icap.ctl CommandsSocket /var/run/c-icap/c-icap.ctl # TAG: Timeout # Format: Timeout seconds # Description: # The time in seconds after which a connection without activity # can be cancelled. # Default: # Timeout 300 Timeout 300 # TAG: MaxKeepAliveRequests # Format: MaxKeepAliveRequests number # Description: # The maximum number of requests can be served by one connection # Set it to -1 for no limit # Default: # MaxKeepAliveRequests 100 MaxKeepAliveRequests 100 # TAG: KeepAliveTimeout # Format: KeepAliveTimeout seconds # Description: # The maximum time in seconds waiting for a new requests before a # connection will be closed. # If the value is set to -1, there is no timeout. # Default: # KeepAliveTimeout 600 KeepAliveTimeout 600 # TAG: StartServers # Format: StartServers number # Description: # The initial number of server processes. Each server process # generates a number of threads, which serve the requests. # Default: # StartServers 3 StartServers 3 # TAG: MaxServers # Format: MaxServers number # Description: # The maximum allowed number of server processes. # Default: # MaxServers 10 MaxServers 10 # TAG: MinSpareThreads # Format: MinSpareThreads number # Description: # If the number of the available threads is less than number, # the c-icap server starts a new child. # Default: # MinSpareThreads 10 MinSpareThreads 10 # TAG: MaxSpareThreads # Format: MaxSpareThreads number # Description: # If the number of the available threads is more than number then # the c-icap server kills a child. # Default: # MaxSpareThreads 20 MaxSpareThreads 20 # TAG: ThreadsPerChild # Format: ThreadsPerChild number # Description: # The number of threads per child process. # Default: # ThreadsPerChild 10 ThreadsPerChild 10 # TAG: MaxRequestsPerChild # Format: MaxRequestsPerChild number # Description: # The maximum number of requests that a child process can serve. # After this number has been reached, process dies. The goal of this # parameter is to minimize the risk of memory leaks and increase the # stability of c-icap. It can be disabled by setting its value to 0. # Default: # MaxRequestsPerChild 0 MaxRequestsPerChild 0 # TAG: Port # Format: Port port # Description: # The port number that the c-icap server uses to listen to requests. # Default: # Port 1344 Port 1344 # TAG: User # Format: User username # Description: # The user owning c-icap's processes. By default, the owner is the # user who runs the program. # Default: # No value # Example: User nobody # TAG: Group # Format: Group groupname # Description: # The group of users owning c-icap's processes, which, by default # is the group of the current user. # Default: # No value # Example: Group nobody # TAG: ServerAdmin # Format: ServerAdmin admin_mail # Description: # The Administrator of this server. Used when displaying information # about this server (logs, info service, etc) # Default: # No value ServerAdmin you@your.address # TAG: ServerName # Format: ServerName aServerName # Description: # A name for this server. Used when displaying information about this # server (logs, info service, etc) # Default: # No value ServerName YourServerName # TAG: TmpDir # Format: TmpDir dir # Description: # dir is the location of temporary files. # Default: # TmpDir /var/tmp TmpDir /var/tmp # TAG: MaxMemObject # Format: MaxMemObject bytes # Description: # The maximum memory size in bytes taken by an object which # is processed by c-icap . If the size of an object's body is # larger than the maximum size a temporary file is used. # Default: # MaxMemObject 131072 MaxMemObject 131072 # TAG: DebugLevel # Format: DebugLevel level # Description: # The level of debugging information to be logged. # The acceptable range of levels is between 0 and 10. # Default: # DebugLevel 1 DebugLevel 5 # TAG: ModulesDir # Format: ModulesDir dir # Description: # The location of modules # Default: # ModulesDir /usr/local/c-icap/lib/c_icap ModulesDir /usr/local/c-icap/lib/c_icap # TAG: ServicesDir # Format: ServicesDir dir # Description: # The location of services # Default: # ServicesDir /usr/local/c-icap/lib/c_icap ServicesDir /usr/local/c-icap/lib/c_icap # TAG: TemplateDir # Format: TemplateDir dir # Description: # The location of the text templates used by c-icap and its services, # categorized by language and services/modules # Default: # No value # Example: TemplateDir /usr/local/c-icap/share/c_icap/templates/ # TAG: TemplateDefaultLanguage # Format: TemplateDefaultLanguage lang # Description: # Sets the default language to use for text templates # Default: # TemplateDefaultLanguage en TemplateDefaultLanguage en #TemplateReloadTime 360 #TemplateCacheSize 20 #TemplateMemBufSize 8192 # TAG: LoadMagicFile # Format: LoadMagicFile path # Description: # Load a c-icap magic file. A magic file contains various # data type definitions. Look inside default c-icap.magic file # for more informations. # It can be used more than once to use multiple magic files. # Default: # LoadMagicFile /usr/local/c-icap/etc/c-icap.magic LoadMagicFile /usr/local/c-icap/etc/c-icap.magic # TAG: RemoteProxyUsers # Format: RemoteProxyUsers onoff # Description: # Set it to on if you want to use username provided by the proxy server. # This is the recomended way to use users in c-icap. # If the RemoteProxyUsers is off and c-icap configured to use users or # groups the internal authentication mechanism will be used. # Default: # RemoteProxyUsers off RemoteProxyUsers off # TAG: RemoteProxyUserHeader # Format: RemoteProxyUserHeader Header # Description: # Used to specify the icap header used by the proxy server to send # the authenticated client username to c-icap server # Default: # RemoteProxyUserHeader X-Authenticated-User RemoteProxyUserHeader X-Authenticated-User # TAG: RemoteProxyUserHeaderEncoded # Format: RemoteProxyUserHeaderEncoded onoff # Description: # Set it to off if the RemoteProxyUserHeader is not base64 encoded # Default: # RemoteProxyUserHeaderEncoded on RemoteProxyUserHeaderEncoded on # TAG: AuthMethod # Format: AuthMethod Method Authenticator # Description: # Used to define the internal authentication mechanism to use. This # feature is not well tested and may cause problems. It is better to use # RemoteProxyUser configuration. # Method is the authentication method to use (basic, digest, etc). # Currently only basic authentication method is implemented as build in # module # Authenticator currently can only be "basic_simple_db" # It can be considered as a user/password store and can be # implemented as external module. The basic_simple_db is implemented as # build it module # Default: # No set # Example: # AuthMethod basic basic_simple_db # TAG: basic.Realm # Format: basic.Realm ARealm # Description: # Specify the basic method realm # Default: # basic.Realm "Basic authentication" # Example: # basic.Realm "c-icap server authentication" # TAG: basic_simple_db.UsersDB # Format: basic_simple_db.UsersDB LookupTable # Description: # Specify the lookup table where the usernames/passwords pairs # are stored. The paswords must be unencrypted # For more information about c-icap lookup tables read c-icap server # manual page # Default: # No value # Example: # basic_simple_db.UsersDB hash:/usr/local/c-icap/etc/c-icap-users.txt # TAG: GroupSourceByGroup # Format: GroupSourceByGroup LookupTable # Description: # Defines a lookup table where the groups of users are stored indexed # by group. It can be used more than once. # For more information about c-icap lookup tables read c-icap server # manual page # Default: # No set # Example: # GroupSourceByGroup hash:/usr/local/c-icap/etc/c-icap-groups.txt # TAG: GroupSourceByUser # Format: GroupSourceByUser LookupTable # Description: # Defines a lookup table where the groups of users are stored indexed # by user. It can be used more than once. # For more information about c-icap lookup tables read c-icap server # manual page # Default: # No set # Example: # GroupSourceByUser hash:/usr/local/c-icap/etc/c-icap-user-groups.txt # TAG: acl # Format: acl name type[{param}] value1 [value2] [...] # Description: # Supported acl types are: # acl aclname service service1 ... # The servicename # acl aclname type OPTIONS|RESPMOD|REQMOD ... # The icap method # acl aclname port port1 ... # The icap server port # acl aclname src ip1/netmask1 ... # The client ip address # acl aclname srvip ip1/netmask1 ... # The c-icap server ip address # acl aclname icap_header{HeaderName} value1 ... # Matches the icap header HeaderName with value1 ... # The values are in regex form: /avalue/ # acl aclname icap_resp_header{HeaderName} value1 ... # The icap response header # The values are in regex form: /avalue/ # acl aclname http_req_header{HeaderName} value1 ... # The http request header # The values are in regex form: /avalue/ # acl aclname http_resp_header{HeaderName} value1 ... # The http response header # The values are in regex form: /avalue/ # acl aclname data_type type1 ... # The data type as recognized by the internal data type # recognizer. The types are defined in c-icap.magic file # acl aclname auth username|* ... # The authenticated users. Using * instead of username means # all users. # acl aclname group group1 ... # if the user of request belongs to given groups # Default: # None set # Examples: # acl OPTIONS type OPTIONS # acl RESPMOD type RESPMOD # acl REQMOD type REQMOD # acl ALLREQUESTS type OPTIONS RESPMOD REQMOD # acl XHEAD