Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    proxy server is refusing connections - ICAP Error when Antivirus Enabled

    Cache/Proxy
    3
    13
    3.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 4
      4o4rh
      last edited by 4o4rh

      configured squid in both transparent and non-transparent.
      only testing with HTTP

      Have enabled on LAN interfaces and use interface for allowed users.
      authentication set to none.

      3128 Port shows as listening.

      in the real time logs, both browsing activities show with
      TCP_MISS/200

      however, when i set the browser to use the proxy, i get
      proxy server is refusing connections

      I also lose access to the pfsense box, even though it should not be in the proxy.

      1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8
        last edited by

        hard to tell
        you should post some screenshot of your proxy configuration to understand what's wrong

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 0
        • 4
          4o4rh
          last edited by

          i can

          telnet proxyhost 3128
          
          Trying proxyhost...
          Connected to proxyhost.
          Escape character is '^]'.
          

          so
          General
          Enable Squid Proxy X
          Proxy Interface(s) LAN1 and LAN2
          Allow Users on Interface X

          Transparent (tried both enabled/disabled) same result
          Antivirus (tried both enabled/disabled) same result

          ACLs
          Allowed Subnets 192.168.0.0/23 (have tried with/without)

          Authentication
          Authentication Method None

          I added a 3128/3129 to the allowed ports as a LAN rule

          GertjanG 1 Reply Last reply Reply Quote 0
          • kiokomanK
            kiokoman LAYER 8
            last edited by

            not enought information, we realy need screenshot as most of the time people think to have done ABC and instead they do BCD

            I replicated your configuration as you wrote it and it works for me without problems
            there are no known bug that can do this so it must be some misconfiguration

            compare with my screenshot
            squid1.jpg
            squid2.jpg
            squid3.jpg
            squid4.jpg
            squid5.jpg
            squid6.jpg

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan @4o4rh
              last edited by Gertjan

              Example :

              @gwaitsi said in proxy server is refusing connections:

              I added a 3128/3129 to the allowed ports as a LAN rule

              This is not needed.
              Default, all incoming connections on LAN are permitted.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              4 1 Reply Last reply Reply Quote 0
              • 4
                4o4rh @Gertjan
                last edited by 4o4rh

                @Gertjan info i provided is exactly the same as in your screenshots and pass through is required because i block all ports on lan as well.

                from squid.conf is the following

                acl purge method PURGE
                acl connect method CONNECT
                
                # Define protocols used for redirects
                acl HTTP proto HTTP
                acl HTTPS proto HTTPS
                acl allowed_subnets src 192.168.0.0/23
                http_access allow manager localhost
                
                http_access deny manager
                http_access allow purge localhost
                http_access deny purge
                http_access deny !safeports
                http_access deny CONNECT !sslports
                
                # Always allow localhost connections
                http_access allow localhost
                
                acl sglog url_regex -i sgr=ACCESSDENIED
                http_access deny sglog
                # Setup allowed ACLs
                # Allow local network(s) on interface(s)
                http_access allow allowed_subnets
                http_access allow localnet
                
                # Default block all to be sure
                http_access deny allsrc
                icap_enable on
                icap_send_client_ip on
                icap_send_client_username off
                icap_client_username_encode off
                icap_client_username_header X-Authenticated-User
                icap_preview_enable on
                icap_preview_size 1024
                
                icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
                adaptation_access service_avi_req allow all
                icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
                adaptation_access service_avi_resp allow all
                
                1 Reply Last reply Reply Quote 0
                • kiokomanK
                  kiokoman LAYER 8
                  last edited by

                  how about this part?
                  shutdown_lifetime 3 seconds

                  # Allow local network(s) on interface(s)
                  acl localnet src  192.168.1.0/24 192.168.3.0/24 192.168.2.0/24
                  forwarded_for on
                  httpd_suppress_version_string on
                  uri_whitespace strip
                  

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                  4 1 Reply Last reply Reply Quote 0
                  • 4
                    4o4rh @kiokoman
                    last edited by 4o4rh

                    @kiokoman they are there
                    forwarded_for on
                    uri_whitespace strip

                    but i don't have this one
                    httpd_suppress_version_string on

                    I don't understand it, because if i do the following on the pfsense box, i get

                    netstat -ln
                    tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33796                           ESTABLISHED
                    tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33792                           ESTABLISHED
                    tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33788                           ESTABLISHED
                    

                    I have the network proxy manually set on linux mint, but firefox using no proxy when it works.
                    As soon as i switch to the proxy on firefox, i get the refusing connections errors.

