Help - pfsense x86 v2.2 + squid3 + c-icap + https + squidguard-dev



  • hi,

    search help for my setup. Before i run pfsense 2.1.5 with squid + c-icap + https + squidguard without problem. After upgrade to pfsense 2.2 i have problem configure squid3 to work with i-cap. all services is runing but when i want open some pages from client pc i get c-icap error (no communication). Without c-icap and squidguard all works (include HTTPS). here are my configs:

    Squid3:
    Integrations:

    url_rewrite_program /usr/pbi/squidguard-devel-i386/bin/squidGuard -c /usr/pbi/squidguard-devel-i386/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=
    

    Custom ACLS:

    always_direct allow all
    ssl_bump server-first all
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Client-Username
    icap_service service_req reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/squidclamav
    

    Squid antivirus:
    squidclamav.conf:

    #-----------------------------------------------------------------------------
    # SquidClamav default configuration file
    #
    # To know to customize your configuration file, see squidclamav manpage
    # or go to http://squidclamav.darold.net/
    #
    #-----------------------------------------------------------------------------
    #
    # Global configuration
    #
    
    # Maximum size of a file that may be scanned. Any file bigger that this value
    # will not be scanned.
    maxsize 5000000
    
    # When a virus is found then redirect the user to this URL
    redirect http://127.0.0.1/squid_clwarn.php
    
    # Path to the squiGuard binary if you want URL filtering, note that you'd better
    # use the squid configuration directive 'url_rewrite_program' instead.
    #squidguard /usr/local/squidGuard/bin/squidGuard
    
    # Path to the clamd socket, use clamd_local if you use Unix socket or if clamd
    # is listening on an Inet socket, comment clamd_local and set the clamd_ip and
    # clamd_port to the corresponding value.
    clamd_local /var/run/clamav/clamd.sock
    #clamd_ip 192.168.1.5,127.0.0.1
    #clamd_port 3310
    
    # Set the timeout for clamd connection. Default is 1 second, this is a good
    # value but if you have slow service you can increase up to 3.
    timeout 1
    
    # Force SquidClamav to log all virus detection or squiguard block redirection
    # to the c-icap log file.
    logredir 0
    
    # Enable / disable DNS lookup of client ip address. Default is enabled '1' to
    # preserve backward compatibility but you must desactivate this feature if you
    # don't use trustclient with hostname in the regexp or if you don't have a DNS
    # on your network. Disabling it will also speed up squidclamav.
    dnslookup 1
    
    # Enable / Disable Clamav Safe Browsing feature. You mus have enabled the
    # corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf
    # Enabling it will first make a safe browsing request to clamd and then the
    # virus scan request. 
    safebrowsing 0
    
    #
    # Here is some defaut regex pattern to have a high speed proxy on system
    # with low resources.
    #
    
    # Do not scan images
    #abort ^.*\.(ico|gif|png|jpg)$
    #abortcontent ^image\/.*$
    
    # Do not scan text files
    #abort ^.*\.(css|xml|xsl|js|html|jsp)$
    #abortcontent ^text\/.*$
    #abortcontent ^application\/x-javascript$
    
    # Do not scan streamed videos
    #abortcontent ^video\/x-flv$
    #abortcontent ^video\/mp4$
    
    # Do not scan flash files
    #abort ^.*\.swf$
    #abortcontent ^application\/x-shockwave-flash$
    
    # Do not scan sequence of framed Microsoft Media Server (MMS) data packets
    #abortcontent ^.*application\/x-mms-framed.*$
    
    # White list some sites
    #whitelist .*\.clamav.net
    
    # See also 'trustuser' and 'trustclient' configuration directives
    

    c-icap.conf:

    #
    # This file contains the default settings for c-icap
    # 
    # 
    
    # TAG: PidFile
    # Format: PidFile pid_file
    # Description:
    #	The file to store the pid of the main process of the c-icap server.
    # Default:
    #	PidFile /var/run/c-icap/c-icap.pid
    PidFile /var/run/c-icap/c-icap.pid
    
