Untitled

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

acl lan src 10.0.0.0/24

# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

http_access allow lan

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|?) 0 0%  0
refresh_pattern .       0   20% 4320


request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

# do not display IP address
forwarded_for off

#
# This file contains the default settings for c-icap
#
#


PidFile /var/run/c-icap/c-icap.pid


CommandsSocket /var/run/c-icap/c-icap.ctl


Timeout 300


MaxKeepAliveRequests 100


KeepAliveTimeout 600


StartServers 3


MaxServers 10


MinSpareThreads     10


MaxSpareThreads     20


ThreadsPerChild     10


MaxRequestsPerChild  0


Port 1344

# TAG: User
# Format: User username
# Description:
#   The user owning c-icap's processes. By default, the owner is the
#   user who runs the program.
# Default:
#   No value
# Example:
#   User wwwrun

# TAG: Group
# Format: Group groupname
# Description:
#   The group of users owning c-icap's processes, which, by default
#   is the group of the current user.
# Default:
#   No value
# Example:
#   Group nogroup

ServerAdmin root@srv.world

ServerName prox.srv.world

# TAG: TmpDir
# Format: TmpDir dir
# Description:
#   dir is the location of temporary files.
# Default:
#   TmpDir /var/tmp
TmpDir /var/tmp

# TAG: MaxMemObject
# Format: MaxMemObject bytes
# Description:
#   The maximum memory size in bytes taken by an object which
#   is processed by c-icap . If the size of an object's body is
#   larger than the maximum size a temporary file is used.
# Default:
#   MaxMemObject 131072
MaxMemObject 131072

# TAG: DebugLevel
# Format: DebugLevel level
# Description:
#   The level of debugging information to be logged.
#   The acceptable range of levels is between 0 and 10.
# Default:
#   DebugLevel 1
DebugLevel 1

# TAG: Pipelining
# Format: Pipelining on|off
# Description:
#   Enable or disable ICAP requests pipelining
# Default:
#   Pipelining on
Pipelining on

# TAG: SupportBuggyClients
# FORMAT: SupportBuggyClients on|off
# Description:
#   Try to handle requests from buggy clients, for example ICAP requests
#   missing "rn" sequences
# Default:
# SupportBuggyClients off
SupportBuggyClients off

# TAG: Allow204As200okZeroEncaps
# Format: Allow204As200okZeroEncaps
# Description:
#   When used the c-icap instead of allow 204 return "200 OK" responses
#   with zero encapsulated entities.
# Default:
#   No set

# TAG: ModulesDir
# Format: ModulesDir dir
# Description:
#   The location of modules
# Default:
#   ModulesDir /usr/local/c-icap-0.4.x/lib/c_icap
ModulesDir /usr/local/lib/c_icap

# TAG: ServicesDir
# Format: ServicesDir dir
# Description:
#   The location of services
# Default:
#   ServicesDir /usr/local/c-icap-0.4.x/lib/c_icap
ServicesDir /usr/local/lib/c_icap

# TAG: TemplateDir
# Format: TemplateDir dir
# Description:
#   The location of the text templates used by c-icap and its services,
#   categorized by language and services/modules
# Default:
#   No value
# Example:
TemplateDir /usr/local/share/c_icap/templates/

# TAG: TemplateDefaultLanguage
# Format: TemplateDefaultLanguage lang
# Description:
#   Sets the default language to use for text templates
# Default:
#   TemplateDefaultLanguage en
TemplateDefaultLanguage en

#TemplateReloadTime 360
#TemplateCacheSize 20
#TemplateMemBufSize 8192

# TAG: LoadMagicFile
# Format: LoadMagicFile path
# Description:
#   Load a c-icap magic file. A magic file contains various
#   data type definitions. Look inside default c-icap.magic file
#   for more informations.
#   It can be used more than once to use multiple magic files.
# Default:
#   LoadMagicFile /usr/local/c-icap-0.4.x/etc/c-icap.magic
LoadMagicFile /usr/local/etc/c-icap.magic

