C-ICAP Error on One Site
I recently implemented an SG-3100 and have added Squid (with ClamAV), SquidGuard and Suricata. It's all running great with one possible exception. Every time I try to hit https://ultrasabers.com/, I get an ICAP error. So far, it only happens on this site, but it happens consistently on this site. I turn off ClamAV and it loads fine (no surprise). I hit the site at work and it loads fine, no warnings about the site being untoward in any way.
I have read many posts saying that the first line of defense is to put Squid in bypass mode by making the following modifications to squid.inc:
Modify these two lines:
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
to:
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
But I don't see those lines in squid.inc. In fact, I can't find them in any Squid configuration file. Are these settings outdated? I also see recommendations from ClamAV:
If you experience Squid "ICAP protocol error" (with bypass enabled) please consider increasing the c-icap following parameters: StartServers, MaxServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild. Increase also in clamd.conf parameter: MaxThreads may help.
But I don't see any guidance on which parameters might be more impactful or how much to increase them by. Has anyone tuned these parameters who may have some input?
Anyone challenged with clamav and icap errors? I've increased the parameters recommended here. It seems to resolve the issue I'm currently seeing, but I now have each parameter at 3x their original default. I just hit another icap error and am getting ready to go to 4x, but I can't help but think clamav isn't worth running.