    # TAG: CommandsSocket
    # Format: CommandsSocket socket_file
    # Description:
    #	The path of file to use as control socket for c-icap
    # Default:
    #	CommandsSocket /var/run/c-icap/c-icap.ctl
    CommandsSocket /var/run/c-icap/c-icap.ctl
    
    # TAG: Timeout
    # Format: Timeout seconds
    # Description:
    #	The time in seconds after which a connection without activity
    #	can be cancelled.
    # Default:
    #	Timeout 300
    Timeout 300
    
    # TAG: MaxKeepAliveRequests
    # Format: MaxKeepAliveRequests number
    # Description:
    #	The maximum number of requests can be served by one connection
    #	Set it to -1 for no limit
    # Default:
    #	MaxKeepAliveRequests 100
    MaxKeepAliveRequests 100
    
    # TAG: KeepAliveTimeout
    # Format: KeepAliveTimeout seconds
    # Description:
    #	The maximum time in seconds waiting for a new requests before a 
    #	connection will be closed.
    #	If the value is set to -1, there is no timeout.
    # Default:
    #	KeepAliveTimeout 600
    KeepAliveTimeout 600  
    
    # TAG: StartServers
    # Format: StartServers number
    # Description:
    #	The initial number of server processes. Each server process
    #	generates a number of threads, which serve the requests.
    # Default:
    #	StartServers 3
    StartServers 3
    
    # TAG: MaxServers
    # Format: MaxServers number
    # Description:
    #	The maximum allowed number of server processes.
    # Default:
    #	MaxServers 10
    MaxServers 10
    
    # TAG: MinSpareThreads
    # Format: MinSpareThreads number
    # Description:
    #	If the number of the available threads is less than number,
    #	the c-icap server starts a new child.
    # Default:
    #	MinSpareThreads     10
    MinSpareThreads     10
    
    # TAG: MaxSpareThreads
    # Format: MaxSpareThreads number
    # Description:
    #	If the number of the available threads is more than number then 
    #	the c-icap server kills a child.
    # Default:
    #	MaxSpareThreads     20
    MaxSpareThreads     20
    
    # TAG: ThreadsPerChild
    # Format:  ThreadsPerChild number
    # Description:
    #	The number of threads per child process.
    # Default:
    #	ThreadsPerChild     10
    ThreadsPerChild     10
    
    # TAG: MaxRequestsPerChild
    # Format: MaxRequestsPerChild number
    # Description:
    #	The maximum number of requests that a child process can serve.
    #	After this number has been reached, process dies. The goal of this
    #	parameter is to minimize the risk of memory leaks and increase the
    #	stability of c-icap. It can be disabled by setting its value to 0.
    # Default:
    #	MaxRequestsPerChild  0
    MaxRequestsPerChild  0
    
    # TAG: Port
    # Format: Port port
    # Description:
    #	The port number that the c-icap server uses to listen to requests.
    # Default:
    #	Port 1344
    Port 1344
    
    # TAG: User
    # Format: User username
    # Description:
    #	The user owning c-icap's processes. By default, the owner is the
    #	user who runs the program.
    # Default:
    #	No value
    # Example:
    #	User wwwrun
    
    # TAG: Group
    # Format: Group groupname
    # Description:
    #	The group of users owning c-icap's processes, which, by default
    #	is the group of the current user.
    # Default:
    #	No value
    # Example:
    #	Group nogroup
    
    # TAG: ServerAdmin
    # Format: ServerAdmin admin_mail
    # Description:
    #	The Administrator of this server. Used when displaying information
    #	about this server (logs, info service, etc)
    # Default:
    #	No value
    ServerAdmin admin@aaa.ss
    
    # TAG: ServerName
    # Format: ServerName aServerName
    # Description:
    #	A name for this server. Used when displaying information about this
    #	server (logs, info service, etc)
    # Default:
    #	No value
    ServerName brana2
    