# TAG: RemoteProxyUsers
# Format: RemoteProxyUsers onoff
# Description:
#   Set it to on if you want to use username provided by the proxy server.
#   This is the recomended way to use users in c-icap.
#   If the RemoteProxyUsers is off and c-icap configured to use users or
#   groups the internal authentication mechanism will be used.
# Default:
#   RemoteProxyUsers off
RemoteProxyUsers off

# TAG: RemoteProxyUserHeader
# Format: RemoteProxyUserHeader Header
# Description:
#   Used to specify the icap header used by the proxy server to send
#   the authenticated client username to c-icap server
# Default:
#   RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeader X-Authenticated-User

# TAG: RemoteProxyUserHeaderEncoded
# Format: RemoteProxyUserHeaderEncoded onoff
# Description:
#   Set it to off if the RemoteProxyUserHeader is not base64 encoded
# Default:
#   RemoteProxyUserHeaderEncoded on
RemoteProxyUserHeaderEncoded on

# TAG: AuthMethod
# Format: AuthMethod Method Authenticator
# Description:
#   Used to define the internal authentication mechanism to use. This
#   feature is not well tested and may cause problems. It is better to use
#   RemoteProxyUser configuration.
#   Method is the authentication method to use (basic, digest, etc).
#   Currently only basic authentication method is implemented as build in
#   module
#   Authenticator currently can only be "basic_simple_db"
#   It can be considered as a user/password store and can be
#   implemented as external module. The basic_simple_db is implemented as
#   build it module
# Default:
#   No set
# Example:
#   AuthMethod basic basic_simple_db

# TAG: basic.Realm
# Format: basic.Realm ARealm
# Description:
#   Specify the basic method realm
# Default:
#   basic.Realm "Basic authentication"
# Example:
#   basic.Realm "c-icap server authentication"

# TAG: basic_simple_db.UsersDB
# Format: basic_simple_db.UsersDB LookupTable
# Description:
#   Specify the lookup table where the usernames/passwords pairs
#   are stored. The paswords must be unencrypted
#   For more information about c-icap lookup tables read c-icap server
#   manual page
# Default:
#   No value
# Example:
#   basic_simple_db.UsersDB hash:/usr/local/c-icap/etc/c-icap-users.txt

# TAG: GroupSourceByGroup
# Format: GroupSourceByGroup LookupTable
# Description:
#   Defines a lookup table where the groups of users are stored indexed
#   by group. It can be used more than once.
#   For more information about c-icap lookup tables read c-icap server
#   manual page
# Default:
#   No set
# Example:
#   GroupSourceByGroup hash:/usr/local/c-icap/etc/c-icap-groups.txt

# TAG: GroupSourceByUser
# Format: GroupSourceByUser LookupTable
# Description:
#   Defines a lookup table where the groups of users are stored indexed
#   by user. It can be used more than once.
#   For more information about c-icap lookup tables read c-icap server
#   manual page
# Default:
#   No set
# Example:
#   GroupSourceByUser hash:/usr/local/c-icap/etc/c-icap-user-groups.txt

