C-icap-modules-0.3.x Configuration Reference

Modules/Subsystems

Configuration parameters

virus_scan configuration

Description:
This is an antivirus services for the c-icap ICAP server
This module add the following log formating codes for use with 
the LogFormat configuration parameter:
  %{virus_scan:virus}Sa  Prints the virus name or "-".
  %{virus_scan:action}Sa Prints "passed" if the object scanned and no
                         virus found, "blocked" if a virus found and
	                 object blocked, and "partiallyblocked" if a
	                 virus found but some of the data transmitted
                         to the user.
Example:
  LogFormat myVScanFmt "%tl, %>a %is %Ib %Ob %huo [Action: %{virus_scan:action}Sa] [Virus: %{virus_scan:virus}Sa]"
  acl VSCAN service virus_scan
  AccessLog /var/log/c-icap-access-vscan.log myVScanFmt VSCAN

The following additional formatting codes can be used with the service
templates (the VIRUS_FOUND, VIR_MODE_HEAD, VIR_MODE_PROGRESS,
VIR_MODE_TAIL and VIR_MODE_VIRUS_FOUND templates exist under the c-icap
templates directory):
  %VVN  The virus name.
  %VVV  The Antivirus name/version.
  %VU   The HTTP url.
    %VFR  The downloaded file requested name. For use with virelator mode.
  %VFS  Expected http body data size (Content-Length header). For use
        with virelator mode.
  %VF   The name of the local file where the data stored. For use with
        with virelator mode.
  %VHS  An HTTP URL to get stored object. For use with virelator mode.
        See also the VirHTTPUrl configuration parameter.
  %VPR  Profile name (Exist only if virus_scan profiles are enabled).

clamav_mod configuration

Description:
This is an addon module for the antivirus service (virus_scan) which
add support for the open source clamav antivirus.
Example:
Module common clamav_mod.so

clamd_mod configuration

Description:
This is an addon module for the antivirus service (virus_scan) which
adds support for the open source antivirus clamav, using the clamd
daemon.

srv_url_check configuration

Description:
This is an URL blacklist/whitelist icap service
  This module add the following log formating codes for use with
  the LogFormat configuration parameter:
  %{url_check:matched_cat}Sa Print all matched url categories 
  %{url_check:action}Sa      The service decision for requested url: 
                             MATCHED, BLOCKED or ALLOWED 
  %{url_check:action_cat}Sa  Print the categories for which the 
                             decision taken
Example:
  LogFormat myUrlCheck "%tl, %>a %im %is %huo  [MatchedCat: %{url_check:matched_cat}Sa] [Action4cat: %{url_check:action_cat}Sa] [Action: %{url_check:action}Sa]" 
  acl URLCHECK service srv_url_check
    AccessLog /var/log/c-icap-access-url_check.log myUrlCheck URLCHECK

  The following additional formatting codes can be used with the
  service template "DENY":
  %UU  The HTTP url
  %UH  The HTTP host
  %UM  The matched Categories
  %UB  The blocked category
    %UD  The description of the blocked category
Example:
Service url_check_module srv_url_check.so

