Amos,
I removed the line, like you said, and works fine. It was my fault I
forgot that line on my test, anyway thank you my friend. Now I can use
ICAP for filtering web contents and via parent proxy scan for threats.
Thank all,
Thiago Cruz
On 10/9/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
> Thiago Cruz wrote:
> > I had forgotten to negate ICP, but I've inserted it now.
> >
> > I made a workaround for this ICAP problem but I must have another ICAP
> > server just for filtering theses no authentication sites and
> > unfortunately it isn't a good solution.
> >
> > Any Idea?
>
> Sorry, I mis-spelled the quote.
> You said earlier before I joined the thread that you "when I negate
> ICAP for some ACL it bypass cache_peer too" (cut-n-paste this time :-)
>
>
> I must be going blind. An idea just occurs to me:
>
> always_direct allow sites_no_authentication
> means bypass any peers and go direct for 'sites_no_authentication'
>
> never_direct allow all
> means NOTHING can go direct, use peer or fail.
>
> If this idea is right, then the always_direct is kicking all the peer
> logics aside and forcing it to go direct before the never_direct gets
> tested.
>
> Try this:
> always_direct deny sites_no_authentication
>
> or remove the line and finish with:
> always_direct deny all
>
> Amos
>
>
> >
> > []'s
> > Thiago Cruz
> >
> > On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
> >>> Of course not, here is it:
> >> Thank you. Everything look normal to me.
> >> What do you do to "negate ICP for some ACL"?
> >>
> >> Amos
> >>
> >>> +++++++++++++++++++++++++++++++++++
> >>> http_port 8080
> >>> icp_port 0
> >>> hierarchy_stoplist cgi-bin ?
> >>> acl QUERY urlpath_regex cgi-bin \?
> >>> cache deny QUERY
> >>> refresh_pattern ^ftp: 1440 20% 10080
> >>> refresh_pattern ^gopher: 1440 0% 1440
> >>> refresh_pattern . 0 20% 4320
> >>> visible_hostname cacheteste.hm
> >>> cache_log /var/log/squid/cache.log
> >>> cache_store_log none
> >>> debug_options ALL,1
> >>>
> >>> memory_replacement_policy lru
> >>> logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul
> >>> %Sh/%<A %mt
> >>>
> >>> cache_access_log /var/log/squid/access.log squidmime_extended
> >>>
> >>> auth_param ntlm program /usr/bin/ntlm_auth
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>> auth_param ntlm children 80
> >>>
> >>> auth_param basic program /usr/bin/ntlm_auth
> >>> --helper-protocol=squid-2.5-basic
> >>> auth_param basic children 3
> >>> auth_param basic realm HM
> >>> auth_param basic credentialsttl 2 hours
> >>>
> >>> external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN
> >>> /usr/lib/squid/wbinfo_group.pl
> >>>
> >>> acl PURGE method PURGE
> >>>
> >>> acl all src 0.0.0.0/0.0.0.0
> >>> acl manager proto cache_object
> >>> acl localhost src 127.0.0.1/255.255.255.255
> >>> acl squid-stat src 172.17.6.126/255.255.255.255
> >>> acl to_localhost dst 127.0.0.0/8
> >>> acl SSL_ports port 443
> >>> acl Safe_ports port 80
> >>> acl Safe_ports port 21
> >>> acl Safe_ports port 443
> >>> acl Safe_ports port 70
> >>> acl Safe_ports port 210
> >>> acl Safe_ports port 1025-65535
> >>> acl Safe_ports port 280
> >>> acl Safe_ports port 488
> >>> acl Safe_ports port 591
> >>> acl Safe_ports port 777
> >>> acl CONNECT method CONNECT
> >>> acl INTRANET dstdomain .hm .hm.com.br
> >>> acl USERS_ALLOW external NTGroup @HM_USUARIOS
> >>> acl sites_no_authentication url_regex
> "/etc/squid/sites_no_authentication"
> >>> acl JAVA-SUN browser -i java
> >>>
> >>> http_access allow PURGE localhost
> >>> http_access deny PURGE
> >>>
> >>> http_access allow manager localhost
> >>> http_access deny manager
> >>> http_access deny !Safe_ports
> >>> deny_info BC_Safe_ports Safe_ports
> >>>
> >>> http_access deny CONNECT !SSL_ports
> >>> deny_info BC_not_SSL_ports SSL_ports
> >>>
> >>> http_access allow sites_no_authentication
> >>> http_access allow JAVA-SUN
> >>> http_access deny TERMO
> >>> deny_info BC_TERMO TERMO
> >>> http_access allow INTRANET
> >>> http_access allow all USERS_ALLOW
> >>> http_access deny all
> >>> deny_info BC_ACESSO_NEGADO all
> >>>
> >>> always_direct allow sites_no_authentication
> >>> always_direct allow JAVA-SUN
> >>> always_direct allow INTRANET
> >>> always_direct allow CONNECT
> >>>
> >>> never_direct allow all
> >>>
> >>> cache_effective_user squid
> >>> cache_effective_group squid
> >>>
> >>> err_html_text mailto:ti.inf@hm.com.br
> >>>
> >>> coredump_dir /usr/local/squid/var/cache
> >>> forwarded_for on
> >>>
> >>> icap_enable on
> >>> icap_preview_enable on
> >>> icap_send_client_ip on
> >>> icap_send_client_username on
> >>> icap_client_username_header X-Authenticated-User
> >>> icap_client_username_encode on
> >>> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> >>> icap_service service_2 respmod_precache 0
> icap://127.0.0.1:1344/wwrespmod
> >>>
> >>> icap_class filtro_url service_1 service_2
> >>>
> >>> icap_access filtro_url deny sites_no_authentication
> >>> icap_access filtro_url allow USERS_ALLOW
> >>>
> >>> icap_access filtro_url deny all
> >>>
> >>> cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest
> >>> default
> >>> +++++++++++++++++++++++++++++++++++
> >>>
> >>> Although I have one server only for tests, the debug mode is too big.
> >>> But if it's necessary should I post it here?
> >>>
> >>> Thanks
> >>> Thiago Cruz
> >>>
> >>> On 10/8/07, Amos Jeffries <squid3@treenet.co.nz> wrote:
> >>>> Thiago Cruz wrote:
> >>>>> Hello H. Nordstrom,
> >>>>>
> >>>>> I had already read that but unfortunately it didn't work. For some
> >>>>> reason when I negate ICAP for some ACL it bypass cache_peer too.
> >>>> Most weird. Would you mind posting the related config both negated and
> >>>> non-negated for comparison?
> >>>>
> >>>>
> >>>>> Debug
> >>>>> all 9 could help us?
> >>>> Possibly. It will generate a LOT of data for even moderate server load.
> >>>> I'd suggest starting at 5-6 to peek where the problems might be, then
> >>>> raise a particular section.
> >>>>
> >>>> Amos
> >>>>
> >>>>
> >>>>> On 10/6/07, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> >>>>>> On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote:
> >>>>>>> I solved the problem which squid wasn't sending respmod using Squid3
> >>>>>>> RC1, but I have another problem, when I don't want to use ICAP (acl
> >>>>>>> sites_no_authentication), the squid bypass the cache peer too. Is
> >>>>>>> there some way to force it to use cache_peer?
> >>>>>> Squid FAQ How do I configure Squid forward all requests to another
> >>>>>> proxy?
> >>>>>>
> >>
> <url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027>
> >>>>>> Regards
> >>>>>> Henrik
> >>>>>>
> >>>>
> >>
> >>
>
>
Received on Tue Oct 09 2007 - 13:53:25 MDT
This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT