C-ICAP Error on One Site



  • I recently implemented an SG-3100 and have added Squid (with ClamAV), SquidGuard and Suricata. It's all running great with one possible exception. Every time I try to hit https://ultrasabers.com/, I get an ICAP error. So far, it only happens on this site, but it happens consistently on this site. I turn off ClamAV and it loads fine (no surprise). I hit the site at work and it loads fine, no warnings about the site being untoward in any way.

    I have read many posts saying that the first line of defense is to put Squid in bypass mode by making the following modifications to squid.inc:
    Modify these two lines:

    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav

    TO THIS:

    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav

    But I don't see those lines in squid.inc. In fact, I can't find them in any squid configuration file. Are these settings outdated? I also see recommendations from ClamAV:
    If you experience Squid "ICAP protocol error" (with bypass enabled) please consider increasing the c-icap following parameters: StartServers, MaxServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild. Increase also in clamd.conf parameter: MaxThreads may help.

    But I don't see any guidance on which parameters might be more impactful or how much to increase them by. Has anyone tuned these parameters that may have some input?
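
Added example, not part of the original posts and not pfSense or Squid project code: the `bypass` option on an `icap_service` line decides whether Squid fails open (`1`/`on`: traffic passes unscanned when c-icap errors) or fails closed (`0`/`off`, Squid's default: the client gets the ICAP error page). This POSIX sh function reports that state for every `icap_service` line in whatever config files are passed to it; the function names, the services `svc_a`/`svc_b` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Report, per icap_service line, whether Squid fails open or closed.
#   bypass=1|on  -> fail-open   (ICAP errors are ignored, content is not scanned)
#   bypass=0|off -> fail-closed (ICAP errors reach the client), also the default
# Usage: icap_fail_mode FILE...   (reads stdin when no file is given)
icap_fail_mode() {
    awk '
    $1 != "icap_service" { next }      # skips comments and other directives
    {
        mode = "fail-closed"           # Squid default when bypass is absent
        uri = "-"
        for (i = 4; i <= NF; i++) {    # options may come before or after the URI
            if ($i ~ /^icaps?:\/\//) uri = $i
            else if ($i ~ /^bypass=/) {
                v = tolower(substr($i, 8))
                if (v == "1" || v == "on") mode = "fail-open"
                else if (v == "0" || v == "off") mode = "fail-closed"
                else mode = "invalid(" v ")"
            }
        }
        printf "%s %s %s %s\n", $2, $3, mode, uri
    }' "$@"
}

# Constructed sample config: the first line is quoted in the post, the second
# is its bypass=1 variant, the rest are hypothetical.
sample_conf() {
    cat <<'EOF'
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
#icap_service old_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service svc_a respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
icap_service svc_b reqmod_precache icap://127.0.0.1:1344/squidclamav
EOF
}

# Demo run over the constructed sample.
sample_conf | icap_fail_mode
```

Run it against the squid.conf that the running Squid actually loads; a service reported as fail-open stops producing ICAP error pages only because responses are delivered without a ClamAV verdict while c-icap is failing.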



  • Anyone challenged with clamav and icap errors? I've increased the parameters recommended here. It seems to resolve the issue I'm currently seeing, but I now have each parameter at 3x their original default. I just hit another icap error and am getting ready to go to 4x, but I can't help but think clamav isn't worth running.