C-icap-modules-0.4.x Configuration Reference
Modules/Subsystems
Configuration parameters
Description: This is an antivirus services for the c-icap ICAP server
This module add the following log formating codes for use with
the LogFormat configuration parameter:
%{virus_scan:virus}Sa Prints the virus name or "-".
%{virus_scan:action}Sa Prints "passed" if the object scanned and no
virus found, "blocked" if a virus found and
object blocked, and "partiallyblocked" if a
virus found but some of the data transmitted
to the user.
Example:
LogFormat myVScanFmt "%tl, %>a %is %Ib %Ob %huo [Action: %{virus_scan:action}Sa] [Virus: %{virus_scan:virus}Sa]"
acl VSCAN service virus_scan
AccessLog /var/log/c-icap-access-vscan.log myVScanFmt VSCAN
The following additional formatting codes can be used with the service
templates (the VIRUS_FOUND, VIR_MODE_HEAD, VIR_MODE_PROGRESS,
VIR_MODE_TAIL and VIR_MODE_VIRUS_FOUND templates exist under the c-icap
templates directory):
%VVN The virus name.
%VVV The Antivirus name/version.
%VU The HTTP url.
%VFR The downloaded file requested name. For use with virelator mode.
%VFS Expected http body data size (Content-Length header). For use
with virelator mode.
%VF The name of the local file where the data stored. For use with
with virelator mode.
%VHS An HTTP URL to get stored object. For use with virelator mode.
See also the VirHTTPUrl configuration parameter.
%VPR Profile name (Exist only if virus_scan profiles are enabled).
Description: This is an addon module for the antivirus service (virus_scan) which
add support for the open source clamav antivirus.
Example: Module common clamav_mod.so
Description: This is an addon module for the antivirus service (virus_scan) which
adds support for the open source antivirus clamav, using the clamd
daemon.
Description: This is an URL blacklist/whitelist icap service
This module add the following log formating codes for use with
the LogFormat configuration parameter:
%{url_check:matched_cat}Sa Print all matched url categories
%{url_check:action}Sa The service decision for requested url:
MATCHED, BLOCKED or ALLOWED
%{url_check:action_cat}Sa Print the categories for which the
decision taken
Example:
LogFormat myUrlCheck "%tl, %>a %im %is %huo [MatchedCat: %{url_check:matched_cat}Sa] [Action4cat: %{url_check:action_cat}Sa] [Action: %{url_check:action}Sa]"
acl URLCHECK service srv_url_check
AccessLog /var/log/c-icap-access-url_check.log myUrlCheck URLCHECK
The following additional formatting codes can be used with the
service template "DENY":
%UU The HTTP url
%UH The HTTP host
%UM The matched Categories
%UB The blocked category
%UD The description of the blocked category
Example: Service url_check_module srv_url_check.so
Example: Service url_check_module srv_url_check.so
Configuration parameters description
- virus_scan.ScanFileTypes
-
Format:
virus_scan.ScanFileTypes type1 [type2] ...
Description: the list of file types or groups of file types which will be
scanned for viruses. For supported types look in c-icap.magic
configuration file.
Default: None set.
- virus_scan.SendPercentData
-
Format:
virus_scan.SendPercentData percent
Description: the percentage of data that can be sent by the c-icap server
before receiving the complete body of a request.
This feature in conjuction with the folowing can be usefull
becouse if the download of the object takes a lot of time
the connection of web client to proxy can be expired.
It must be noticed that the data which delivered to the
web client maybe contains a virus or a part of a virus
and can be dangerous. In the other hand partial data
(for example 5% data of a zip or an exe file) in most
cases can not be used.
Set it to 0 to disable this feature.
Default: virus_scan.SendPercentData 0
- virus_scan.StartSendPercentDataAfter
-
Format:
virus_scan.StartSendPercentDataAfter bytes
Description: Only if the object is bigger than size then the percentage
of data which defined by SendPercentData sent by the c-icap
server before receiving the complete body of request.
Default: virus_scan.StartSendPercentDataAfter 0
- virus_scan.Allow204Responces
-
Format:
virus_scan.Allow204Responces on|off
Description: Disable 204 responces outside previews for virus_scan if
your icap client does not support it.
