File c_icap-060708rc1-CONFIG.html of Package c-icap (Revision 1)
<html> <head> <title>The c-icap project </title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <META name="keywords" content="icap, squid, filtering, Content Filtering,web proxy, web, http"> <link rel="stylesheet" href="docs.css" type="text/css"> </head> <tr > <table cellspacing="0" cellpadding="0" width="100%"> <td width="80%" > <H1 align="center">The c-icap project</H1> <hr width="80%"> </td> </table> <br> <table width=100%> <tr> <TD valign="top" class="maindoc"> <H2>Configuration file</H2> <P>The configuration parameters of c-icap appear in the file c-icap.conf. This configuration file usually exists in the directory <I>install-prefix</I>/etc/, where <I>install-prefix</I> is where the c-icap server has been installed. The installation path is specified during the initialization of the compilation procedure, after running the <I>configure</I> script: </P> <pre> ./configure --prefix=<I>install-prefix</I> </pre> <P>The content of the configuration file has the form: </P> <pre> DIRECTIVE arg1 arg2 arg3... </pre> <P> The c-icap server supports modules (currently, loggers and service handlers), and services. A configuration parameter of a module or a service has the form <I>MODULENAME.DIRECTIVE</I>, where <I>MODULENAME</I> is the name of the module or service, and <I>DIRECTIVE</I> is the name of the configuration parameter. A service or module must be loaded by using the configuration parameters <I>Module</I> and <I>Service</I> so that its configuration parameters can be accepted. </P> <P>As an example, view c-icap.conf in the directory of the source distribution. This file was produced from c-icap.conf.in after running the <I>configure</I> script. </P> <H2>Configuration parameters</H2> <P>Currently, the following configuration parameters are supported. </P> <P><B>PidFile <I>pid_file</I>:</B> the file to store the pid of the main process of the c-icap server. 
</P>
<P><B>Timeout <I>secs</I></B>: the time in seconds after which a connection without activity can be cancelled. </P>
<P><B>KeepAlive <I>boolean</I></B>: <I>boolean</I> can be either <I>on</I> to enable the feature or <I>off</I> to disable it. If the feature is enabled, the c-icap server tries not to close the connection with the ICAP client, but waits for more requests tunnelled through it. This feature can improve the communication speed between the ICAP client and the c-icap server. </P>
<P><B>KeepAliveTimeout <I>secs</I></B>: the maximum time in seconds to wait for a new request. If the value is set to -1, there is no timeout. </P>
<P><B>StartServers <I>num</I></B>: the initial number of server processes. Each server process generates a number of threads, which serve the requests. This parameter will be renamed as StartChilds.</P>
<P><B>MaxServers <I>num</I></B>: the maximum number of server processes. </P>
<P><B>MinSpareThreads <I>num</I></B>: if the number of available threads is less than <I>num</I>, the c-icap server starts a new child. </P>
<P><B>MaxSpareThreads <I>num</I></B>: if the number of available threads is more than <I>num</I>, the c-icap server kills a child. </P>
<P><B>ThreadsPerChild <I>num</I></B>: the initial number of threads per child process. </P>
<P><B>MaxRequestsPerChild <I>num</I></B>: the maximum number of requests that a child process can serve. After this number has been reached, the process dies. The goal of this parameter is to minimize the risk of memory leaks and increase the stability of c-icap. It can be disabled by setting its value to 0. </P>
<P><B>Port <I>port</I></B>: the port number that the c-icap server uses to listen for requests. The default value is 1344. </P>
<P><B>User <I>user</I></B>: the user owning c-icap's processes. By default, the owner is the user who runs the program.
</P>
<P><B>Group <I>group</I></B>: the group of users owning c-icap's processes, which, by default, is the group of the current user. </P>
<P><B>TmpDir <I>dir</I></B>: <I>dir</I> is the location of temporary files. </P>
<P><B>Max_mem_object <I>bytes</I></B>: the maximum memory size in bytes taken by an object which is processed by c-icap. If the size of an object's body is larger than the maximum size, a temporary file is used. Currently, two different types of body storage are supported by c-icap: (1) ci_membuf, which stores all the data in memory and is used by the echo example service, and (2) ci_cached_file, which makes use of the Max_mem_object parameter. </P>
<P><B>ServerLog <I>filename</I></B>: the file used by the built-in logger <I>file_logger</I> to store debugging information, errors and other information about the c-icap server. </P>
<P><B>AccessLog <I>filename</I></B>: the file used by file_logger to store access information. </P>
<P><B>DebugLevel <I>level</I></B>: the level of debugging information to be logged. The acceptable range of levels is between 0 and 10. </P>
<P><B>AclControllers <I>access_controller1,access_controller2 ...</I></B>: the access controllers and the order in which they will be used. Currently only the built-in "default_acl" controller exists, but someone can implement one. The access controller must be loaded using the "Module" directive before it is used here. </P>
<P><B>AuthMethod <I>http_auth_method authenticator</I></B>: the authentication method and authenticator which will be used. The argument <I>http_auth_method</I> defines the authentication method and can be basic for the basic HTTP authentication method or digest for the digest HTTP authentication method. Currently only the basic authentication method is implemented.<br> The argument <I>authenticator</I> is the authenticator which will be used. The authenticators in practice implement the user/password storage/retrieval.
Currently no authenticator is implemented, but someone can write one and load it as a module. </P>
<P><B>ModulesDir <I>dir</I></B>: the location of modules.</P>
<P><B>Module <I>moduletype filename</I></B>: loads the module <I>filename</I>. The argument <I>moduletype</I> is the type of the module. Currently, it can be <I>service_handler</I>, <I>logger</I>, <I>access_controller</I>, <I>auth_method</I> or <I>authenticator</I>. The argument <I>filename</I> is the file name of the module. If the file name begins with the character '/', it is treated as a full path name. Otherwise, it is treated as a path relative to <I>ModulesDir</I>. </P>
<P><B>ServicesDir <I>dir</I></B>: the location of services.</P>
<P><B>Service <I>servicename filename</I></B>: loads the service <I>filename</I>. The argument <I>servicename</I> is not currently used. Also, only the services srv_echo.so and srv_clamav.so have been implemented. However, a user can implement their own modules.</P>
<P><B>Logger <I>logger</I></B>: the logger that we want to use. Currently, file_logger, which is a built-in logger, and sys_logger, which has been implemented as a module, are supported. file_logger is the default logger. </P>
<H2>The sys_logger module</H2>
<P>The sys_logger module has two configuration parameters:</P>
<P><B>sys_logger.Prefix <I>string</I></B>: <I>string</I> is presented in every syslog message. </P>
<P><B>sys_logger.Facility <I>facility</I></B>: <I>facility</I> specifies the facility type of syslog. It can be one of the following: <I>daemon, user, local0, local1, local2,... local7</I>. </P>
<H2>The default_acl internal access controller</H2>
This is the internal access controller. To enable it you must use the directive <i>AclControllers</i>. The configuration procedure is similar to that of Squid's ACL lists. There are only two configuration parameters:
<P><B>default_acl.acl <I> name spec</I></B>: Defines an acl_spec. The <I>name</I> is the name of this acl_spec.
The <I>spec</I> is the description of this acl_spec and can consist of one or more of the following:<BR>
<ul>
<li><b>src <I>ip[/netmask]</I></b>: Defines the IP address of the client.
<li><b>srvip<I> ip</I></b>: Defines the IP address of the server. By default the c-icap server listens on all available network interfaces for requests. You can use this directive to limit access to some of them.
<li><b>type<I> options|respmod|reqmod</I> </b>: Defines the type of requests.
<li><b>service <I>service_name</I></b>: Defines the name of the service.
<li><b>user <I>username</I> </b>: Defines the username. If <I>username</I> is "*" then this spec applies to all users.
</ul>
</P>
<P><B>default_acl.icap_access <I>policy acl_spec</I></B>: Defines the policy to be applied to the <I>acl_spec</I>, which was previously defined by a default_acl.acl directive. The <I>policy</I> can be one of the following:
<ul>
<li><b><i>allow</i></b>: Allow the requests which match this acl_spec to use the c-icap server.
<li><b><i>deny</i></b>: Deny access to the requests which match this acl_spec.
<li><b><i>http_auth</i></b>: Require HTTP proxy authentication for requests which match this acl_spec.
<li><b><i>log</i></b>: Log these requests.
<li><b><i>nolog</i></b>: Do not log these requests.
</ul>
</P>
<H2>The service srv_clamav</H2>
<P>Currently, the srv_clamav service has the following configuration parameters: </P>
<P><B>srv_clamav.ScanFileTypes <I>type1 type2 ...</I></B>: the list of file types or groups of file types which will be scanned for viruses. For supported types, look at the LoadMagicFile parameter.</P>
<P><B>srv_clamav.MaxObjectSize <I> size</I></B>: the maximum size of files which will be scanned by clamav. You can use the <I>K</I> and <I>M</I> indicators to define <I>size</I> in kilobytes or megabytes. </P>
<P><B>srv_clamav.SendPercentData <I>percentage</I></B>: the percentage of data that can be sent by the c-icap server before receiving the complete body of a request.
<BR> This feature, in conjunction with the following one, can be useful because if the download of the object takes a long time, the connection from the web client to the proxy can expire. Note that the data delivered to the web client may contain a virus or part of a virus and can be dangerous. On the other hand, partial data (for example, 5% of the data of a zip or an exe file) in most cases cannot be used. <BR> Set it to 0 to disable this feature. </P>
<P><B>srv_clamav.StartSendPercentDataAfter <I>size</I></B>: the percentage of data defined by SendPercentData is sent by the c-icap server before receiving the complete body of the request only if the object is bigger than <I>size</I>. </P>
<P> <B>srv_clamav.Allow204Responces <I>on|off</I></B>: enables 204 responses outside previews for srv_clamav if your ICAP client supports it. For squid, leave it off. </P>
<P><B>srv_clamav.ClamAvTmpDir <I>dir</I></B>: clamav's temporary directory. </P>
<P><B>srv_clamav.ClamAvMaxFilesInArchive <I>num</I></B>: Sets the maximum number of files in an archive. Used by the clamav library. Set it to 0 to disable it. </P>
<P><B>srv_clamav.ClamAvMaxFileSizeInArchive <I>size</I></B>: Sets the maximum archived file size. Used by the clamav library. Set it to 0 to disable it. </P>
<P><B>srv_clamav.ClamAvMaxRecLevel <I>level</I></B>: The maximum recursion level. Used by the clamav library. Set it to 0 to disable it. </P>
The following directives relate to an experimental mode which I call "viralator like" mode. The srv_clamav service checks the type of the file and, if it is included in the VirScanFileTypes list (see below), downloads the file locally and sends the web client messages about the progress of the download. After the download has completed, it sends a message with the web location where the downloaded file is stored.
<P><B>srv_clamav.VirScanFileTypes <I>type1 type2 .....</I></B>: The list of file types and groups of file types for which this mode must be used.
</P>
<P><B>srv_clamav.VirSaveDir <I>dirname</I></B>: The directory where the downloaded files are stored. It must be a directory to which a web server has access. </P>
<P><B>srv_clamav.VirHTTPServer <I>url</I></B>: The URL used by the web client to retrieve the downloaded file. The file in which the download is stored can have a different name from the original if a file with the same name already exists in the directory. In the <I>url</I>, "%f" can be used to specify the real name of the downloaded file.<br> You can use the small CGI program "get_file.pl", which is in the contrib directory of the c-icap distribution. An example of its usage is:
<pre> srv_clamav.VirHTTPServer "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file=" </pre>
The "remove=1" argument in the URL means that the file will be removed after it has been downloaded. </P>
<P><B>srv_clamav.VirUpdateTime <I>secs</I></B>: <i>secs</i> is the interval in seconds between the "progress of download" messages. </P>
<H2>The Magic File (c-icap.magic)</H2>
This file defines the types of files and the groups of file types. The predefined data types, which are not included in this file, are ASCII, ISO-8859, EXT-ASCII, UTF (not implemented yet) and HTML, which belong to the predefined TEXT group, and BINARY, which belongs to the predefined DATA group.
<p> The line format of the magic file is:
<pre>offset:Magic:Type:Short Description:Group1[:Group2[:Group3]...]</pre>
Look at the default "c-icap.magic" file in the configuration directory for more information.
</TD> <TD width="15%"> </TD> </tr> <tr> <TD width="100%" colspan="3" align="center" class="extrasmall"> <br> <hr width="80%"> <p align="center" class="extrasmall">© Tsantilas Christos, email: chtsanti at users dot sourceforge dot net</p> </TD> </tr> </table> </body>
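As an added example (not part of the c-icap documentation or distribution), the following Python script parses a c-icap.conf written in the "DIRECTIVE arg1 arg2 ..." form described above and reports settings that this page documents as leaving a safeguard off: no User, no AclControllers, MaxRequestsPerChild 0, a non-zero srv_clamav.SendPercentData, and clamav archive limits set to 0. Assumptions: "#" starts a comment, a repeated directive overrides the earlier one, and the sample configuration (including its PidFile path) is constructed for illustration.

```python
import shlex

# Constructed sample c-icap.conf (not taken from the c-icap distribution).
SAMPLE_CONF = '''\
# constructed sample
PidFile /var/run/c-icap.pid
Port 1344
MaxRequestsPerChild 0
Service antivirus srv_clamav.so
srv_clamav.SendPercentData 5
srv_clamav.ClamAvMaxRecLevel 0
srv_clamav.ClamAvMaxFilesInArchive 1000
srv_clamav.VirHTTPServer "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
'''

ARCHIVE_LIMITS = ("srv_clamav.ClamAvMaxFilesInArchive",
                  "srv_clamav.ClamAvMaxFileSizeInArchive",
                  "srv_clamav.ClamAvMaxRecLevel")

def parse_conf(text):
    """Map each directive to the argument list of its last occurrence.
    Assumptions: '#' starts a comment and a repeated directive overrides."""
    conf = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # keeps quoted URLs whole
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def audit(conf):
    """Return findings for settings the documentation describes as risky."""
    def first_arg(name):
        args = conf.get(name)
        return args[0] if args else None
    findings = []
    if first_arg("User") is None:
        findings.append("User unset: processes run as the invoking user")
    if first_arg("AclControllers") is None:
        findings.append("AclControllers unset: default_acl is not enabled")
    if first_arg("MaxRequestsPerChild") == "0":
        findings.append("MaxRequestsPerChild 0: child recycling disabled")
    pct = first_arg("srv_clamav.SendPercentData")
    if pct not in (None, "0"):
        findings.append(f"srv_clamav.SendPercentData {pct}: data is sent before the scan completes")
    for name in ARCHIVE_LIMITS:
        if first_arg(name) == "0":
            findings.append(f"{name} 0: limit disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("WARN", finding)
```

Run against the constructed sample, it reports five findings; a configuration that sets User and AclControllers, keeps SendPercentData at 0 and leaves the archive limits non-zero produces none.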