An icap error was encountered while handling the request


Contents

  1. ICAP is not available
  2. Fortinet Community
  3. Technical Tip: How to use ICAP response filtering
  4. An icap error was encountered while handling the request

ICAP is not available


Fortinet Community


Created on ‎04-22-2020 12:17 AM

Technical Tip: How to use ICAP response filtering

Description
This KB describes how to use ICAP response filtering.

Solution
ICAP is a lightweight, HTTP-like protocol.
ICAP clients can pass HTTP-based (HTML) messages or content to ICAP servers for adaptation.

In this example, HTTP responses to client requests from all hosts are forwarded to the ICAP server if they have an HTTP status code of '200', '301', or '302' and carry content type image/jpeg in their header.

Client IP: 172.31.133.213; ICAP server: 172.31.133.213 (port 1344); web server: 162.x.x.x:80; FortiGate IP: 172.31.133.58.

# config icap server
    edit "icap_server1"
        set ip-address 172.31.133.213
end

# config icap profile
    edit "icap_profile2"
        set request disable
        set response enable
        set response-server "icap_server1"
        set respmod-default-action bypass
        config respmod-forward-rules
            edit "rule2"
                set host "all"
                set action forward
                set http-resp-status-code 200 301 302
                config header-group
                    edit 2
                        set header-name "content-type"
                        set header "image/jpeg"
                    next
                end
            next
        end
    next
end

If 'respmod-default-action' is set to forward, FortiGate treats every HTTP response and sends ICAP requests to the ICAP server. If 'respmod-default-action' is set to bypass, FortiGate only sends ICAP requests if the HTTP response matches the defined rules and the rule's action is set to forward.

Case 1: If the content type is 'Image/png', the FortiGate bypasses the ICAP inspection.

# execute log filter category 20
# execute log display
1: date=2020-04-21 time=12:42:15 logid="2000060000" type="utm" subtype="icap" eventtype="icap" level="warning" vd="root" eventtime=1587465735129231120 tz="+0200" msg="Request blocked due to ICAP server error" service="HTTP" srcip=172.31.133.213 dstip=162.x.x.x srcport=56232 dstport=80 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=1 sessionid=371403 proto=6 action="blocked" profile="default" url="http://www.anydomain.com /images/gap.jpg"

In the above output, the 'png' image content type response was bypassed by FortiGate from ICAP inspection.

Refer to RFC 3507 for more information.
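To make the forwarding decision and the resulting ICAP message concrete, the following added example (not part of the Fortinet article and not FortiOS code) models the rule2 check and builds the RFC 3507 RESPMOD request that an ICAP client sends for a forwarded response. The function names, the service path "respmod" and the way the media type is compared are assumptions of this sketch; the sample HTTP messages are constructed.

```python
import re

# Values copied from "rule2" in the profile above; the dict layout is this sketch's own.
RULE = {"status_codes": {200, 301, 302},
        "header_name": b"content-type",
        "header_value": b"image/jpeg",
        "action": "forward"}


def decide(res_head: bytes, rule=RULE, default_action="bypass") -> str:
    """Return 'forward' or 'bypass' for one HTTP response head."""
    status = int(res_head.split(b" ", 2)[1])
    pattern = rb"(?im)^" + re.escape(rule["header_name"]) + rb":[ \t]*([^;\r\n]*)"
    match = re.search(pattern, res_head)
    # Assumption: the media type is compared case-insensitively, parameters ignored.
    value = match.group(1).strip().lower() if match else b""
    if status in rule["status_codes"] and value == rule["header_value"]:
        return rule["action"]
    # No rule matched: respmod-default-action decides.
    return default_action


def build_respmod(icap_host: str, service: str,
                  req_head: bytes, res_head: bytes, body: bytes) -> bytes:
    """Wrap an HTTP transaction in an ICAP RESPMOD request (RFC 3507, section 4.4.1)."""
    for head in (req_head, res_head):
        if not head.endswith(b"\r\n\r\n"):
            raise ValueError("encapsulated heads must end with an empty line")
    if body:
        # Encapsulated bodies are always sent with chunked transfer coding.
        payload = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
        body_token = "res-body"
    else:
        payload = b""
        body_token = "null-body"
    res_off = len(req_head)              # response head starts after the request head
    body_off = res_off + len(res_head)   # body starts after both heads
    icap_head = (f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
                 f"Host: {icap_host}\r\n"
                 f"Encapsulated: req-hdr=0, res-hdr={res_off}, {body_token}={body_off}\r\n"
                 "\r\n").encode("ascii")
    return icap_head + req_head + res_head + payload


def split_encapsulated(message: bytes) -> dict:
    """Cut the encapsulated part of an ICAP message at the advertised offsets."""
    icap_head, _, encapsulated = message.partition(b"\r\n\r\n")
    header = re.search(rb"(?im)^Encapsulated:[ \t]*(.+?)\r?$", icap_head).group(1)
    marks = [item.strip().split(b"=") for item in header.split(b",")]
    marks = [(name.decode(), int(off)) for name, off in marks]
    ends = [off for _, off in marks[1:]] + [len(encapsulated)]
    return {name: encapsulated[off:end] for (name, off), end in zip(marks, ends)}


# Constructed sample transaction (not taken from the article's capture).
REQ = b"GET /images/gap.jpg HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
JPEG = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 4\r\n\r\n"
PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\n"

if __name__ == "__main__":
    for name, head in (("jpeg", JPEG), ("png", PNG)):
        print(name, "->", decide(head))
    # "respmod" is a hypothetical service path; address and port are the article's.
    msg = build_respmod("172.31.133.213:1344", "respmod", REQ, JPEG, b"\xff\xd8\xff\xd9")
    print(msg.decode("latin-1"))
```

The offsets in the Encapsulated header count bytes from the start of the encapsulated section, which is why a client that miscounts them produces the "illegal" messages that ICAP peers reject.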


An icap error was encountered while handling the request

Good day.
I have run into a problem: I set up squid+icap+clamav and everything is fine except for one problem, files do not download. On startup icap complains about one line
(Uknown type of module:perl_handler)
(Error loading service)
and the browser shows (Downloaded 387522 bytes from 580020 of data)
(Download your file(size=580020) from Far165.exe)
When you click the link, in this case (Far165.exe), you get "the page cannot be displayed", and the URL shows garbage like this (http://www.rarlab.com/far/¨DUMMY¨CI_TMP_jAZYsF)
If anyone knows how to beat this, please share your experience

1. "files do not download when running squid+icap+clamav"
Message from gindos (ok) on 08-Feb-06, 01:48

post your c-icap.conf config, please

2. "files do not download when running squid+icap+clamav"
Message from Shurilla on 08-Feb-06, 08:45

>post your c-icap.conf config, please

#
# This file contains the default settings for c-icap
#

PidFile /var/run/c-icap.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
# set KeepAliveTimeout to -1 for no timeout
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0

Port 1344
User nobody
Group nobody

#ServerAdmin you@your.address # Not implemented yet
#ServerName localhost:1344 # Not implemented yet

TmpDir /var/tmp
MaxMemObject 131072

ServerLog /usr/local/c_icap/var/log/server.log
AccessLog /usr/local/c_icap/var/log/access.log
#DebugLevel 3

ModulesDir /usr/local/c_icap/lib/c_icap
Module logger sys_logger.so
Module perl_handler perl_handler.so

sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1

##Specify which logger to use.
#Logger sys_logger
Logger file_logger

## AclControllers example. The default_acl is the built-in acl controller
## To load an external access controller named my_acl.so use:
#Module access_controller my_acl.so

## This parameter needed to specify the order of used acl controllers
## If not specified access control will be disabled
#AclControllers default_acl

## An example of acl lists for default_acl controller.
## acl and icap_access are aliases for default_acl.acl and default_acl.icap_access
#acl localnet_options src 192.168.1.0/255.255.255.0 type options
#acl localnet_respmod src 192.168.1.0/255.255.255.0 type respmod
#acl localnet src 192.168.1.0/255.255.255.0
##Use the following to demand use of username .
##acl localnet src 192.168.1.0/255.255.255.0 user *
#acl externalnet src 0.0.0.0/0.0.0.0
#acl barbarian src 192.168.1.5
acl localsquid_respmod src 127.0.0.1 type respmod
acl localsquid src 127.0.0.1
acl externalnet src 0.0.0.0/0.0.0.0
##An example to specify access to server
#icap_access deny barbarian
#icap_access allow localnet_options
#icap_access allow localnet_respmod
#icap_access allow localnet
## http_auth mean that the icap server must try to authenticate the request
## using the http headers .
#icap_access http_auth localnet
icap_access allow localsquid_resmod
icap_access allow localsquid
icap_access deny externalnet

#Also you can specify which hosts to log or not.
# Comment out the following two lines to log only the external net
#icap_access nolog localnet
#icap_access log externalnet

##An example for authentication methods .
## To load an external authentication method module named my_authmethod.so use:
#Module auth_method my_authmethod.so

##The following parameter needed to specify the order of authenticators for
##specific authentication method. file_basic is a built-in authenticator
##for built-in basic authentication method (Not implemented yet. ) .
#AuthMethod basic file_basic

ServicesDir /usr/local/c_icap/lib/c_icap
Service echo_module srv_echo.so
Service squard_module srv_sguard.so
Service antivirus_module srv_clamav.so

# Antivirus module settings
# For allowed file types or groups of file types look at c-icap.magic
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
#The percentage of data to sent if the downloaded file exceeds the StartSendPercentDataAfter size
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M

# The Maximum object to be scanned.
srv_clamav.MaxObjectSize 5M
#The directory which clamav library will use as temporary.
srv_clamav.ClamAvTmpDir /var/tmp
#Sets the maximum number of files in archive. Set it to 0 to disable it
srv_clamav.ClamAvMaxFilesInArchive 0
#Sets the maximal archived file size. Set it to 0 to disable it.
srv_clamav.ClamAvMaxFileSizeInArchive 100M
#The maximal recursion level.Set it to 0 to disable it.
srv_clamav.ClamAvMaxRecLevel 5

# And here the viralator-like mode.
# where to save documents
srv_clamav.VirSaveDir /var/infected/
# from where the documents can be retrieved (you can find the get_file.pl script in contrib dir)
srv_clamav.VirHTTPServer "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
# The refresh rate.
srv_clamav.VirUpdateTime 15
srv_clamav.VirHTTPServer ¨DUMMY¨
# For which filetypes the «virelator like mode» will be used.
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE

3. "files do not download when running squid+icap+clamav"
Message from gindos (ok) on 09-Feb-06, 03:38

>ModulesDir /usr/local/c_icap/lib/c_icap
>Module logger sys_logger.so
>Module perl_handler perl_handler.so
if the file perl_handler.so is in /usr/local/c_icap/lib/c_icap, try copying it to /usr/lib and restart c-icap; and if it is not there, try rebuilding c-icap with just one option
./configure --prefix=/usr/local/c_icap
overall, you need to get c-icap to start without errors

4. "files do not download when running squid+icap+clamav"
Message from Shurilla on 09-Feb-06, 09:09

>>ModulesDir /usr/local/c_icap/lib/c_icap
>>Module logger sys_logger.so
>>Module perl_handler perl_handler.so
>if the file perl_handler.so is in /usr/local/c_icap/lib/c_icap, try copying it to /usr/lib and
>restart c-icap; and if it is not there, try rebuilding c-icap with just
>one option
>./configure --prefix=/usr/local/c_icap
>overall, you need to get c-icap to start without errors

5. "files do not download when running squid+icap+clamav"
Message from dxer on 15-Feb-06, 00:34

>OK, I'll try

Same problem here; is there a solution? If I remove the viralator-like mode, the error then comes directly from Squid, at the moment of downloading files (ONLY rar/zip), in this form:

the following error was encountered:

ICAP protocol error.

Some aspect of the ICAP communication failed. Possible problems:

ICAP server is not reachable.
Illegal response from ICAP server.

6. "files do not download when running squid+icap+clamav"
Message from shurilla on 15-Feb-06, 08:49

>Same problem here; is there a solution? If I remove the viralator-like mode, the error then
>comes directly from Squid, at the moment of downloading files (ONLY rar/zip),
>in this form:
>
>While attempting to retrieve the URL: http://www.uralpribor.ru/mebel.zip
>
>the following error was encountered:
>
>ICAP protocol error.
>
>Some aspect of the ICAP communication failed. Possible problems:
>
>ICAP server is not reachable.
>Illegal response from ICAP server.

read the description here; it is for FreeBSD, though, but it works for me on Linux
http://www.lissyara.su/?id=1128

7. "files do not download when running squid+icap+clamav"
Message from dxer on 15-Feb-06, 12:40

>read the description here; it is for FreeBSD, though, but it works for me on Linux
> http://www.lissyara.su/?id=1128

That's it, I dug up the trouble.
You must not build with --prefix=/usr/local and --static
the only switches for configure are --prefix=/usr/local/somedir_for_i-cap --with-clamav=/path/to/clamav
that's all =)
It works well, by the way.

A question about performance:
How will it behave on this server?
SuperMicro 2U/1CPU P4-3.2Ghz/2GB RAM/233Gb-RAID1

8. "files do not download when running squid+icap+clamav"
Message from dxer on 15-Feb-06, 12:42

Forgot to add: the total web traffic in the office is about 1-1.3 GB.
External link = 1024kbit/s
delay_pools cuts a single pipe (48 kilobytes/s) for all squid users.
+ SquidGuard + winbindd (authentication in Active Directory) and, most importantly, 150 machines.

9. "files do not download when running squid+icap+clamav"
Message from shurilla on 15-Feb-06, 23:50

>That's it, I dug up the trouble.
>You must not build with --prefix=/usr/local and --static
>the only switches for configure are --prefix=/usr/local/somedir_for_i-cap --with-clamav=/path/to/clamav
>that's all =)
>It works well, by the way.
>
>A question about performance:
>How will it behave on this server?
>SuperMicro 2U/1CPU P4-3.2Ghz/2GB RAM/233Gb-RAID1

a counter-question about authentication via AD: did you have no problems? My domain crashed when I tried to do samba+AD, so now I am afraid to combine them
and the server should be enough; mine is a P3-1200/256/40 and it works, though there are fewer machines, only 40

For some reason c-icap does not want to accept connections.

squid 3.1.10 and c-icap-060708_2,1 from ports

configs

Code:

 cat squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.84.0/24
acl localnet src 192.168.85.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?

cache_dir ufs /storage/squidcache 4096 64 256
maximum_object_size 512 KB

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
icap_log /var/log/squid/icap.log
cache_store_log none
logfile_rotate 10

url_rewrite_program /usr/local/rejik/redirector /usr/local/etc/redirector.conf
url_rewrite_children 8
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
visible_hostname server.local

icp_port 3130
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://192.168.84.253/srv_clamav
icap_service service_avi respmod_precache 1 icap://192.168.84.253/srv_clamav
adaptation_service_set service_avi service_avi_req
adaptation_access  service_avi allow all
adaptation_access  service_avi_req allow all

icap; access is deliberately allowed to everyone while troubleshooting

Code:

 cat c-icap.conf | grep -v '^#' | sed '/^$/d'
cat: c-icap.conf: No such file or directory
niko-gw# cd /usr/local/etc
niko-gw# cat c-icap.conf | grep -v '^#' | sed '/^$/d'
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 600
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
User cicap
Group cicap
TmpDir /tmp/
MaxMemObject 131072
ServerLog /var/log/c_icap/server.log
AccessLog /var/log/c_icap/access.log
DebugLevel 1
ModulesDir /usr/local/lib/c_icap
Module logger sys_logger.so
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
Logger sys_logger
acl squid_respmod src 192.168.84.0/255.255.255.0 type respmod
acl squid_options src 192.168.84.0/255.255.255.0 type options
acl any src 0.0.0.0/0.0.0.0
icap_access allow squid_respmod
icap_access allow squid_options
icap_access allow any
ServicesDir /usr/local/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
ServiceAlias  avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
srv_clamav.MaxObjectSize  5M
srv_clamav.ClamAvTmpDir /tmp/
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /var/infected
srv_clamav.VirHTTPServer  "DUMMY"
srv_clamav.VirUpdateTime   15
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE

tcpdump of the exchange between the proxy and c-icap

Code:

 tcpdump -npi tap0 port 1344
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
12:32:31.157214 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [S], seq 1466692851, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 136294970 ecr 0], length 0
12:32:31.157389 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [S.], seq 187600070, ack 1466692852, win 65535, options [mss 1337,nop,wscale 3,sackOK,TS val 2911239331 ecr 136294970], length 0
12:32:31.161123 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161536 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [F.], seq 1, ack 1, win 8281, options [nop,nop,TS val 136294972 ecr 2911239331], length 0
12:32:31.161681 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [.], ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.162434 IP 192.168.84.253.1344 > 192.168.84.254.34482: Flags [F.], seq 1, ack 2, win 8281, options [nop,nop,TS val 2911239336 ecr 136294972], length 0
12:32:31.163591 IP 192.168.84.254.34482 > 192.168.84.253.1344: Flags [.], ack 2, win 8281, options [nop,nop,TS val 136294977 ecr 2911239336], length 0

Squid writes to the browser:

Code:

При получении URL http://dealextreme.com/ произошла следующая ошибка

Ошибка протокола ICAP.

Система вернула: [No Error]

Это означает, что какой-то этап связи по протоколу ICAP не удался.

Возможные проблемы:

Сервер ICAP недоступен

Получен недопустимый ответ от сервера ICAP.

Running c-icap in debug mode:

Code:

 c-icap -D -N -d 10
Enabling parameter -D
Disabling parameter -N
Setting parameter :-d=10
Searching 0x805d02c for default value
Setting parameter :PidFile=/var/run/c-icap.pid
Searching 0x805d030 for default value
Setting parameter :CommandsSocket=/var/run/c-icap/c-icap.ctl
Searching 0x805d050 for default value
Setting parameter :Timeout=300
Searching 0x805d058 for default value
Setting parameter :MaxKeepAliveRequests=600
Searching 0x805d054 for default value
Setting parameter :KeepAliveTimeout=600
Searching 0x805d060 for default value
Setting parameter :StartServers=3
Searching 0x805d064 for default value
Setting parameter :MaxServers=10
Searching 0x805d06c for default value
Setting parameter :MinSpareThreads=10
Searching 0x805d070 for default value
Setting parameter :MaxSpareThreads=20
Searching 0x805d068 for default value
Setting parameter :ThreadsPerChild=10
Searching 0x805d864 for default value
Setting parameter :MaxRequestsPerChild=0
Searching 0x805d020 for default value
Setting parameter :Port=1344
Searching 0x805d034 for default value
Setting parameter :User=cicap
Searching 0x805d038 for default value
Setting parameter :Group=cicap
Searching 0x805d028 for default value
Setting parameter :TmpDir=/tmp/
Searching 0x805d844 for default value
Setting parameter :MaxMemObject=131072
Searching 0x805d3d0 for default value
Setting parameter :ServerLog=/var/log/c_icap/server.log
Searching 0x805d3d4 for default value
Setting parameter :AccessLog=/var/log/c_icap/access.log
Searching 0x805d85c for default value
Setting parameter :DebugLevel=1
Setting parameter :ModulesDir=/usr/local/lib/c_icap
Loading service :logger path sys_logger.so
Going to search variable Prefix in table sys_logger
Setting parameter :Prefix=C-ICAP:
Going to search variable Facility in table sys_logger
Setting parameter :Logger=sys_logger
Setting parameter :ServicesDir=/usr/local/lib/c_icap
Loading service :echo_module path srv_echo.so
Found handler C_handler for service with extension:.so
Loading service :url_check_module path srv_url_check.so
Found handler C_handler for service with extension:.so
Initialization of url_check module......
Loading service :antivirus_module path srv_clamav.so
Found handler C_handler for service with extension:.so
Alias:avscan of service srv_clamav
Going to search variable ScanFileTypes in table srv_clamav
Iam going to scan data for simple scanning of type:,GIF,JPEG,MSOFFICE,TEXT,DATA,EXECUTABLE,ARCHIVE
Going to search variable SendPercentData in table srv_clamav
Setting parameter :SendPercentData=5
Going to search variable StartSendPercentDataAfter in table srv_clamav
Setting parameter :StartSendPercentDataAfter=2097152
Going to search variable MaxObjectSize in table srv_clamav
Setting parameter :MaxObjectSize=5242880
Going to search variable ClamAvTmpDir in table srv_clamav
Setting parameter :ClamAvTmpDir=/tmp/
Going to search variable ClamAvMaxFilesInArchive in table srv_clamav
Setting parameter :ClamAvMaxFilesInArchive=0
Going to search variable ClamAvMaxFileSizeInArchive in table srv_clamav
Setting parameter :ClamAvMaxFileSizeInArchive=104857600
Going to search variable ClamAvMaxRecLevel in table srv_clamav
Setting parameter :ClamAvMaxRecLevel=5
Going to search variable VirSaveDir in table srv_clamav
Setting parameter :VirSaveDir=/var/infected
Going to search variable VirHTTPServer in table srv_clamav
Setting parameter :VirHTTPServer=DUMMY
Going to search variable VirUpdateTime in table srv_clamav
Setting parameter :VirUpdateTime=15
Going to search variable VirScanFileTypes in table srv_clamav
Iam going to scan data for vir_mode scanning of type:,EXECUTABLE,ARCHIVE
My hostname is:niko-gw.o56.ru

All of this is printed at startup; at the moment Squid is accessed, it writes nothing more

Although c-icap is up and listening on the port:

Code:

cicap    c-icap     95318 3  tcp4   *:1344                *:*
cicap    c-icap     95318 4  dgram  -> /var/run/logpriv
cicap    c-icap     95317 3  tcp4   *:1344                *:*
cicap    c-icap     95317 4  dgram  -> /var/run/logpriv
cicap    c-icap     95316 3  tcp4   *:1344                *:*
cicap    c-icap     95316 4  dgram  -> /var/run/logpriv
cicap    c-icap     95315 3  tcp4   *:1344                *:*
cicap    c-icap     95315 4  dgram  -> /var/run/logpriv



Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 *.1344                 *.*                    LISTEN
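Squid's "ICAP protocol error" page covers both an unreachable server and an illegal response, and the capture above shows only a TCP handshake and teardown with length 0 in every segment. A direct ICAP OPTIONS request tells these cases apart without going through Squid. The following is an added example, not part of the original thread: the function names and result labels are this sketch's own, the sample replies are constructed, and the host and service in the usage comment are the ones from the squid.conf above.

```python
import socket


def build_options(host: str, service: str, port: int = 1344) -> bytes:
    """OPTIONS request in the form shown in RFC 3507, section 4.10.2."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "\r\n").encode("ascii")


def parse_icap_response(raw: bytes) -> dict:
    """Parse status line and headers; raise ValueError on anything that is not ICAP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "", "headers": headers}


def diagnose(raw: bytes, wanted_method: str = "RESPMOD") -> str:
    """Map a raw reply to one of the causes hidden behind 'ICAP protocol error'."""
    if not raw:
        return "closed-without-reply"      # peer accepted TCP but sent nothing
    try:
        reply = parse_icap_response(raw)
    except ValueError:
        return "illegal-response"          # something other than ICAP answered
    if reply["status"] == 404:
        return "service-not-found"         # wrong service name in the icap:// URL
    if reply["status"] != 200:
        return f"icap-status-{reply['status']}"
    methods = [m.strip().upper() for m in reply["headers"].get("methods", "").split(",")]
    if wanted_method.upper() not in methods:
        return "method-not-offered"        # e.g. RESPMOD asked of a REQMOD-only service
    return "ok"


def probe(host: str, service: str, port: int = 1344, timeout: float = 5.0) -> str:
    """Send OPTIONS to a live server and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options(host, service, port))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:
        return f"unreachable: {exc}"
    return diagnose(raw)


# Constructed replies for offline use (header values are illustrative).
SAMPLE_OK = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
             b"ISTag: \"constructed-tag\"\r\nPreview: 1024\r\nAllow: 204\r\n"
             b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_404 = b"ICAP/1.0 404 Service not found\r\n\r\n"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    import sys
    # Usage: python icap_probe.py 192.168.84.253 srv_clamav
    print(probe(sys.argv[1], sys.argv[2]))
```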


  • After upgrading pfsense to v2.3, I’ve encountered a lot of problems and I’ve managed to fix a few, but I’m left with the following error every time I’m trying to access a page through my reverse proxy configuration which was working fine before the update:

    The following error was encountered while trying to retrieve the URL: https://subdomain.domain.com/
    ICAP protocol error.
    The system returned: [No Error]
    This means that some aspect of the ICAP communication failed.
    Some possible problems are:
    The ICAP server is not reachable.
    An Illegal response was received from the ICAP server.
    

    I’m assuming something didn’t go right with the ICAP installation included in the packages, but I’ve de-installed and re-installed it a bunch of times without success. I tried to manually delete the squid installation folders, but I don’t know where ICAP gets installed and I haven’t managed to find it.

    Any advice or hint on how to solve this problem would be very welcomed.

  • Hello.

    Scenario: pfSense 2.3_1 amd64, squid 0.4.16_2, squidGuard 1.14_3

    I had the same problem: the c-icap and clamd (ClamAV Squid) services were going down, and squid was in error and did not allow connecting to pages.

    To fix this, I installed the package Service Watchdog and configured it to monitor clamd and c-icap. And now it works fine for me.

    Regards

  • Thanks for the suggestion, but both services are always running according to pfsense interface on mine. I’ll give it a try anyway, just in case the status doesn’t get reported properly.

    I’m using pfsense 2.3-RELEASE (amd64) and the squid package version is 0.4.16_2 and I don’t have squidguard installed.

    Edit: Same problem with service watchdog configured to watch clamd and C-ICAP

  • Hello.

    There is a new Upgrade: pfSense 2.3.1

    https://blog.pfsense.org/?p=2050

    Maybe this is the solution.

    Regards

  • No such luck sadly.

  • Hello.

    I would try an upgrade to 2.3.1, and if the problem persists, maybe a reinstall of the squid package will fix it.

    Regards.

  • Reinstalling the squid package after the upgrade also didn’t help, I still get the same error page.

  • Hello.

    You could try this:

    (Back up/copy squid.conf and the squidGuard config to other files)

    Remove squid (and squidGuard) config:

    Diagnostics > Command Prompt > Execute PHP Commands

    foreach (array_keys($config['installedpackages']) as $sec) {
    	if (strpos($sec, "squid") !== false)
    		unset($config['installedpackages'][$sec]);
    }
    write_config("Removed all squid-related settings");
    
    

    Reinstall squid package, and config again, …

    Regards

  • Thank you so much, that finally did the trick.

  • Thanks.

    It helps me too.

    I made a clean reinstall with 2.31 and it didn’t work. After I killed all files and reinstalled, it works fine.

    thanks!

  • Turns out it doesn’t quite work after all, but I can at least easily make the reverse proxy work alone which was the main thing I needed.

    I did some more testing today and noticed that the antivirus option was disabled in squid and when I activate it, I get the ICAP error again.
    If I disable the antivirus again, then the reverse proxy works properly.

Hello!
Has anyone configured the recent c-icap 1.3 version?
Squid-3.1.8-2.fc13
Clamav-0.96.1-1300.fc13

I added these lines to the squid config:

Code:

icap_enable on
# enable icap

 icap_preview_enable on
 icap_preview_size 128
 icap_send_client_ip on

 icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344

 icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344

adaptation_access service_req allow all
adaptation_access service_resp allow all
# scan everyone for viruses

Here is the c-icap config:

Code:

    #
    # This file contains the default settings for c-icap
    #
    #

    # TAG: PidFile
    # Format: PidFile pid_file
    # Description:
    # The file to store the pid of the main process of the c-icap server.
    # Default:
    # PidFile /var/run/c-icap/c-icap.pid
    PidFile /var/run/c-icap/c-icap.pid

    # TAG: CommandsSocket
    # Format: CommandsSocket socket_file
    # Description:
    # The path of file to use as control socket for c-icap
    # Default:
    # CommandsSocket /var/run/c-icap/c-icap.ctl
    CommandsSocket /var/run/c-icap/c-icap.ctl

    # TAG: Timeout
    # Format: Timeout seconds
    # Description:
    # The time in seconds after which a connection without activity
    # can be cancelled.
    # Default:
    # Timeout 300
    Timeout 300

    # TAG: MaxKeepAliveRequests
    # Format: MaxKeepAliveRequests number
    # Description:
    # The maximum number of requests can be served by one connection
    # Set it to -1 for no limit
    # Default:
    # MaxKeepAliveRequests 100
    MaxKeepAliveRequests 100

    # TAG: KeepAliveTimeout
    # Format: KeepAliveTimeout seconds
    # Description:
    # The maximum time in seconds waiting for a new requests before a
    # connection will be closed.
    # If the value is set to -1, there is no timeout.
    # Default:
    # KeepAliveTimeout 600
    KeepAliveTimeout 600

    # TAG: StartServers
    # Format: StartServers number
    # Description:
    # The initial number of server processes. Each server process
    # generates a number of threads, which serve the requests.
    # Default:
    # StartServers 3
    StartServers 3

    # TAG: MaxServers
    # Format: MaxServers number
    # Description:
    # The maximum allowed number of server processes.
    # Default:
    # MaxServers 10
    MaxServers 10

    # TAG: MinSpareThreads
    # Format: MinSpareThreads number
    # Description:
    # If the number of the available threads is less than number,
    # the c-icap server starts a new child.
    # Default:
    # MinSpareThreads 10
    MinSpareThreads 10

    # TAG: MaxSpareThreads
    # Format: MaxSpareThreads number
    # Description:
    # If the number of the available threads is more than number then
    # the c-icap server kills a child.
    # Default:
    # MaxSpareThreads 20
    MaxSpareThreads 20

    # TAG: ThreadsPerChild
    # Format: ThreadsPerChild number
    # Description:
    # The number of threads per child process.
    # Default:
    # ThreadsPerChild 10
    ThreadsPerChild 10

    # TAG: MaxRequestsPerChild
    # Format: MaxRequestsPerChild number
    # Description:
    # The maximum number of requests that a child process can serve.
    # After this number has been reached, process dies. The goal of this
    # parameter is to minimize the risk of memory leaks and increase the
    # stability of c-icap. It can be disabled by setting its value to 0.
    # Default:
    # MaxRequestsPerChild 0
    MaxRequestsPerChild 0

    # TAG: Port
    # Format: Port port
    # Description:
    # The port number that the c-icap server uses to listen to requests.
    # Default:
    # Port 1344
    Port 1344

    # TAG: User
    # Format: User username
    # Description:
    # The user owning c-icap's processes. By default, the owner is the
    # user who runs the program.
    # Default:
    # No value
    # Example: User nobody

    # TAG: Group
    # Format: Group groupname
    # Description:
    # The group of users owning c-icap's processes, which, by default
    # is the group of the current user.
    # Default:
    # No value
    # Example: Group nobody

    # TAG: ServerAdmin
    # Format: ServerAdmin admin_mail
    # Description:
    # The Administrator of this server. Used when displaying information
    # about this server (logs, info service, etc)
    # Default:
    # No value
    ServerAdmin you@your.address

    # TAG: ServerName
    # Format: ServerName aServerName
    # Description:
    # A name for this server. Used when displaying information about this
    # server (logs, info service, etc)
    # Default:
    # No value
    ServerName YourServerName

    # TAG: TmpDir
    # Format: TmpDir dir
    # Description:
    # dir is the location of temporary files.
    # Default:
    # TmpDir /var/tmp
    TmpDir /var/tmp

    # TAG: MaxMemObject
    # Format: MaxMemObject bytes
    # Description:
    # The maximum memory size in bytes taken by an object which
    # is processed by c-icap . If the size of an object's body is
    # larger than the maximum size a temporary file is used.
    # Default:
    # MaxMemObject 131072
    MaxMemObject 131072

    # TAG: DebugLevel
    # Format: DebugLevel level
    # Description:
    # The level of debugging information to be logged.
    # The acceptable range of levels is between 0 and 10.
    # Default:
    # DebugLevel 1
    DebugLevel 5

    # TAG: ModulesDir
    # Format: ModulesDir dir
    # Description:
    # The location of modules
    # Default:
    # ModulesDir /usr/local/c-icap/lib/c_icap
    ModulesDir /usr/local/c-icap/lib/c_icap

    # TAG: ServicesDir
    # Format: ServicesDir dir
    # Description:
    # The location of services
    # Default:
    # ServicesDir /usr/local/c-icap/lib/c_icap
    ServicesDir /usr/local/c-icap/lib/c_icap

    # TAG: TemplateDir
    # Format: TemplateDir dir
    # Description:
    # The location of the text templates used by c-icap and its services,
    # categorized by language and services/modules
    # Default:
    # No value
    # Example: TemplateDir /usr/local/c-icap/share/c_icap/templates/

    # TAG: TemplateDefaultLanguage
    # Format: TemplateDefaultLanguage lang
    # Description:
    # Sets the default language to use for text templates
    # Default:
    # TemplateDefaultLanguage en
    TemplateDefaultLanguage en
    #TemplateReloadTime 360
    #TemplateCacheSize 20
    #TemplateMemBufSize 8192

    # TAG: LoadMagicFile
    # Format: LoadMagicFile path
    # Description:
    # Load a c-icap magic file. A magic file contains various
    # data type definitions. Look inside default c-icap.magic file
    # for more informations.
    # It can be used more than once to use multiple magic files.
    # Default:
    # LoadMagicFile /usr/local/c-icap/etc/c-icap.magic
    LoadMagicFile /usr/local/c-icap/etc/c-icap.magic

    # TAG: RemoteProxyUsers
    # Format: RemoteProxyUsers onoff
    # Description:
    # Set it to on if you want to use username provided by the proxy server.
    # This is the recomended way to use users in c-icap.
    # If the RemoteProxyUsers is off and c-icap configured to use users or
    # groups the internal authentication mechanism will be used.
    # Default:
    # RemoteProxyUsers off
    RemoteProxyUsers off

    # TAG: RemoteProxyUserHeader
    # Format: RemoteProxyUserHeader Header
    # Description:
    # Used to specify the icap header used by the proxy server to send
    # the authenticated client username to c-icap server
    # Default:
    # RemoteProxyUserHeader X-Authenticated-User
    RemoteProxyUserHeader X-Authenticated-User

    # TAG: RemoteProxyUserHeaderEncoded
    # Format: RemoteProxyUserHeaderEncoded onoff
    # Description:
    # Set it to off if the RemoteProxyUserHeader is not base64 encoded
    # Default:
    # RemoteProxyUserHeaderEncoded on
    RemoteProxyUserHeaderEncoded on

    # TAG: AuthMethod
    # Format: AuthMethod Method Authenticator
    # Description:
    # Used to define the internal authentication mechanism to use. This
    # feature is not well tested and may cause problems. It is better to use
    # RemoteProxyUser configuration.
    # Method is the authentication method to use (basic, digest, etc).
    # Currently only basic authentication method is implemented as build in
    # module
    # Authenticator currently can only be "basic_simple_db"
    # It can be considered as a user/password store and can be
    # implemented as external module. The basic_simple_db is implemented as
    # build it module
    # Default:
    # No set
    # Example:
    # AuthMethod basic basic_simple_db

    # TAG: basic.Realm
    # Format: basic.Realm ARealm
    # Description:
    # Specify the basic method realm
    # Default:
    # basic.Realm "Basic authentication"
    # Example:
    # basic.Realm "c-icap server authentication"

    # TAG: basic_simple_db.UsersDB
    # Format: basic_simple_db.UsersDB LookupTable
    # Description:
    # Specify the lookup table where the usernames/passwords pairs
    # are stored. The paswords must be unencrypted
    # For more information about c-icap lookup tables read c-icap server
    # manual page
    # Default:
    # No value
    # Example:
    # basic_simple_db.UsersDB hash:/usr/local/c-icap/etc/c-icap-users.txt

    # TAG: GroupSourceByGroup
    # Format: GroupSourceByGroup LookupTable
    # Description:
    # Defines a lookup table where the groups of users are stored indexed
    # by group. It can be used more than once.
    # For more information about c-icap lookup tables read c-icap server
    # manual page
    # Default:
    # No set
    # Example:
    # GroupSourceByGroup hash:/usr/local/c-icap/etc/c-icap-groups.txt

    # TAG: GroupSourceByUser
    # Format: GroupSourceByUser LookupTable
    # Description:
    # Defines a lookup table where the groups of users are stored indexed
    # by user. It can be used more than once.
    # For more information about c-icap lookup tables read c-icap server
    # manual page
    # Default:
    # No set
    # Example:
    # GroupSourceByUser hash:/usr/local/c-icap/etc/c-icap-user-groups.txt

    # TAG: acl
    # Format: acl name type[{param}] value1 [value2] [...]
    # Description:
    # Supported acl types are:
    # acl aclname service service1 ...
    # The servicename
    # acl aclname type OPTIONS|RESPMOD|REQMOD ...
    # The icap method
    # acl aclname port port1 ...
    # The icap server port
    # acl aclname src ip1/netmask1 ...
    # The client ip address
    # acl aclname srvip ip1/netmask1 ...
    # The c-icap server ip address
    # acl aclname icap_header{HeaderName} value1 ...
    # Matches the icap header HeaderName with value1 ...
    # The values are in regex form: /avalue/
    # acl aclname icap_resp_header{HeaderName} value1 ...
    # The icap response header
    # The values are in regex form: /avalue/
    # acl aclname http_req_header{HeaderName} value1 ...
    # The http request header
    # The values are in regex form: /avalue/
    # acl aclname http_resp_header{HeaderName} value1 ...
    # The http response header
    # The values are in regex form: /avalue/
    # acl aclname data_type type1 ...
    # The data type as recognized by the internal data type
    # recognizer. The types are defined in c-icap.magic file
    # acl aclname auth username|* ...
    # The authenticated users. Using * instead of username means
    # all users.
    # acl aclname group group1 ...
    # if the user of request belongs to given groups
    # Default:
    # None set
    # Examples:
    # acl OPTIONS type OPTIONS
    # acl RESPMOD type RESPMOD
    # acl REQMOD type REQMOD
    # acl ALLREQUESTS type OPTIONS RESPMOD REQMOD
    # acl XHEAD icap_header{X-Test} /value/
    # acl ECHO service echo
    # acl localnet src 192.168.1.0/255.255.255.0
    # acl localhost src 127.0.0.1/255.255.255.255
    # acl all src 0.0.0.0/0.0.0.0
    acl ALLREQUESTS type OPTIONS RESPMOD REQMOD
    acl localsquid src 127.0.0.1
    acl externalnet src 0.0.0.0/0.0.0.0

    # TAG: icap_access
    # Format: icap_access allow|deny [!]acl1 ...
    # Description:
    # Allowing or denying ICAP access based on defined access lists
    # Default:
    # None set
    # Example:
    # icap_access deny XHEAD
    # #Allow OPTIONS method for all:
    # icap_access allow localnet OPTIONS
    # #Require authentication for all users from local network:
    # icap_access allow AUTH localnet
    # icap_access deny all
    icap_access allow localsquid ALLREQUESTS
    icap_access allow localsquid
    icap_access allow AUTH localsquid
    icap_access allow externalnet ALLREQUESTS
    icap_access allow externalnet
    # icap_access deny externalnet

    # TAG: client_access
    # Format: client_access allow|deny acl1 [acl2] [...]
    # Description:
    # Allowing or denying connections on c-icap based on
    # defined access lists. Only the acl types src, srvip and port
    # can be used.
    # Default:
    # None set
    # Example:
    # client_access allow all

    # TAG: LogFormat
    # Format: LogFormat Name Format
    # Description:
    # Name is a name for this log format.
    # Format is a string with embedded % format codes. % format codes
    # has the following form:
    # % [-] [width] [{argument}] formatcode
    # if - is specified then the output is left aligned
    # if width specified then the field is exactly width size
    # some formatcodes support arguments given as {argument}
    #
    # Format codes:
    # %a: Remote IP-Address
    # %la: Local IP Address
    # %lp: Local port
    # %>a: Http Client IP Address. Only supported if the proxy
    # client supports the "X-Client-IP" header
    # %<A: Http Server IP Address. Only supported if the proxy
    # client supports the "X-Server-IP" header
    # %ts: Seconds since epoch
    # %tl: Local time. Supports optional strftime format argument
    # %tg: GMT time. Supports optional strftime format argument
    # %>ho: Modified Http request header. Supports header name
    # as argument
    # %huo: Modified Http request url
    # %<ho: Modified Http reply header. Supports header name
    # as argument
    # %iu: Icap request url
    # %im: Icap method
    # %is: Icap status code
    # %>ih: Icap request header. Supports header name
    # as argument
    # %<ih: Icap response header. Supports header name
    # as argument
    # %Ih: Http bytes received
    # %Oh: Http bytes sent
    # %Ib: Http body bytes received
    # %Ob: Http body bytes sent
    # %I: Bytes received
    # %O: Bytes sent
    # %bph: The first 5 bytes of the body preview data. Non
    # printable characters printed in hex form.
    # Supports the number of bytes to output as argument.
    # %un: Username
    # Default:
    # None set
    # Example:
    # LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph"

    # TAG: ServerLog
    # Format: ServerLog LogFile
    # Description:
    # the file used by the build-in logger file_logger to
    # store debugging information, errors and other
    # information about the c-icap server.
    # Default:
    # ServerLog /usr/local/c-icap/var/log/server.log
    ServerLog /usr/local/c-icap/var/log/server.log

    # TAG: AccessLog
    # Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...]
    # Description:
    # LogFile is a file where to log access information.
    # LogFormat is the log format to use. If ommited c-icap uses:
    # "%tl, %la %a %im %iu %is"
    # Also acls can be used to select certain requests to be logged.
    # This directive can be used more than once to specify more than
    # one access log files
    # Default:
    # AccessLog /usr/local/c-icap/var/log/access.log
    # Example:
    # AccessLog /usr/local/c-icap/var/log/access.log MyFormat all
    AccessLog /usr/local/c-icap/var/log/access.log

    # TAG: Logger
    # Format: Logger LoggerName
    # Description:
    # Specify wich logger to use. By default uses the build in "file_logger" which
    # uses files for access and server logging.
    # Default:
    # Logger file_logger
    # Example: Logger file_logger

    # TAG: Module
    # Format: Module Type ModuleFile
    # Description:
    # Load an external module/plugin to c-icap.
    # ModuleFile is the filename of the module. If no full path given then c-icap
    # searche in path defined by the ModulesDir configuration parameter.
    # Type is the type of the external module and can be one of the following:
    # - "logger" for modules implement a logger
    # - "common" for general purpose modules
    # Default:
    #
    # Example: Module logger sys_logger.so

    # TAG: Service
    # Format: Service aName ServiceFile
    # Description:
    # It loads the service ServiceFile. The argument aName used
    # as alias name for the service
    # Default:
    #
    # Example: Service echo_service srv_echo.so

    # TAG: ServiceAlias
    # Format: ServiceAlias AliasName ServiceName[?param1=value1&param2=value2...]
    # Description:
    # Used to define an alias name for a service.
    # Default:
    #
    # Example: ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
    #

    # TAG: General configuration parameters for all services
    # Description:
    # PreviewSize: The preview data size to advertise to the icap client
    # MaxConnections: The client should not use more than MaxConnections
    # for this service.
    # TransferPreview: The list of file extensions, seperated by commas,
    # for which the client should send preview data.
    # TransferIgnore: The list of file extensions that should not be sent
    # to the icap server
    # TransferComplete: The list of file extensions that should be sent
    # in their entirety, without preview, to the icap server
    # Example:
    # echo.PreviewSize 512
    # echo.TransferIgnore gif, jpeg

    ######################################################
    # External modules comming with core c-icap server
    #

    # Module: echo
    # Description:
    # Simple test service
    # Example:
    # Service echo srv_echo.so
    #Service echo srv_echo.so

    # Module: sys_logger
    # Description:
    # Add support for logging access and server events to syslog server
    # Use "Module" configuration parameter to load this module and "Logger"
    # to make it default logger for the c-icap.
    # Example:
    # Module logger sys_logger.so
    # Logger sys_logger

    # TAG: sys_logger.Prefix
    # Format: sys_logger.Prefix string
    # Description:
    # string is be presented in every syslog message.
    # Default:
    # sys_logger.Prefix "C-ICAP:"

    # TAG: sys_logger.Facility
    # Format: sys_logger.Facility daemon|user|local1|local2|local3|local4|local5|local6|local7
    # Description:
    # specifies the facility type of syslog.
    # Default:
    # sys_logger.Facility daemon

    # TAG: sys_logger.access_priority
    # Format: sys_logger.access_priority alert|crit|debug|emerg|err|info|notice|warning
    # Description:
    # determines the importance of the access log message
    # Default:
    # sys_logger.access_priority info

    # TAG: sys_logger.server_priority
    # Format: sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning
    # Description:
    # determines the importance of the server log message
    # Default:
    # sys_logger.server_priority crit

    # TAG: sys_logger.LogFormat
    # Format: sys_logger.LogFormat LOGFORMAT
    # Description:
    # The log format to use. If no log format defined then
    # the following will be used:
    # "%la %a %im %iu %is"
    # Default:
    # None set
    # Example:
    # Logformat BasicFormat "%la %a %im %iu %is"
    # sys_logger.LogFormat BasicFormat

    # TAG: sys_logger.access
    # Format: sys_logger.access [!]acl1 ...
    # Description:
    # Allow selecting ICAP requests to be logged using acls.
    # By default all requests will be logged.
    # Default:
    # None set
    # Example:
    # sys_logger.access all
    # End module: sys_logger

    # Module: bdb_tables
    # Description:
    # Add support for Berkeley DB based lookup tables. The format for
    # bdb path of the lookup table is:
    # bdb:/path/to/bdb
    # Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables
    # Example:
    # Module common bdb_tables.so
    # End module: bdb_tables

    # Module: dnsbl_tables
    # Description:
    # Add support for dns lookup tables. Can be used to access
    # dns block lists. The dnsbl lookup table path definition is:
    # dnsbl:domainname
    # For example the lookup table for accessing the black.uribl.com
    # dns black list is:
    # dnsbl:black.uribl.com
    # Example:
    # Module common dnsbl_tables.so
    # End module: dnsbl_tables

    # Module: ldap_module
    # Description:
    # Add LDAP support to c-icap. The user can use LDAP based lookup tables
    # using the following lookup table path:
    # ldap://[username:password@]ldapserver?base?attr1,attr2?filter
    # The filter can contain the "%s" formating code which will be replaced by
    # the search key
    # Examples of supported ldap urls:
    # ldap://ldap.chtsanti.net?o=chtsanti?cn,uid?uid=%s
    # ldap://cn=Directory Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s))
    #
    # WARNING: is not enough tested it may contain bugs!
    # Example:
    # Module common ldap_module.so
    # End module: ldap_module

When I run the client, everything seems fine:


    # ./c-icap-client
    ICAP server:localhost, ip:127.0.0.1, port:1344
    OPTIONS:
        Allow 204: Yes
        Preview: 1024
        Keep alive: Yes
    ICAP HEADERS:
        ICAP/1.0 200 OK
        Methods: RESPMOD, REQMOD
        Service: C-ICAP/0.1.3 server - Echo demo service
        ISTag: CI0001-XXXXXXXXX
        Transfer-Preview: *
        Options-TTL: 3600
        Date: Mon, 08 Nov 2010 07:39:17 GMT
        Preview: 1024
        Allow: 204
        X-Include: X-Authenticated-User, X-Authenticated-Groups
        Encapsulated: null-body=0

And it even seems to catch a virus if I give this command:


    # ./c-icap-client -f /mnt/my_configs/clamav/test-virus/eicar.com
    ICAP server:localhost, ip:127.0.0.1, port:1344
    X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*[root@linrouter1 bin]#

Although it displays it as gibberish…

But squid just does not see c-icap, and that's that…

    Ошибка протокола ICAP.
    Система вернула: [No Error]
    Это означает, что какой-то этап связи по протоколу ICAP не удался.
    Возможные проблемы:
        Сервер ICAP недоступен
        Получен недопустимый ответ от сервера ICAP.

Please help me find the error…


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2021 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ОШИБКА: Запрошенный URL не может быть получен</title>
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id="%c">
<div id="titles">
<h1>ОШИБКА</h1>
<h2>Запрошенный URL не может быть получен</h2>
</div>
<hr>
<div id="content">
<p>При получении URL <a href="%U">%U</a> произошла следующая ошибка</p>
<blockquote id="error">
<p><b>Ошибка протокола ICAP.</b></p>
</blockquote>
<p id="sysmsg">Система вернула: <i>%E</i></p>
<p>Это означает, что какой-то этап связи по протоколу ICAP не удался.</p>
<p>Возможные проблемы:</p>
<ul>
<li><p>Сервер ICAP недоступен</p></li>
<li><p>Получен недопустимый ответ от сервера ICAP.</p></li>
</ul>
<br>
</div>
<hr>
<div id="footer">
<p>Создано %T на %h (%s)</p>
<!-- %c -->
</div>
</body></html>

Topic: [SOLVED] ICAP protocol error  (Read 3407 times)

It seems that I messed up the installation. I checked something (icap) by mistake in the Web proxy configuration and now I can’t enter the GUI, and slowly more and more inet pages show the "ICAP protocol error." page.
Is there anything I can change in the console so I can stop icap and bring back the system?
Help, please.

Edit: In the console I see a repeating "[bin/mongod] Preventing execution due to repeated segfaults" and the disk is continuously accessed. I dunno if that is related.

« Last Edit: September 24, 2018, 09:59:21 pm by MultiCubic »




I solved it by accessing the system through a vlan that is not filtered and fixed the configuration.
The segfault errors are still there though, and the ssd access is continuous.




Description
This KB describes how to use ICAP response filtering.

Solution

ICAP is a ‘lightweight’ HTTP-like protocol.
ICAP clients can pass HTTP-based (HTML) messages or content to ICAP servers for adaptation.
In this example, HTTP responses are forwarded to the ICAP server from all hosts if they have an HTTP status code of ‘200’, ‘301’, or ‘302’ and have content type image/jpeg in their header.

Network.

Client IP: 172.31.133.213; ICAP server: 172.31.133.213 (port 1344); web server: 162.x.x.x:80; FortiGate IP: 172.31.133.58.

CLI Configuration.

# config icap server
    edit "icap_server1"
        set ip-address <ICAP_Server_IP>
end

# config icap profile
    edit "icap_profile2"
        set request disable
        set response enable
        set response-server "icap_server1"
        set respmod-default-action bypass
        config respmod-forward-rules
            edit "rule2"
                set host "all"
                set action forward
                set http-resp-status-code 200 301 302
                config header-group
                    edit 2
                        set header-name "content-type"
                        set header "image/jpeg"
                    next
                end
            next
        end
    next
end

Note:

If ‘respmod-default-action’ is set to forward, FortiGate treats every HTTP response and sends ICAP requests to the ICAP server. If ‘respmod-default-action’ is set to bypass, FortiGate only sends ICAP requests if the HTTP response matches the defined rules and the rule’s action is set to forward.

Case 1: If the content type is ‘Image/png’, the FortiGate bypasses the ICAP inspection.

Case 2: If the content type is ‘Image/jpg’ and the HTTP response code is ‘200’, ‘301’ or ‘302’, the FortiGate sends the HTTP body for ICAP inspection.

Since the content type is ‘Image/jpg’, when the FortiGate receives an HTTP response packet from the web server with status code ‘200’, the HTTP packet is forwarded to the ICAP server for inspection.

In the above PCAP file, the FortiGate does not receive any ICAP response packet from the ICAP server and throws the error ‘An ICAP error was encountered while handling the request’.

ICAP packet going out from the FortiGate firewall.

Use category 20 for the ICAP log.

# execute log filter category 20 
# execute log display

1: date=2020-04-21 time=12:42:15 logid="2000060000" type="utm" subtype="icap" eventtype="icap" level="warning" vd="root" eventtime=1587465735129231120 tz="+0200" msg="Request blocked due to ICAP server error" service="HTTP" srcip=172.31.133.213 dstip=162.x.x.x  srcport=56232 dstport=80 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=1 sessionid=371403 proto=6 action="blocked" profile="default" url="http://www.anydomain.com /images/gap.jpg"

Browser output.

In the above output, the ‘jpg’ image content type response is processed by the ICAP server.

In the above output, the ‘png’ image content type response is bypassed by FortiGate from ICAP inspection.

Refer to RFC 3507 for more information.
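
An added example (not from the Fortinet KB or any vendor code) of the RFC 3507 exchange this KB relies on: it builds the RESPMOD request an ICAP client sends for a forwarded image/jpeg response and checks the kinds of reply that end in an ICAP error. The service URI, host name and sample bytes are constructed, and the function names are hypothetical.

```python
import re

CRLF = b"\r\n"
PARTS = {"req-hdr", "res-hdr", "req-body", "res-body", "opt-body", "null-body"}

# Constructed sample: the HTTP request/response pair the ICAP client wraps.
SAMPLE_REQ_HDR = b"GET /images/gap.jpg HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 4\r\n\r\n"
SAMPLE_BODY = b"\xff\xd8\xff\xe0"  # first bytes of a JPEG, stands in for the image


class IcapProtocolError(ValueError):
    """A reply the ICAP client cannot use and has to report as an ICAP error."""


def build_respmod(service_uri, http_req_hdr, http_res_hdr, body=b""):
    """Return one RESPMOD request; both HTTP header blocks must end with a blank line."""
    host = re.match(r"icap://([^/]+)", service_uri).group(1)
    # Encapsulated offsets are counted from the first byte after the ICAP headers.
    res_hdr_off = len(http_req_hdr)
    body_off = res_hdr_off + len(http_res_hdr)
    body_part = b"res-body" if body else b"null-body"
    icap_head = CRLF.join([
        b"RESPMOD %s ICAP/1.0" % service_uri.encode("ascii"),
        b"Host: %s" % host.encode("ascii"),
        b"Allow: 204",  # server may answer "no change" instead of echoing the body
        b"Encapsulated: req-hdr=0, res-hdr=%d, %s=%d" % (res_hdr_off, body_part, body_off),
    ]) + CRLF + CRLF
    # The encapsulated body is always chunked, whatever framing the web server used.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return icap_head + http_req_hdr + http_res_hdr + chunked


def parse_encapsulated(value):
    """'req-hdr=0, res-body=56' -> [('req-hdr', 0), ('res-body', 56)], validated."""
    entries = []
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        if name not in PARTS or not re.fullmatch(r"[0-9]+", offset):
            raise IcapProtocolError(f"bad Encapsulated entry {item.strip()!r}")
        entries.append((name, int(offset)))
    offsets = [off for _, off in entries]
    if offsets[0] != 0 or any(a >= b for a, b in zip(offsets, offsets[1:])):
        raise IcapProtocolError(f"Encapsulated offsets not increasing from 0: {value!r}")
    return entries


def parse_icap_message(raw):
    """Split raw ICAP bytes into (start_line, headers, {part_name: bytes})."""
    head, sep, payload = raw.partition(CRLF + CRLF)
    if not sep:
        raise IcapProtocolError("ICAP header block is not terminated")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise IcapProtocolError(f"bad header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    parts = {}
    if "encapsulated" in headers:
        entries = parse_encapsulated(headers["encapsulated"])
        bounds = [off for _, off in entries] + [len(payload)]
        if bounds[-2] > bounds[-1]:
            raise IcapProtocolError("Encapsulated offset points past the received data")
        parts = {name: payload[bounds[i]:bounds[i + 1]] for i, (name, _) in enumerate(entries)}
    return lines[0], headers, parts


def check_reply(raw):
    """Return 'unmodified' (204) or 'adapted' (200); raise for any other reply."""
    start, _headers, parts = parse_icap_message(raw)
    match = re.fullmatch(r"ICAP/1\.0 (\d{3})(?: .*)?", start)
    if not match:
        raise IcapProtocolError(f"not an ICAP status line: {start!r}")
    status = int(match.group(1))
    if status == 204:
        return "unmodified"
    if status == 200:
        if not parts.get("res-hdr", b"").startswith(b"HTTP/"):
            raise IcapProtocolError("200 reply carries no encapsulated HTTP response")
        return "adapted"
    raise IcapProtocolError(f"ICAP server returned status {status}")


if __name__ == "__main__":
    request = build_respmod("icap://icap.example.test:1344/respmod",
                            SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY)
    print(request.decode("latin-1"))
    print(check_reply(b'ICAP/1.0 204 No Content\r\nISTag: "constructed"\r\n'
                      b"Encapsulated: null-body=0\r\n\r\n"))
```

A server that never answers, as in the capture described above, produces no bytes to parse at all; the checks here cover the other branch, where something answers on the ICAP port but the reply is not usable.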


  • configured squid in both transparent and non-transparent.
    only testing with HTTP

    Have enabled on LAN interfaces and use interface for allowed users.
    authentication set to none.

    3128 Port shows as listening.

    in the real time logs, both browsing activities show with
    TCP_MISS/200

    however, when I set the browser to use the proxy, I get
    proxy server is refusing connections

    I also lose access to the pfsense box, even though it should not be in the proxy.

  • hard to tell
    you should post some screenshot of your proxy configuration to understand what’s wrong

  • I can

    telnet proxyhost 3128
    
    Trying proxyhost...
    Connected to proxyhost.
    Escape character is '^]'.
    

    so
    General
    Enable Squid Proxy X
    Proxy Interface(s) LAN1 and LAN2
    Allow Users on Interface X

    Transparent (tried both enabled/disabled) same result
    Antivirus (tried both enabled/disabled) same result

    ACLs
    Allowed Subnets 192.168.0.0/23 (have tried with/without)

    Authentication
    Authentication Method None

    I added a 3128/3129 to the allowed ports as a LAN rule

  • not enough information, we really need a screenshot, as most of the time people think they have done ABC and instead they do BCD

    I replicated your configuration as you wrote it and it works for me without problems
    there is no known bug that can do this so it must be some misconfiguration

    compare with my screenshot
    squid1.jpg
    squid2.jpg
    squid3.jpg
    squid4.jpg
    squid5.jpg
    squid6.jpg

  • Example :

    @gwaitsi said in proxy server is refusing connections:

    I added a 3128/3129 to the allowed ports as a LAN rule

    This is not needed.
    Default, all incoming connections on LAN are permitted.

  • @Gertjan the info I provided is exactly the same as in your screenshots and pass through is required because I block all ports on lan as well.

    from squid.conf is the following

    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src 192.168.0.0/23
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    acl sglog url_regex -i sgr=ACCESSDENIED
    http_access deny sglog
    # Setup allowed ACLs
    # Allow local network(s) on interface(s)
    http_access allow allowed_subnets
    http_access allow localnet
    
    # Default block all to be sure
    http_access deny allsrc
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username off
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    
    icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
    adaptation_access service_avi_req allow all
    icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
    adaptation_access service_avi_resp allow all
    
  • how about this part?
    shutdown_lifetime 3 seconds

    # Allow local network(s) on interface(s)
    acl localnet src  192.168.1.0/24 192.168.3.0/24 192.168.2.0/24
    forwarded_for on
    httpd_suppress_version_string on
    uri_whitespace strip
    
  • @kiokoman they are there
    forwarded_for on
    uri_whitespace strip

    but i don’t have this one
    httpd_suppress_version_string on

    I don’t understand it, because if I do the following on the pfsense box, I get

    netstat -ln
    tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33796                           ESTABLISHED
    tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33792                           ESTABLISHED
    tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33788                           ESTABLISHED
    

    I have the network proxy manually set on linux mint, but firefox is using no proxy when it works.
    As soon as I switch to the proxy on firefox, I get the refusing connections errors.

    Must be something with the ACLs, but authentication is set to no.

  • if you set transparent proxy you don’t need to configure proxy on web browser, all the http traffic should be automatically intercepted by squid

    httpd_suppress_version_string -> not important right now

  • @kiokoman both transparent and forwarding, give the same problem on both the test and production systems.

    I’ve had some progress. I now have HTTP caching working without Antivirus.
    I added custom patterns, and checked and re-saved each of the pages (had antivirus off) and it started working.

    have blocked HTTP on the WAN so it is definitely going via squid and I am now seeing
    TCP_TUNNEL/200 and HITS in the real-time log.

    The problem now starts when I enable antivirus. If I continue to browse a previously cached HTTP site, I get the following.

    The following error was encountered while trying to retrieve the URL: http://www.xxx.xx/
    ICAP protocol error.
    The system returned: [No Error]
    This means that some aspect of the ICAP communication failed.
    Some possible problems are:
        The ICAP server is not reachable.
        An Illegal response was received from the ICAP server.
    

    toggle antivirus on/off, and it works, or stops with antivirus on.

  • This has to be a bug with the Antivirus/ICAP config. I have duplicated the setup on the test environment and replicated the same behavior. Simply put,

    • install Squid in either transparent or forward mode (start with only HTTP) to keep it simple.
    • block HTTP from the WAN
    • setup the proxy manually at one or both system and/or firefox
    • browse HTTP only site

    With antivirus enabled, it doesn’t work.
    With antivirus disabled, it does work.
    Using latest pfsense 2.4.4_p3


    /var/log/c-icap/server.log
    ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf

    made the following config changes;
    Included "Loopback" in the Proxy Interface
    X-Forwarded Header Mode - Transparent (was - on previously)
    URI Whitespace Characters Handling - set to Encode (was - strip)

    It is now sort of working, but still gets the occasional ICAP error per above.

  • I don’t have this problem even with antivirus enabled, did you set this option after enabling it?

    Immagine.jpg

    and pressed "Update AV"?

    but I have 2.5.0 right now that I can test

  • @kiokoman below was the solution

    • add Loopback to the Proxy Interfaces
    • X-Forwarded Header Mode - Transparent (was - on previously)

    and importantly, there is a bug with the "Allow Users on Interface" - it doesn’t work!

    ACLs - Allowed Subnet still needs to have the subnet plus the localhost
    192.168.0.0/24
    127.0.0.1/32

    another thing i found, switching from forwarding to transparent mode, it is necessary to reboot the router.
    Not enough to restart the service, or the same ICAP error will occur.
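
The squid.conf posted in this thread declares the request service with `bypass=off` and the response service with `bypass=on`. In Squid, `bypass=off` makes a service essential, so an ICAP failure returns the error page quoted above, while `bypass=on` makes it optional, so the message goes through without being scanned. An added example (not part of the thread, pfSense or Squid) that reads those directives and reports the failure mode of each service; the function name is hypothetical, and only the `name point uri option=value` form of `icap_service` used in the thread is handled.

```python
# ICAP-related lines of the squid.conf posted in the thread above.
THREAD_SQUID_CONF = """\
icap_enable on
icap_send_client_ip on
icap_send_client_username off
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all
"""


def audit_icap(conf_text):
    """Report how each ICAP service in squid.conf text behaves when the ICAP server fails."""
    settings, services, allowed = {}, {}, set()
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) < 2:
            continue
        key, args = tokens[0], tokens[1:]
        if key == "icap_service" and len(args) >= 3:
            name, point, uri = args[:3]
            opts = dict(a.split("=", 1) for a in args[3:] if "=" in a)
            # Without a bypass option Squid treats the service as essential.
            bypass = opts.get("bypass", "off") in ("on", "1")
            services[name] = {
                "point": point,
                "uri": uri,
                "on_failure": "unscanned" if bypass else "error page",
            }
        elif key == "adaptation_access" and len(args) >= 2 and args[1] == "allow":
            allowed.add(args[0])
        elif key.startswith("icap_"):
            settings[key] = args[0]

    findings = []
    if settings.get("icap_enable") != "on":
        findings.append("icap_enable is not on: no ICAP service is consulted at all")
    if services and settings.get("icap_send_client_ip") != "on":
        findings.append("icap_send_client_ip is not on: c-icap logs 'clientip is null'")
    for name, svc in services.items():
        if name not in allowed:
            findings.append(f"{name}: no adaptation_access allow rule, service is never used")
        elif svc["on_failure"] == "unscanned":
            findings.append(f"{name}: bypass=on, traffic passes unscanned while c-icap is failing")
        else:
            findings.append(f"{name}: bypass=off, clients get 'ICAP protocol error' while c-icap is failing")
    return {"services": services, "findings": findings}


if __name__ == "__main__":
    for finding in audit_icap(THREAD_SQUID_CONF)["findings"]:
        print(finding)
```

With this configuration, a c-icap outage blocks every request (the request service is essential) and, if only the response path fails, lets downloads through unchecked.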