icap_header{X-Test} /value/ # acl ECHO service echo # acl localnet src 192.168.1.0/255.255.255.0 # acl localhost src 127.0.0.1/255.255.255.255 # acl all src 0.0.0.0/0.0.0.0 acl ALLREQUESTS type OPTIONS RESPMOD REQMOD acl localsquid src 127.0.0.1 acl externalnet src 0.0.0.0/0.0.0.0 # TAG: icap_access # Format: icap_access allow|deny [!]acl1 ... # Description: # Allowing or denying ICAP access based on defined access lists # Default: # None set # Example: # icap_access deny XHEAD # #Allow OPTIONS method for all: # icap_access allow localnet OPTIONS # #Require authentication for all users from local network: # icap_access allow AUTH localnet # icap_access deny all icap_access allow localsquid ALLREQUESTS icap_access allow localsquid icap_access allow AUTH localsquid icap_access allow externalnet ALLREQUESTS icap_access allow externalnet # icap_access deny externalnet # TAG: client_access # Format: client_access allow|deny acl1 [acl2] [...] # Description: # Allowing or denying connections on c-icap based on # defined access lists. Only the acl types src, srvip and port # can be used. # Default: # None set # Example: # client_access allow all # TAG: LogFormat # Format: LogFormat Name Format # Description: # Name is a name for this log format. # Format is a string with embedded % format codes. % format codes # has the following form: # % [-] [width] [{argument}] formatcode # if - is specified then the output is left aligned # if width specified then the field is exactly width size # some formatcodes support arguments given as {argument} # # Format codes: # %a: Remote IP-Address # %la: Local IP Address # %lp: Local port # %>a: Http Client IP Address. Only supported if the proxy # client supports the "X-Client-IP" header # %<A: Http Server IP Address. Only supported if the proxy # client supports the "X-Server-IP" header # %ts: Seconds since epoch # %tl: Local time. Supports optional strftime format argument # %tg: GMT time. Supports optional strftime format argument # %>ho: Modified Http request header. Supports header name # as argument # %huo: Modified Http request url # %<ho: Modified Http reply header. Supports header name # as argument # %iu: Icap request url # %im: Icap method # %is: Icap status code # %>ih: Icap request header. Supports header name # as argument # %<ih: Icap response header. Supports header name # as argument # %Ih: Http bytes received # %Oh: Http bytes sent # %Ib: Http body bytes received # %Ob: Http body bytes sent # %I: Bytes received # %O: Bytes sent # %bph: The first 5 bytes of the body preview data. Non # printable characters printed in hex form. # Supports the number of bytes to output as argument. # %un: Username # Default: # None set # Example: # LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph" # TAG: ServerLog # Format: ServerLog LogFile # Description: # the file used by the build-in logger file_logger to # store debugging information, errors and other # information about the c-icap server. # Default: # ServerLog /usr/local/c-icap/var/log/server.log ServerLog /usr/local/c-icap/var/log/server.log # TAG: AccessLog # Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...] # Description: # LogFile is a file where to log access information. # LogFormat is the log format to use. If ommited c-icap uses: # "%tl, %la %a %im %iu %is" # Also acls can be used to select certain requests to be logged. # This directive can be used more than once to specify more than # one access log files # Default: # AccessLog /usr/local/c-icap/var/log/access.log # Example: # AccessLog /usr/local/c-icap/var/log/access.log MyFormat all AccessLog /usr/local/c-icap/var/log/access.log # TAG: Logger # Format: Logger LoggerName # Description: # Specify wich logger to use. By default uses the build in "file_logger" which # uses files for access and server logging. # Default: # Logger file_logger # Example: Logger file_logger # TAG: Module # Format: Module Type ModuleFile # Description: # Load an external module/plugin to c-icap. # ModuleFile is the filename of the module. If no full path given then c-icap # searche in path defined by the ModulesDir configuration parameter. # Type is the type of the external module and can be one of the following: # - "logger" for modules implement a logger # - "common" for general purpose modules # Default: # # Example: Module logger sys_logger.so # TAG: Service # Format: Service aName ServiceFile # Description: # It loads the service ServiceFile. The argument aName used # as alias name for the service # Default: # # Example: Service echo_service srv_echo.so # TAG: ServiceAlias # Format: ServiceAlias AliasName ServiceName[?param1=value1¶m2=value2...] # Description: # Used to define an alias name for a service. # Default: # # Example: ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple # # TAG: General configuration parameters for all services # Description: # PreviewSize: The preview data size to advertise to the icap client # MaxConnections: The client should not use more than MaxConnections # for this service. # TransferPreview: The list of file extensions, seperated by commas, # for which the client should send preview data. # TransferIgnore: The list of file extensions that should not be sent # to the icap server # TransferComplete: The list of file extensions that should be sent # in their entirety, without preview, to the icap server # Example: # echo.PreviewSize 512 # echo.TransferIgnore gif, jpeg ###################################################### # External modules comming with core c-icap server # # Module: echo # Description: # Simple test service # Example: # Service echo srv_echo.so #Service echo srv_echo.so # Module: sys_logger # Description: # Add support for logging access and server events to syslog server # Use "Module" configuration parameter to load this module and "Logger" # to make it default logger for the c-icap. # Example: # Module logger sys_logger.so # Logger sys_logger # TAG: sys_logger.Prefix # Format: sys_logger.Prefix string # Description: # string is be presented in every syslog message. # Default: # sys_logger.Prefix "C-ICAP:" # TAG: sys_logger.Facility # Format: sys_logger.Facility daemon|user|local1|local2|local3|local4|local5|local6|local7 # Description: # specifies the facility type of syslog. # Default: # sys_logger.Facility daemon # TAG: sys_logger.access_priority # Format: sys_logger.access_priority alert|crit|debug|emerg|err|info|notice|warning # Description: # determines the importance of the access log message # Default: # sys_logger.access_priority info # TAG: sys_logger.server_priority # Format: sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning # Description: # determines the importance of the server log message # Default: # sys_logger.server_priority crit # TAG: sys_logger.LogFormat # Format: sys_logger.LogFormat LOGFORMAT # Description: # The log format to use. If no log format defined then # the following will be used: # "%la %a %im %iu %is" # Default: # None set # Example: # Logformat BasicFormat "%la %a %im %iu %is" # sys_logger.LogFormat BasicFormat # TAG: sys_logger.access # Format: sys_logger.access [!]acl1 ... # Description: # Allow selecting ICAP requests to be logged using acls. # By default all requests will be logged. # Default: # None set # Example: # sys_logger.access all # End module: sys_logger # Module: bdb_tables # Description: # Add support for Berkeley DB based lookup tables. The format for # bdb path of the lookup table is: # bdb:/path/to/bdb # Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables # Example: # Module common bdb_tables.so # End module: bdb_tables # Module: dnsbl_tables # Description: # Add support for dns lookup tables. Can be used to access # dns block lists. The dnsbl lookup table path definition is: # dnsbl:domainname # For example the lookup table for accessing the black.uribl.com # dns black list is: # dnsbl:black.uribl.com # Example: # Module common dnsbl_tables.so # End module: dnsbl_tables # Module: ldap_module # Description: # Add LDAP support to c-icap. The user can use LDAP based lookup tables # using the following lookup table path: # ldap://[username:password@]ldapserver?base?attr1,attr2?filter # The filter can contain the "%s" formating code which will be replaced by # the search key # Examples of supported ldap urls: # ldap://ldap.chtsanti.net?o=chtsanti?cn,uid?uid=%s # ldap://cn=Directory Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s)) # # WARNING: is not enough tested it may contain bugs! # Example: # Module common ldap_module.so # End module: ldap_moduleПри запуске клиента вроде всё нормально:
Код: Выделить всё
# ./c-icap-client ICAP server:localhost, ip:127.0.0.1, port:1344 OPTIONS: Allow 204: Yes Preview: 1024 Keep alive: Yes ICAP HEADERS: ICAP/1.0 200 OK Methods: RESPMOD, REQMOD Service: C-ICAP/0.1.3 server - Echo demo service ISTag: CI0001-XXXXXXXXX Transfer-Preview: * Options-TTL: 3600 Date: Mon, 08 Nov 2010 07:39:17 GMT Preview: 1024 Allow: 204 X-Include: X-Authenticated-User, X-Authenticated-Groups Encapsulated: null-body=0И даже вроде как виря ловит, если дать такую команду:
Код: Выделить всё
# ./c-icap-client -f /mnt/my_configs/clamav/test-virus/eicar.com ICAP server:localhost, ip:127.0.0.1, port:1344 X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*[root@linrouter1 bin]#Хоть и крокозябрами отображает…
А вот squid не видит c-icap и всё тут…
Ошибка протокола ICAP.
