Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #
- # Recommended minimum configuration:
- #
- # Example rule allowing access from your local networks.
- # Adapt to list your (internal) IP networks from where browsing
- # should be allowed
- acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
- acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
- acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
- acl localnet src fc00::/7 # RFC 4193 local private network range
- acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
- acl SSL_ports port 443
- acl Safe_ports port 80 # http
- acl Safe_ports port 21 # ftp
- acl Safe_ports port 443 # https
- acl Safe_ports port 70 # gopher
- acl Safe_ports port 210 # wais
- acl Safe_ports port 1025-65535 # unregistered ports
- acl Safe_ports port 280 # http-mgmt
- acl Safe_ports port 488 # gss-http
- acl Safe_ports port 591 # filemaker
- acl Safe_ports port 777 # multiling http
- acl CONNECT method CONNECT
- acl lan src 10.0.0.0/24
- # Recommended minimum Access Permission configuration:
- #
- # Deny requests to certain unsafe ports
- http_access deny !Safe_ports
- # Deny CONNECT to other than secure SSL ports
- http_access deny CONNECT !SSL_ports
- # Only allow cachemgr access from localhost
- http_access allow localhost manager
- http_access deny manager
- # We strongly recommend the following be uncommented to protect innocent
- # web applications running on the proxy server who think the only
- # one who can access services on "localhost" is a local user
- #http_access deny to_localhost
- #
- # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
- #
- # Example rule allowing access from your local networks.
- # Adapt localnet in the ACL section to list your (internal) IP networks
- # from where browsing should be allowed
- http_access allow localnet
- http_access allow localhost
- http_access allow lan
- # And finally deny all other access to this proxy
- http_access deny all
- # Squid normally listens to port 3128
- http_port 3128
- # Uncomment and adjust the following to add a disk cache directory.
- #cache_dir ufs /var/spool/squid 100 16 256
- # Leave coredumps in the first cache dir
- coredump_dir /var/spool/squid
- #
- # Add any of your own refresh_pattern entries above these.
- #
- refresh_pattern ^ftp: 1440 20% 10080
- refresh_pattern ^gopher: 1440 0% 1440
- refresh_pattern -i (/cgi-bin/|?) 0 0% 0
- refresh_pattern . 0 20% 4320
- request_header_access Referer deny all
- request_header_access X-Forwarded-For deny all
- request_header_access Via deny all
- request_header_access Cache-Control deny all
- icap_enable on
- icap_send_client_ip on
- icap_send_client_username on
- icap_client_username_header X-Authenticated-User
- icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
- adaptation_access service_req allow all
- icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
- adaptation_access service_resp allow all
- # do not display IP address
- forwarded_for off
- #
- # This file contains the default settings for c-icap
- #
- #
- PidFile /var/run/c-icap/c-icap.pid
- CommandsSocket /var/run/c-icap/c-icap.ctl
- Timeout 300
- MaxKeepAliveRequests 100
- KeepAliveTimeout 600
- StartServers 3
- MaxServers 10
- MinSpareThreads 10
- MaxSpareThreads 20
- ThreadsPerChild 10
- MaxRequestsPerChild 0
- Port 1344
- # TAG: User
- # Format: User username
- # Description:
- # The user owning c-icap's processes. By default, the owner is the
- # user who runs the program.
- # Default:
- # No value
- # Example:
- # User wwwrun
- # TAG: Group
- # Format: Group groupname
- # Description:
- # The group of users owning c-icap's processes, which, by default
- # is the group of the current user.
- # Default:
- # No value
- # Example:
- # Group nogroup
- ServerAdmin root@srv.world
- ServerName prox.srv.world
- # TAG: TmpDir
- # Format: TmpDir dir
- # Description:
- # dir is the location of temporary files.
- # Default:
- # TmpDir /var/tmp
- TmpDir /var/tmp
- # TAG: MaxMemObject
- # Format: MaxMemObject bytes
- # Description:
- # The maximum memory size in bytes taken by an object which
- # is processed by c-icap . If the size of an object's body is
- # larger than the maximum size a temporary file is used.
- # Default:
- # MaxMemObject 131072
- MaxMemObject 131072
- # TAG: DebugLevel
- # Format: DebugLevel level
- # Description:
- # The level of debugging information to be logged.
- # The acceptable range of levels is between 0 and 10.