# TAG: acl
# Format: acl name type[{param}] value1 [value2] [...]
# Description:
#   Supported acl types are:
#       acl aclname service service1 ...
#            The servicename
#       acl aclname type OPTIONS|RESPMOD|REQMOD ...
#            The icap method
#       acl aclname port port1 ...
#            The icap server port
#       acl aclname src ip1/netmask1 ...
#            The client ip address
#       acl aclname srvip ip1/netmask1 ...
#            The c-icap server ip address
#       acl aclname icap_header{HeaderName} value1 ...
#            Matches the icap header HeaderName with value1 ...
#            The values are in regex form: /avalue/flags
#       acl aclname icap_resp_header{HeaderName} value1 ...
#            The icap response header
#            The values are in regex form: /avalue/flags
#       acl aclname http_req_header{HeaderName} value1 ...
#            The http request header
#            The values are in regex form: /avalue/flags
#       acl aclname http_resp_header{HeaderName} value1 ...
#            The http response header
#            The values are in regex form: /avalue/flags
#       acl aclname data_type type1 ...
#            The data type as recognized by the internal data type
#            recognizer. The types are defined in c-icap.magic file
#       acl aclname auth username|* ...
#            The authenticated users. Using * instead of username means
#            all users.
#       acl aclname group group1 ...
#            if the user of request belongs to given groups
#       acl content_length{>|<|=} value1 ...
#            The content length of body data if the related information
#            included in http headers.
#            The parameter can take the value <, > or = to specify that
#            the acl will match if content length is less, greater or
#            equal to acl values.
#       acl time value1 ....
#            It checks agains current time. The values format is:
#            [DAY[,DAY,[..]]][/][HH:MM-HH:MM]
#            The DAY can be one of the following:
#           S - Sunday
#           M - Monday
#           T - Tuesday
#           W - Wednesday
#           H - Thursday
#           F - Friday
#           A - Saturday
#       acl http_client_ip ip1[/netmask1] ...
#            The HTTP client ip address, if it is available.
# Default:
#   None set
# Examples:
#   acl OPTIONS type OPTIONS
#   acl RESPMOD type RESPMOD
#   acl REQMOD  type REQMOD
#   acl ALLREQUESTS type OPTIONS RESPMOD REQMOD
#   acl XHEAD icap_header{X-Test}  /value/
#   acl ECHO service echo
#   acl localnet src 192.168.1.0/255.255.255.0
#   acl localhost src 127.0.0.1/255.255.255.255
#   acl all src 0.0.0.0/0.0.0.0
#   acl BigObjects content_length{>} 5000000
#   acl WorkingHours time M,T,W,H,F/8:00-18:00
#   acl FreeHour time Sunday,Saturday/8:00-23:59 M,T,W,H,F/18:01-23:59 M,T,W,H,F/0:00-7.59

# TAG: icap_access
# Format: icap_access allow|deny [!]acl1 ...
# Description:
#   Allowing or denying ICAP access based on defined access lists
# Default:
#   None set
# Example:
#   icap_access deny XHEAD
#   #Allow OPTIONS method for all:
#   icap_access allow localnet OPTIONS
#   #Require authentication for all users from local network:
#   icap_access allow AUTH localnet
#   icap_access deny all

# TAG: client_access
# Format: client_access allow|deny acl1 [acl2] [...]
# Description:
#   Allowing or denying connections on c-icap based on
#   defined access lists. Only the acl types src, srvip and port
#   can be used.
# Default:
#   None set
# Example:
#   client_access allow all

# TAG: LogFormat
# Format: LogFormat Name Format
# Description:
#   Name is a name for this log format.
#   Format is a string with embedded % format codes. % format codes
#   has the following form:
#       % [-] [width] [{argument}] formatcode
#       if - is specified then the output is left aligned
#       if width specified then the field is exactly width size
#       some formatcodes support arguments given as {argument}
#
#   Format codes:
#          %a:  Remote IP-Address
#          %la: Local IP Address
#          %lp: Local port
#          %>a: Http Client IP Address. Only supported if the proxy
#               client supports the "X-Client-IP" header
#          %<A: Http Server IP Address. Only supported if the proxy
#               client supports the "X-Server-IP" header
#          %ts: Seconds since epoch
#          %tl: Local time. Supports optional strftime format argument
#          %tg: GMT time. Supports optional strftime format argument
#          %>ho: Modified Http request header. Supports header name
#                as argument. If no argument given the first line returned
#          %huo: Modified Http request url
#          %<ho: Modified Http reply header. Supports header name
#                as argument. If no argument given the first line returned
#          %iu: Icap request url
#          %im: Icap method
#          %is: Icap status code
#          %>ih: Icap request header. Supports header name
#                as argument. If no argument given the first line returned
#          %<ih: Icap response header. Supports header name
#                as argument. If no argument given the first line returned
#          %Ih: Http bytes received
#          %Oh: Http bytes sent
#          %Ib: Http body bytes received
#          %Ob: Http body bytes sent
#          %I: Bytes received
#          %O: Bytes sent
#          %bph: The first 5 bytes of the body preview data. Non
#                printable characters printed in hex form.
#                Supports the number of bytes to output as argument.
#          %un: Username
#          %Sl: Service log string
#              %Sa: Attribute value set by service. The attribute name must
#                   given as argument.
# Default:
#   None set
# Example:
#   LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph"