Система вернула: [No Error]
Это означает, что какой-то этап связи по протоколу ICAP не удался.
Возможные проблемы:
Сервер ICAP недоступен
Получен недопустимый ответ от сервера ICAP.
Помогите, пожалуйста, найти ошибку….
Permalink
Cannot retrieve contributors at this time
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html PUBLIC «-//W3C//DTD HTML 4.01//EN» «http://www.w3.org/TR/html4/strict.dtd»> | |
| <html><head> | |
| <meta type=»copyright» content=»Copyright (C) 1996-2021 The Squid Software Foundation and contributors»> | |
| <meta http-equiv=»Content-Type» content=»text/html; charset=utf-8″> | |
| <title>ОШИБКА: Запрошенный URL не может быть получен</title> | |
| <style type=»text/css»><!— | |
| %l | |
| body | |
| :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } | |
| :lang(he) { direction: rtl; } | |
| —></style> | |
| </head><body id=»%c»> | |
| <div id=»titles»> | |
| <h1>ОШИБКА</h1> | |
| <h2>Запрошенный URL не может быть получен</h2> | |
| </div> | |
| <hr> | |
| <div id=»content»> | |
| <p>При получении URL <a href=»%U»>%U</a> произошла следующая ошибка</p> | |
| <blockquote id=»error»> | |
| <p><b>Ошибка протокола ICAP.</b></p> | |
| </blockquote> | |
| <p id=»sysmsg»>Система вернула: <i>%E</i></p> | |
| <p>Это означает, что какой-то этап связи по протоколу ICAP не удался.</p> | |
| <p>Возможные проблемы:</p> | |
| <ul> | |
| <li><p>Сервер ICAP недоступен</p></li> | |
| <li><p>Получен недопустимый ответ от сервера ICAP.</p></li> | |
| </ul> | |
| <br> | |
| </div> | |
| <hr> | |
| <div id=»footer»> | |
| <p>Создано %T на %h (%s)</p> | |
| <!— %c —> | |
| </div> | |
| </body></html> |
Topic: [SOLVED] ICAP protocol error (Read 3407 times)
It seems that I messed the installation. I checked by error something (icap) in the Web proxy configuration and now I can’t enter the GUI and slowly more and more inet pages show the «ICAP protocol error.» page.
Is there anything I can change in the console so I can stop icap and bring back the system?
Help, please.
Edit: In console I see repeating «[bin/mongod] Preventing execution due to repeated segfaults» and the disk is continuously accessed. I dunno if that has relation.
« Last Edit: September 24, 2018, 09:59:21 pm by MultiCubic »
Logged
I solved it by accesing the system through a vlan not filtered and fixed the configuration.
The segfault errors still are there though and the ssd access is continuous.
Logged
Не хочет с-icap почему-то принимать соединения.
сквид 3.1.10 и c-icap-060708_2,1 из портов
конфиги
Код: Выделить всё
cat squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.84.0/24
acl localnet src 192.168.85.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /storage/squidcache 4096 64 256
maximum_object_size 512 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
icap_log /var/log/squid/icap.log
cache_store_log none
logfile_rotate 10
url_rewrite_program /usr/local/rejik/redirector /usr/local/etc/redirector.conf
url_rewrite_children 8
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname server.local
icp_port 3130
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://192.168.84.253/srv_clamav
icap_service service_avi respmod_precache 1 icap://192.168.84.253/srv_clamav
adaptation_service_set service_avi service_avi_req
adaptation_access service_avi allow all
adaptation_access service_avi_req allow all
икап, разрешено всем намеренно, в процессе поиска
Код: Выделить всё
cat c-icap.conf | grep -v '^#' | sed '/^$/d'
cat: c-icap.conf: No such file or directory
niko-gw# cd /usr/local/etc
niko-gw# cat c-icap.conf | grep -v '^#' | sed '/^$/d'
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 600
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
User cicap
Group cicap
TmpDir /tmp/
MaxMemObject 131072
ServerLog /var/log/c_icap/server.log
AccessLog /var/log/c_icap/access.log
DebugLevel 1
ModulesDir /usr/local/lib/c_icap
Module logger sys_logger.so
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
Logger sys_logger
acl squid_respmod src 192.168.84.0/255.255.255.0 type respmod
acl squid_options src 192.168.84.0/255.255.255.0 type options
acl any src 0.0.0.0/0.0.0.0
icap_access allow squid_respmod
icap_access allow squid_options
icap_access allow any
ServicesDir /usr/local/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.MaxObjectSize 5M
srv_clamav.ClamAvTmpDir /tmp/
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /var/infected
srv_clamav.VirHTTPServer "DUMMY"
srv_clamav.VirUpdateTime 15
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
tcpdump обмена прокси и с-icap
Код: Выделить всё
tcpdump -npi tap0 port 1344
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
12:32:31.157214 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [S], seq 1466692851, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 136294970 ecr 0], length 0
12:32:31.157389 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [S.], seq 187600070, ack 1466692852, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 2911239331 ecr 136294970], length 0
12:32:31.161123 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161536 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [F.], seq 1, ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161681 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [.], ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.162434 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [F.], seq 1, ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.163591 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 2, win 8281, options [nop,nop,TS val 136294977 ecr 2911239336], length 0
Сквид в браузер пишет:
Код: Выделить всё
При получении URL http://dealextreme.com/ произошла следующая ошибка
Ошибка протокола ICAP.
Система вернула: [No Error]
Это означает, что какой-то этап связи по протоколу ICAP не удался.