    # TAG: TmpDir
    # Format: TmpDir dir
    # Description:
    #	dir is the location of temporary files.
    # Default:
    #	TmpDir /var/tmp
    TmpDir /var/tmp
    
    # TAG: MaxMemObject
    # Format: MaxMemObject bytes
    # Description:
    #	The maximum memory size in bytes taken by an object which
    #	is processed by c-icap . If the size of an object's body is
    #	larger than the maximum size a temporary file is used.
    # Default:
    #	MaxMemObject 131072
    MaxMemObject 131072
    
    # TAG: DebugLevel
    # Format: DebugLevel level
    # Description:
    #	The level of debugging information to be logged.
    #	The acceptable range of levels is between 0 and 10.
    # Default:
    #	DebugLevel 1
    DebugLevel 1
    
    # TAG: Pipelining
    # Format: Pipelining on|off
    # Description:
    #	Enable or disable ICAP requests pipelining
    # Default:
    #	Pipelining on
    Pipelining on
    
    # TAG: SupportBuggyClients
    # FORMAT: SupportBuggyClients on|off
    # Description:
    #	Try to handle requests from buggy clients, for example ICAP requests
    #	missing "\r\n" sequences
    # Default:
    # SupportBuggyClients off
    SupportBuggyClients off
    
    # TAG: ModulesDir
    # Format: ModulesDir dir
    # Description:
    #	The location of modules
    # Default:
    #	ModulesDir /usr/local/lib/c_icap
    ModulesDir /usr/local/lib/c_icap
    
    # TAG: ServicesDir
    # Format: ServicesDir dir
    # Description:
    #	The location of services
    # Default:
    #	ServicesDir /usr/local/lib/c_icap
    ServicesDir /usr/local/lib/c_icap
    
    # TAG: TemplateDir
    # Format: TemplateDir dir
    # Description:
    #	The location of the text templates used by c-icap and its services,
    #	categorized by language and services/modules
    # Default:
    #	No value
    # Example:
    TemplateDir /usr/local/share/c_icap/templates/
    
    # TAG: TemplateDefaultLanguage
    # Format: TemplateDefaultLanguage lang
    # Description:
    #	Sets the default language to use for text templates
    # Default:
    #	TemplateDefaultLanguage en
    TemplateDefaultLanguage en
    
    #TemplateReloadTime 360
    #TemplateCacheSize 20
    #TemplateMemBufSize 8192
    
    # TAG: LoadMagicFile
    # Format: LoadMagicFile path
    # Description:
    #	Load a c-icap magic file. A magic file contains various 
    #	data type definitions. Look inside default c-icap.magic file
    #	for more informations.
    #	It can be used more than once to use multiple magic files.
    # Default:
    #	LoadMagicFile /usr/local/etc/c-icap/c-icap.magic
    LoadMagicFile /usr/local/etc/c-icap/c-icap.magic
    
    # TAG: RemoteProxyUsers
    # Format: RemoteProxyUsers onoff
    # Description:
    #	Set it to on if you want to use username provided by the proxy server.
    #	This is the recomended way to use users in c-icap.
    #	If the RemoteProxyUsers is off and c-icap configured to use users or
    #	groups the internal authentication mechanism will be used.
    # Default:
    #	RemoteProxyUsers off
    RemoteProxyUsers off
    
    # TAG: RemoteProxyUserHeader
    # Format: RemoteProxyUserHeader Header
    # Description:
    #	Used to specify the icap header used by the proxy server to send
    #	the authenticated client username to c-icap server 
    # Default:
    #	RemoteProxyUserHeader X-Authenticated-User
    RemoteProxyUserHeader X-Authenticated-User
    
    # TAG: RemoteProxyUserHeaderEncoded
    # Format: RemoteProxyUserHeaderEncoded onoff
    # Description:
    #	Set it to off if the RemoteProxyUserHeader is not base64 encoded
    # Default:
    #	RemoteProxyUserHeaderEncoded on
    RemoteProxyUserHeaderEncoded on
    
