Text only | Text with Images

OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: rac-hh on November 09, 2023, 04:59:05 PM

Title: c-icap fail after update to 23.7.8
Post by: rac-hh on November 09, 2023, 04:59:05 PM
There is an update in 23.7.8 to c-icap 0.5.11.

Starting in debug mode:  c-icap -f //usr/local/etc/c-icap/c-icap.conf -N -D -d 9
...
Adding to acl AUTH the data *
In search specs list 0x0,name AUTH
New ACL with name:AUTH and  ACL Type: auth
Creating new access entry as allow with specs:
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
        Added acl spec: AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
The acl spec 127.0.0.1 does not exists!
The required acl spec '127.0.0.1' is missing
Fatal error while parsing config file: "//usr/local/etc/c-icap/c-icap.conf" line: 18
The line is: icap_access allow AUTH 127.0.0.1
...

With the mentioned line commented out the service starts.
"127.0.0.1" is not from configuration GUI - so this line is from standard config.


Title: Re: c-icap fail after update to 23.7.8
Post by: seed on November 09, 2023, 08:37:10 PM
similar after updating my opnsense. c-icap wont start again
Title: Re: c-icap fail after update to 23.7.8
Post by: chatmate on November 10, 2023, 08:45:38 AM
I met the same problem after update.
I tried to comment out the line containing "icap_access" like below, the same as rac-hh mentioned, and it works on my system.

Code Select
#icap_access allow AUTH 127.0.0.1

I think it could be a workaround until the fix becomes available.
Title: Re: c-icap fail after update to 23.7.8
Post by: youmas on November 10, 2023, 11:05:31 AM
Here the same problem.

Only can't open c-icap.conf file for workaround: Error opening/parsing config file is spitting @ me.
Title: Re: c-icap fail after update to 23.7.8
Post by: chatmate on November 10, 2023, 11:52:21 AM
Additional information.

I'm not good at English, so I read the logs roughly earlier, but after carefully reading the logs shared by @rac-hh, it seems that the ACL AUTH is defined correctly, but the ACL definition of 127.0.0.1 does not exist.

After defining a new ACL with server ip address attribute and specifying 127.0.0.1 as the IP address value, I was able to start the c-icap service without any error, and I was able to activate the c-icap connection in squid without any problem.

Code Select

#icap_access allow AUTH 127.0.0.1
acl localserver srvip 127.0.0.1   
icap_access allow AUTH localserver

I think it is probably a bug in c-icap 0.5.11 rather than a problem with opnsense. I don't know when c-icap was updated in my environment, but when opnsense was updated, c-icap might be updated at the same time. The latest version of c-icap, c-icap 0.5.11, was released on September 27, 2023, and c-icap-modules-0.5.6 was released on October 2, 2023.
Title: Re: c-icap fail after update to 23.7.8
Post by: rac-hh on November 13, 2023, 09:59:06 AM
I opened an [Issue][https://github.com/opnsense/core/issues/7007]
Title: Re: c-icap fail after update to 23.7.8
Post by: rac-hh on November 13, 2023, 10:29:21 AM
There is a [pull request](https://github.com/opnsense/plugins/pull/3667) using the solution from @chatmate
Text only | Text with Images