Возможные проблемы:
Сервер ICAP недоступен
Получен недопустимый ответ от сервера ICAP.Запуска c-icap в отладке:
Код: Выделить всё
c-icap -D -N -d 10
Enabling parameter -D
Disabling parameter -N
Setting parameter :-d=10
Searching 0x805d02c for default value
Setting parameter :PidFile=/var/run/c-icap.pid
Searching 0x805d030 for default value
Setting parameter :CommandsSocket=/var/run/c-icap/c-icap.ctl
Searching 0x805d050 for default value
Setting parameter :Timeout=300
Searching 0x805d058 for default value
Setting parameter :MaxKeepAliveRequests=600
Searching 0x805d054 for default value
Setting parameter :KeepAliveTimeout=600
Searching 0x805d060 for default value
Setting parameter :StartServers=3
Searching 0x805d064 for default value
Setting parameter :MaxServers=10
Searching 0x805d06c for default value
Setting parameter :MinSpareThreads=10
Searching 0x805d070 for default value
Setting parameter :MaxSpareThreads=20
Searching 0x805d068 for default value
Setting parameter :ThreadsPerChild=10
Searching 0x805d864 for default value
Setting parameter :MaxRequestsPerChild=0
Searching 0x805d020 for default value
Setting parameter :Port=1344
Searching 0x805d034 for default value
Setting parameter :User=cicap
Searching 0x805d038 for default value
Setting parameter :Group=cicap
Searching 0x805d028 for default value
Setting parameter :TmpDir=/tmp/
Searching 0x805d844 for default value
Setting parameter :MaxMemObject=131072
Searching 0x805d3d0 for default value
Setting parameter :ServerLog=/var/log/c_icap/server.log
Searching 0x805d3d4 for default value
Setting parameter :AccessLog=/var/log/c_icap/access.log
Searching 0x805d85c for default value
Setting parameter :DebugLevel=1
Setting parameter :ModulesDir=/usr/local/lib/c_icap
Loading service :logger path sys_logger.so
Going to search variable Prefix in table sys_logger
Setting parameter :Prefix=C-ICAP:
Going to search variable Facility in table sys_logger
Setting parameter :Logger=sys_logger
Setting parameter :ServicesDir=/usr/local/lib/c_icap
Loading service :echo_module path srv_echo.so
Found handler C_handler for service with extension:.so
Loading service :url_check_module path srv_url_check.so
Found handler C_handler for service with extension:.so
Initialization of url_check module......
Loading service :antivirus_module path srv_clamav.so
Found handler C_handler for service with extension:.so
Alias:avscan of service srv_clamav
Going to search variable ScanFileTypes in table srv_clamav
Iam going to scan data for simple scanning of type:,GIF,JPEG,MSOFFICE,TEXT,DATA,EXECUTABLE,ARCHIVE
Going to search variable SendPercentData in table srv_clamav
Setting parameter :SendPercentData=5
Going to search variable StartSendPercentDataAfter in table srv_clamav
Setting parameter :StartSendPercentDataAfter=2097152
Going to search variable MaxObjectSize in table srv_clamav
Setting parameter :MaxObjectSize=5242880
Going to search variable ClamAvTmpDir in table srv_clamav
Setting parameter :ClamAvTmpDir=/tmp/
Going to search variable ClamAvMaxFilesInArchive in table srv_clamav
Setting parameter :ClamAvMaxFilesInArchive=0
Going to search variable ClamAvMaxFileSizeInArchive in table srv_clamav
Setting parameter :ClamAvMaxFileSizeInArchive=104857600
Going to search variable ClamAvMaxRecLevel in table srv_clamav
Setting parameter :ClamAvMaxRecLevel=5
Going to search variable VirSaveDir in table srv_clamav
Setting parameter :VirSaveDir=/var/infected
Going to search variable VirHTTPServer in table srv_clamav
Setting parameter :VirHTTPServer=DUMMY
Going to search variable VirUpdateTime in table srv_clamav
Setting parameter :VirUpdateTime=15
Going to search variable VirScanFileTypes in table srv_clamav
Iam going to scan data for vir_mode scanning of type:,EXECUTABLE,ARCHIVE
My hostname is:niko-gw.o56.ru
Вс это вываливается при запуске, в момент обращения к сквиду — ничо больше не пишет
Хотя си-икап виси и слушает порт:
Код: Выделить всё
cicap c-icap 95318 3 tcp4 *:1344 *:*
cicap c-icap 95318 4 dgram -> /var/run/logpriv
cicap c-icap 95317 3 tcp4 *:1344 *:*
cicap c-icap 95317 4 dgram -> /var/run/logpriv
cicap c-icap 95316 3 tcp4 *:1344 *:*
cicap c-icap 95316 4 dgram -> /var/run/logpriv
cicap c-icap 95315 3 tcp4 *:1344 *:*
cicap c-icap 95315 4 dgram -> /var/run/logpriv
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.1344 *.* LISTEN
Topic: [SOLVED] ICAP protocol error (Read 3409 times)
It seems that I messed the installation. I checked by error something (icap) in the Web proxy configuration and now I can’t enter the GUI and slowly more and more inet pages show the «ICAP protocol error.» page.
Is there anything I can change in the console so I can stop icap and bring back the system?
Help, please.
Edit: In console I see repeating «[bin/mongod] Preventing execution due to repeated segfaults» and the disk is continuously accessed. I dunno if that has relation.
« Last Edit: September 24, 2018, 09:59:21 pm by MultiCubic »
Logged
I solved it by accesing the system through a vlan not filtered and fixed the configuration.
The segfault errors still are there though and the ssd access is continuous.
Logged
Permalink
Cannot retrieve contributors at this time
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html PUBLIC «-//W3C//DTD HTML 4.01//EN» «http://www.w3.org/TR/html4/strict.dtd»> | |
| <html><head> | |
| <meta type=»copyright» content=»Copyright (C) 1996-2021 The Squid Software Foundation and contributors»> | |
| <meta http-equiv=»Content-Type» content=»text/html; charset=utf-8″> | |
| <title>ОШИБКА: Запрошенный URL не может быть получен</title> | |
| <style type=»text/css»><!— | |
| %l | |
| body | |
| :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } | |
| :lang(he) { direction: rtl; } | |
| —></style> | |
| </head><body id=»%c»> | |
| <div id=»titles»> | |
| <h1>ОШИБКА</h1> | |
| <h2>Запрошенный URL не может быть получен</h2> | |
| </div> | |
| <hr> | |
| <div id=»content»> | |
| <p>При получении URL <a href=»%U»>%U</a> произошла следующая ошибка</p> | |
| <blockquote id=»error»> | |
| <p><b>Ошибка протокола ICAP.</b></p> | |
| </blockquote> | |
| <p id=»sysmsg»>Система вернула: <i>%E</i></p> | |
| <p>Это означает, что какой-то этап связи по протоколу ICAP не удался.</p> | |
| <p>Возможные проблемы:</p> | |
| <ul> | |
| <li><p>Сервер ICAP недоступен</p></li> | |
| <li><p>Получен недопустимый ответ от сервера ICAP.</p></li> | |
| </ul> | |
| <br> | |
| </div> | |
| <hr> | |
| <div id=»footer»> | |
| <p>Создано %T на %h (%s)</p> | |
| <!— %c —> | |
| </div> | |
| </body></html> |
This topic has been deleted. Only users with topic management privileges can see it.
-
Hi There
I’m running pfSense since very long time, and now the subjected issue started since a month.I’ve tried multiple options, but no luck, the following is my configuration:
pfSense Version 2.3.4-RELEASE-p1
Intel Core i5 — 3 GHz
4 GB RAM (and it’s not even crossing 50%)
500 GB HDDSquid 0.4.37 with C-ICAP and CalmAV enabled
- Transparent Proxy (only on HTTP)
- No Remote Cache
Kindly help me in this regard.
Thanx in Advance. -
Same problem here, the issue started since a month as well.
Nothing to find in the logs, it just happens at random times.
2.3.4-RELEASE-p1 (amd64)
built on Fri Jul 14 14:52:43 CDT 2017
FreeBSD 10.3-RELEASE-p19Squid Version 3.5.26, ClamAV 0.99.2_3, C-ICAP 0.4.4,2 + SquidClamav 6.16
2x Intel(R) Xeon(R) CPU X5570 @ 2.93GHz
32 GB ECC RAM
600 GB HDD Raid 10Temporary workaround is to set bypass=on, so at least the users don’t get annoyed by the «ICAP Protocol Error» message.