Default: virus_scan.Allow204Responces on
- virus_scan.PassOnError
-
Format:
virus_scan.PassOnError on|off
Description: Pass the content instead of blocking it, in the case when the virus
scanner or the virus_scan module finds an error.
The error will be logged nevertheless.
Default: virus_scan.PassOnError off
- virus_scan.MaxObjectSize
-
Format:
virus_scan.MaxObjectSize Bytes
Description: The maximum size of files which will be scanned by
antivirus service.You can use K and M indicators to define size
in kilobytes or megabytes.
Default: virus_scan.MaxObjectSize 5M
- virus_scan.DefaultEngine
-
Format:
virus_scan.DefaultEngine EngineName1 EngineName2 ...
Description: The antivirus engines to use if no engine has selected using ICAP
service arguments.
The antivirus engines loaded as external c-icap modules.
Currently the following antivirus engines are available for the
c-icap-modules:
"clamd" or "clamav"
Default: None set. The first loaded engine will be used.
Example: virus_scan.DefaultEngine clamav
- virus_scan.VirSaveDir
-
Format:
virus_scan.VirSaveDir path
Description: The directory where the downloaded files stored.
Must be a directory where a web server has access.
Default: No set
Example: virus_scan.VirSaveDir /srv/www/htdocs/downloads/
- virus_scan.VirHTTPUrl
-
Format:
virus_scan.VirHTTPUrl URL
Description: The url which used by the web client to retrieve
downloaded file. The file where the download stored
can has diferent name than the original, if a file
with the same name exists in the directory. In the
url the "%f" can be used to specify the real name
of downloaded file.
You can use the small cgi program "get_file.pl"
which exists in contrib directory of c-icap-modules
distribution.
Default: No set
Example: virus_scan.VirHTTPUrl "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
- virus_scan.VirUpdateTime
-
Format:
virus_scan.VirUpdateTime seconds
Description: The secs is the interval between the "progress of download"
messages in seconds.
Default: virus_scan.VirUpdateTime 15
- virus_scan.VirScanFileTypes
-
Format:
virus_scan.VirScanFileTypes type1 type2 ...
Description: The list of file types and groups of file types,
for which this mode must be used.
Default: None set
Example: virus_scan.VirScanFileTypes ARCHIVE EXECUTABLE
- clamav_mod.TmpDir
-
Format:
clamav_mod.TmpDir path
Description: clamav's temporary directory.
Default: clamav_mod.TmpDir /var/tmp
- clamav_mod.MaxFilesInArchive
-
Format:
clamav_mod.MaxFilesInArchive Num
Description: Sets the maximum number of files in archive. Used
by clamav library. Set it to 0 to disable it.
Default: clamav_mod.MaxFilesInArchive 0
- clamav_mod.MaxFileSizeInArchive
-
Format:
clamav_mod.MaxFileSizeInArchive Bytes
Description: Sets the maximal archived file size. Used by clamav
library. Set it to 0 to disable it.
Default: clamav_mod.MaxFileSizeInArchive 100M
- clamav_mod.MaxScanSize
-
Format:
clamav_mod.MaxScanSize Bytes
Description: Sets the maximum amount of data to be scanned for each input
file. Used by clamav library. Set it to 0 to disable it.
Default: clamav_mod.MaxScanSize 100M
- clamav_mod.MaxRecLevel
-
Format:
clamav_mod.MaxRecLevel level
Description: The maximal recursion level. Used by clamav library.
Set it to 0 to disable it.
Default: clamav_mod.MaxRecLevel 5
- clamav_mod.DetectPUA
-
Format:
clamav_mod.DetectPUA on|off
Description: Detect Possibly Unwanted Applications.
Default: clamav_mod.DetectPUA off
- clamav_mod.ExcludePUA
-
Format:
clamav_mod.ExcludePUA cat1 cat2 ...
Description: Exclude a specific PUA category. This directive can be used
multiple times. See http://www.clamav.net/support/pua for the
coplete list of PUA categories.
Default: none
- clamav_mod.IncludePUA cat1 cat2 ...