    # TAG: AuthMethod
    # Format: AuthMethod Method Authenticator
    # Description:
    #	Used to define the internal authentication mechanism to use. This
    #	feature is not well tested and may cause problems. It is better to use
    #	RemoteProxyUser configuration.
    #	Method is the authentication method to use (basic, digest, etc).
    #	Currently only basic authentication method is implemented as build in
    #	module
    #	Authenticator currently can only be "basic_simple_db"
    #	It can be considered as a user/password store and can be
    #	implemented as external module. The basic_simple_db is implemented as
    #	build it module
    # Default:
    #	No set
    # Example:
    #	AuthMethod basic basic_simple_db
    
    # TAG: basic.Realm
    # Format: basic.Realm ARealm
    # Description:
    #	Specify the basic method realm
    # Default:
    #	basic.Realm "Basic authentication"
    # Example:
    #	basic.Realm "c-icap server authentication"
    
    # TAG: basic_simple_db.UsersDB
    # Format: basic_simple_db.UsersDB LookupTable
    # Description:
    #	Specify the lookup table where the usernames/passwords pairs 
    #	are stored. The paswords must be unencrypted
    #	For more information about c-icap lookup tables read c-icap server
    #	manual page
    # Default:
    #	No value
    # Example:
    #	basic_simple_db.UsersDB hash:/usr/local/c-icap/etc/c-icap-users.txt
    
    # TAG: GroupSourceByGroup
    # Format: GroupSourceByGroup LookupTable
    # Description:
    #	Defines a lookup table where the groups of users are stored indexed
    #	by group. It can be used more than once.
    #	For more information about c-icap lookup tables read c-icap server
    #	manual page
    # Default:
    #	No set
    # Example:
    #	GroupSourceByGroup hash:/usr/local/c-icap/etc/c-icap-groups.txt
    
    # TAG: GroupSourceByUser
    # Format: GroupSourceByUser LookupTable
    # Description:
    #	Defines a lookup table where the groups of users are stored indexed 
    #	by user. It can be used more than once.
    #	For more information about c-icap lookup tables read c-icap server
    #	manual page
    # Default:
    #	No set
    # Example:
    #	GroupSourceByUser hash:/usr/local/c-icap/etc/c-icap-user-groups.txt
    
    # TAG: acl
    # Format: acl name type[{param}] value1 [value2] [...]
    # Description:
    #	Supported acl types are:
    #		acl aclname service service1 ...
    #		     The servicename
    #		acl aclname type OPTIONS|RESPMOD|REQMOD ...
    #		     The icap method
    #		acl aclname port port1 ...
    #		     The icap server port
    #		acl aclname src ip1/netmask1 ...
    #		     The client ip address
    #		acl aclname srvip ip1/netmask1 ...
    #		     The c-icap server ip address
    #		acl aclname icap_header{HeaderName} value1 ...
    #		     Matches the icap header HeaderName with value1 ...
    #		     The values are in regex form: /avalue/
    #		acl aclname icap_resp_header{HeaderName} value1 ...
    #		     The icap response header
    #		     The values are in regex form: /avalue/
    #		acl aclname http_req_header{HeaderName} value1 ...
    #		     The http request header
    #		     The values are in regex form: /avalue/
    #		acl aclname http_resp_header{HeaderName} value1 ...
    #		     The http response header
    #		     The values are in regex form: /avalue/
    #		acl aclname data_type type1 ...
    #		     The data type as recognized by the internal data type
    #		     recognizer. The types are defined in c-icap.magic file
    #		acl aclname auth username|* ...
    #		     The authenticated users. Using * instead of username means
    #		     all users.
    #		acl aclname group group1 ...
    #		     if the user of request belongs to given groups
    # Default:
    #	None set
    # Examples:
    #	acl OPTIONS type OPTIONS
    #	acl RESPMOD type RESPMOD
    #	acl REQMOD  type REQMOD
    #	acl ALLREQUESTS type OPTIONS RESPMOD REQMOD
    #	acl XHEAD icap_header{X-Test}  /value/
    #	acl ECHO service echo
    #	acl localnet src 192.168.1.0/255.255.255.0
    #	acl localhost src 127.0.0.1/255.255.255.255
    #	acl all src 0.0.0.0/0.0.0.0
    