- # Default:
- # DebugLevel 1
- DebugLevel 1
- # TAG: Pipelining
- # Format: Pipelining on|off
- # Description:
- # Enable or disable ICAP requests pipelining
- # Default:
- # Pipelining on
- Pipelining on
- # TAG: SupportBuggyClients
- # FORMAT: SupportBuggyClients on|off
- # Description:
- # Try to handle requests from buggy clients, for example ICAP requests
- # missing "rn" sequences
- # Default:
- # SupportBuggyClients off
- SupportBuggyClients off
- # TAG: Allow204As200okZeroEncaps
- # Format: Allow204As200okZeroEncaps
- # Description:
- # When used the c-icap instead of allow 204 return "200 OK" responses
- # with zero encapsulated entities.
- # Default:
- # No set
- # TAG: ModulesDir
- # Format: ModulesDir dir
- # Description:
- # The location of modules
- # Default:
- # ModulesDir /usr/local/c-icap-0.4.x/lib/c_icap
- ModulesDir /usr/local/lib/c_icap
- # TAG: ServicesDir
- # Format: ServicesDir dir
- # Description:
- # The location of services
- # Default:
- # ServicesDir /usr/local/c-icap-0.4.x/lib/c_icap
- ServicesDir /usr/local/lib/c_icap
- # TAG: TemplateDir
- # Format: TemplateDir dir
- # Description:
- # The location of the text templates used by c-icap and its services,
- # categorized by language and services/modules
- # Default:
- # No value
- # Example:
- TemplateDir /usr/local/share/c_icap/templates/
- # TAG: TemplateDefaultLanguage
- # Format: TemplateDefaultLanguage lang
- # Description:
- # Sets the default language to use for text templates
- # Default:
- # TemplateDefaultLanguage en
- TemplateDefaultLanguage en
- #TemplateReloadTime 360
- #TemplateCacheSize 20
- #TemplateMemBufSize 8192
- # TAG: LoadMagicFile
- # Format: LoadMagicFile path
- # Description:
- # Load a c-icap magic file. A magic file contains various
- # data type definitions. Look inside default c-icap.magic file
- # for more informations.
- # It can be used more than once to use multiple magic files.
- # Default:
- # LoadMagicFile /usr/local/c-icap-0.4.x/etc/c-icap.magic
- LoadMagicFile /usr/local/etc/c-icap.magic
- # TAG: RemoteProxyUsers
- # Format: RemoteProxyUsers onoff
- # Description:
- # Set it to on if you want to use username provided by the proxy server.
- # This is the recomended way to use users in c-icap.
- # If the RemoteProxyUsers is off and c-icap configured to use users or
- # groups the internal authentication mechanism will be used.
- # Default:
- # RemoteProxyUsers off
- RemoteProxyUsers off
- # TAG: RemoteProxyUserHeader
- # Format: RemoteProxyUserHeader Header
- # Description:
- # Used to specify the icap header used by the proxy server to send
- # the authenticated client username to c-icap server
- # Default:
- # RemoteProxyUserHeader X-Authenticated-User
- RemoteProxyUserHeader X-Authenticated-User
- # TAG: RemoteProxyUserHeaderEncoded
- # Format: RemoteProxyUserHeaderEncoded onoff
- # Description:
- # Set it to off if the RemoteProxyUserHeader is not base64 encoded
- # Default:
- # RemoteProxyUserHeaderEncoded on
- RemoteProxyUserHeaderEncoded on
- # TAG: AuthMethod
- # Format: AuthMethod Method Authenticator
- # Description:
- # Used to define the internal authentication mechanism to use. This
- # feature is not well tested and may cause problems. It is better to use
- # RemoteProxyUser configuration.
- # Method is the authentication method to use (basic, digest, etc).
- # Currently only basic authentication method is implemented as build in
- # module
- # Authenticator currently can only be "basic_simple_db"
- # It can be considered as a user/password store and can be
- # implemented as external module. The basic_simple_db is implemented as
- # build it module
- # Default:
- # No set
- # Example:
- # AuthMethod basic basic_simple_db
- # TAG: basic.Realm
- # Format: basic.Realm ARealm
- # Description:
- # Specify the basic method realm
- # Default:
- # basic.Realm "Basic authentication"
- # Example:
- # basic.Realm "c-icap server authentication"
- # TAG: basic_simple_db.UsersDB
- # Format: basic_simple_db.UsersDB LookupTable
- # Description:
- # Specify the lookup table where the usernames/passwords pairs
- # are stored. The paswords must be unencrypted
- # For more information about c-icap lookup tables read c-icap server
- # manual page
- # Default:
- # No value
- # Example:
- # basic_simple_db.UsersDB hash:/usr/local/c-icap/etc/c-icap-users.txt
- # TAG: GroupSourceByGroup
- # Format: GroupSourceByGroup LookupTable
- # Description:
- # Defines a lookup table where the groups of users are stored indexed
- # by group. It can be used more than once.
