Netgate Discussion Forum

proxy server is refusing connections - ICAP Error when Antivirus Enabled

Cache/Proxy
    4o4rh, posted Aug 23, 2019, 6:56 AM (last edited by 4o4rh Aug 23, 2019, 10:01 PM)

    Configured squid in both transparent and non-transparent mode.
    Only testing with HTTP.

    Have enabled on LAN interfaces and use interface for allowed users.
    Authentication set to none.

    3128 port shows as listening.

    In the real time logs, both browsing activities show with
    TCP_MISS/200

    However, when I set the browser to use the proxy, I get
    proxy server is refusing connections

    I also lose access to the pfsense box, even though it should not be in the proxy.

      kiokoman (LAYER 8), Aug 23, 2019, 8:23 AM

      Hard to tell.
      You should post some screenshots of your proxy configuration to understand what's wrong.

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        4o4rh, Aug 23, 2019, 8:48 AM

        I can

        telnet proxyhost 3128
        
        Trying proxyhost...
        Connected to proxyhost.
        Escape character is '^]'.
        

        So:
        General
        Enable Squid Proxy: X
        Proxy Interface(s): LAN1 and LAN2
        Allow Users on Interface: X

        Transparent (tried both enabled/disabled): same result
        Antivirus (tried both enabled/disabled): same result

        ACLs
        Allowed Subnets: 192.168.0.0/23 (have tried with/without)

        Authentication
        Authentication Method: None

        I added 3128/3129 to the allowed ports as a LAN rule.

          kiokoman (LAYER 8), Aug 23, 2019, 9:27 AM

          Not enough information, we really need screenshots, as most of the time people think they have done ABC and instead they did BCD.

          I replicated your configuration as you wrote it and it works for me without problems.
          There are no known bugs that can do this, so it must be some misconfiguration.

          Compare with my screenshots:
          [screenshot attachments not visible in this capture]


            Gertjan, replying to 4o4rh, posted Aug 23, 2019, 9:43 AM (last edited by Gertjan Aug 23, 2019, 9:44 AM)

            Example:

            @gwaitsi said in proxy server is refusing connections:

            I added a 3128/3129 to the allowed ports as a LAN rule

            This is not needed.
            By default, all incoming connections on LAN are permitted.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit: and where are the logs??

              4o4rh, replying to Gertjan, posted Aug 23, 2019, 10:01 AM (last edited by 4o4rh Aug 23, 2019, 10:51 AM)

              @Gertjan The info I provided is exactly the same as in your screenshots, and pass-through is required because I block all ports on LAN as well.

              From squid.conf is the following:

              acl purge method PURGE
              acl connect method CONNECT
              
              # Define protocols used for redirects
              acl HTTP proto HTTP
              acl HTTPS proto HTTPS
              acl allowed_subnets src 192.168.0.0/23
              http_access allow manager localhost
              
              http_access deny manager
              http_access allow purge localhost
              http_access deny purge
              http_access deny !safeports
              http_access deny CONNECT !sslports
              
              # Always allow localhost connections
              http_access allow localhost
              
              acl sglog url_regex -i sgr=ACCESSDENIED
              http_access deny sglog
              # Setup allowed ACLs
              # Allow local network(s) on interface(s)
              http_access allow allowed_subnets
              http_access allow localnet
              
              # Default block all to be sure
              http_access deny allsrc
              icap_enable on
              icap_send_client_ip on
              icap_send_client_username off
              icap_client_username_encode off
              icap_client_username_header X-Authenticated-User
              icap_preview_enable on
              icap_preview_size 1024
              
              icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
              adaptation_access service_avi_req allow all
              icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
              adaptation_access service_avi_resp allow all
              
                kiokoman (LAYER 8), Aug 23, 2019, 11:15 AM

                How about this part?
                shutdown_lifetime 3 seconds

                # Allow local network(s) on interface(s)
                acl localnet src  192.168.1.0/24 192.168.3.0/24 192.168.2.0/24
                forwarded_for on
                httpd_suppress_version_string on
                uri_whitespace strip
                


                  4o4rh, replying to kiokoman, posted Aug 23, 2019, 1:00 PM (last edited by 4o4rh Aug 23, 2019, 1:10 PM)

                  @kiokoman They are there:
                  forwarded_for on
                  uri_whitespace strip

                  but I don't have this one:
                  httpd_suppress_version_string on

                  I don't understand it, because if I do the following on the pfsense box, I get

                  netstat -ln
                  tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33796                           ESTABLISHED
                  tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33792                           ESTABLISHED
                  tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33788                           ESTABLISHED
                  

                  I have the network proxy manually set on Linux Mint, but Firefox uses no proxy when it works.
                  As soon as I switch to the proxy in Firefox, I get the refusing connections errors.

                  Must be something with the ACLs, but authentication is set to none.

                    kiokoman (LAYER 8), posted Aug 23, 2019, 1:56 PM (last edited by kiokoman Aug 23, 2019, 1:58 PM)

                    If you set transparent proxy you don't need to configure the proxy in the web browser; all the HTTP traffic should be automatically intercepted by squid.

                    httpd_suppress_version_string -> not important right now


                      4o4rh, replying to kiokoman, posted Aug 23, 2019, 1:59 PM (last edited by 4o4rh Aug 23, 2019, 5:17 PM)

                      @kiokoman Both transparent and forwarding give the same problem on both the test and production systems.

                      I've had some progress. I now have HTTP caching working without Antivirus.
                      I added custom patterns, and checked and re-saved each of the pages (had antivirus off) and it started working.

                      Have blocked HTTP on the WAN so it is definitely going via squid, and I am now seeing
                      TCP_TUNNEL/200 and HITS in the real-time log.

                      The problem starts when I enable antivirus now. If I continue to browse a previously cached HTTP site, I get the following.

                      The following error was encountered while trying to retrieve the URL: http://www.xxx.xx/
                      ICAP protocol error.
                      The system returned: [No Error]
                      This means that some aspect of the ICAP communication failed.
                      Some possible problems are:
                          The ICAP server is not reachable.
                          An Illegal response was received from the ICAP server.
                      

                      Toggle antivirus on/off and it works, or stops with antivirus on.

                        4o4rh, posted Aug 23, 2019, 9:03 PM (last edited by 4o4rh Aug 23, 2019, 9:50 PM)

                        This has to be a bug with the Antivirus/ICAP config. I have duplicated the setup on the test environment and replicated the same behavior. Simply put,

                        • install Squid in either transparent or forward mode (start with only HTTP) to keep it simple.
                        • block HTTP from the WAN
                        • set up the proxy manually on the system and/or in Firefox (one or both)
                        • browse an HTTP-only site

                        With antivirus enabled, it doesn't work.
                        With antivirus disabled, it does work.
                        Using latest pfsense 2.4.4_p3


                        /var/log/c-icap/server.log
                        ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf

                        Made the following config changes:
                        Included "Loopback" in the Proxy Interface
                        X-Forwarded Header Mode - Transparent (was - on previously)
                        URI Whitespace Characters Handling - set to Encode (was - strip)

                        It is now sort of working, but still gets the occasional ICAP error per above.

                          kiokoman (LAYER 8), posted Aug 23, 2019, 10:59 PM (last edited by kiokoman Aug 23, 2019, 11:02 PM)
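The error page quoted above lists two ICAP failure causes, "server not reachable" and "illegal response", and the c-icap log line points at a missing icap_send_client_ip. The following diagnostic is an added example, not code from this thread, from pfSense, or from the Squid or c-icap projects: it pulls the icap_service URIs and icap_* switches out of a squid.conf, flags the settings c-icap complains about, and sends an RFC 3507 OPTIONS request to each service so the two causes can be told apart. The squid.conf fragment and the OPTIONS reply embedded in it are constructed samples modelled on the config posted earlier in the thread; the User-Agent string icap-probe/0.1 is hypothetical.

```python
import re
import socket
import sys
from urllib.parse import urlsplit

# Constructed sample squid.conf fragment (modelled on the one posted in the thread).
SAMPLE_SQUID_CONF = """\
icap_enable on
icap_send_client_ip on
icap_send_client_username off
icap_preview_enable on
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all
"""

# Constructed sample OPTIONS reply in the shape RFC 3507 section 4.10 describes.
SAMPLE_OPTIONS_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: example-icap-service\r\n"
    b'ISTag: "constructed-istag-0001"\r\n'
    b"Preview: 1024\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

ICAP_SERVICE_RE = re.compile(r"^\s*icap_service\s+(\S+)\s+(\S+)\s+(icap://\S+)", re.M)


def icap_services(conf_text):
    """Return [(name, vectoring_point, uri)] for every icap_service line."""
    return ICAP_SERVICE_RE.findall(conf_text)


def icap_flags(conf_text):
    """Return {directive: bool} for every icap_* on/off directive in the config."""
    flags = {}
    for m in re.finditer(r"^\s*(icap_\w+)\s+(on|off)\s*$", conf_text, re.M):
        flags[m.group(1)] = m.group(2) == "on"
    return flags


def check_conf(conf_text):
    """Report the config problems the thread's log lines point at, before probing."""
    problems = []
    flags = icap_flags(conf_text)
    if not flags.get("icap_enable"):
        problems.append("icap_enable is off: adaptation services will not be used")
    if not flags.get("icap_send_client_ip"):
        problems.append("icap_send_client_ip is off: c-icap logs 'clientip is null'")
    if not icap_services(conf_text):
        problems.append("no icap_service lines found")
    return problems


def build_options_request(uri):
    """Build the OPTIONS request Squid uses to learn a service's capabilities."""
    parts = urlsplit(uri)
    host, port = parts.hostname, parts.port or 1344  # 1344 is the registered ICAP port
    req = (
        f"OPTIONS {uri} ICAP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        f"User-Agent: icap-probe/0.1\r\n"  # hypothetical agent name
        f"Encapsulated: null-body=0\r\n\r\n"
    ).encode("ascii")
    return host, port, req


def parse_icap_response(data):
    """Parse status and headers; raise ValueError if the bytes are not an ICAP reply."""
    head = data.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    m = re.match(r"^ICAP/1\.0 (\d{3}) (.*)$", head[0])
    if not m:
        raise ValueError(f"not an ICAP status line: {head[0]!r}")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify_reply(data):
    """Map raw reply bytes to one of the error page's causes (pure, no network)."""
    try:
        status, headers = parse_icap_response(data)
    except ValueError as e:
        return ("illegal-response", str(e))
    return ("ok" if status == 200 else "error", f"{status} methods={headers.get('methods')}")


def probe(uri, timeout=3.0):
    """Connect to the ICAP service, send OPTIONS and classify what comes back."""
    host, port, req = build_options_request(uri)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as e:
        return ("unreachable", str(e))
    return classify_reply(data)


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SQUID_CONF
    for problem in check_conf(conf):
        print("config:", problem)
    for name, point, uri in icap_services(conf):
        print(name, point, uri, probe(uri))
```

Run it on the firewall with the path to the live squid.conf as the only argument; an "unreachable" verdict for icap://127.0.0.1:1344/... means c-icap is not listening on the loopback the config points at (the first cause on the error page), while "illegal-response" means something answered on that port but not in ICAP (the second cause), and a clean "ok" narrows the remaining ICAP errors down to the per-request REQMOD/RESPMOD path.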

                          I don't have this problem even with antivirus enabled. Did you set this option after enabling it?

                          [screenshot attachment not visible in this capture]

                          and pressed "Update AV"?

                          But I have 2.5.0 right now that I can test.


                            4o4rh, replying to kiokoman, posted Aug 24, 2019, 7:35 AM (last edited by 4o4rh Aug 24, 2019, 3:44 PM)

                            @kiokoman Below was the solution:

                            • add Loopback to the Proxy Interfaces
                            • X-Forwarded Header Mode - Transparent (was - on previously)

                            and importantly, there is a bug with the "Allow Users on Interface" - it doesn't work!

                            ACLs - Allowed Subnets still needs to have the subnet plus the localhost:
                            192.168.0.0/24
                            127.0.0.1/32

                            Another thing I found: when switching from forwarding to transparent mode, it is necessary to reboot the router.
                            Not enough to restart the service, or the same ICAP error will occur.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.