    # TAG: icap_access
    # Format: icap_access allow|deny [!]acl1 ...
    # Description:
    #	Allowing or denying ICAP access based on defined access lists
    # Default:
    #	None set
    # Example:
    #	icap_access deny XHEAD
    #	#Allow OPTIONS method for all:
    #	icap_access allow localnet OPTIONS
    #	#Require authentication for all users from local network:
    #	icap_access allow AUTH localnet
    #	icap_access deny all
    
    # TAG: client_access
    # Format: client_access allow|deny acl1 [acl2] [...]
    # Description:
    #	Allowing or denying connections on c-icap based on
    #	defined access lists. Only the acl types src, srvip and port
    #	can be used.
    # Default:
    #	None set
    # Example:
    #	client_access allow all
    
    # TAG: LogFormat 
    # Format: LogFormat Name Format
    # Description:
    #	Name is a name for this log format.
    #	Format is a string with embedded % format codes. % format codes 
    #	has the following form:
    #	    % [-] [width] [{argument}] formatcode
    #	    if - is specified then the output is left aligned
    #	    if width specified then the field is exactly width size
    #	    some formatcodes support arguments given as {argument}
    #	
    #	Format codes:
    #	       %a:  Remote IP-Address
    #	       %la: Local IP Address
    #	       %lp: Local port
    #	       %>a: Http Client IP Address. Only supported if the proxy 
    #	       	    client supports the "X-Client-IP" header
    #	       %<a: http="" server="" ip="" address.="" only="" supported="" if="" the="" proxy<br="">#	       	    client supports the "X-Server-IP" header
    #	       %ts: Seconds since epoch
    #	       %tl: Local time. Supports optional strftime format argument
    #	       %tg: GMT time. Supports optional strftime format argument
    #	       %>ho: Modified Http request header. Supports header name
    #	       	     as argument. If no argument given the first line returned
    #	       %huo: Modified Http request url
    #	       %<ho: modified="" http="" reply="" header.="" supports="" header="" name<br="">#	       	     as argument. If no argument given the first line returned
    #	       %iu: Icap request url
    #	       %im: Icap method
    #	       %is: Icap status code
    #	       %>ih: Icap request header. Supports header name
    #	       	     as argument. If no argument given the first line returned
    #	       %<ih: icap="" response="" header.="" supports="" header="" name<br="">#	       	     as argument. If no argument given the first line returned
    #	       %Ih: Http bytes received
    #	       %Oh: Http bytes sent
    #	       %Ib: Http body bytes received
    #	       %Ob: Http body bytes sent
    #	       %I: Bytes received
    #	       %O: Bytes sent
    #	       %bph: The first 5 bytes of the body preview data. Non 
    #	       	     printable characters printed in hex form.
    #	       	     Supports the number of bytes to output as argument.
    #	       %un: Username
    #	       %Sl: Service log string
    #              %Sa: Attribute value set by service. The attribute name must 
    #                   given as argument.
    # Default:
    #	None set
    # Example:
    #	LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph" 
    
    # TAG: ServerLog
    # Format: ServerLog LogFile
    # Description:
    #	the file used by the build-in logger file_logger to 
    #	store debugging information, errors and other
    #	information about the c-icap server.
    # Default:
    #	ServerLog /var/log/c-icap/server.log
    ServerLog /var/log/c-icap/server.log
    
    # TAG: AccessLog
    # Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...]
    # Description:
    #	LogFile is a file where to log access information.
    #	LogFormat is the log format to use. If ommited c-icap uses:
    #	 	"%tl, %la %a %im %iu %is"
    #	Also acls can be used to select certain requests to be logged.
    #	This directive can be used more than once to specify more than
    #	one access log files
    # Default:
    #	AccessLog /var/log/c-icap/access.log
    # Example:
    #	AccessLog /var/log/c-icap/access.log MyFormat all
    AccessLog /var/log/c-icap/access.log
    