-
Format:
clamav_mod.IncludePUA
Description: Only include a specific PUA category. This directive can be used
multiple times. See http://www.clamav.net/support/pua for the
complete list of PUA categories.
Default: none
- clamav_mod.OfficialDatabaseOnly
-
Format:
clamav_mod.OfficialDatabaseOnly on|off
Description: Only load the official signatures published by the ClamAV
project.
Default: clamav_mod.OfficialDatabaseOnly off
- clamav_mod.ArchiveBlockEncrypted
-
Format:
clamav_mod.ArchiveBlockEncrypted on|off
Description: Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default: clamav_mod.ArchiveBlockEncrypted off
- clamav_mod.HeuristicScanPrecedence
-
Format:
clamav_mod.HeuristicScanPrecedence on|off
Description: Allow heuristic match to take precedence. When enabled, if a
heuristic scan (such as phishingScan) detects a possible
virus/phishing it will stop scanning immediately. Recommended,
saves CPU scan-time.
Default: clamav_mod.HeuristicScanPrecedence off
- clamav_mod.OLE2BlockMacros
-
Format:
clamav_mod.OLE2BlockMacros on|off
Description: With this option enabled OLE2 files with VBA macros, which were
not detected by signatures will be marked as "Heurisâ
tics.OLE2.ContainsMacros".
Default: clamav_mod.OLE2BlockMacros off
- clamav_mod.PhishingAlwaysBlockSSLMismatch
-
Format:
clamav_mod.PhishingAlwaysBlockSSLMismatch on|off
Description: Always block SSL mismatches in URLs, even if the URL isn't in
the database. This can lead to false positives.
Default: clamav_mod.PhishingAlwaysBlockSSLMismatch off
- clamav_mod.PhishingAlwaysBlockCloak
-
Format:
clamav_mod.PhishingAlwaysBlockCloak on|off
Description: Always block cloaked URLs, even if URL isn't in database. This
can lead to false positives
Default: clamav_mod.PhishingAlwaysBlockCloak off
- clamd_mod.ClamdSocket
-
Format:
clamd_mod.ClamdSocket path
Description: The path of the clamd socket to use
Default: clamd_mod.ClamdSocket /var/run/clamav/clamd.ctl
- clamd_mod.ClamdHost
-
Format:
clamd_mod.ClamdHost host
Description: The host to be used to connect to Clamd if a ClamdPort is specified.
Default: clamd_mod.ClamdHost 127.0.0.1
- clamd_mod.ClamdPort
-
Format:
clamd_mod.ClamdPort port
Description: The port to be used to connect to Clamd. If specified
TCP connection to port "port" will be used instead of ClamdSocket.
When you are using TCP communication with clamd please be sure
that the filesystem permissions allow clamd to scan files created
by clamd_mod module.
The clamd_mod module create files with read permissions to running
c-icap process owner and group.
Default: clamd_mod.ClamdPort None, ClamdSocket is used.
- url_check.EarlyResponses
-
Format:
url_check.EarlyResponses on|off
Description: Set it to off if your ICAP client does not support early responses.
Should not required to touch this parameter.
Default: url_check.EarlyResponses on
Example: url_check.EarlyResponses off
- url_check.LookupTableDB
-
Format:
url_check.LookupTableDB DBName type lookup_table_path [Description]
Description: DBName is a a name for this database
type can be one of the following:
host: defines a hostnames database. Matches if the hostname
exist in ths database.
url: defines a URL's database. Matches if a part of the
http url exist in this database. WARNING: The url arguments
are not included in search
For example the www.site.com/to/path/page.html?arg1&arg2
matches if any of the following exist in this database:
www.site.com/to/path/page.html
www.site.com/to/path/
www.site.com/to/
www.site.com/
site.com/to/path/page.html
site.com/to/path/
site.com/to/
site.com/
com/to/path/page.html
com/to/path/
com/to/
com/www.site.com/to/path/page.html
www.site.com/to/path/
www.site.com/to/
www.site.com/
site.com/to/path/page.html
site.com/to/path/
site.com/to/
site.com/
com/to/path/page.html
com/to/path/
com/to/
com/
full_url: it defines a URL's database. This type of url databases
includes url arguments while searching in the database.
