configuration

chtsanti

Configuring the c-icap server

Configuration file (c-icap.conf)

The configuration parameters of c-icap appear in the file c-icap.conf. This configuration file usually exists in the directory install-prefix/etc/, where install-prefix is where the c-icap server has been installed. The installation path is specified during the initialization of the compilation procedure, after running the configure script:

./configure --prefix=install-prefix

The content of the configuration file has the form:

DIRECTIVE arg1 arg2 arg3...

The c-icap server supports modules (currently, loggers and service handlers), and services. A configuration parameter of a module or a service has the form MODULENAME.DIRECTIVE, where MODULENAME is the name of the module or service, and DIRECTIVE is the name of the configuration parameter. A service or module must be loaded by using the configuration parameters Module and Service so that its configuration parameters can be accepted.

As an example, view c-icap.conf in the directory of the source distribution. This file was produced from c-icap.conf.in after running the configure script. The configuration reference for c-icap-0.5.x can be found here:
http://c-icap.sourceforge.net/c-icap.conf-0.5.x.html

Access control and acls

The c-icap server supports squid-like acls. Every acl definition must begin with a name and the acl type, followed by type-specific arguments:

   acl name type arg1 [arg2]  ...

For the full list of the supported acl types refer to the c-icap reference manual.

An access list is a list of acls:

    [!]acl1 [[!]acl2] [[!]acl3]

The "!" character is used to negate the acl.
Currently the following access lists are supported:

  • icap_access, allows/denies access to an ICAP service
  • client_access, allows/denies access to the server. Only TCP/IP connection-related acls can be used here.
  • AccessLog, lets you configure an access list that selects the requests to be logged to an access file

c-icap also has an acl API to help developers include access list support in their modules. This API is used by the sys_logger module distributed with the c-icap server and by the services distributed with the c-icap-modules package.

Lookup tables

Lookup tables are a general mechanism for retrieving information from data stored in various forms, e.g. flat files, databases or LDAP servers. A lookup table is defined by a URL-like string, e.g. file:/path/of/db.txt or ldap://ldapserver?o=mydomain?cn,uid?uid=%s. The lookup table types currently supported by the c-icap server are:

  • file lookup tables, which are simple text files where the data is stored in the form:
    key [: val1] [,val2] [,val3] ...
  • hash, similar to the file lookup tables, but uses a hash index for searching. The hash index is created while the text file is loaded, during c-icap startup.
  • regex, similar to the file lookup tables, but the keys are regular expressions in the form /regexkey/.
  • Berkeley DB lookup tables, which are implemented by the bdb_tables module.
  • LDAP lookup tables, which are implemented by the ldap_module module.
  • DNS lookup tables, which are implemented by the dnsbl_tables module.

Lookup tables are currently used to store users and groups, and in the url_check service to store URL lists.
There is also an API that allows services and modules to use lookup tables.

Proxy authentication, users and groups

Although it is possible to set up proxy authentication on the c-icap server, the suggested method is to configure authentication on the proxy server (e.g. squid) and pass the user name to c-icap using an ICAP header.
The required configuration parameters in c-icap.conf are RemoteProxyUsers, RemoteProxyUserHeader and RemoteProxyUserHeaderEncoded.

For example, if you set up a squid-3.x server to use proxy authentication, use the X-Authenticated-User header to send the user name to the ICAP server, and have enabled base64 encoding of the user name, you should use the following configuration parameters in your c-icap.conf file:

RemoteProxyUsers on
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on

The c-icap server allows administrators to configure user groups, using the GroupSourceByGroup and/or the GroupSourceByUser configuration parameters. The GroupSourceByGroup configuration parameter defines a lookup table where the groups are stored using the group name as key and the user names as values. For example, to say that the users sotiria, alexandros and fanis belong to the group Users, and the user christos to both Users and PowerUsers, you can use the following records in the GroupSourceByGroup lookup table:

Users: christos, sotiria, alexandros, fanis
PowerUsers: christos

The GroupSourceByUser configuration parameter defines a lookup table where the groups are stored using the user name as key and the group names as values. To define the groups for the users in the above example, you should use the following records:

christos: Users, PowerUsers
sotiria: Users
alexandros: Users
fanis: Users
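
The following Python sketch is an added example, not part of c-icap or of the original page. It parses records in the file lookup table form, checks that a GroupSourceByGroup table and a GroupSourceByUser table describe the same memberships, and decodes a base64 user name as sent when RemoteProxyUserHeaderEncoded is on. All function names are hypothetical, and treating "#" as a comment marker is an assumption.

```python
import base64

def parse_lookup_table(text):
    """Parse 'key [: val1] [,val2] ...' records into {key: [values]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        key, _, vals = line.partition(":")
        table.setdefault(key.strip(), []).extend(
            v.strip() for v in vals.split(",") if v.strip())
    return table

def invert(table):
    """Turn group -> users into user -> groups (or the reverse)."""
    out = {}
    for key, values in table.items():
        for value in values:
            out.setdefault(value, set()).add(key)
    return out

def membership_mismatches(by_group, by_user):
    """Users whose groups differ between the two table forms."""
    derived = invert(by_group)
    declared = {u: set(g) for u, g in by_user.items()}
    return {u: (derived.get(u, set()), declared.get(u, set()))
            for u in set(derived) | set(declared)
            if derived.get(u, set()) != declared.get(u, set())}

def decode_proxy_user(value, encoded=True):
    """User name from the header value; base64-decoded when
    RemoteProxyUserHeaderEncoded is on. Raises ValueError on bad input."""
    value = value.strip()
    if encoded:
        value = base64.b64decode(value, validate=True).decode("utf-8")
    return value

# The page's own records, in both table forms.
BY_GROUP = parse_lookup_table(
    "Users: christos, sotiria, alexandros, fanis\nPowerUsers: christos\n")
BY_USER = parse_lookup_table(
    "christos: Users, PowerUsers\nsotiria: Users\nalexandros: Users\nfanis: Users\n")

if __name__ == "__main__":
    print(membership_mismatches(BY_GROUP, BY_USER))
    print(BY_USER[decode_proxy_user("Y2hyaXN0b3M=")])
```

Because the user name is taken from whatever the ICAP client sends in this header, the client_access list should admit only the proxy server.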

The Magic File (c-icap.magic)

This file defines the file types and the groups of file types. The predefined data types, which are not included in this file, are ASCII, ISO-8859, EXT-ASCII, UTF (not implemented yet) and HTML, which belong to the predefined TEXT group, and BINARY, which belongs to the predefined DATA group.

The line format of magic file is:

offset:Magic:Type:Short Description:Group1[:Group2[:Group3]...]

See the default "c-icap.magic" file in the configuration directory for more information.
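
To make the line format concrete, here is an added Python example (not c-icap's own code) that parses magic lines and classifies a byte buffer by the first matching entry. The sample lines are constructed for illustration; the octal `\ooo` escape handling, the "#" comment marker and the function names are assumptions. The predefined TEXT and DATA types are not modelled.

```python
import re

def _unescape(magic):
    """Decode \\ooo octal escapes into raw bytes (assumed escape syntax)."""
    return re.sub(rb"\\([0-7]{1,3})",
                  lambda m: bytes([int(m.group(1), 8) & 0xFF]),
                  magic.encode("latin-1"))

def parse_magic(text):
    """Parse offset:Magic:Type:Short Description:Group1[:Group2...] lines."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"line {n}: expected at least 5 ':'-separated fields")
        offset, magic, ftype, descr, *groups = fields
        rules.append((int(offset), _unescape(magic), ftype, descr, groups))
    return rules

def classify(data, rules):
    """Return (type, groups) for the first rule whose magic matches at its
    offset, or None when no entry matches."""
    for offset, magic, ftype, _descr, groups in rules:
        if magic and data[offset:offset + len(magic)] == magic:
            return ftype, groups
    return None

# Constructed sample entries in the documented line format.
SAMPLE = r"""
0:MZ:MSEXE:DOS/W32 executable/library/driver:EXECUTABLE
0:\037\213:GZip:Gzip compressed file:ARCHIVE
0:PK\003\004:ZIP:Zip archive:ARCHIVE
0:GIF8:GIF:GIF image:GRAPHICS:IMAGE
"""
RULES = parse_magic(SAMPLE)

if __name__ == "__main__":
    print(classify(b"\x1f\x8b\x08\x00", RULES))
    print(classify(b"plain text", RULES))
```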