-
Same here, randomly happened to me tonight. Updating SquidAV seemed to have resolved the issue. From some quick Googling, it looks like a number of people have experienced this issue but there isn’t a real solution nor a reason why this occurs.
-
Here’s a «me too».
However, I can sort of duplicate the problem or pinpoint at least one cause of it. I recently changed the proxy configuration of our email security gateway from our previous proxy to squid on PfSense, and since then the issue happens at least every second day, and apparently when the email gateway updates it’s AV definition files via the proxy.
Interestingly, restarting clamav or ICAP doesn’t help solving the issue, the only way to get it up again is to restart squid as a whole.
-
@ccdmas:
and apparently when the email gateway updates it’s AV definition files via the proxy.
Ugh. You should NOT download antivirus defs via the proxy with ClamAV in the first place. It will trigger false positives and cause other issues.
-
Quite seriously: You need to see more of the real world out there. LOading AV defs through a http proxy is absolutely normal every day business everywhere. Are you saying to die until restart is acceptable behaviour? ::)
-
I also have the same issue, where do you turn on ByPass?
-
Same issue here, squid at random times can no longer connect to ICAP. Any ideas what could it be?
-
Same here, re-appearing in 2.4.3-RELEASE-p1 on a Netgate SG-3100. Looks to me too high i/o(???)
- PFSense installed on ‘thrid party’ pc hardware works normally.
- Restarting ClamAV works for some hours and then protocol errors appear again.
- Updating ClamAV once a day lowered to once a week -> no difference
- Bypassing will prevent this ICAP protocol error but is not really a solution.
Thanks,
Imp
Не хочет с-icap почему-то принимать соединения.
сквид 3.1.10 и c-icap-060708_2,1 из портов
конфиги
Код: Выделить всё
cat squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.84.0/24
acl localnet src 192.168.85.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /storage/squidcache 4096 64 256
maximum_object_size 512 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
icap_log /var/log/squid/icap.log
cache_store_log none
logfile_rotate 10
url_rewrite_program /usr/local/rejik/redirector /usr/local/etc/redirector.conf
url_rewrite_children 8
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname server.local
icp_port 3130
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://192.168.84.253/srv_clamav
icap_service service_avi respmod_precache 1 icap://192.168.84.253/srv_clamav
adaptation_service_set service_avi service_avi_req
adaptation_access service_avi allow all
adaptation_access service_avi_req allow all
икап, разрешено всем намеренно, в процессе поиска
Код: Выделить всё
cat c-icap.conf | grep -v '^#' | sed '/^$/d'
cat: c-icap.conf: No such file or directory
niko-gw# cd /usr/local/etc
niko-gw# cat c-icap.conf | grep -v '^#' | sed '/^$/d'
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 600
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
User cicap
Group cicap
TmpDir /tmp/
MaxMemObject 131072
ServerLog /var/log/c_icap/server.log
AccessLog /var/log/c_icap/access.log
DebugLevel 1
ModulesDir /usr/local/lib/c_icap
Module logger sys_logger.so
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
Logger sys_logger
acl squid_respmod src 192.168.84.0/255.255.255.0 type respmod
acl squid_options src 192.168.84.0/255.255.255.0 type options
acl any src 0.0.0.0/0.0.0.0
icap_access allow squid_respmod
icap_access allow squid_options
icap_access allow any
ServicesDir /usr/local/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.MaxObjectSize 5M
srv_clamav.ClamAvTmpDir /tmp/
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /var/infected
srv_clamav.VirHTTPServer "DUMMY"
srv_clamav.VirUpdateTime 15
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
tcpdump обмена прокси и с-icap
Код: Выделить всё
tcpdump -npi tap0 port 1344
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
12:32:31.157214 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [S], seq 1466692851, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 136294970 ecr 0], length 0
12:32:31.157389 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [S.], seq 187600070, ack 1466692852, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 2911239331 ecr 136294970], length 0
12:32:31.161123 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161536 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [F.], seq 1, ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161681 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [.], ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.162434 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [F.], seq 1, ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.163591 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 2, win 8281, options [nop,nop,TS val 136294977 ecr 2911239336], length 0
Сквид в браузер пишет:
Код: Выделить всё
При получении URL http://dealextreme.com/ произошла следующая ошибка
Ошибка протокола ICAP.
Система вернула: [No Error]
Это означает, что какой-то этап связи по протоколу ICAP не удался.
Возможные проблемы:
Сервер ICAP недоступен
Получен недопустимый ответ от сервера ICAP.Запуска c-icap в отладке:
Код: Выделить всё
c-icap -D -N -d 10
Enabling parameter -D
Disabling parameter -N
Setting parameter :-d=10
Searching 0x805d02c for default value
Setting parameter :PidFile=/var/run/c-icap.pid
Searching 0x805d030 for default value
Setting parameter :CommandsSocket=/var/run/c-icap/c-icap.ctl
Searching 0x805d050 for default value
Setting parameter :Timeout=300
Searching 0x805d058 for default value
Setting parameter :MaxKeepAliveRequests=600
Searching 0x805d054 for default value
Setting parameter :KeepAliveTimeout=600
Searching 0x805d060 for default value
Setting parameter :StartServers=3
Searching 0x805d064 for default value
Setting parameter :MaxServers=10
Searching 0x805d06c for default value
Setting parameter :MinSpareThreads=10
Searching 0x805d070 for default value
Setting parameter :MaxSpareThreads=20
Searching 0x805d068 for default value
Setting parameter :ThreadsPerChild=10
Searching 0x805d864 for default value
Setting parameter :MaxRequestsPerChild=0
Searching 0x805d020 for default value
Setting parameter :Port=1344
Searching 0x805d034 for default value
Setting parameter :User=cicap
Searching 0x805d038 for default value
Setting parameter :Group=cicap
Searching 0x805d028 for default value
Setting parameter :TmpDir=/tmp/
Searching 0x805d844 for default value
Setting parameter :MaxMemObject=131072
Searching 0x805d3d0 for default value
Setting parameter :ServerLog=/var/log/c_icap/server.log
Searching 0x805d3d4 for default value
Setting parameter :AccessLog=/var/log/c_icap/access.log
Searching 0x805d85c for default value
Setting parameter :DebugLevel=1
Setting parameter :ModulesDir=/usr/local/lib/c_icap
Loading service :logger path sys_logger.so
Going to search variable Prefix in table sys_logger
Setting parameter :Prefix=C-ICAP:
Going to search variable Facility in table sys_logger
Setting parameter :Logger=sys_logger
Setting parameter :ServicesDir=/usr/local/lib/c_icap
Loading service :echo_module path srv_echo.so
Found handler C_handler for service with extension:.so
Loading service :url_check_module path srv_url_check.so
Found handler C_handler for service with extension:.so
Initialization of url_check module......