It does the same checks with the "url" databases plus
the checks including the arguments:
www.site.com/to/path/page.html?arg1&arg2
site.com/to/path/page.html?arg1&arg2
com/to/path/page.html?arg1&arg2
url_simple_check: it defines a URL's database. In this type of url
databases only one query with full url performed.
domain: defines a domain names database. Matches if http
server hostname belongs to a domain which exists
in this database.
lookup_table_path is a lookup table definition which contains
keys of the defined type
Optionally a description can be added, which will be displayed when this
database matches.
Default:
- url_check.LoadSquidGuardDB
-
Format:
url_check.LoadSquidGuardDB DBName SquidGuardDBPath [Description]
Description: Defines a squidGuard database. A such database normaly contains
one domain and one urls database, and checked with the same way
the squidGuard use it.
DBName is the database name
SquidGuardDBPath is the path of the database.
Default:
- url_check.Profile
-
Format:
url_check.Profile ProfileName DefaultAction pass|block|match [AddXHeader header]|[NoDefaultXHeaders]|[NoErrorPage]
Description: It is used to define policy profiles. The use of "default" as
ProfileName is reserved and defines a default policy for all
requests for which no profile defined.
Please see the url_check.DefaultAction configuration parameter for
informations about "DefaultAction" argument.
Default: None set
Example: url_check.Profile BlockPorn block porn
url_check.Profile default block multisurbl{127.0.0.126}
url_check.Profile default pass ALL
- url_check.ProfileAccess
-
Format:
url_check.ProfileAccess ProfileName [!]acl1 ...
Description: It is used to select policy profile to apply based on acls
Default: None set
Example: acl Foo group foo
url_check.ProfileAccess BlockPorn Foo
- url_check.DefaultAction
-
Format:
url_check.DefaultAction pass|block|match [AddXHeader header]|[NoDefaultXHeaders]|[NoErrorPage] [RequestFilters]
Description: Configures an url_check "pass", "block" or "match" action.
By default url_check service add the following headers to an ICAP
response: X-ICAP-Profile, X-Attribute, X-Attribute-Prefix,
X-Response-Info and X-Response-Desc.
Also respond with an error page when "block" action selected.
This option allow users to add their own X-headers to ICAP response,
do not add the default x-headers, and do not respond with error page
on blocking decisions.
Configuration options are:
AddXHeader x-header
Add the ICAP header "x-header" in ICAP response. The "x-header"
supports formating codes.
NoDefaultXHeaders
Forces url_check service do not include default X-headers
to ICAP response.
NoErrorPage
This is valid only for "block" action. The url_check service
will not send an error page as response but instead will send
an allow204 or equivalent response.
The RequestFilters are options which enable request modification filters
for the configured action. They can be one of the following:
HttpHeaderAddIfNone Header Value
Adds the Header "Header" with the value "Value" in the HTTP
request headers if the Header does not exist.
HttpHeaderListAdd Header Value
Adds the "Value" to the header "Header", if exist or add
the "Header: Value" pair in HTTP request headers
HttpHeaderRemove Header
Remove the header "Header" from HTTP request headers
HttpHeaderReplace Header Value
Replaces the Header "header in HTTP request headers with a new
one "Header: Value"
Default:
- url_check.ConvertPercentCodesTo
-
Format:
url_check.ConvertPercentCodesTo uppercase|lowercase|none
Description: The url_check service decodes the percent-encoded urls before lookup
into databases. From the decoding excluded the non printable characters
and the non safe characters (" !*'();:@&=+$,/?#[]"). The url databases
should use percent-encoding for non safe characters.
The url_check.ConvertPercentCodesTo configuration parameter can be used
to force url_check service to convert to lowercase or upercase a percent
formating code eg to %f4 or to %F4.
Default:
- srv_content_filtering.MaxBodyData
-
Format:
srv_content_filtering.MaxBodyData size[K|M|G]
Description: Set the maximum size of body data to process
Default:
Example: srv_content_filtering.MaxBodyData 2M
- srv_content_filtering.Match
-
Format:
Description:
Default:
- srv_content_filtering.Profile
-
Format:
srv_content_filtering.Profile ProfileName Action score{MatchingFilter[(>|<|=)TheScore]} [Header|template=Templete|replaceInfo=ReplaceTextTag]
Description: It is used to define policy profiles. The use of "default" as
ProfileName is reserved and defines a default policy for all
requests for which no profile defined.