- # For more information about c-icap lookup tables read c-icap server
- # manual page
- # Default:
- # No set
- # Example:
- # GroupSourceByGroup hash:/usr/local/c-icap/etc/c-icap-groups.txt
- # TAG: GroupSourceByUser
- # Format: GroupSourceByUser LookupTable
- # Description:
- # Defines a lookup table where the groups of users are stored indexed
- # by user. It can be used more than once.
- # For more information about c-icap lookup tables read c-icap server
- # manual page
- # Default:
- # No set
- # Example:
- # GroupSourceByUser hash:/usr/local/c-icap/etc/c-icap-user-groups.txt
- # TAG: acl
- # Format: acl name type[{param}] value1 [value2] [...]
- # Description:
- # Supported acl types are:
- # acl aclname service service1 ...
- # The servicename
- # acl aclname type OPTIONS|RESPMOD|REQMOD ...
- # The icap method
- # acl aclname port port1 ...
- # The icap server port
- # acl aclname src ip1/netmask1 ...
- # The client ip address
- # acl aclname srvip ip1/netmask1 ...
- # The c-icap server ip address
- # acl aclname icap_header{HeaderName} value1 ...
- # Matches the icap header HeaderName with value1 ...
- # The values are in regex form: /avalue/flags
- # acl aclname icap_resp_header{HeaderName} value1 ...
- # The icap response header
- # The values are in regex form: /avalue/flags
- # acl aclname http_req_header{HeaderName} value1 ...
- # The http request header
- # The values are in regex form: /avalue/flags
- # acl aclname http_resp_header{HeaderName} value1 ...
- # The http response header
- # The values are in regex form: /avalue/flags
- # acl aclname data_type type1 ...
- # The data type as recognized by the internal data type
- # recognizer. The types are defined in c-icap.magic file
- # acl aclname auth username|* ...
- # The authenticated users. Using * instead of username means
- # all users.
- # acl aclname group group1 ...
- # if the user of request belongs to given groups
- # acl content_length{>|<|=} value1 ...
- # The content length of body data if the related information
- # included in http headers.
- # The parameter can take the value <, > or = to specify that
- # the acl will match if content length is less, greater or
- # equal to acl values.
- # acl time value1 ....
- # It checks agains current time. The values format is:
- # [DAY[,DAY,[..]]][/][HH:MM-HH:MM]
- # The DAY can be one of the following:
- # S - Sunday
- # M - Monday
- # T - Tuesday
- # W - Wednesday
- # H - Thursday
- # F - Friday
- # A - Saturday
- # acl http_client_ip ip1[/netmask1] ...
- # The HTTP client ip address, if it is available.
- # Default:
- # None set
- # Examples:
- # acl OPTIONS type OPTIONS
- # acl RESPMOD type RESPMOD
- # acl REQMOD type REQMOD
- # acl ALLREQUESTS type OPTIONS RESPMOD REQMOD
- # acl XHEAD icap_header{X-Test} /value/
- # acl ECHO service echo
- # acl localnet src 192.168.1.0/255.255.255.0
- # acl localhost src 127.0.0.1/255.255.255.255
- # acl all src 0.0.0.0/0.0.0.0
- # acl BigObjects content_length{>} 5000000
- # acl WorkingHours time M,T,W,H,F/8:00-18:00
- # acl FreeHour time Sunday,Saturday/8:00-23:59 M,T,W,H,F/18:01-23:59 M,T,W,H,F/0:00-7.59
- # TAG: icap_access
- # Format: icap_access allow|deny [!]acl1 ...
- # Description:
- # Allowing or denying ICAP access based on defined access lists
- # Default:
- # None set
- # Example:
- # icap_access deny XHEAD
- # #Allow OPTIONS method for all:
- # icap_access allow localnet OPTIONS
- # #Require authentication for all users from local network:
- # icap_access allow AUTH localnet
- # icap_access deny all
- # TAG: client_access
- # Format: client_access allow|deny acl1 [acl2] [...]
- # Description:
- # Allowing or denying connections on c-icap based on
- # defined access lists. Only the acl types src, srvip and port
- # can be used.
- # Default:
- # None set
- # Example:
- # client_access allow all
- # TAG: LogFormat
- # Format: LogFormat Name Format
- # Description:
- # Name is a name for this log format.