Loading service :antivirus_module path srv_clamav.so
Found handler C_handler for service with extension:.so
Alias:avscan of service srv_clamav
Going to search variable ScanFileTypes in table srv_clamav
Iam going to scan data for simple scanning of type:,GIF,JPEG,MSOFFICE,TEXT,DATA,EXECUTABLE,ARCHIVE
Going to search variable SendPercentData in table srv_clamav
Setting parameter :SendPercentData=5
Going to search variable StartSendPercentDataAfter in table srv_clamav
Setting parameter :StartSendPercentDataAfter=2097152
Going to search variable MaxObjectSize in table srv_clamav
Setting parameter :MaxObjectSize=5242880
Going to search variable ClamAvTmpDir in table srv_clamav
Setting parameter :ClamAvTmpDir=/tmp/
Going to search variable ClamAvMaxFilesInArchive in table srv_clamav
Setting parameter :ClamAvMaxFilesInArchive=0
Going to search variable ClamAvMaxFileSizeInArchive in table srv_clamav
Setting parameter :ClamAvMaxFileSizeInArchive=104857600
Going to search variable ClamAvMaxRecLevel in table srv_clamav
Setting parameter :ClamAvMaxRecLevel=5
Going to search variable VirSaveDir in table srv_clamav
Setting parameter :VirSaveDir=/var/infected
Going to search variable VirHTTPServer in table srv_clamav
Setting parameter :VirHTTPServer=DUMMY
Going to search variable VirUpdateTime in table srv_clamav
Setting parameter :VirUpdateTime=15
Going to search variable VirScanFileTypes in table srv_clamav
Iam going to scan data for vir_mode scanning of type:,EXECUTABLE,ARCHIVE
My hostname is:niko-gw.o56.ru
Вс это вываливается при запуске, в момент обращения к сквиду — ничо больше не пишет
Хотя си-икап виси и слушает порт:
Код: Выделить всё
cicap c-icap 95318 3 tcp4 *:1344 *:*
cicap c-icap 95318 4 dgram -> /var/run/logpriv
cicap c-icap 95317 3 tcp4 *:1344 *:*
cicap c-icap 95317 4 dgram -> /var/run/logpriv
cicap c-icap 95316 3 tcp4 *:1344 *:*
cicap c-icap 95316 4 dgram -> /var/run/logpriv
cicap c-icap 95315 3 tcp4 *:1344 *:*
cicap c-icap 95315 4 dgram -> /var/run/logpriv
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.1344 *.* LISTEN
#41
Igorn
-
- Dr.Web Staff
-
- 477 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:00
Почему при загрузке тестового трояна c расширением .exe он дает его скачать ?
В логе смотрели?
- Наверх
#42
Igorn
Igorn
-
- Dr.Web Staff
-
- 477 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:18
Как вариант — может быть, он закешировался у сквида, когда Вы защиту отключали
- Наверх
#43
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:21
не успел нарадоваться как он снова отрубился последний кусок в логе messages
[root@proxy log]# tail -f /var/log/messages
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwn70002.vdb with 1729 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwn70001.vdb with 1523 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwn70000.vdb with 1805 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/drwrisky.vdb with 26456 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/drwnasty.vdb with 74279 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwp70000.vdb with 1 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: total viruses: 4522716
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG Closing fd 5
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG fcntl: successfully set O_NONBLOCK for fd 3
Oct 3 16:14:46 proxy drweb-icapd [13094]: INFO Start Dr.Web ® icapd ver 6.0.2.3
странно но сейчас он процессах висит , но squid уже ошибку вываливает что icap сервер недоступен
drweb 13094 0.0 0.0 93296 1088 ? Ss 16:14 0:00 /opt/drweb/drweb-icapd.real
сама ошибка вот такая
Сообщение было изменено parel77: 03 Октябрь 2013 — 15:25
- Наверх
#44
Igorn
Igorn
-
- Dr.Web Staff
-
- 477 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:25
Давайте целиком лог (можно теперь не с 29 сентября, а только сегодняшний)
- Наверх
#45
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:53
Давайте целиком лог (можно теперь не с 29 сентября, а только сегодняшний)
блин лог огроменный не могу даже открыть и отредактировать
- Наверх
#46
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:58
- Наверх
#47
Igorn
Igorn
-
- Dr.Web Staff
-
- 477 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 12:13
Судя по этому логу, теперь изначальной проблемы (Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов) нет:
root@igorn-Ubuntu:/!LOG# grep pselect messages
Oct 1 09:22:57 proxy drweb-icapd [1384]: ERROR pselect: Нет дочерних процессов
Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов
Oct 2 15:35:31 proxy drweb-icapd [13300]: ERROR pselect: Нет дочерних процессов
- Наверх
#48
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 14:14
Судя по этому логу, теперь изначальной проблемы (Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов) нет:
root@igorn-Ubuntu:/!LOG# grep pselect messages
Oct 1 09:22:57 proxy drweb-icapd [1384]: ERROR pselect: Нет дочерних процессов
Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов
Oct 2 15:35:31 proxy drweb-icapd [13300]: ERROR pselect: Нет дочерних процессов
если так , у меня такое ощущение что апдейтер gjcksftn сигнал hup icapd процессу
я все поставил с репозитариев
- Наверх
#49
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 14:29
симпотомы такие .. Я запускаю весь комплекс все работает . Но спустя некоторое время выпадает
- Наверх
#50
Igorn
Igorn
-
- Dr.Web Staff
-
- 477 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 14:34
А можете временно перевести proxy в standalone-режим ( отключить от ЕС-сервера) и понаблюдать? Судя по логу, у Вас там до сих пор присутствует и локальный ключ (drweb32.key). В ЕС-режиме этот ключ не требуется.
- Наверх
#51
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 15:40
А можете временно перевести proxy в standalone-режим ( отключить от ЕС-сервера) и понаблюдать? Судя по логу, у Вас там до сих пор присутствует и локальный ключ (drweb32.key). В ЕС-режиме этот ключ не требуется.
хорошо отключу от ЕС сервера
- Наверх
#52
volcano
volcano
-
- Posters
- 7 Сообщений:
Newbie
Отправлено 08 Апрель 2015 — 16:50
не нашлось решение этой проблемы? столкнулся с тем же самым, кто-то может подсказать как поправить?
- Наверх
#53
maxic
maxic
-
- Moderators
- 12 687 Сообщений:
Keep yourself alive
Отправлено 08 Апрель 2015 — 18:49
volcano, некропостинг — зло. Создавайте свою тему.
- Наверх
This topic has been deleted. Only users with topic management privileges can see it.
-
Hi There
I’m running pfSense since very long time, and now the subjected issue started since a month.I’ve tried multiple options, but no luck, the following is my configuration:
pfSense Version 2.3.4-RELEASE-p1
Intel Core i5 — 3 GHz
4 GB RAM (and it’s not even crossing 50%)
500 GB HDDSquid 0.4.37 with C-ICAP and CalmAV enabled
- Transparent Proxy (only on HTTP)
- No Remote Cache
Kindly help me in this regard.
Thanx in Advance. -
Same problem here, the issue started since a month as well.
Nothing to find in the logs, it just happens at random times.
2.3.4-RELEASE-p1 (amd64)
built on Fri Jul 14 14:52:43 CDT 2017
FreeBSD 10.3-RELEASE-p19Squid Version 3.5.26, ClamAV 0.99.2_3, C-ICAP 0.4.4,2 + SquidClamav 6.16
2x Intel(R) Xeon(R) CPU X5570 @ 2.93GHz
32 GB ECC RAM
600 GB HDD Raid 10Temporary workaround is to set bypass=on, so at least the users don’t get annoyed by the «ICAP Protocol Error» message.
-
Same here, randomly happened to me tonight. Updating SquidAV seemed to have resolved the issue. From some quick Googling, it looks like a number of people have experienced this issue but there isn’t a real solution nor a reason why this occurs.
-
Here’s a «me too».
However, I can sort of duplicate the problem or pinpoint at least one cause of it. I recently changed the proxy configuration of our email security gateway from our previous proxy to squid on PfSense, and since then the issue happens at least every second day, and apparently when the email gateway updates it’s AV definition files via the proxy.
Interestingly, restarting clamav or ICAP doesn’t help solving the issue, the only way to get it up again is to restart squid as a whole.
-
@ccdmas:
and apparently when the email gateway updates it’s AV definition files via the proxy.
Ugh. You should NOT download antivirus defs via the proxy with ClamAV in the first place. It will trigger false positives and cause other issues.
-
Quite seriously: You need to see more of the real world out there. LOading AV defs through a http proxy is absolutely normal every day business everywhere. Are you saying to die until restart is acceptable behaviour? ::)
-
I also have the same issue, where do you turn on ByPass?
-
Same issue here, squid at random times can no longer connect to ICAP. Any ideas what could it be?
-
Same here, re-appearing in 2.4.3-RELEASE-p1 on a Netgate SG-3100. Looks to me too high i/o(???)
- PFSense installed on ‘thrid party’ pc hardware works normally.