The following actions can be used for a profile:
block
Blocks and replaces the HTTP response with an error page. The error
page template defined using the "template=TemplateName" parameter
or the tempalte "BLOCK" is used.
allow
Stop processing profile actions and just allowing the response.
add_header
Add a header to the HTTP response.
replace
Replaces parts of HTTP response body data. The "replaceInfo"
parameter must be given to define a name for the info tag which
contains as value the replacement to use for "Match" regex rules.
Example usage:
srv_content_filtering.Match PornScore url /(\ +)(fuck|pussy)(\ +)/i score=10 info{XXX}="$1XXX$3"
srv_content_filtering.Profile chtsanti replace score{PornScore>5} replaceInfo=XXX
The above example will replace "fuck" and "pussy" words with the
"XXX" word for documents having PornScore greater than 5.
The actions applied if a rule which defined by the score of a matching
filter matches.
The module iterates over defined actions for a profile, examines if the
score rule matches and if yes apply the action, untill the first "allow"
or "block" action.
ProfileName
A name for the defined profile.
Action
Can have one of the following values:
block
allow
add_header
replace
MatchingFilter(>|<|=)TheScode
Used to define a rule for the defined action. The action is
applied if the filter named "MatchingFilter" has score greater
less or equal to the "TheScore"
Header
Used with add_header action.
The header definition to add if the add_header action defined
in the form "headerName: headerValue".
The c-icap log formating codes can be used here.
Template
Used with "block" action.
The template name to use as error page if the block action
defined.
ReplaceTextTag
Used with "replace" action.
The information tag which must be used to replace text for a
matching rule
Default:
Example: To block pages with score "PornScore" greater than 15 and replace some
bad words and add an info header to pages with score greater than 5
use:
srv_content_filtering.Match PornScore body /(\ +)(fuck|pussy)(\ +)/i score=10 info{XXX}="(1)XXX(3)"
srv_content_filtering.Profile chtsanti block score{PornScore>15}
srv_content_filtering.Profile chtsanti replace score{PornScore>5} replaceInfo=XXX
srv_content_filtering.Profile chtsanti add_header score{PornScore>5} "X-SrvContentFiltering-Module: maybe-porn"
- srv_content_filtering.ProfileOption
-
Format:
srv_content_filtering.ProfileOption ProfileName Option [value]
Description: It is used to set various otptions for a profile.
ProfileName
The name of the profile
Option can be one of the following:
AnyContentType
By default srv_content_filtering module process only web pages
which are of content type "text/*" (The Content-Type HTTP
response header includes the value "text/") or
"application/javascript".
This option can be used to ignore this rule for the given
profile. This options must always used together with
http_resp_header{Content-Type} or data_type acls in
srv_content_filtering.ProfileAccess, or only with matching
filters operate on http headers or URLs .
MaxBodyData value
Overwrite the srv_content_filtering.MaxBodyData for requests
using this profile. The 'K' and 'M' suffixes can be used to
value to express value on Kilobytes or Megabytes.
Default:
Example: srv_content_filtering.ProfileOption MyProfile AnyContentType
srv_content_filtering.ProfileOption MyProfile MaxBodyData 4M
- srv_content_filtering.ProfileAccess
-
Format:
srv_content_filtering.ProfileAccess ProfileName [!]acl1 ...
Description: It is used to select policy profile to apply based on acls
Default: None set
Example: acl Foo group foo
url_check.ProfileAccess BlockPorn Foo
- srv_content_filtering.Action
-
Format:
srv_content_filtering.Action Action score{MatchingFilter[(>|<|=)TheScore]}
Description: Equivalent to a srv_content_filtering.Profile configuration line
with the profile name "default":
srv_content_filtering.Profile default ....
Default: None set
Example: srv_content_filtering.Action block score{PornScore>5}
srv_content_filtering.Action block score{VideoHeader}