# TAG: ServerLog
# Format: ServerLog LogFile
# Description:
#   the file used by the build-in logger file_logger to
#   store debugging information, errors and other
#   information about the c-icap server.
# Default:
#   ServerLog /usr/local/c-icap-0.4.x/var/log/server.log
ServerLog /usr/local/var/log/server.log

# TAG: AccessLog
# Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...]
# Description:
#   LogFile is a file where to log access information.
#   LogFormat is the log format to use. If ommited c-icap uses:
#       "%tl, %la %a %im %iu %is"
#   Also acls can be used to select certain requests to be logged.
#   This directive can be used more than once to specify more than
#   one access log files
# Default:
#   AccessLog /usr/local/c-icap-0.4.x/var/log/access.log
# Example:
#   AccessLog /usr/local/c-icap-0.4.x/var/log/access.log MyFormat all
AccessLog /usr/local/var/log/access.log

# TAG: Logger
# Format: Logger LoggerName
# Description:
#   Specify wich logger to use. By default uses the build in "file_logger" which
#   uses files for access and server logging.
# Default:
#   Logger file_logger
# Example:
#   Logger sys_logger

# TAG: Module
# Format: Module Type ModuleFile
# Description:
#   Load an external module/plugin to c-icap.
#   ModuleFile is the filename of the module. If no full path given then c-icap
#   searche in path defined by the ModulesDir configuration parameter.
#   Type is the type of the external module and can be one of the following:
#   - "logger" for modules implement a logger
#   - "common" for general purpose modules
# Default:
#
# Example:
#   Module logger sys_logger.so

# TAG: Service
# Format: Service aName ServiceFile
# Description:
#   It loads the service ServiceFile. The argument aName used
#   as alias name for the service
# Default:
#
# Example:
#   Service echo_service srv_echo.so

Service squidclamav squidclamav.so

# TAG: ServiceAlias
# Format: ServiceAlias AliasName ServiceName[?param1=value1&param2=value2...]
# Description:
#   Used to define an alias name for a service.
# Default:
#
# Example:
#   ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple


#
# TAG: General configuration parameters for all services
# Description:
#   PreviewSize: The preview data size to advertise to the icap client
#   MaxConnections: The client should not use more than MaxConnections
#       for this service.
#   TransferPreview: The list of file extensions, seperated by commas,
#       for which the client should send preview data.
#   TransferIgnore: The list of file extensions that should not be sent
#       to the icap server
#   TransferComplete: The list of file extensions that should be sent
#       in their entirety, without preview, to the icap server
#   OptionsTTL: The options ttl for the service. The "sec[s]", "min" or
#       "hour[s]" can be used to secify that the time is in seconds
#       minutes or hours respectively. If no time-units given
#       seconds are assumed.
#   Allow206 on|off: Enable/disable advertise of 206 responses.
#
# Example:
#   echo.PreviewSize 512
#   echo.TransferIgnore gif, jpeg
#   echo.OptionsTTL 3 min


######################################################
# External modules comming with core c-icap server
#
# Module: echo
# Description:
#   Simple test service
# Example:
#   Service echo srv_echo.so
Service echo srv_echo.so

# Module: sys_logger
# Description:
#   Add support for logging access and server events to syslog server
#   Use "Module" configuration parameter to load this module and "Logger"
#   to make it default logger for the c-icap.
# Example:
#   Module logger sys_logger.so
#   Logger sys_logger


# TAG: sys_logger.Prefix
# Format: sys_logger.Prefix string
# Description:
#    string is be presented in every syslog message.
# Default:
#   sys_logger.Prefix "C-ICAP:"