    # TAG: Logger
    # Format: Logger LoggerName
    # Description:
    #	Specify wich logger to use. By default uses the build in "file_logger" which
    #	uses files for access and server logging.
    # Default:
    #	Logger file_logger
    # Example:
    #	Logger sys_logger
    
    # TAG: Module
    # Format: Module Type ModuleFile
    # Description:
    #	Load an external module/plugin to c-icap.
    #	ModuleFile is the filename of the module. If no full path given then c-icap
    #	searche in path defined by the ModulesDir configuration parameter.
    #	Type is the type of the external module and can be one of the following:
    #	- "logger" for modules implement a logger
    #	- "common" for general purpose modules
    # Default:
    #	
    # Example:
    #	Module logger sys_logger.so
    
    # TAG: Service
    # Format: Service aName ServiceFile
    # Description:
    #	It loads the service ServiceFile. The argument aName used 
    #	as alias name for the service
    # Default:
    #	
    # Example:
    #	Service echo_service srv_echo.so
    
    # TAG: ServiceAlias
    # Format: ServiceAlias AliasName ServiceName[?param1=value1¶m2=value2...]
    # Description:
    #	Used to define an alias name for a service.
    # Default:
    #	
    # Example:
    #	ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
    
    #
    # TAG: General configuration parameters for all services
    # Description:
    #	PreviewSize: The preview data size to advertise to the icap client
    #	MaxConnections: The client should not use more than MaxConnections
    #		for this service.
    #	TransferPreview: The list of file extensions, seperated by commas,
    #		for which the client should send preview data.
    #	TransferIgnore: The list of file extensions that should not be sent
    #		to the icap server
    #	TransferComplete: The list of file extensions that should be sent
    #		in their entirety, without preview, to the icap server
    #	OptionsTTL: The options ttl for the service. The "sec[s]", "min" or 
    #		"hour[s]" can be used to secify that the time is in seconds
    #		minutes or hours respectively. If no time-units given
    #		seconds are assumed.
    #	Allow206 on|off: Enable/disable advertise of 206 responses.
    #
    # Example:
    #	echo.PreviewSize 512
    #	echo.TransferIgnore gif, jpeg
    #	echo.OptionsTTL 3 min
    
    ######################################################
    # External modules comming with core c-icap server
    #
    # Module: echo
    # Description:
    #	Simple test service
    # Example:
    #	Service echo srv_echo.so
    Service echo srv_echo.so
    
    # Module: sys_logger
    # Description:
    #	Add support for logging access and server events to syslog server
    #	Use "Module" configuration parameter to load this module and "Logger"
    #	to make it default logger for the c-icap.
    # Example:
    #	Module logger sys_logger.so
    #	Logger sys_logger
    
    # TAG: sys_logger.Prefix
    # Format: sys_logger.Prefix string
    # Description:
    #	 string is be presented in every syslog message.
    # Default:
    #	sys_logger.Prefix "C-ICAP:"
    
    # TAG: sys_logger.Facility
    # Format: sys_logger.Facility daemon|user|local1|local2|local3|local4|local5|local6|local7
    # Description:
    #	specifies the facility type of syslog. 
    # Default:
    #	sys_logger.Facility daemon
    
    # TAG: sys_logger.access_priority
    # Format: sys_logger.access_priority alert|crit|debug|emerg|err|info|notice|warning
    # Description:
    #	determines  the  importance  of the access log message
    # Default:
    #	sys_logger.access_priority info
    
    # TAG: sys_logger.server_priority
    # Format: sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning
    # Description:
    #	determines  the  importance  of the server log message
    # Default:
    #	sys_logger.server_priority crit
    