- # Format is a string with embedded % format codes. % format codes
- # has the following form:
- # % [-] [width] [{argument}] formatcode
- # if - is specified then the output is left aligned
- # if width specified then the field is exactly width size
- # some formatcodes support arguments given as {argument}
- #
- # Format codes:
- # %a: Remote IP-Address
- # %la: Local IP Address
- # %lp: Local port
- # %>a: Http Client IP Address. Only supported if the proxy
- # client supports the "X-Client-IP" header
- # %<A: Http Server IP Address. Only supported if the proxy
- # client supports the "X-Server-IP" header
- # %ts: Seconds since epoch
- # %tl: Local time. Supports optional strftime format argument
- # %tg: GMT time. Supports optional strftime format argument
- # %>ho: Modified Http request header. Supports header name
- # as argument. If no argument given the first line returned
- # %huo: Modified Http request url
- # %<ho: Modified Http reply header. Supports header name
- # as argument. If no argument given the first line returned
- # %iu: Icap request url
- # %im: Icap method
- # %is: Icap status code
- # %>ih: Icap request header. Supports header name
- # as argument. If no argument given the first line returned
- # %<ih: Icap response header. Supports header name
- # as argument. If no argument given the first line returned
- # %Ih: Http bytes received
- # %Oh: Http bytes sent
- # %Ib: Http body bytes received
- # %Ob: Http body bytes sent
- # %I: Bytes received
- # %O: Bytes sent
- # %bph: The first 5 bytes of the body preview data. Non
- # printable characters printed in hex form.
- # Supports the number of bytes to output as argument.
- # %un: Username
- # %Sl: Service log string
- # %Sa: Attribute value set by service. The attribute name must
- # given as argument.
- # Default:
- # None set
- # Example:
- # LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph"
- # TAG: ServerLog
- # Format: ServerLog LogFile
- # Description:
- # the file used by the build-in logger file_logger to
- # store debugging information, errors and other
- # information about the c-icap server.
- # Default:
- # ServerLog /usr/local/c-icap-0.4.x/var/log/server.log
- ServerLog /usr/local/var/log/server.log
- # TAG: AccessLog
- # Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...]
- # Description:
- # LogFile is a file where to log access information.
- # LogFormat is the log format to use. If ommited c-icap uses:
- # "%tl, %la %a %im %iu %is"
- # Also acls can be used to select certain requests to be logged.
- # This directive can be used more than once to specify more than
- # one access log files
- # Default:
- # AccessLog /usr/local/c-icap-0.4.x/var/log/access.log
- # Example:
- # AccessLog /usr/local/c-icap-0.4.x/var/log/access.log MyFormat all
- AccessLog /usr/local/var/log/access.log
- # TAG: Logger
- # Format: Logger LoggerName
- # Description:
- # Specify wich logger to use. By default uses the build in "file_logger" which
- # uses files for access and server logging.
- # Default:
- # Logger file_logger
- # Example:
- # Logger sys_logger
- # TAG: Module
- # Format: Module Type ModuleFile
- # Description:
- # Load an external module/plugin to c-icap.
- # ModuleFile is the filename of the module. If no full path given then c-icap
- # searche in path defined by the ModulesDir configuration parameter.
- # Type is the type of the external module and can be one of the following:
- # - "logger" for modules implement a logger
- # - "common" for general purpose modules
- # Default:
- #
- # Example:
- # Module logger sys_logger.so
- # TAG: Service
- # Format: Service aName ServiceFile
- # Description:
- # It loads the service ServiceFile. The argument aName used
- # as alias name for the service
- # Default:
- #
- # Example:
- # Service echo_service srv_echo.so
- Service squidclamav squidclamav.so
- # TAG: ServiceAlias
- # Format: ServiceAlias AliasName ServiceName[?param1=value1¶m2=value2...]
- # Description:
- # Used to define an alias name for a service.
- # Default:
- #
- # Example:
- # ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
- #
- # TAG: General configuration parameters for all services
- # Description:
- # PreviewSize: The preview data size to advertise to the icap client
- # MaxConnections: The client should not use more than MaxConnections
- # for this service.
- # TransferPreview: The list of file extensions, seperated by commas,
- # for which the client should send preview data.
- # TransferIgnore: The list of file extensions that should not be sent
- # to the icap server
- # TransferComplete: The list of file extensions that should be sent
- # in their entirety, without preview, to the icap server
- # OptionsTTL: The options ttl for the service. The "sec[s]", "min" or
- # "hour[s]" can be used to secify that the time is in seconds
- # minutes or hours respectively. If no time-units given
- # seconds are assumed.
- # Allow206 on|off: Enable/disable advertise of 206 responses.