                    Must be something with the ACLs, but authentication is set to no.

                    1 Reply Last reply Reply Quote 0
                    • kiokomanK
                      kiokoman LAYER 8
                      last edited by kiokoman

                      if you set transparent proxy you don't need to configure proxy on web browser, all the http traffic should be automatically intercepted by squid

                      httpd_suppress_version_string -> not important right now

                      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                      Please do not use chat/PM to ask for help
                      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                      4 1 Reply Last reply Reply Quote 0
                      • 4
                        4o4rh @kiokoman
                        last edited by 4o4rh

                        @kiokoman both transparent and forwarding, give the same problem on both the test and production systems.

                        I've had some progress. I now have HTTP caching working without Antivirus.
                        I added custom patterns, and checked and re-saved each of the pages (had antivirus off) and it started working.

                        have blocked HTTP on the WAN so it is definitely going via squid and i am now seeing
                        TCP_TUNNEL/200 and HITS in the real-time log.

                        Problem starts when i enable antivirus now. If i continue to browse previously cache HTTP site, i get the following.

                        The following error was encountered while trying to retrieve the URL: http://www.xxx.xx/
                        ICAP protocol error.
                        The system returned: [No Error]
                        This means that some aspect of the ICAP communication failed.
                        Some possible problems are:
                            The ICAP server is not reachable.
                            An Illegal response was received from the ICAP server.
                        

                        toggle antivirus on/off, and it works, or stops with antivirus on.

                        1 Reply Last reply Reply Quote 0
                        • 4
                          4o4rh
                          last edited by 4o4rh

                          This has to be a bug with the Antivirus/ICAP config. I have duplicated the setup on the test environment and replicated the same behavior. Simply put,

                          • install Squid in either transparent or forward mode (start with only HTTP) to keep it simple.
                          • block HTTP from the WAN
                          • setup the proxy manually at one or both system and/or firefox
                          • browse HTTP only site

                          With antivirus enabled, it doesn't work.
                          With antivirus disabled, it does work.
                          Using latest pfsense 2.4.4_p3


                          /var/log/c-icap/server.log
                          ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf

                          made the following config changes;
                          Included "Loopback" in the Proxy Interface
                          X-Forwarded Header Mode - Transparent (was - on previously)
                          URI Whitespace Characters Handling - set to Encode (was - strip)

                          It is now sort of working, but still gets the occasional ICAP error per above.

                          1 Reply Last reply Reply Quote 0
                          • kiokomanK
                            kiokoman LAYER 8
                            last edited by kiokoman

                            i don't have this problem even with antivirus enabled, did you set this option after enabling it?

                            Immagine.jpg

                            and pressed "Update AV" ?

                            but i have 2.5.0 right now that i can test

                            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                            Please do not use chat/PM to ask for help
                            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                            4 1 Reply Last reply Reply Quote 0
                            • 4
                              4o4rh @kiokoman
                              last edited by 4o4rh

                              @kiokoman below was the solution

                              • add Loopback to the Proxy Interfaces
                              • X-Forwarded Header Mode - Transparent (was - on previously)

                              and importantly, there is a bug with the "Allow Users on Interface" - it doesn't work!

                              ACls - Allowed Subnet still needs to have the subnet plus the localhost
                              192.168.0.0/24
                              127.0.0.1/32

                              another thing i found, switching from forwarding to transparent mode, it is necessary to reboot the router.
                              Not enough to restart the service, or the same ICAP error will occur.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.