Can't get ICAP working with squid

312 views
Skip to first unread message

justi...@gmail.com

unread,
Jul 5, 2019, 10:58:41 AM7/5/19
to e2guardian
Hi all,

I have e2guardian and squid built and running in docker containers. Both seem to be up and running. However, I am not able to get squid working with icap.

I used the icap configuration recommended in notes/icap:
#==== ICAP configuration ===
icap_enable on
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/request
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access service_req allow all
adaptation_access service_resp allow all
icap_send_client_ip on
icap_send_client_username on
adaptation_masterx_shared_names X-ICAP-E2G

When I send the request, I see this in the squid logs:
2019/07/05 14:48:05| essential ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/request [down,!opt]

Here is my e2guardian debug output:

hw0: 1562328368 ICAP debug : hw0: ICAP -persisting (count 3) Client IP: 172.17.0.1

hw0: 1562328368 ICAP debug : hw0: Start of request ICAPheader:in

hw0: 1562328368 ICAP debug : hw0: ICAPheader:in before getLine - timeout: 120000

hw0: 1562328370 ICAP debug : hw0: firstime: ICAPheader:in after getLine

hw0: 1562328370 ICAP debug : hw0: Returning from header:in client requests with ICAP length: 1 content:

hw0: 1562328370 ICAP debug : hw0: Request is size: 1 content:

hw0: 1562328370 ICAP debug : hw0: Request error is: 400 Bad Request Line:

hw0: 1562328370 ICAP debug : hw0: -ICAP Persistent connection closed

hw0: 1562328370 ICAP debug : hw0: ICAP -Attempting graceful connection close

Is there something I am missing here? Here is my e2guardian config:

languagedir = '/usr/share/e2guardian/languages'
language = 'ukenglish'
debuglevel = 'ALL'
debuglevelfile = '/var/log/e2guardian/debuge2'
loglevel = 3
logexceptionhits = 2
logfileformat = 6
dockermode = on
filterip = 127.0.0.1
filterports = 8080
icapport = 1344
proxytimeout = 5
connecttimeout = 5
proxyexchange = 61
pcontimeout = 55
usecustombannedimage = on
custombannedimagefile = '/usr/share/e2guardian/transparent1x1.gif'
usecustombannedflash = on
custombannedflashfile = '/usr/share/e2guardian/blockedflash.swf'
filtergroups = 1
filtergroupslist = '/etc/e2guardian/lists/filtergroupslist'
iplist = 'name=bannedclient,messageno=100,logmessageno=103,path=/etc/e2guardian/lists/bannediplist'
iplist = 'name=exceptionclient,messageno=600,path=/etc/e2guardian/lists/exceptioniplist'
user authentication
iplist = 'name=authexception,messageno=602,path=/etc/e2guardian/lists/authexceptioniplist'
sitelist = 'name=authexception,messageno=602,path=/etc/e2guardian/lists/authexceptionsitelist'
urllist = 'name=authexception,messageno=603,path=/etc/e2guardian/lists/authexceptionurllist'
showweightedfound = on
weightedphrasemode = 2
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/e2guardian/downloadmanagers/default.conf'
contentscannertimeout = 60
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
httpworkers = 200
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
enablessl = off
preauthstoryboard = '/etc/e2guardian/preauth.story'
searchsitelistforip = on

FredB

unread,
Jul 5, 2019, 12:01:20 PM7/5/19
to justi...@gmail.com, e2guardian
It should works
Which version and which os in your dockerfile (and more details about please)

Are you using sslbump ?


--
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.

Justin Michael Schwartzbeck

unread,
Jul 6, 2019, 3:21:27 PM7/6/19
to FredB, e2guardian
The dockerfile uses raspbian/stretch as the base. I am using version 5.3. You can see my dockerfile here (it hasn't been updatd to 5.3 yet, but my local one is):

My squid is 3.5.27, also running on raspbian/stretch. Here is my dockerfile for that one:

Yes, I am using sslbump with squid.

FredB

unread,
Jul 6, 2019, 4:01:02 PM7/6/19
to Justin Michael Schwartzbeck, e2guardian
You are using the two differents dockerfile, how the connection can works with 127.0.0.1 address? I guess you should add a docker network between both ?

Justin Schwartzbeck

unread,
Jul 6, 2019, 10:19:32 PM7/6/19
to FredB, e2guardian
I am exposing port 1344 for testing. From the logs I showed you, the request is getting through to e2guardian, but for some reason is causing an error. I get the same thing if I try to get the options using telnet.

justi...@gmail.com

unread,
Jul 10, 2019, 7:50:48 AM7/10/19
to e2guardian
Hi Fred. It turns out you were right, squid is not reaching e2guardian's icap port over 127.0.0.1. Also my telnet icap request was wrong. I exposed port 1344 and used my host's IP to connect from squid, and it works. Now I just need to research how to configure it so that it reaches the internal network instead, so that I don't have to expose that port or use the host IP.

Thanks for your help

Reply all
Reply to author
Forward
0 new messages