- #
- # Example:
- # echo.PreviewSize 512
- # echo.TransferIgnore gif, jpeg
- # echo.OptionsTTL 3 min
- ######################################################
- # External modules comming with core c-icap server
- #
- # Module: echo
- # Description:
- # Simple test service
- # Example:
- # Service echo srv_echo.so
- Service echo srv_echo.so
- # Module: sys_logger
- # Description:
- # Add support for logging access and server events to syslog server
- # Use "Module" configuration parameter to load this module and "Logger"
- # to make it default logger for the c-icap.
- # Example:
- # Module logger sys_logger.so
- # Logger sys_logger
- # TAG: sys_logger.Prefix
- # Format: sys_logger.Prefix string
- # Description:
- # string is be presented in every syslog message.
- # Default:
- # sys_logger.Prefix "C-ICAP:"
- # TAG: sys_logger.Facility
- # Format: sys_logger.Facility daemon|user|local1|local2|local3|local4|local5|local6|local7
- # Description:
- # specifies the facility type of syslog.
- # Default:
- # sys_logger.Facility daemon
- # TAG: sys_logger.access_priority
- # Format: sys_logger.access_priority alert|crit|debug|emerg|err|info|notice|warning
- # Description:
- # determines the importance of the access log message
- # Default:
- # sys_logger.access_priority info
- # TAG: sys_logger.server_priority
- # Format: sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning
- # Description:
- # determines the importance of the server log message
- # Default:
- # sys_logger.server_priority crit
- # TAG: sys_logger.LogFormat
- # Format: sys_logger.LogFormat LOGFORMAT
- # Description:
- # The log format to use. If no log format defined then
- # the following will be used:
- # "%la %a %im %iu %is"
- # Default:
- # None set
- # Example:
- # Logformat BasicFormat "%la %a %im %iu %is"
- # sys_logger.LogFormat BasicFormat
- # TAG: sys_logger.access
- # Format: sys_logger.access [!]acl1 ...
- # Description:
- # Allow selecting ICAP requests to be logged using acls.
- # By default all requests will be logged.
- # Default:
- # None set
- # Example:
- # sys_logger.access all
- # End module: sys_logger
- # Module: bdb_tables
- # Description:
- # Add support for Berkeley DB based lookup tables. The format for
- # bdb path of the lookup table is:
- # bdb:/path/to/bdb
- # Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables
- # Example:
- # Module common bdb_tables.so
- # End module: bdb_tables
- # Module: dnsbl_tables
- # Description:
- # Add support for dns lookup tables. Can be used to access
- # dns block lists. The dnsbl lookup table path definition is:
- # dnsbl:domainname[{param1=val, ...}]
- # dnsbl table parameters can be one or more of the followings:
- # cache=no|cache_type
- # The cache type to use or 'no' for no cache.
- # cache-size=Size[K|M]
- # The cache size in RAM
- # cache-ttl=ttl
- # The cache ttl to use
- #
- # For example the lookup table for accessing the black.uribl.com
- # dns black list is:
- # dnsbl:black.uribl.com
- # Example:
- # Module common dnsbl_tables.so
- # End module: dnsbl_tables
- # Module: ldap_module
- # Description:
- # Add LDAP support to c-icap. The user can use LDAP based lookup tables
- # using the following lookup table path:
- # ldap://[username:password@]ldapserver?base?attr1,attr2?filter[{[param=value, ...]}]
- # The filter can contain the "%s" formating code which will be replaced by
- # the search key.
- # ldap table parameters can be one or more of the followings:
- # name=aName
- # A unique name to use for this table
- # cache=no|cache_type
- # The cache type to use or no for no cache.
- # cache-size=Size[K|M]
- # The cache size in RAM
- # cache-ttl=ttl
- # The cache ttl to use
- # cache-item-size=ItemSize[K|M]
- # The maximum item size
- #
- # Examples of supported ldap urls:
- # ldap://ldap.chtsanti.net?o=chtsanti?cn,uid?uid=%s{cache=memcached}
- # ldap://cn=Directory Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s))
- #
- # WARNING: is not enough tested it may contain bugs!
- # Example:
- # Module common ldap_module.so
- # End module: ldap_module
- # Module: memcached
- # Description:
- # Add support for memcached c-icap cache.
- # Example:
- # Module common memcached.so
- # TAG: memcached.servers
- # Format: memcached.servers hostname1 hostname2 ...
- # Description:
- # Set the memcached servers to use
- # Default:
- # memcached.servers 127.0.0.1
- # TAG: memcached.use_md5_keys
- # Format: memcached.use_md5_keys on|off
- # Description:
- # Whether to use or not md5 hash as key when the key exceeds the
- # MEMCACHED_MAX_KEY (normaly 251 bytes)
- # Default:
- # memcached.use_md5_keys on
- # End module: memcached
Add Comment
Please, Sign In to add comment