# TAG: sys_logger.Facility
# Format: sys_logger.Facility daemon|user|local1|local2|local3|local4|local5|local6|local7
# Description:
#   specifies the facility type of syslog.
# Default:
#   sys_logger.Facility daemon

# TAG: sys_logger.access_priority
# Format: sys_logger.access_priority alert|crit|debug|emerg|err|info|notice|warning
# Description:
#   determines  the  importance  of the access log message
# Default:
#   sys_logger.access_priority info

# TAG: sys_logger.server_priority
# Format: sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning
# Description:
#   determines  the  importance  of the server log message
# Default:
#   sys_logger.server_priority crit

# TAG: sys_logger.LogFormat
# Format: sys_logger.LogFormat LOGFORMAT
# Description:
#   The log format to use. If no log format defined then
#   the following will be used:
#       "%la %a %im %iu %is"
# Default:
#   None set
# Example:
#   Logformat BasicFormat "%la %a %im %iu %is"
#   sys_logger.LogFormat BasicFormat

# TAG: sys_logger.access
# Format: sys_logger.access [!]acl1 ...
# Description:
#   Allow selecting ICAP requests to be logged using acls.
#   By default all requests will be logged.
# Default:
#   None set
# Example:
#   sys_logger.access all

# End module: sys_logger

# Module: bdb_tables
# Description:
#   Add support for Berkeley DB based lookup tables. The format for
#   bdb path of the lookup table is:
#       bdb:/path/to/bdb
#   Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables
# Example:
#   Module common bdb_tables.so

# End module: bdb_tables

# Module: dnsbl_tables
# Description:
#   Add support for dns lookup tables. Can be used to access
#   dns block lists. The dnsbl lookup table path definition is:
#       dnsbl:domainname[{param1=val, ...}]
#       dnsbl table parameters can be one or more of the followings:
#            cache=no|cache_type
#               The cache type to use or 'no' for no cache.
#            cache-size=Size[K|M]
#               The cache size in RAM
#            cache-ttl=ttl
#               The cache ttl to use
#
#   For example the lookup table  for accessing the black.uribl.com
#   dns black list is:
#       dnsbl:black.uribl.com
# Example:
#   Module common dnsbl_tables.so

# End module: dnsbl_tables

# Module: ldap_module
# Description:
#   Add LDAP support to c-icap. The user can use LDAP based lookup tables
#   using the following lookup table path:
#         ldap://[username:password@]ldapserver?base?attr1,attr2?filter[{[param=value, ...]}]
#   The filter can contain the "%s" formating code which will be replaced by
#   the search key.
#   ldap table parameters can be one or more of the followings:
#        name=aName
#       A unique name to use for this table
#        cache=no|cache_type
#       The cache type to use or no for no cache.
#        cache-size=Size[K|M]
#       The cache size in RAM
#        cache-ttl=ttl
#       The cache ttl to use
#        cache-item-size=ItemSize[K|M]
#       The maximum item size
#
#   Examples of supported ldap urls:
#        ldap://ldap.chtsanti.net?o=chtsanti?cn,uid?uid=%s{cache=memcached}
#        ldap://cn=Directory Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s))
#
#   WARNING: is not enough tested it may contain bugs!
# Example:
#   Module common ldap_module.so

# End module: ldap_module

# Module: memcached
# Description:
#       Add support for memcached c-icap cache.
# Example:
#       Module common memcached.so

# TAG: memcached.servers
# Format: memcached.servers hostname1 hostname2 ...
# Description:
#   Set the memcached servers to use
# Default:
#   memcached.servers 127.0.0.1

# TAG: memcached.use_md5_keys
# Format: memcached.use_md5_keys on|off
# Description:
#   Whether to use or not md5 hash as key when the key exceeds the
#   MEMCACHED_MAX_KEY (normaly 251 bytes)
# Default:
#   memcached.use_md5_keys on

# End module: memcached