- Restarting ClamAV works for some hours and then protocol errors appear again.
- Updating ClamAV once a day lowered to once a week -> no difference
- Bypassing will prevent this ICAP protocol error but is not really a solution.
Thanks,
Imp
I have the problem with e2g 5.5.0 and squid 4.13 (sslbump + interception), both on the same machine.
ICAP protocol error.
The system returned: [No Error]
This means that some aspect of the ICAP communication failed.
I’ve found that flags out_res/req_body_flag are not cleared (reseted to false) in reset() method in ICAPHeader.cpp.
So this sometimes randomly produce such strange behaviour: Encapsulated header can be wrong in some cases in such way:
In ICAP response: Encapsulated: req_hdr:0, res_body=1234, but res_body is set errorneously due-to out_res_body_flag is true and not cleaded in reset().
In such case squid thinks that response body present in the response for ICAP-Reqmod, but only HTTP-headers are in response packet.
Correct Encapsulated must be : Encapsulated: req_hdr:0,nul_body=1234.
I considered case when no modifications are made to HTTP-request .
Здравствуйте, уважаемые!
Необходимо настроить проверку трафика http и ftp шлюза squid на вирусы. Выбрал протокол ICAP. Настроил по руководствам разработчиков ICAP и описаниям на нескольких сайтах. В результате браузер пишет следующее:
* ICAP protocol error.
Some aspect of the ICAP communication failed. Possible problems:
* ICAP server is not reachable.
* Illegal response from ICAP server.
Your cache administrator is root.
Generated Wed, 15 Aug 2007 13:58:15 GMT by adminserver (squid/2.6.STABLE1)
Далее привожу все мои настройки. Посмотрите, пожалуйста, в чем может крыться ошибка.
Версия c_icap: c_icap-030606rc1
Конфигурировал с параметрами: —prefix=/usr/local/c_icap —with=/usr/lib (так как читал, что icap не может существовать без библиотек clamav).
Squid поддерживает ICAP
Это конфмгурация squid:
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
cache deny QUERY
acl Apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_dir ufs /var/spool/squid 1000 32 512
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,1
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl mynet src 192.168.0.0/24
http_access allow mynet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname adminserver
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_1 reqmod_precache 0 icap://localhost:1344/reqmod
icap_service service_2 respmod_precache 0 icap://localhost:1344/respmod
icap_class class_1 service_1 service_2
icap_access class_1 allow all
logfile_rotate 12
error_directory /usr/lib/squid/errors/English
coredump_dir /var/spool/squid
Запуск icap в нормальном режиме:
[root@shluz bin]# ./c-icap
Initialization of echo module……
Initialization of url_check module……
LibClamAV Warning: ********************************************************
LibClamAV Warning: * This version of the ClamAV engine is outdated. *
LibClamAV Warning: * DON’T PANIC! Read http://www.clamav.net/faq.html *
LibClamAV Warning: ********************************************************
LibClamAV Warning: **************************************************
LibClamAV Warning: * The virus database is older than 7 days. *
LibClamAV Warning: * Please update it IMMEDIATELY! *
LibClamAV Warning: **************************************************
LibClamAV Warning: ********************************************************
LibClamAV Warning: * This version of the ClamAV engine is outdated. *
LibClamAV Warning: * DON’T PANIC! Read http://www.clamav.net/faq.html *
LibClamAV Warning: ********************************************************
LibClamAV Warning: Signature for Trojan.Small-3108 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for W32.Cervan requires new ClamAV version. Please update!
LibClamAV Warning: Signature for Trojan.Small-3169 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for Trojan.Small-3171 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for W32.Dwee-1 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for Trojan.Small-3184 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for Trojan.Small-3204 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for Trojan.Crypted-4 requires new ClamAV version. Please update!
LibClamAV Warning: Signature for Trojan.Packed-75 requires new ClamAV version. Please update!
Проверка результатов запуска:
[root@shluz bin]# netstat -apn | grep 1344
tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN 6315/c-icap
[root@shluz bin]# netstat -apn | grep 1344
tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN 6315/c-icap
tcp 0 0 127.0.0.1:42004 127.0.0.1:1344 TIME_WAIT —
tcp 0 0 127.0.0.1:34943 127.0.0.1:1344 TIME_WAIT —
tcp 0 1 59.109.39.117:51640 69.25.27.173:1344 SYN_SENT 6482/(squid).
[root@shluz bin]# netstat -apn | grep c-icap
tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN 11381/c-icap
unix 2 [ ] DGRAM 85200 11381/c-icap
Это файл конфигурации c_icap:
PidFile /var/run/c-icap.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
User squid
Group squid
TmpDir /var/tmp
MaxMemObject 131072
ServerLog /usr/local/c_icap/var/log/server.log
AccessLog /usr/local/c_icap/var/log/access.log
ModulesDir /usr/local/c_icap/lib/c_icap
Module logger sys_logger.so
Module perl_handler perl_handler.so
sys_logger.Prefix «C-ICAP:»
sys_logger.Facility local1
Logger /usr/local/c_icap/var/log
acl localnet_respmod src 127.0.0.1 type respmod
acl localnet src 127.0.0.1
acl externalnet src 0.0.0.0/0.0.0.0
icap_access allow localnet_respmod
icap_access allow localnet
icap_access deny externalnet
ServicesDir /usr/local/c_icap/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.MaxObjectSize 5M
srv_clamav.ClamAvTmpDir /var/tmp
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /tmp/virusstor/
srv_clamav.VirHTTPServer «http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file=»;
srv_clamav.VirUpdateTime 15
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
Что пишет лог c_icap (фрагмент):
/usr/local/c_icap/var/log/server.log:
Fri Aug 17 10:41:01 2007, general, Service not found
Fri Aug 17 10:41:01 2007, general, Service not found
Fri Aug 17 10:41:06 2007, general, Service not found
Fri Aug 17 10:41:06 2007, general, Service not found
/usr/local/c_icap/var/log/access.log- пустой
С правами доступа кажется все нормально, хотя…
Возможно что-то упустил в описании проблемы. Может быть у кого-то успешно работает сервис ICAP, посмотрите, пожалуйста, в чем моя ошибка.
Буду очень признателен за посильную помощь!
Спасибо!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html PUBLIC «-//W3C//DTD HTML 4.01//EN» «http://www.w3.org/TR/html4/strict.dtd»> | |
| <html><head> | |
| <meta type=»copyright» content=»Copyright (C) 1996-2021 The Squid Software Foundation and contributors»> | |
| <meta http-equiv=»Content-Type» content=»text/html; charset=utf-8″> | |
| <title>ОШИБКА: Запрошенный URL не может быть получен</title> | |
| <style type=»text/css»><!— | |
| %l | |
| body | |
| :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } | |
| :lang(he) { direction: rtl; } | |
| —></style> | |
| </head><body id=»%c»> | |
| <div id=»titles»> | |
| <h1>ОШИБКА</h1> | |
| <h2>Запрошенный URL не может быть получен</h2> | |
| </div> | |
| <hr> | |
| <div id=»content»> | |
| <p>При получении URL <a href=»%U»>%U</a> произошла следующая ошибка</p> | |
| <blockquote id=»error»> | |
| <p><b>Ошибка протокола ICAP.</b></p> | |
| </blockquote> | |
| <p id=»sysmsg»>Система вернула: <i>%E</i></p> | |
| <p>Это означает, что какой-то этап связи по протоколу ICAP не удался.</p> | |
| <p>Возможные проблемы:</p> | |
| <ul> | |
| <li><p>Сервер ICAP недоступен</p></li> | |
| <li><p>Получен недопустимый ответ от сервера ICAP.</p></li> | |
| </ul> | |
| <br> | |
| </div> | |
| <hr> | |
| <div id=»footer»> | |
| <p>Создано %T на %h (%s)</p> | |
| <!— %c —> | |
| </div> | |
| </body></html> |
#41
Igorn
-
- Dr.Web Staff
-
- 488 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:00
Почему при загрузке тестового трояна c расширением .exe он дает его скачать ?
