proxy server is refusing connections - ICAP Error when Antivirus Enabled

4o4rh · Aug 23, 2019, 6:56 AM

configured squid in both transparent and non-transparent.
only testing with HTTP

Have enabled on LAN interfaces and use interface for allowed users.
authentication set to none.

3128 Port shows as listening.

in the real time logs, both browsing activities show with
TCP_MISS/200

however, when i set the browser to use the proxy, i get
proxy server is refusing connections

I also lose access to the pfsense box, even though it should not be in the proxy.

kiokoman · Aug 23, 2019, 8:23 AM

hard to tell
you should post some screenshot of your proxy configuration to understand what's wrong

4o4rh · Aug 23, 2019, 8:48 AM

i can

telnet proxyhost 3128

Trying proxyhost...
Connected to proxyhost.
Escape character is '^]'.

so
General
Enable Squid Proxy X
Proxy Interface(s) LAN1 and LAN2
Allow Users on Interface X

Transparent (tried both enabled/disabled) same result
Antivirus (tried both enabled/disabled) same result

ACLs
Allowed Subnets 192.168.0.0/23 (have tried with/without)

Authentication
Authentication Method None

I added a 3128/3129 to the allowed ports as a LAN rule

kiokoman · Aug 23, 2019, 9:27 AM

not enought information, we realy need screenshot as most of the time people think to have done ABC and instead they do BCD

I replicated your configuration as you wrote it and it works for me without problems
there are no known bug that can do this so it must be some misconfiguration

compare with my screenshot
login-to-view
login-to-view
login-to-view
login-to-view
login-to-view
login-to-view

Gertjan · Aug 23, 2019, 9:44 AM

Example :

@gwaitsi said in proxy server is refusing connections:

I added a 3128/3129 to the allowed ports as a LAN rule

This is not needed.
Default, all incoming connections on LAN are permitted.

4o4rh · Aug 23, 2019, 10:51 AM

@Gertjan info i provided is exactly the same as in your screenshots and pass through is required because i block all ports on lan as well.

from squid.conf is the following

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.0.0/23
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

acl sglog url_regex -i sgr=ACCESSDENIED
http_access deny sglog
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet

# Default block all to be sure
http_access deny allsrc
icap_enable on
icap_send_client_ip on
icap_send_client_username off
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all

kiokoman · Aug 23, 2019, 1:00 PM

how about this part?
shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24 192.168.3.0/24 192.168.2.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip

4o4rh · Aug 23, 2019, 1:10 PM

@kiokoman they are there
forwarded_for on
uri_whitespace strip

but i don't have this one
httpd_suppress_version_string on

I don't understand it, because if i do the following on the pfsense box, i get

netstat -ln
tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33796                           ESTABLISHED
tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33792                           ESTABLISHED
tcp4       0      0 192.168.0.1.3128                             192.168.0.50.33788                           ESTABLISHED

I have the network proxy manually set on linux mint, but firefox using no proxy when it works.
As soon as i switch to the proxy on firefox, i get the refusing connections errors.

Must be something with the ACLs, but authentication is set to no.

kiokoman · Aug 23, 2019, 1:58 PM

if you set transparent proxy you don't need to configure proxy on web browser, all the http traffic should be automatically intercepted by squid

httpd_suppress_version_string -> not important right now

4o4rh · Aug 23, 2019, 5:17 PM

@kiokoman both transparent and forwarding, give the same problem on both the test and production systems.

I've had some progress. I now have HTTP caching working without Antivirus.
I added custom patterns, and checked and re-saved each of the pages (had antivirus off) and it started working.

have blocked HTTP on the WAN so it is definitely going via squid and i am now seeing
TCP_TUNNEL/200 and HITS in the real-time log.

Problem starts when i enable antivirus now. If i continue to browse previously cache HTTP site, i get the following.

The following error was encountered while trying to retrieve the URL: http://www.xxx.xx/
ICAP protocol error.
The system returned: [No Error]
This means that some aspect of the ICAP communication failed.
Some possible problems are:
    The ICAP server is not reachable.
    An Illegal response was received from the ICAP server.

toggle antivirus on/off, and it works, or stops with antivirus on.

4o4rh · Aug 23, 2019, 9:50 PM

This has to be a bug with the Antivirus/ICAP config. I have duplicated the setup on the test environment and replicated the same behavior. Simply put,

install Squid in either transparent or forward mode (start with only HTTP) to keep it simple.
block HTTP from the WAN
setup the proxy manually at one or both system and/or firefox
browse HTTP only site

With antivirus enabled, it doesn't work.
With antivirus disabled, it does work.
Using latest pfsense 2.4.4_p3

/var/log/c-icap/server.log
ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf

made the following config changes;
Included "Loopback" in the Proxy Interface
X-Forwarded Header Mode - Transparent (was - on previously)
URI Whitespace Characters Handling - set to Encode (was - strip)

It is now sort of working, but still gets the occasional ICAP error per above.

kiokoman · Aug 24, 2019, 7:35 AM

i don't have this problem even with antivirus enabled, did you set this option after enabling it?

login-to-view

and pressed "Update AV" ?

but i have 2.5.0 right now that i can test

4o4rh · Aug 24, 2019, 3:44 PM

@kiokoman below was the solution

add Loopback to the Proxy Interfaces
X-Forwarded Header Mode - Transparent (was - on previously)

and importantly, there is a bug with the "Allow Users on Interface" - it doesn't work!

ACls - Allowed Subnet still needs to have the subnet plus the localhost
192.168.0.0/24
127.0.0.1/32

another thing i found, switching from forwarding to transparent mode, it is necessary to reboot the router.
Not enough to restart the service, or the same ICAP error will occur.