Re: [squid-users] ICAP help

2008-11-28 Thread Amos Jeffries

Matus UHLAR - fantomas wrote:
> On 28.11.08 08:52, [EMAIL PROTECTED] wrote:
>> Found my error in spelling mistake for downloads instead of download.
>>
>> but how come eicar.com and eicar.com.txt dint had any problem. Problem was
>> only for compress files i guess coz i requires to download and scan
>>
>> One more question
>> Is it possible to scan (download) any https request
>
> no, https is encrypted, so only users' browser and web server know what's
> inside. That's the purpose of https.


That is the purpose of the SslBump feature in 3.1. It man-in-middles
HTTPS CONNECT requests going through Squid and allows AV scanning of 
decrypted traffic.
It is not silent however. HTTPS by design makes such interaction a loud 
process.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


Re: [squid-users] ICAP help

2008-11-28 Thread Matus UHLAR - fantomas
On 28.11.08 08:52, [EMAIL PROTECTED] wrote:
> Found my error in spelling mistake for downloads instead of download.
> 
> but how come eicar.com and eicar.com.txt dint had any problem. Problem was
> only for compress files i guess coz i requires to download and scan
> 
> One more question
> Is it possible to scan (download) any https request

no, https is encrypted, so only users' browser and web server know what's
inside. That's the purpose of https.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: [squid-users] ICAP help

2008-11-27 Thread malmeida
Thanks Christos,

Found my error in spelling mistake for downloads instead of download.

but how come eicar.com and eicar.com.txt dint had any problem. Problem was
only for compress files i guess coz i requires to download and scan

One more question
Is it possible to scan (download) any https request

//Remy 


On Thu, 27 Nov 2008 23:20:17 +0200, Christos Tsantilas
<[EMAIL PROTECTED]> wrote:
> Hi Remy,
> 
>   OK so squid use the ICAP server and probably the squid part of your 
> configuration is OK.
> 
> Please look on both squid logs and icap server logs for error messages. 
> Should exist something in the logs which explains the reason of the error.
> 
> Also look in your c-icap configuration. For example, has the c-icap 
> server write access to all directories in which is trying to write? The 
> /var/tmp and /tmp/download/ directories in your case. (Also c-icap has 
> its own mailing list probably you should ask here..)
> 
> --
>Christos
> 
> [EMAIL PROTECTED] wrote:
>> Thanks Christos,
>> 
>> after purging it from squid cache it work fine able to scan.
>> But now another problem when I try to download a zip virus file
>> http://www.eicar.org/download/eicar_com.zip
>> 
>> ERROR in the browser
>> The following error was encountered while trying to retrieve the URL:
>> http://www.eicar.org/download/eicar_com.zip
>> 
>> ICAP protocol error.
>> 
>> The system returned: [No Error]
>> 
>> This means that some aspect of the ICAP communication failed.
>> 
>> Some possible problems are:
>> 
>> *
>> 
>>   The ICAP server is not reachable.
>> *
>> 
>>   An Illegal response was received from the ICAP server.
>> 
>> 
>> //Remy
>> 
>>



Re: [squid-users] ICAP help

2008-11-27 Thread Christos Tsantilas

Hi Remy,

 OK so squid use the ICAP server and probably the squid part of your 
configuration is OK.


Please look on both squid logs and icap server logs for error messages. 
Should exist something in the logs which explains the reason of the error.


Also look in your c-icap configuration. For example, has the c-icap 
server write access to all directories in which is trying to write? The 
/var/tmp and /tmp/download/ directories in your case. (Also c-icap has 
its own mailing list probably you should ask here..)


--
  Christos

[EMAIL PROTECTED] wrote:

Thanks Christos,

after purging it from squid cache it work fine able to scan.
But now another problem when I try to download a zip virus file
http://www.eicar.org/download/eicar_com.zip

ERROR in the browser
The following error was encountered while trying to retrieve the URL:
http://www.eicar.org/download/eicar_com.zip

ICAP protocol error.

The system returned: [No Error]

This means that some aspect of the ICAP communication failed.

Some possible problems are:

*

  The ICAP server is not reachable.
*

  An Illegal response was received from the ICAP server.


//Remy
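
Added example, not part of the original thread: one way to run the write-access check suggested in this reply, in Python. It reads TmpDir and srv_clamav.VirSaveDir from c-icap.conf text and classifies each directory for a given uid and group set from permission bits only; the demo paths are constructed temporary directories with a one-letter mismatch between the configured and the existing directory name.

```python
import os
import stat
import tempfile

# c-icap.conf directives that name directories the server writes into; these
# are the two settings behind the paths mentioned in the reply above.
WRITE_DIRS = ("TmpDir", "srv_clamav.VirSaveDir")


def parse_cicap_conf(text):
    """Return {directive: value}; the last occurrence of a directive wins."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def dir_verdict(path, uid, gids):
    """Classify path for a process running with this uid and these gids.

    Uses permission bits only: ACLs, root's override and read-only mounts
    are not modelled. Returns "ok", "denied", "missing" or "not-a-directory".
    """
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "not-a-directory"
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    # Creating files in a directory needs both write and search permission.
    return "ok" if st.st_mode & need == need else "denied"


def check_write_dirs(conf_text, uid, gids):
    """Map each write-directory directive to (configured path, verdict)."""
    conf = parse_cicap_conf(conf_text)
    return {name: (conf[name], dir_verdict(conf[name], uid, gids))
            for name in WRITE_DIRS if name in conf}


def demo():
    """Constructed case: 'download' exists on disk, the config says 'downloads'."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "download"))
    conf = (f"User proxy\nGroup nobody\nTmpDir {root}\n"
            f"srv_clamav.VirSaveDir {root}/downloads/\n")
    return check_write_dirs(conf, os.getuid(), set(os.getgroups()))


if __name__ == "__main__":
    for name, (path, verdict) in demo().items():
        print(f"{name:24} {verdict:8} {path}")
```

On a real host, pass the contents of c-icap.conf and resolve the configured User and Group with pwd.getpwnam() and grp.getgrnam() to get the uid and gid to test.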




Re: [squid-users] ICAP help

2008-11-27 Thread malmeida
Thanks Christos,

after purging it from squid cache it work fine able to scan.
But now another problem when I try to download a zip virus file
http://www.eicar.org/download/eicar_com.zip

ERROR in the browser
The following error was encountered while trying to retrieve the URL:
http://www.eicar.org/download/eicar_com.zip

ICAP protocol error.

The system returned: [No Error]

This means that some aspect of the ICAP communication failed.

Some possible problems are:

*

  The ICAP server is not reachable.
*

  An Illegal response was received from the ICAP server.


//Remy


On Thu, 27 Nov 2008 21:46:15 +0200, Christos Tsantilas
<[EMAIL PROTECTED]> wrote:
> OK this is when you are using the icap-client. What about when you are 
> using squid3?
> 
> - Are you seeing any log entries in c-icap log files? Just to see if 
> squid contacts the icap server...
> 
>   - Do you see any error message in squid3 cache.log file? Maybe for a 
> reason squid can not access the icap server.
> 
>   - What are you seeing in your web browser? How are you testing your 
> configuration? If you are just trying to download the eicar.com file it 
> is probably stored in your squid cache or your web browser cache before 
> you install the icap server. You need to remove it from your cache. Look 
> in FAQ for info: 
> http://wiki.squid-cache.org/SquidFaq/OperatingSquid#head-f418956943bd72ee8b94390ec9df241c3d1dfd20
> Also be sure that you had delete any web browser cache before the test.
> 
> Regards,
>   Christos
> 
> 
> [EMAIL PROTECTED] wrote:
>> Test sample output
>> 
>> 
>> /usr/local/c_icap/bin# /usr/local/c_icap/bin/icap-client -f
>> /home/remy/Desktop/eicar.com.txt  -s
>> "srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple"
>> ICAP server:localhost, ip:127.0.0.1, port:1344
>> 
>> 
>> 
>> 
>> 
>> 
>> VIRUS FOUND
>> 
>> You try to upload/download a file that contain the virus
>> Eicar-Test-Signature
>> This message generated by C-ICAP/060708rc1 srvClamAV/antivirus module
>>  
>> 
>> 
>> #for sample virus file test access log file of c-icap
>> tail -f /usr/local/c_icap/var/log/access.log
>> Thu Nov 27 23:09:48 2008, 127.0.0.1, 127.0.0.1, OPTIONS,
>> srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple, OK
>> Thu Nov 27 23:09:48 2008, 127.0.0.1, 127.0.0.1, RESPMOD,
>> srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple, OK
>> 
>> #for sample virus file test access log file of c-icap
>> tail -f /usr/local/c_icap/var/log/server.log 
>> Thu Nov 27 23:09:48 2008, general, VIRUS DETECTED:Eicar-Test-Signature.
>> Take action...
>> 
>> //Remy
>> 
>> 
>> On Thu, 27 Nov 2008 19:50:16 +0200, Christos Tsantilas
>> <[EMAIL PROTECTED]> wrote:
>>> [EMAIL PROTECTED] wrote:
>>>> Hi Christos,
>>>>
>>>> I think I have not made my self clear
>>>>
>>>> first of all I don't have icap_class and icap_access in my squid.conf file
>>>> since you said
>>>>> Your configuration should also contain something like the following:
>>>>>
>>>>>    icap_class class_avi  service_avi
>>>>>    icap_access class_avi allow all
>>>> I did those changes as per you and got that message
>>>>
>>>> my problem is I have enabled icap support but some how its not work (not
>>>> able to scan)
>>>> if is use the icap-client command to test it work fine
>>>>
>>>> where is my mistake?
>>> Do you see  error messages in your squid3 server.log file?
>>> Are there any entries in  c-icap's access.log file?
>>> How are you testing it?
>>>
>>>> //Remy



Re: [squid-users] ICAP help

2008-11-27 Thread Christos Tsantilas
OK this is when you are using the icap-client. What about when you are 
using squid3?


- Are you seeing any log entries in c-icap log files? Just to see if 
squid contacts the icap server...


 - Do you see any error message in squid3 cache.log file? Maybe for a 
reason squid can not access the icap server.


 - What are you seeing in your web browser? How are you testing your 
configuration? If you are just trying to download the eicar.com file it 
is probably stored in your squid cache or your web browser cache before 
you install the icap server. You need to remove it from your cache. Look 
in FAQ for info: 
http://wiki.squid-cache.org/SquidFaq/OperatingSquid#head-f418956943bd72ee8b94390ec9df241c3d1dfd20

Also be sure that you had delete any web browser cache before the test.

Regards,
 Christos


[EMAIL PROTECTED] wrote:
> Test sample output
>
>
> /usr/local/c_icap/bin# /usr/local/c_icap/bin/icap-client -f
> /home/remy/Desktop/eicar.com.txt  -s
> "srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple"
> ICAP server:localhost, ip:127.0.0.1, port:1344
>
>
> VIRUS FOUND
>
> You try to upload/download a file that contain the virus
> Eicar-Test-Signature
> This message generated by C-ICAP/060708rc1 srvClamAV/antivirus module
>
>
> #for sample virus file test access log file of c-icap
> tail -f /usr/local/c_icap/var/log/access.log
> Thu Nov 27 23:09:48 2008, 127.0.0.1, 127.0.0.1, OPTIONS,
> srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple, OK
> Thu Nov 27 23:09:48 2008, 127.0.0.1, 127.0.0.1, RESPMOD,
> srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple, OK
>
> #for sample virus file test access log file of c-icap
> tail -f /usr/local/c_icap/var/log/server.log
> Thu Nov 27 23:09:48 2008, general, VIRUS DETECTED:Eicar-Test-Signature.
> Take action...
>
> //Remy
>
>
> On Thu, 27 Nov 2008 19:50:16 +0200, Christos Tsantilas
> <[EMAIL PROTECTED]> wrote:
>> [EMAIL PROTECTED] wrote:
>>> Hi Christos,
>>>
>>> I think I have not made my self clear
>>>
>>> first of all I don't have icap_class and icap_access in my squid.conf file
>>> since you said
>>>> Your configuration should also contain something like the following:
>>>>
>>>>    icap_class class_avi  service_avi
>>>>    icap_access class_avi allow all
>>> I did those changes as per you and got that message
>>>
>>> my problem is I have enabled icap support but some how its not work (not
>>> able to scan)
>>> if is use the icap-client command to test it work fine
>>>
>>> where is my mistake?
>> Do you see  error messages in your squid3 server.log file?
>> Are there any entries in  c-icap's access.log file?
>> How are you testing it?
>>
>>> //Remy


Re: [squid-users] ICAP help

2008-11-27 Thread malmeida
Test sample output


/usr/local/c_icap/bin# /usr/local/c_icap/bin/icap-client -f
/home/remy/Desktop/eicar.com.txt  -s
"srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple"
ICAP server:localhost, ip:127.0.0.1, port:1344






VIRUS FOUND

You try to upload/download a file that contain the virus
Eicar-Test-Signature
This message generated by C-ICAP/060708rc1 srvClamAV/antivirus module
 


#for sample virus file test access log file of c-icap
tail -f /usr/local/c_icap/var/log/access.log
Thu Nov 27 23:09:48 2008, 127.0.0.1, 127.0.0.1, OPTIONS,
srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple, OK
Thu Nov 27 23:09:48 2008, 127.0.0.1, 127.0.0.1, RESPMOD,
srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple, OK

#for sample virus file test access log file of c-icap
tail -f /usr/local/c_icap/var/log/server.log 
Thu Nov 27 23:09:48 2008, general, VIRUS DETECTED:Eicar-Test-Signature.
Take action...

//Remy


On Thu, 27 Nov 2008 19:50:16 +0200, Christos Tsantilas
<[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>> Hi Christos,
>> 
>> I think I have not made my self clear
>> 
>> first of all I don't have icap_class and icap_access in my squid.conf file
>> since you said
>>> Your configuration should also contain something like the following:
>>>
>>>    icap_class class_avi  service_avi
>>>    icap_access class_avi allow all
>> I did those changes as per you and got that message
>> 
>> my problem is I have enabled icap support but some how its not work (not
>> able to scan)
>> if is use the icap-client command to test it work fine
>> 
>> where is my mistake?
> 
> Do you see  error messages in your squid3 server.log file?
> Are there any entries in  c-icap's access.log file?
> How are you testing it?
> 
>> 
>> //Remy
>> 



Re: [squid-users] ICAP help

2008-11-27 Thread Christos Tsantilas

[EMAIL PROTECTED] wrote:
> Hi Christos,
>
> I think I have not made my self clear
>
> first of all I don't have icap_class and icap_access in my squid.conf file
> since you said
>> Your configuration should also contain something like the following:
>>
>>    icap_class class_avi  service_avi
>>    icap_access class_avi allow all
> I did those changes as per you and got that message
>
> my problem is I have enabled icap support but some how its not work (not
> able to scan)
> if is use the icap-client command to test it work fine
>
> where is my mistake?

Do you see  error messages in your squid3 server.log file?
Are there any entries in  c-icap's access.log file?
How are you testing it?

> //Remy





Re: [squid-users] ICAP help

2008-11-27 Thread malmeida
Hi Christos,

I think I have not made my self clear

first of all I don't have icap_class and icap_access in my squid.conf file
since you said
>>> Your configuration should also contain something like the following:
>>>
>>>icap_class class_avi  service_avi
>>>icap_access class_avi allow all
I did those changes as per you and got that message

my problem is I have enabled icap support but some how its not work (not
able to scan)
if is use the icap-client command to test it work fine

where is my mistake?

//Remy

On Thu, 27 Nov 2008 08:59:18 -0500 (EST), "Christos Tsantilas"
<[EMAIL PROTECTED]> wrote:
>> Hi Christos,
>>
>> I used icap_class and icap_access  but I get this
>>
>> 2008/11/27 17:07:44| Processing Configuration
>> File: /etc/squid/squid.conf (depth 0)
>> 2008/11/27 17:07:44| WARNING: 'icap_class' is depricated. Use
>> 'adaptation_service_set' instead
>> 2008/11/27 17:07:44| WARNING: 'icap_access' is depricated. Use
>> 'adaptation_access' instead
>> 2008/11/27 17:07:44| Initializing https proxy context
> 
> You are  using squid 3.1.x .
> Just replace the icap_class and icap_access lines with the following:
> 
> adaptation_service_set  class_avi  service_avi
> adaptation_access  class_avi allow all
> 
> The icap_class and icap_access are deprecated but should work too.
> 
> --
>Christos
> 
>>
>> //Remy
>>
>> On Thu, 2008-11-27 at 07:53 -0500, Christos Tsantilas wrote:
>>> > Hi All,
>>> >
>>> > Need help on how to configure c-icap to scan http,https and ftp
>>> request
>>> >
>>> > Sample virus to test
>>> > http://www.eicar.org/download/eicar.com
>>> >
>>> > my configuration is as below
>>> > to test my setup I used the above link but it was not scanned for
>>> virus
>>> > and I was able to downloaded it nothing is working
>>> > what am i missing?
>>> > can someone help me in this?
>>> >
>>> > #squid.conf
>>> > 
>>> > icap_enable on
>>> > icap_preview_enable on
>>> > icap_preview_size 128
>>> > icap_send_client_ip on
>>> > icap_service service_avi_req reqmod_precache 0
>>> > icap://localhost:1344/srv_clamav
>>> > icap_service service_avi respmod_precache 1
>>> > icap://localhost:1344/srv_clamav
>>> >
>>>
>>> You need to define an icap_class and define access list for this
>>> icap_class
>>> Why do you need virus scan for http requests?
>>> Your configuration should also contain something like the following:
>>>
>>>icap_class class_avi  service_avi
>>>icap_access class_avi allow all
>>>
>>> Regards,
>>>Christos
>>>
>>
>>



Re: [squid-users] ICAP help

2008-11-27 Thread Christos Tsantilas
> Hi Christos,
>
> I used icap_class and icap_access  but I get this
>
> 2008/11/27 17:07:44| Processing Configuration
> File: /etc/squid/squid.conf (depth 0)
> 2008/11/27 17:07:44| WARNING: 'icap_class' is depricated. Use
> 'adaptation_service_set' instead
> 2008/11/27 17:07:44| WARNING: 'icap_access' is depricated. Use
> 'adaptation_access' instead
> 2008/11/27 17:07:44| Initializing https proxy context

You are  using squid 3.1.x .
Just replace the icap_class and icap_access lines with the following:

adaptation_service_set  class_avi  service_avi
adaptation_access  class_avi allow all

The icap_class and icap_access are deprecated but should work too.

--
   Christos

>
> //Remy
>
> On Thu, 2008-11-27 at 07:53 -0500, Christos Tsantilas wrote:
>> > Hi All,
>> >
>> > Need help on how to configure c-icap to scan http,https and ftp
>> request
>> >
>> > Sample virus to test
>> > http://www.eicar.org/download/eicar.com
>> >
>> > my configuration is as below
>> > to test my setup I used the above link but it was not scanned for
>> virus
>> > and I was able to downloaded it nothing is working
>> > what am i missing?
>> > can someone help me in this?
>> >
>> > #squid.conf
>> > 
>> > icap_enable on
>> > icap_preview_enable on
>> > icap_preview_size 128
>> > icap_send_client_ip on
>> > icap_service service_avi_req reqmod_precache 0
>> > icap://localhost:1344/srv_clamav
>> > icap_service service_avi respmod_precache 1
>> > icap://localhost:1344/srv_clamav
>> >
>>
>> You need to define an icap_class and define access list for this
>> icap_class
>> Why do you need virus scan for http requests?
>> Your configuration should also contain something like the following:
>>
>>icap_class class_avi  service_avi
>>icap_access class_avi allow all
>>
>> Regards,
>>Christos
>>
>
>




Re: [squid-users] ICAP help

2008-11-27 Thread John Doe
> I used icap_class and icap_access  but I get this
> 
> 2008/11/27 17:07:44| Processing Configuration
> File: /etc/squid/squid.conf (depth 0)
> 2008/11/27 17:07:44| WARNING: 'icap_class' is depricated. Use
> 'adaptation_service_set' instead
> 2008/11/27 17:07:44| WARNING: 'icap_access' is depricated. Use
> 'adaptation_access' instead
> 2008/11/27 17:07:44| Initializing https proxy context

Follow squid's advice:
  icap_class => adaptation_service_set
  icap_access => adaptation_access
It must be mentioned in the squid.conf.default, have a look.

JD


  



Re: [squid-users] ICAP help

2008-11-27 Thread Mario Remy Almeida
Hi Christos,

I used icap_class and icap_access  but I get this

2008/11/27 17:07:44| Processing Configuration
File: /etc/squid/squid.conf (depth 0)
2008/11/27 17:07:44| WARNING: 'icap_class' is depricated. Use
'adaptation_service_set' instead
2008/11/27 17:07:44| WARNING: 'icap_access' is depricated. Use
'adaptation_access' instead
2008/11/27 17:07:44| Initializing https proxy context

//Remy

On Thu, 2008-11-27 at 07:53 -0500, Christos Tsantilas wrote:
> > Hi All,
> >
> > Need help on how to configure c-icap to scan http,https and ftp request
> >
> > Sample virus to test
> > http://www.eicar.org/download/eicar.com
> >
> > my configuration is as below
> > to test my setup I used the above link but it was not scanned for virus
> > and I was able to downloaded it nothing is working
> > what am i missing?
> > can someone help me in this?
> >
> > #squid.conf
> > 
> > icap_enable on
> > icap_preview_enable on
> > icap_preview_size 128
> > icap_send_client_ip on
> > icap_service service_avi_req reqmod_precache 0
> > icap://localhost:1344/srv_clamav
> > icap_service service_avi respmod_precache 1
> > icap://localhost:1344/srv_clamav
> >
> 
> You need to define an icap_class and define access list for this icap_class
> Why do you need virus scan for http requests?
> Your configuration should also contain something like the following:
> 
>icap_class class_avi  service_avi
>icap_access class_avi allow all
> 
> Regards,
>Christos
> 



Re: [squid-users] ICAP help

2008-11-27 Thread Christos Tsantilas
> Hi All,
>
> Need help on how to configure c-icap to scan http,https and ftp request
>
> Sample virus to test
> http://www.eicar.org/download/eicar.com
>
> my configuration is as below
> to test my setup I used the above link but it was not scanned for virus
> and I was able to downloaded it nothing is working
> what am i missing?
> can someone help me in this?
>
> #squid.conf
> 
> icap_enable on
> icap_preview_enable on
> icap_preview_size 128
> icap_send_client_ip on
> icap_service service_avi_req reqmod_precache 0
> icap://localhost:1344/srv_clamav
> icap_service service_avi respmod_precache 1
> icap://localhost:1344/srv_clamav
>

You need to define an icap_class and define access list for this icap_class
Why do you need virus scan for http requests?
Your configuration should also contain something like the following:

   icap_class class_avi  service_avi
   icap_access class_avi allow all

Regards,
   Christos
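
Added example, not part of the original thread: a Python check for the gap this reply identifies, an icap_service that no class or set with an allow rule ever selects, which also flags the two directive names that Squid 3.1 reports as deprecated in the follow-up replies. The sample configurations are constructed from the lines quoted in the thread; ACL matching is not modelled, so any allow rule counts as selecting its target.

```python
# Squid 3.1 logs these two names as deprecated (see the warnings in the thread).
RENAMED = {"icap_class": "adaptation_service_set",
           "icap_access": "adaptation_access"}


def audit_squid_icap(conf_text):
    """Report ICAP services that no allow rule ever sends traffic to."""
    services, groups, allowed, old_names = {}, {}, set(), set()
    enabled = False
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name in RENAMED:
            old_names.add(name)
            name = RENAMED[name]          # same meaning, newer spelling
        if name == "icap_enable":
            enabled = args[:1] == ["on"]
        elif name == "icap_service" and len(args) >= 2:
            services[args[0]] = args[1]   # service name -> vectoring point
        elif name == "adaptation_service_set" and args:
            groups[args[0]] = args[1:]
        elif name == "adaptation_access" and args[1:2] == ["allow"]:
            allowed.add(args[0])
    # An access rule may name a class/set or a single service.
    active = set()
    for target in allowed:
        active.update(groups.get(target, [target]))
    return {
        "icap_enabled": enabled,
        "unused_services": sorted(set(services) - active),
        "undefined_targets": sorted(active - set(services)),
        "deprecated": sorted(old_names),
    }


# Constructed samples: the icap_service lines are the thread's, joined onto
# one line each; the two lines appended to each "fixed" sample are the replies'.
SERVICES = """\
icap_enable on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
"""
ORIGINAL = SERVICES
FIXED_OLD_NAMES = SERVICES + """\
icap_class class_avi service_avi
icap_access class_avi allow all
"""
FIXED_3_1 = SERVICES + """\
adaptation_service_set class_avi service_avi
adaptation_access class_avi allow all
"""

if __name__ == "__main__":
    for label, conf in [("original", ORIGINAL), ("icap_*", FIXED_OLD_NAMES),
                        ("adaptation_*", FIXED_3_1)]:
        print(label, audit_squid_icap(conf))
```

With either fixed form only service_avi (RESPMOD) is selected; service_avi_req stays unused because the suggested class contains only the response-side service.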



[squid-users] ICAP help

2008-11-27 Thread Mario Remy Almeida
Hi All,

Need help on how to configure c-icap to scan http,https and ftp request

Sample virus to test
http://www.eicar.org/download/eicar.com

my configuration is as below
to test my setup I used the above link but it was not scanned for virus
and I was able to downloaded it nothing is working
what am i missing?
can someone help me in this?

#squid.conf

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav


#c-icap.conf
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild  0
Port 1344
User proxy
Group nobody
TmpDir /var/tmp
MaxMemObject 131072
ServerLog /usr/local/c_icap/var/log/server.log
AccessLog /usr/local/c_icap/var/log/access.log
DebugLevel 3
ModulesDir /usr/lib/c_icap
Module logger sys_logger.so
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
Logger file_logger
AclControllers default_acl
acl localsquid_respmod src 127.0.0.1 type respmod
acl localsquid_options src 127.0.0.1 type options
acl localsquid src 127.0.0.1
acl externalnet src 0.0.0.0/0.0.0.0
acl localnet_respmod src 10.200.2.0/255.255.255.0 type respmod
acl localnet_options src 10.200.2.0/255.255.255.0 type options
acl localnet src 10.200.2.0/255.255.255.0
icap_access allow localsquid_respmod
icap_access allow localsquid_options
icap_access allow localsquid
icap_access allow localnet_respmod
icap_access allow localnet_options
icap_access allow localnet
icap_access deny externalnet
icap_access log localsquid
icap_access log localnet
icap_access log externalnet
ServicesDir /usr/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
ServiceAlias  avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
# StartSendPercentDataAfter size
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
# previews for srv_clamav
srv_clamav.Allow204Responces off
srv_clamav.MaxObjectSize  5M
srv_clamav.ClamAvMaxFilesInArchive 0
srv_clamav.ClamAvMaxFileSizeInArchive 100M
srv_clamav.ClamAvMaxRecLevel 5
srv_clamav.VirSaveDir /tmp/download/
# get_file.pl script in contrib dir)
srv_clamav.VirHTTPServer  "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
srv_clamav.VirUpdateTime   15
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE

//Remy