В логе смотрели?
- Наверх
#42
Igorn
Igorn
-
- Dr.Web Staff
-
- 488 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:18
Как вариант — может быть, он закешировался у сквида, когда Вы защиту отключали
- Наверх
#43
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:21
не успел нарадоваться как он снова отрубился последний кусок в логе messages
[root@proxy log]# tail -f /var/log/messages
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwn70002.vdb with 1729 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwn70001.vdb with 1523 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwn70000.vdb with 1805 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/drwrisky.vdb with 26456 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/drwnasty.vdb with 74279 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/dwp70000.vdb with 1 viruses
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG drw_get_virus_num: total viruses: 4522716
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG Closing fd 5
Oct 3 16:14:46 proxy drweb-icapd [13094]: DEBUG fcntl: successfully set O_NONBLOCK for fd 3
Oct 3 16:14:46 proxy drweb-icapd [13094]: INFO Start Dr.Web ® icapd ver 6.0.2.3
странно но сейчас он процессах висит , но squid уже ошибку вываливает что icap сервер недоступен
drweb 13094 0.0 0.0 93296 1088 ? Ss 16:14 0:00 /opt/drweb/drweb-icapd.real
сама ошибка вот такая
Сообщение было изменено parel77: 03 Октябрь 2013 — 15:25
- Наверх
#44
Igorn
Igorn
-
- Dr.Web Staff
-
- 488 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:25
Давайте целиком лог (можно теперь не с 29 сентября, а только сегодняшний)
- Наверх
#45
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:53
Давайте целиком лог (можно теперь не с 29 сентября, а только сегодняшний)
блин лог огроменный не могу даже открыть и отредактировать
- Наверх
#46
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 03 Октябрь 2013 — 15:58
- Наверх
#47
Igorn
Igorn
-
- Dr.Web Staff
-
- 488 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 12:13
Судя по этому логу, теперь изначальной проблемы (Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов) нет:
root@igorn-Ubuntu:/!LOG# grep pselect messages
Oct 1 09:22:57 proxy drweb-icapd [1384]: ERROR pselect: Нет дочерних процессов
Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов
Oct 2 15:35:31 proxy drweb-icapd [13300]: ERROR pselect: Нет дочерних процессов
- Наверх
#48
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 14:14
Судя по этому логу, теперь изначальной проблемы (Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов) нет:
root@igorn-Ubuntu:/!LOG# grep pselect messages
Oct 1 09:22:57 proxy drweb-icapd [1384]: ERROR pselect: Нет дочерних процессов
Oct 1 12:44:23 proxy drweb-icapd [20657]: ERROR pselect: Нет дочерних процессов
Oct 2 15:35:31 proxy drweb-icapd [13300]: ERROR pselect: Нет дочерних процессов
если так , у меня такое ощущение что апдейтер gjcksftn сигнал hup icapd процессу
я все поставил с репозитариев
- Наверх
#49
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 14:29
симпотомы такие .. Я запускаю весь комплекс все работает . Но спустя некоторое время выпадает
- Наверх
#50
Igorn
Igorn
-
- Dr.Web Staff
-
- 488 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 14:34
А можете временно перевести proxy в standalone-режим ( отключить от ЕС-сервера) и понаблюдать? Судя по логу, у Вас там до сих пор присутствует и локальный ключ (drweb32.key). В ЕС-режиме этот ключ не требуется.
- Наверх
#51
parel77
parel77
-
- Posters
- 111 Сообщений:
Member
Отправлено 04 Октябрь 2013 — 15:40
А можете временно перевести proxy в standalone-режим ( отключить от ЕС-сервера) и понаблюдать? Судя по логу, у Вас там до сих пор присутствует и локальный ключ (drweb32.key). В ЕС-режиме этот ключ не требуется.
хорошо отключу от ЕС сервера
- Наверх
#52
volcano
volcano
-
- Posters
- 7 Сообщений:
Newbie
Отправлено 08 Апрель 2015 — 16:50
не нашлось решение этой проблемы? столкнулся с тем же самым, кто-то может подсказать как поправить?
- Наверх
#53
maxic
maxic
-
- Moderators
- 12 720 Сообщений:
Keep yourself alive
Отправлено 08 Апрель 2015 — 18:49
volcano, некропостинг — зло. Создавайте свою тему.
- Наверх
Если видите ошибку «Запрошенный URL не может быть получен», то, скорее всего, возникла проблема на этапе подключения к сайту. Первое, что нужно сделать, — это обновить страницу совместным нажатием на Ctrl+ F5 или попытаться открыть ее в другом браузере. Если ошибка остается, выполните следующие шаги.
Временное отключение антивирусной программы
Иногда антивирус может заблокировать определенные сайты и сбрасывать соединение. Чтобы этого избежать, попробуйте отключить защиту в реальном времени.
В правом нижнем углу на панели задач щелкните правой кнопкой мыши на значок антивируса. Найдите пункт, который связан с приостановкой защиты. В зависимости от установленного антивируса этот пункт может отсутствовать, поэтому поищите его в настройках.
После отключения проверьте, работает ли это решение. Если нет, включите защиту обратно и перейдите к следующему решению.
Отключение Брандмауэра Защитника Windows
Запустите Брандмауэр Windows командой control firewall.cpl из окна Win + R.
На панели слева выберите вкладку Включение и отключение брандмауэра Защитника Windows.
В параметрах для частной и общественной сети отметьте флажками опции «Отключить брандмауэр Windows (не рекомендуется)». Сохраните изменения нажатием на «ОК».
Перезагрузите компьютер и попробуйте открыть адрес URL сайта. Если доступ к нему получен, снова включите брандмауэр и посмотрите, какие именно настройки вызвали проблему.
Отключение прокси-сервера
Если используете Firefox, щелкните на значок меню в правом верхнем углу экрана и выберите Настройки.
Перейдите на вкладку Основные и прокрутите правую часть страницы до раздела Параметры сети. Затем нажмите на кнопку «Настроить».
Выберите опцию «Без прокси» или «Использовать системные настройки прокси». Сохраните изменения на «ОК».
Теперь проверьте, не включен ли прокси-сервер в системе. Запустите команду ms-settings:network-proxy из окна Win + R.
В правой части экрана отключите опции «Определять параметры автоматически» и «Использовать сценарий настройки».
С этими изменениями прокси-сервер будет полностью выключен в системе. Проверьте, удается ли получить доступ к запрашиваемому URL адресу.
Перезагрузка роутера
Иногда ошибка возникает из-за нестабильности сети. В этом случае попробуйте перезагрузить роутер и модем.
Выключите питание на обоих устройствах. Подождите около минуты, затем снова их включите. Кода установится подключение к интернету проверьте, открывается ли сайт.
Обновление IP-адреса
Ошибку получения доступа к запрашиваемому URL можно исправить обновлением IP-адреса.
Откройте командную строку с помощью системного поиска, предоставив ей доступ администратора.
В консоли по очереди запустите следующие команды:
- ipconfig /release
- ipconfig /renew
После успешного выполнения IP-адрес будет обновлен. Перезагрузите систему и проверьте, устранена ли проблема.
Чистая загрузка Windows
Откройте Конфигурацию системы командой msconfig, запущенной из окна Win + R.
Перейдите на вкладку Службы. Отметьте флажком опцию «Не отображать службы Майкрософт» и щелкните на кнопку «Отключить все». Сохраните настройки на «ОК»
Затем перейдите в меню Автозагрузка и щелкните на ссылку «Открыть диспетчер задач».
Откроется список программ, которые запускаются вместе с Windows. Отключите их все, примените изменения и перезагрузите компьютер.
Если удалось получить доступ к URL сайта, это значит, что одна из служб или программ была причастна к возникновению ошибки. Чтобы обнаружить проблемную, включайте по несколько служб и программ, периодически перезагружая компьютер. Когда найдете проблемную программу, удалите ее из системы.