C-ICAP - Error adding acl spec: !localserver
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
Describe the bug
Since version 25.1.7 C-ICAP doesn't start automatically and throws errors in log as shown below.
To Reproduce
It's enough to upgrade opnsense to 25.1.7 and above
Expected behavior
to start as normal.
Relevant log files
```
2025-06-12T21:03:43 Critical c-icap main proc, Error opening/parsing config file
2025-06-12T21:03:43 Critical c-icap main proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
2025-06-12T21:03:43 Critical c-icap main proc,
2025-06-12T21:03:43 Critical c-icap main proc, WARNING: Can not check the used c-icap release to build service virus_scan.so
2025-06-12T21:03:43 Critical c-icap main proc, Warning, alias is the same as service_name, not adding
2025-06-12T21:03:43 Critical c-icap main proc, The line is: sys_logger.access !localserver
2025-06-12T21:03:43 Critical c-icap main proc, Fatal error while parsing config file: "/usr/local/etc/c-icap/c-icap.conf" line: 32
2025-06-12T21:03:43 Critical c-icap main proc, Error adding acl spec: !localserver.
2025-06-12T21:03:10 Critical c-icap main proc, Error opening/parsing config file
2025-06-12T21:03:10 Critical c-icap main proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
2025-06-12T21:03:10 Critical c-icap main proc,
2025-06-12T21:03:10 Critical c-icap main proc, WARNING: Can not check the used c-icap release to build service virus_scan.so
2025-06-12T21:03:10 Critical c-icap main proc, Warning, alias is the same as service_name, not adding
2025-06-12T21:03:10 Critical c-icap main proc, The line is: sys_logger.access !localserver
2025-06-12T21:03:10 Critical c-icap main proc, Fatal error while parsing config file: "/usr/local/etc/c-icap/c-icap.conf" line: 32
2025-06-12T21:03:10 Critical c-icap main proc, Error adding acl spec: !localserver.
```
Additional context
And once line: sys_logger.access !localserver is removed in config file /usr/local/etc/c-icap/c-icap.conf, I'm able to manually start C-ICAP.
Environment
OPNsense 25.1.8_1 (amd64). Proxmox VM with host CPU: Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores) 12 GB RAM 50 GB HDD
@Green2Matter Did you press the "Save" button in c-icap after the upgrade?
> @Green2Matter Did you press the "Save" button in c-icap after the upgrade?
Yes, I did...
EDIT:
And by doing so, line:
sys_logger.access !localserver
is reinserted in config file and C-ICAP doesn't restart, error in log: main proc, Error adding acl spec: !localserver.
The log line is tied to enable_accesslog being specifically disabled. Ticking that setting probably unbreaks it?
Though localserver is properly defined, maybe the syntax for ! is wrong after a certain c-icap upstream change.
@Green2Matter I am not able to reproduce this error on any opnsense installation. Can you please try reinstalling c-icap?
@AndyX90 I don't think this matters. It's clear from the template it would emit that line when unsetting access log. It's not in your configuration file I think?
BTW, the documentation allows this syntax:
sys_logger.access
Format:
sys_logger.access [!]acl1 ...
Description:
Allow selecting ICAP requests to be logged using acls.
By default all requests will be logged.
Default:
None set
Example:
sys_logger.access all
I'd be more interested in what localserver is set to in the error case:
# grep localserver /usr/local/etc/c-icap/c-icap.conf
That's my conf:
```
PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 127.0.0.1:1344
ServerAdmin [email protected]
ServerName icap
RemoteProxyUsers on
acl AUTH auth *
acl localserver srvip 127.0.0.1
icap_access allow AUTH localserver
RemoteProxyUserHeaderEncoded off
RemoteProxyUserHeader X-Username
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/local/lib/c_icap
ServicesDir /usr/local/lib/c_icap
TemplateDir /tmp/c-icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /usr/local/etc/c-icap/c-icap.magic
Module logger sys_logger.so
Logger sys_logger
sys_logger.Prefix "c-icap"
sys_logger.access !localserver
Service echo srv_echo.so
Include virus_scan.conf
```
Thanks, so the value of localserver is the interesting one indeed
> The log line is tied to enable_accesslog being specifically disabled. Ticking that setting probably unbreaks it?
> Though localserver is properly defined, maybe the syntax for ! is wrong after a certain c-icap upstream change.
So, when I enable access log (was disabled) all is ok; at least after saving config. BTW, what's the value of localserver, interface addresses?
EDIT: I've checked config file and now this troublemaking line is not inserted...
```
PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 15
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
ServerAdmin M
ServerName opnrouter
RemoteProxyUsers off
RemoteProxyUserHeaderEncoded off
RemoteProxyUserHeader X-Username
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/local/lib/c_icap
ServicesDir /usr/local/lib/c_icap
TemplateDir /tmp/c-icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /usr/local/etc/c-icap/c-icap.magic
Module logger sys_logger.so
Logger sys_logger
sys_logger.Prefix "c-icap"
Service echo srv_echo.so
Include virus_scan.conf
```
@Green2Matter Can you please disable accesslog again and post your conf? And what did you enter in Listen Address?
Alternatively just the grep...
# grep localserver /usr/local/etc/c-icap/c-icap.conf
@AndyX90 Config with disabled access logging:
```
PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 15
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
ServerAdmin Marcin
ServerName opnrouter
RemoteProxyUsers off
RemoteProxyUserHeaderEncoded off
RemoteProxyUserHeader X-Username
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/local/lib/c_icap
ServicesDir /usr/local/lib/c_icap
TemplateDir /tmp/c-icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /usr/local/etc/c-icap/c-icap.magic
Module logger sys_logger.so
Logger sys_logger
sys_logger.Prefix "c-icap"
sys_logger.access !localserver
Service echo srv_echo.so
Include virus_scan.conf
```
As far as I remember, I haven't changed anything in general tab (except admin and server names). And Listen Address is IP6 loopback address: ::1, I've just tried IP4 loopback and it's the same...
@Green2Matter That's strange. Also with ipv6 loopback it works well on my side! And I think we would have heard about it if it was a bigger problem. Did you try reinstalling the plugin?
Please just show the grep for clarity...
~~I got it. He probably didn't enable - OPNsense.cicap.general.localSquid. That's an issue we should resolve, the acl localserver will never get defined.~~ Sorry, dumb reading...
> Please just show the grep for clarity...
Now, with enabled logging grep shows nothing. After disabling:
```
grep localserver /usr/local/etc/c-icap/c-icap.conf
sys_logger.access !localserver
```
It's not a very often seen issue, but it's not only me: https://forum.opnsense.org/index.php?topic=47292.msg237915#msg237915
All started after upgrade to 25.1.7....
@Green2Matter Thanks for the information and the forum link. Will have a look at that. Are you using c-icap with a remote squid or the local squid on opnsense? If you are using the local squid with c-icap, please check "Use c-icap with local squid".
Thanks @AndyX90 All is used locally, option Use c-icap with local squid has been enabled since the beginning.
@Green2Matter Can you check the versions of c-icap, c-icap-modules and os-c-icap in System --> Firmware --> Packages?
```
c-icap          0.6.3,2  949KiB   OPNsense  LGPL21+     ICAP server implementation
c-icap-modules  0.5.7_1  441KiB   OPNsense  GPLv2+      Modules for c-icap: virus_scan and srv_url_check
os-c-icap       1.8      50.1KiB  OPNsense  BSD2CLAUSE  c-icap connects the web proxy with a virus scanner
```
I reinstalled c-icap and nothing changed. It started in opnsense 25.1.7 and after upgrade to 25.7 is still the same.
Okay, now I got the problem. I reanalyzed the template and the case is that "Send Username" is not enabled in "Squid Web Proxy" --> Administration --> Forward Proxy --> ICAP Settings --> (Advanced) Send Username. In that case, the acl spec will not get defined. Can you verify that checking the Send Username box solves the issue?
@AndyX90 you nailed it! After enabling in Squid Send Username, C-ICAP works without logging enabled...
Will this be changed or must it be left as it is now?
EDIT: and now:
```
grep localserver /usr/local/etc/c-icap/c-icap.conf
acl localserver srvip ::1
icap_access allow AUTH localserver
sys_logger.access !localserver
```
@Green2Matter Thanks! No, this will be fixed, will soon add a PR.
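
Added example (not part of the issue thread and not the plugin's own code): a small sh/awk check that reports ACL names used by `icap_access` or `sys_logger.access` before any `acl` line has defined them, which is the condition diagnosed above. It assumes only these two directives reference ACLs, that a definition must precede its use, and it does not follow `Include` files; `sample_conf` is constructed from the lines posted in the thread.

```shell
#!/bin/sh
# undefined_acls [FILE]: print "LINE DIRECTIVE ACL" for every ACL name that is
# referenced before an "acl NAME ..." line defines it. Reads stdin without FILE.
# Assumption: definitions must come first, because the fatal error in the
# thread is raised at the referencing line while the file is being parsed.
undefined_acls() {
    awk '
        # Strip comments and skip blank lines.
        { sub(/#.*/, "") }
        NF == 0 { next }

        # "acl NAME TYPE VALUE..." defines NAME.
        $1 == "acl" && NF >= 3 { defined[$2] = 1; next }

        # icap_access allow|deny [!]acl1 ...  -> names start at field 3
        $1 == "icap_access"       { first = 3 }
        # sys_logger.access [!]acl1 ...       -> names start at field 2
        $1 == "sys_logger.access" { first = 2 }

        first {
            for (i = first; i <= NF; i++) {
                name = $i
                sub(/^!/, "", name)          # a leading "!" only negates the match
                if (!(name in defined)) print NR, $1, name
            }
            first = 0
        }
    ' "$@"
}

# Constructed sample: the ACL-related lines from the configs in the thread.
# $1 is on/off for RemoteProxyUsers ("Send Username"); access log is disabled.
sample_conf() {
    echo "RemoteProxyUsers $1"
    if [ "$1" = on ]; then
        echo 'acl AUTH auth *'
        echo 'acl localserver srvip 127.0.0.1'
        echo 'icap_access allow AUTH localserver'
    fi
    echo 'Module logger sys_logger.so'
    echo 'Logger sys_logger'
    echo 'sys_logger.Prefix "c-icap"'
    echo 'sys_logger.access !localserver'
}

sample_conf off | undefined_acls   # prints: 5 sys_logger.access localserver
sample_conf on  | undefined_acls   # prints nothing
```

On the firewall the same function can be pointed at the generated file: `undefined_acls /usr/local/etc/c-icap/c-icap.conf`.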