Configuration parameters description

virus_scan.ScanFileTypes
Format:
virus_scan.ScanFileTypes type1 [type2] ...
Description:
the list of file types or groups of file types which will be 
scanned for viruses. For supported types look in c-icap.magic 
configuration file.
Default:
None set.
virus_scan.SendPercentData
Format:
virus_scan.SendPercentData percent
Description:
the percentage of data that can be sent by the c-icap server 
before receiving the complete body of a request.
This feature in conjuction with the folowing can be usefull 
becouse if the download of the object takes a lot of time 
the connection of web client to proxy can be expired. 
It must be noticed that the data which delivered to the 
web client maybe contains a virus or a part of a virus
and can be dangerous. In the other hand partial data 
(for example 5% data of a zip or an exe file) in most 
cases can not be used. 
Set it to 0 to disable this feature.
Default:
virus_scan.SendPercentData 0
virus_scan.StartSendPercentDataAfter
Format:
virus_scan.StartSendPercentDataAfter bytes
Description:
Only if the object is bigger than size then the percentage 
of data which defined by SendPercentData sent by the c-icap 
server before receiving the complete body of request.
Default:
virus_scan.StartSendPercentDataAfter 0
virus_scan.Allow204Responces
Format:
virus_scan.Allow204Responces on|off
Description:
 Disable 204 responces outside previews for virus_scan if 
 your icap client does not support it.
Default:
virus_scan.Allow204Responces on
virus_scan.PassOnError
Format:
virus_scan.PassOnError on|off
Description:
 Pass the content instead of blocking it, in the case when the virus
   scanner or the virus_scan module finds an error.
   The error will be logged nevertheless.
Default:
virus_scan.PassOnError off
virus_scan.MaxObjectSize
Format:
virus_scan.MaxObjectSize  Bytes
Description:
The maximum size of files which will be scanned by 
antivirus service.You can use K and M indicators to define size
in kilobytes or megabytes.
Default:
virus_scan.MaxObjectSize  5M
virus_scan.DefaultEngine
Format:
virus_scan.DefaultEngine EngineName1 EngineName2 ...
Description:
 The antivirus engines to use if no engine has selected using ICAP
 service arguments.
 The antivirus engines loaded as external c-icap modules.
 Currently the following antivirus engines are available for the
 c-icap-modules:
 	"clamd" or "clamav"
Default:
None set. The first loaded engine will be used.
Example:
virus_scan.DefaultEngine clamav
virus_scan.VirSaveDir
Format:
virus_scan.VirSaveDir path
Description:
The directory where the downloaded files stored.
Must be a directory where a web server has access.
Default:
No set
Example:
virus_scan.VirSaveDir /srv/www/htdocs/downloads/
virus_scan.VirHTTPUrl
Format:
virus_scan.VirHTTPUrl URL
Description:
The url which used by the web client to retrieve 
downloaded file. The file where the download stored 
can has diferent name than the original, if a file 
with the same name exists in the directory. In the 
url the "%f" can be used to specify the real name 
of downloaded file.
You can use the small cgi program "get_file.pl" 
which exists in contrib directory of c-icap-modules 
distribution.
Default:
No set
Example:
virus_scan.VirHTTPUrl  "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
virus_scan.VirUpdateTime
Format:
virus_scan.VirUpdateTime seconds
Description:
The secs is the interval between the "progress of download"
 messages in seconds.
Default:
virus_scan.VirUpdateTime   15
virus_scan.VirScanFileTypes
Format:
virus_scan.VirScanFileTypes type1 type2 ...
Description:
 The list of file types and groups of file types, 
 for which this mode must be used.
Default:
None set
Example:
virus_scan.VirScanFileTypes ARCHIVE EXECUTABLE
clamav_mod.TmpDir
Format:
clamav_mod.TmpDir path
Description:
clamav's temporary directory.
Default:
clamav_mod.TmpDir /var/tmp
clamav_mod.MaxFilesInArchive
Format:
clamav_mod.MaxFilesInArchive Num
Description:
 Sets the maximum number of files in archive. Used 
 by clamav library. Set it to 0 to disable it.
Default:
clamav_mod.MaxFilesInArchive 0
clamav_mod.MaxFileSizeInArchive
Format:
clamav_mod.MaxFileSizeInArchive Bytes
Description:
 Sets the maximal archived file size. Used by clamav 
 library. Set it to 0 to disable it.
Default:
clamav_mod.MaxFileSizeInArchive 100M
clamav_mod.MaxScanSize
Format:
clamav_mod.MaxScanSize Bytes
Description:
 Sets the maximum amount of data to be  scanned  for  each  input
   file. Used by clamav library. Set it to 0 to disable it.
Default:
  clamav_mod.MaxScanSize 100M
clamav_mod.MaxRecLevel
Format:
clamav_mod.MaxRecLevel level
Description:
 The maximal recursion level. Used by clamav library.
 Set it to 0 to disable it.
Default:
clamav_mod.MaxRecLevel 5
clamav_mod.DetectPUA
Format:
clamav_mod.DetectPUA on|off
Description:
Detect Possibly Unwanted Applications.
Default:
clamav_mod.DetectPUA off
clamav_mod.ExcludePUA
Format:
clamav_mod.ExcludePUA cat1 cat2 ...
Description:
Exclude a specific PUA category. This directive can be used 
multiple  times. See http://www.clamav.net/support/pua for the 
coplete list of PUA categories.
Default:
none
clamav_mod.IncludePUA cat1 cat2 ...
Format:
clamav_mod.IncludePUA 
Description:
Only include a specific PUA category. This directive can be used
multiple  times.  See  http://www.clamav.net/support/pua for the
complete list of PUA categories.
Default:
none
clamav_mod.OfficialDatabaseOnly
Format:
clamav_mod.OfficialDatabaseOnly on|off
Description:
Only load  the  official  signatures  published  by  the  ClamAV
project.
Default:
  clamav_mod.OfficialDatabaseOnly off
clamav_mod.ArchiveBlockEncrypted
Format:
clamav_mod.ArchiveBlockEncrypted on|off
Description:
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default:
  clamav_mod.ArchiveBlockEncrypted off
clamav_mod.HeuristicScanPrecedence
Format:
clamav_mod.HeuristicScanPrecedence on|off
Description:
Allow heuristic match to take precedence.  When  enabled,  if  a
heuristic   scan  (such  as  phishingScan)  detects  a  possible
virus/phishing it will stop scanning  immediately.  Recommended,
saves  CPU  scan-time.
Default:
  clamav_mod.HeuristicScanPrecedence off
clamav_mod.OLE2BlockMacros
Format:
clamav_mod.OLE2BlockMacros on|off
Description:
With this option enabled OLE2 files with VBA macros, which  were
not   detected   by   signatures  will  be  marked  as  "Heuris‐
tics.OLE2.ContainsMacros".
Default:
  clamav_mod.OLE2BlockMacros off
clamav_mod.PhishingAlwaysBlockSSLMismatch
Format:
clamav_mod.PhishingAlwaysBlockSSLMismatch on|off
Description:
Always block SSL mismatches in URLs, even if the  URL  isn't  in
the database. This can lead to false positives.
Default:
  clamav_mod.PhishingAlwaysBlockSSLMismatch off
clamav_mod.PhishingAlwaysBlockCloak
Format:
clamav_mod.PhishingAlwaysBlockCloak on|off
Description:
Always  block  cloaked URLs, even if URL isn't in database. This
can lead to false positives
Default:
  clamav_mod.PhishingAlwaysBlockCloak off
clamd_mod.ClamdSocket
Format:
clamd_mod.ClamdSocket path
Description:
The path of the clamd socket to use
Default:
clamd_mod.ClamdSocket /var/run/clamav/clamd.ctl
clamd_mod.ClamdHost
Format:
clamd_mod.ClamdHost host
Description:
The host to be used to connect to Clamd if a ClamdPort is specified.
Default:
clamd_mod.ClamdHost 127.0.0.1
clamd_mod.ClamdPort
Format:
clamd_mod.ClamdPort port
Description:
The port to be used to connect to Clamd. If specified
TCP connection to port "port" will be used instead of ClamdSocket.
When you are using TCP communication with clamd please be sure
that the filesystem permissions allow clamd to scan files created
by clamd_mod module.
The clamd_mod module create files with read permissions to running
c-icap process owner and group.
Default:
clamd_mod.ClamdPort None, ClamdSocket is used.
url_check.EarlyResponses
Format:
url_check.EarlyResponses on|off
Description:
Set it to off if your ICAP client does not support early responses.
Should not required to touch this parameter.
Default:
url_check.EarlyResponses on
Example:
url_check.EarlyResponses off
url_check.LookupTableDB
Format:
url_check.LookupTableDB DBName type lookup_table_path [Description]
Description:
DBName is a a name for this database
type can be one of the following:
     host: defines a hostnames database. Matches if the hostname
     	   exist in ths database.
	   
