Squid3-dev ICAP Protocol Error on 32-bit
-
Pfsense 2.1.3 32-bit
Ram 4 GB
HDD 128 GB SSD
CPU AMD Athlon 3400+ 64-bit
1 Wan
1 LanPackages:
pfBlocker 1.0.2
Squid3-dev 3.3.10 pkg 2.2.2I am using Squid3-dev with antivirus and SSL enabled. Works very well, but often it will give this error:
ICAP Protocol Error, with a "no error" error code
ERROR in the browser
The following error was encountered while trying to retrieve the URL: http://google.com
ICAP protocol error.The system returned: [No Error]
This means that some aspect of the ICAP communication failed.
Some possible problems are:
*
The ICAP server is not reachable.
*An Illegal response was received from the ICAP server.
The only way to fix it is to restart squid.
I have read here: http://squidclamav.darold.net/tuning.html that changing some variables might help. I have doubled the default amounts described on the darold.net page, but it does not seem to help. Does anyone have any hints on what to look at next? This page also mentions that this works "with bypass enabled" - any idea what that means?
Thanks!
-
Potentially solved… the "bypass" feature can be added in the squid.inc file, as the squid.conf gets overwritten. I'm not sure about adding it to the Custom fields in the GUI - maybe that would work(?), but I opted for the .inc edit instead.
I also modified the other c-icap.conf file options that are relevant to these ICAP errors as stated on the developer's site. I ended up tripling the values before turning on the bypass=1 feature. I might reduce the numbers now to double only, given that bypass seems to be working. Clamav is presently running multiple processes and using (?) 600 MB of RAM, but I may not be reading the system activity correctly.
So far, no ICAP error since turning bypass on. Apparently, squid will ignore errors generated by ICAPs and not pass it on to the browser. I'm not sure if this breaks clamav for some period. Squid3-dev is definately not for the ultra green ;D
-
Hi MIT, can you please show how you fixed it step by step?
Thanks.
-
Same problem…64-bit system here. ICAP problems start as soon as I enable antivirus in Squid interface. I tried the "bypass"trick and it works but I think it completely breaks the antivirus feature. I tested the same on EICAR test file and another test website; the antivirus didn't show any warning.
So...that basically kills the purpose!
-
Same problem…64-bit system here. ICAP problems start as soon as I enable antivirus in Squid interface. I tried the "bypass"trick and it works but I think it completely breaks the antivirus feature. I tested the same on EICAR test file and another test website; the antivirus didn't show any warning.
So...that basically kills the purpose!
Strange.. I conitnue to have eicar blocking both http/https with bypass
-
Hi MIT, can you please show how you fixed it step by step?
Thanks.
In pfsense web gui…
For the bypass feature....
Go to Diagnostics > edit file
Browse to /usr/local/pkg
Load squid.inc
modify these two lines:icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamavTO THIS:
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamavSave file.
Then I rebooted. Done
I ended up changing everyhing in the C-icap parameters back to the defaults (so you need not change those, found on the Antivurs tab of Squid3-dev) same goes for clam.conf, changed back to defaults. Only the bypass=1 change was needed and no more ICAP error. I have tested with EICAR and it continues to stop those everytime in http and https.
Good luck ;)
-
Does it work with squidguard included in the equation too. I tried but didn't work.
-
Does it work with squidguard included in the equation too. I tried but didn't work.
I don't use squidguard, so I am no help on that one.
-
I've got the same problem on PFSense 2.1.4-RELEASE (amd64)
Enabling debug on squid, I've seen the following messages :
2014/07/11 10:36:29.862 kid1| url.cc(386) urlParse: urlParse: Split URL 'icap://127.0.0.1:1344/squidclamav ICAP/1.0
' into proto='icap', host='127.0.0.1', port='1344', path='/squidclamav ICAP/1.0'
2014/07/11 10:36:29.862 kid1| url.cc(422) urlParse: urlParse: URI has whitespace: {icap://127.0.0.1:1344/squidclamav ICAP/1.0
RESPMOD icap://127.0.0.1:1344/squidclamav ICAP/1.0
ICAP/1.0 204 Unmodified
Server: C-ICAP/0.2.5
2014/07/11 10:36:29.869 kid1| ModXact.cc(742) parseHeaders: parse ICAP headers
2014/07/11 10:36:29.869 kid1| Xaction.cc(503) setOutcome: ICAP_ERR_OTHER
2014/07/11 10:36:29.870 kid1| Server.cc(828) handleAdaptationAborted: creating ICAP error entry after ICAP failure
2014/07/11 10:36:29.870 kid1| forward.cc(397) fail: ERR_ICAP_FAILURE "Internal Server Error"It seems the url used to contact ICAP server is malformed (there is a whitespace in it).
-
Sorry to necro this…
Has anyone found a solution to this? I get this same error message and if the issue is a malformed url in a config file, which one is it?
-
Thanks MIT for the details, however in squid 3.4.10_2 pkg 0.2.6 there are changes in the squid.inc file.
it's like this:
icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow alli changed the squid_clamav bypass=off to on and the eicar detection is working.
thank you again :)
-
As I've posted on other many squid3 topics, clamav integration will work if you:
-
Enable antivirus on squid
-
fix config warnings alerts
-
wait first freshclam to finish
-
stop and start (not restart) squid and c-icap service
Configure a clamav bypass has the same effect as disabling the antivirus integration.
I've tested it on amd64 at least 3 times and had a working on all tests.
-
-
Can you fix the default config so that it works by default. While the GUI does tell you what to do if you save the page again, I'm sure that a lot of people on the forum and irc having issues with Squid do not go back there and save the page a second time.
-
Can you fix the default config so that it works by default. While the GUI does tell you what to do if you save the page again, I'm sure that a lot of people on the forum and irc having issues with Squid do not go back there and save the page a second time.
Decide what ip to use on sarg reports warn_php for example is not that simple. If I force Lan IP on package config then somebody will ask to listen on WLAN and/or internal http server.
This is a first run configuration. Once configured, you do not need to check again antivurus options.
-
I have this problem on the 64 bit version RC 2.2 and I just go to the antivirus page and click save again and then the system comes back up .. but wish it stop messing up
-
Friends, help, please, how to solve a problem with this error ICAP?
Configuring a clamav bypass=1 is disabling the antivirus integration!
PFsense 2.1.5 x64, squid 3.3.10 -
Did you read the topic first?
https://forum.pfsense.org/index.php?topic=77264.msg485524#msg485524
-
Did you read the topic first?
https://forum.pfsense.org/index.php?topic=77264.msg485524#msg485524Friend, yes, I read it. But to my regret, I didn't understand part of instructions:
fix config warnings alerts
wait first freshclam to finish
Please, explain more in detail which needs to be made here.
Thanks! -
Antonio, don't waste your time in pfSense 2.1.5 x64 i-cap ist still broken there, since it has never worked before.
I guess you need to upgrade to pfSense 2.2 x64 to get it work, if I get marcelloc right?
fix config warnings alerts = look in Status: System logs: General for errors and fix it
wait first freshclam to finish = execute freshclam in the console/shell and watch via top till its finished
Good luck.
-
Error in system log (PFsense 2.1.5 x64, squid 3.3.10):
kernel: pid 85487 (c-icap), uid 9595: exited on signal 11It is possible to fix it, or it really nonremovable error in 2.1.5 x64 in ICAP?
I don't like 2.2. With it I have many more problems with Squid+SquidGuard+Lightsquid. May be later, build of PFsense will be stable and I update it.