    # TAG: sys_logger.LogFormat
    # Format: sys_logger.LogFormat LOGFORMAT
    # Description:
    #	The log format to use. If no log format defined then 
    #	the following will be used:
    #	    "%la %a %im %iu %is"
    # Default:
    #	None set 
    # Example:
    #	Logformat BasicFormat "%la %a %im %iu %is"
    #	sys_logger.LogFormat BasicFormat
    
    # TAG: sys_logger.access
    # Format: sys_logger.access [!]acl1 ...
    # Description:
    #	Allow selecting ICAP requests to be logged using acls.
    #	By default all requests will be logged.
    # Default:
    #	None set
    # Example:
    #	sys_logger.access all
    
    # End module: sys_logger
    
    # Module: bdb_tables
    # Description:
    #	Add support for Berkeley DB based lookup tables. The format for 
    #	bdb path of the lookup table is:
    #		bdb:/path/to/bdb
    #	Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables
    # Example:
    #	Module common bdb_tables.so
    
    # End module: bdb_tables
    
    # Module: dnsbl_tables
    # Description:
    #	Add support for dns lookup tables. Can be used to access
    #	dns block lists. The dnsbl lookup table path definition is:
    #	    dnsbl:domainname
    #	For example the lookup table  for accessing the black.uribl.com
    #	dns black list is: 
    #	    dnsbl:black.uribl.com
    # Example:
    #	Module common dnsbl_tables.so
    
    # End module: dnsbl_tables
    
    Service squid_clamav squidclamav.so
    ![Snímka.PNG](/public/_imported_attachments_/1/Snímka.PNG)
    ![Snímka.PNG_thumb](/public/_imported_attachments_/1/Snímka.PNG_thumb)
    ![Snímka2.PNG](/public/_imported_attachments_/1/Snímka2.PNG)
    ![Snímka2.PNG_thumb](/public/_imported_attachments_/1/Snímka2.PNG_thumb)[/s][/s]</ih:></ho:></a:>
    




  • dear sir, thanks for your time.

    i already try that and now i can start all services but i cant use c-icap. i thing, that is something wrong with my configuration i posted.

    myybe this is problem:
    ps ax | grep -i fresclam  or tail -f /var/log/clamav/freshclam.log

    output:

    $ ps ax | grep -i fresclam  or tail -f /var/log/clamav/freshclam.log
    grep: fresclam: No such file or directory
    grep: or: No such file or directory
    grep: tail: No such file or directory
    

    edit: run from ssh "service clamav-freshclam onestart", wait for update, check log in "/var/log/clamav/freshclam.log". Seva all setting on all tabs, restart  clamd, c-icap, squid. still nothing.



  • If you updated you system from 2.1, I suggest you cleaning all config files on antivirus tab ro load default config again.
    Check if it loaded correcwand save again to check config warnings.



  • i reinstalled plugins squid3 and squidguard-devel. Cleaned antivirus settings. Disable antiviru, enable antivirus, click save. Some errors about wrong config, correct configs (in c-icap). Save. Restart pfsense. Nothing work….  :'(

    when i disable c-icap all work (transparent proxy with filter). But when i enable, broke all.  :'(  :'(  :'(  :'(



  • Not sure what happens with your install. I've tested my setup many times but no tests with nanobsd or cfcards.

    Can you try amd64 pfsense version?



  • yes, but must completly reinstall. I thing, that pfsense backuped configuration i cant use (if i want to know, if it all work on fresh install x64). Hm, maybe tommorow if i will have time to play and test in work. ")))



  • ok, i totaly reinstall pfsense box with x64 bit version pfsense v2.2. All working well (sqid3 - transparent mode with antivirus + squidguard + suricata + pfblockerng). big thank to all that spen time on pfsense.  8)



  • This has inspired me to do a fresh install.



  • I have similar problems, this time with fresh install. Strange this is that c-icap binds only to IPv6 socket:

    netstat -na | grep 1344
    tcp6      0      0 *.1344                .                    LISTEN

    Is it the same on every installation? Can I enforce to bind it to ipv4? Same problem here - squid is unable to communicate with icap.