     url: defines a URL's database. Matches if a part of the
     	  http url exist in this database. WARNING: The url arguments
	  are not included in search
	  For example the  www.site.com/to/path/page.html?arg1&arg2
	  matches if any of the following exist in this database:
	     www.site.com/to/path/page.html
	     www.site.com/to/path/
	     www.site.com/to/
	     www.site.com/
	     site.com/to/path/page.html
	     site.com/to/path/
	     site.com/to/
	     site.com/
	     com/to/path/page.html
	     com/to/path/
	     com/to/
	     com/www.site.com/to/path/page.html
	     www.site.com/to/path/
	     www.site.com/to/
	     www.site.com/
	     site.com/to/path/page.html
	     site.com/to/path/
	     site.com/to/
	     site.com/
	     com/to/path/page.html
	     com/to/path/
	     com/to/
	     com/
	     
     full_url: it defines a URL's database. This type of url databases
     	  includes url arguments while searching in the database.
	  It does the same checks with the "url" databases plus
	  the checks including the arguments: 
	     www.site.com/to/path/page.html?arg1&arg2
	     site.com/to/path/page.html?arg1&arg2
	     com/to/path/page.html?arg1&arg2 
	
     url_simple_check: it defines a URL's database. In this type of url
	  databases only one query with full url performed.
	       
     domain: defines a domain names database. Matches if http 
     	  server hostname belongs to a domain which exists 
	  in this database.
	
lookup_table_path is a lookup table definition which contains
keys of the defined type

Optionally a description can be added, which will be displayed when this
database matches.
Default:
 
url_check.LoadSquidGuardDB
Format:
url_check.LoadSquidGuardDB DBName SquidGuardDBPath [Description]
Description:
Defines a squidGuard database. A such database normaly contains
one domain and one urls database, and checked with the same way
the squidGuard use it.
DBName is the database name
SquidGuardDBPath is the path of the database.
Default:
 
url_check.Profile
Format:
url_check.Profile ProfileName pass|block DBName[{subcat1, subcat2, ...}]|ALL
Description:
It is used to define policy profiles. The use of "default" as
ProfileName is reserved and defines a default policy for all 
requests for which no profile defined
Default:
None set
Example:
url_check.Profile BlockPorn block porn
url_check.Profile default block multisurbl{127.0.0.126}
url_check.Profile default pass ALL
url_check.ProfileAccess
Format:
url_check.ProfileAccess ProfileName [!]acl1 ...
Description:
It is used to select  policy profile to apply based on acls
Default:
None set
Example:
acl Foo group foo
url_check.ProfileAccess BlockPorn Foo