# # To enable url_check service in c-icap, copy this file in c-icap # configuration directory and add the following line at the end of # c-icap.conf file: # Include srv_url_check.conf # # Module: srv_url_check # Description: # This is an URL blacklist/whitelist icap service # This module add the following log formating codes for use with # the LogFormat configuration parameter: # %{url_check:matched_cat}Sa Print all matched url categories # %{url_check:action}Sa The service decision for requested url: # MATCHED, BLOCKED or ALLOWED # %{url_check:action_cat}Sa Print the categories for which the # decision taken # Example: # LogFormat myUrlCheck "%tl, %>a %im %is %huo [MatchedCat: %{url_check:matched_cat}Sa] [Action4cat: %{url_check:action_cat}Sa] [Action: %{url_check:action}Sa]" # acl URLCHECK service srv_url_check # AccessLog /var/log/c-icap-access-url_check.log myUrlCheck URLCHECK # # The following additional formatting codes can be used with the # service template "DENY": # %UU The HTTP url # %UH The HTTP host # %UM The matched Categories # %UB The blocked category # %UD The description of the blocked category # Example: # Service url_check_module srv_url_check.so Service url_check_module srv_url_check.so # TAG: url_check.EarlyResponses # Format: url_check.EarlyResponses on|off # Description: # Set it to off if your ICAP client does not support early responses. # Should not required to touch this parameter. # Default: # url_check.EarlyResponses on # Example: # url_check.EarlyResponses off # TAG: url_check.LookupTableDB # Format: url_check.LookupTableDB DBName type lookup_table_path [Description] # Description: # DBName is a a name for this database # type can be one of the following: # host: defines a hostnames database. Matches if the hostname # exist in ths database. # # url: defines a URL's database. Matches if a part of the # http url exist in this database. WARNING: The url arguments # are not included in search # For example the www.site.com/to/path/page.html?arg1&arg2 # matches if any of the following exist in this database: # www.site.com/to/path/page.html # www.site.com/to/path/ # www.site.com/to/ # www.site.com/ # site.com/to/path/page.html # site.com/to/path/ # site.com/to/ # site.com/ # com/to/path/page.html # com/to/path/ # com/to/ # com/www.site.com/to/path/page.html # www.site.com/to/path/ # www.site.com/to/ # www.site.com/ # site.com/to/path/page.html # site.com/to/path/ # site.com/to/ # site.com/ # com/to/path/page.html # com/to/path/ # com/to/ # com/ # # full_url: it defines a URL's database. This type of url databases # includes url arguments while searching in the database. # It does the same checks with the "url" databases plus # the checks including the arguments: # www.site.com/to/path/page.html?arg1&arg2 # site.com/to/path/page.html?arg1&arg2 # com/to/path/page.html?arg1&arg2 # # url_simple_check: it defines a URL's database. In this type of url # databases only one query with full url performed. # # domain: defines a domain names database. Matches if http # server hostname belongs to a domain which exists # in this database. # # lookup_table_path is a lookup table definition which contains # keys of the defined type # # Optionally a description can be added, which will be displayed when this # database matches. # # Default: # None set # Example: # url_check.LookupTableDB denyhosts host hash:/usr/local/c-icap/etc/denyhosts.txt "Denied Hosts" # url_check.LookupTableDB multisurbl domain dnsbl:multi.surbl.org # TAG: url_check.LoadSquidGuardDB # Format: url_check.LoadSquidGuardDB DBName SquidGuardDBPath [Description] # Description: # Defines a squidGuard database. A such database normaly contains # one domain and one urls database, and checked with the same way # the squidGuard use it. # DBName is the database name # SquidGuardDBPath is the path of the database. # # Optionally a description can be added, which will be displayed when this # database matches. # Default: # None set # Example: # url_check.LoadSquidGuardDB porn /usr/local/blacklists-toulouse/porn/ "SquidGuard Porn Sites" # TAG: url_check.Profile # Format: url_check.Profile ProfileName pass|block DBName[{subcat1, subcat2, ...}]|ALL # Format: url_check.Profile ProfileName DefaultAction pass|block|match [AddXHeader header]|[NoDefaultXHeaders]|[NoErrorPage] # Description: # It is used to define policy profiles. The use of "default" as # ProfileName is reserved and defines a default policy for all # requests for which no profile defined. # Please see the url_check.DefaultAction configuration parameter for # informations about "DefaultAction" argument. # Default: # None set # Example: # url_check.Profile BlockPorn block porn # url_check.Profile default block multisurbl{127.0.0.126} # url_check.Profile default pass ALL url_check.Profile default pass ALL # TAG: url_check.ProfileAccess # Format: url_check.ProfileAccess ProfileName [!]acl1 ... # Description: # It is used to select policy profile to apply based on acls # Default: # None set # Example: # acl Foo group foo # url_check.ProfileAccess BlockPorn Foo # TAG: url_check.DefaultAction # Format: url_check.DefaultAction pass|block|match [AddXHeader header]|[NoDefaultXHeaders]|[NoErrorPage] [RequestFilters] # Description: # Configures an url_check "pass", "block" or "match" action. # By default url_check service add the following headers to an ICAP # response: X-ICAP-Profile, X-Attribute, X-Attribute-Prefix, # X-Response-Info and X-Response-Desc. # Also respond with an error page when "block" action selected. # This option allow users to add their own X-headers to ICAP response, # do not add the default x-headers, and do not respond with error page # on blocking decisions. # Configuration options are: # AddXHeader x-header # Add the ICAP header "x-header" in ICAP response. The "x-header" # supports formating codes. # NoDefaultXHeaders # Forces url_check service do not include default X-headers # to ICAP response. # NoErrorPage # This is valid only for "block" action. The url_check service # will not send an error page as response but instead will send # an allow204 or equivalent response. # # The RequestFilters are options which enable request modification filters # for the configured action. They can be one of the following: # HttpHeaderAddIfNone Header Value # Adds the Header "Header" with the value "Value" in the HTTP # request headers if the Header does not exist. # HttpHeaderListAdd Header Value # Adds the "Value" to the header "Header", if exist or add # the "Header: Value" pair in HTTP request headers # HttpHeaderRemove Header # Remove the header "Header" from HTTP request headers # HttpHeaderReplace Header Value # Replaces the Header "header in HTTP request headers with a new # one "Header: Value" # # Default: # None set # Example: # url_check.DefaultAction block NoErrorPage # url_check.DefaultAction block AddXHeader "X-Session-ID: %{X-Session-ID}>ih" # url_check.DefaultAction block AddXHeader "X-Action: 2" # url_check.DefaultAction block AddXHeader "X-Redirect-URL: http://block.chtsanti.net" # TAG: url_check.ConvertPercentCodesTo # Format: url_check.ConvertPercentCodesTo uppercase|lowercase|none # Description: # The url_check service decodes the percent-encoded urls before lookup # into databases. From the decoding excluded the non printable characters # and the non safe characters (" !*'();:@&=+$,/?#[]"). The url databases # should use percent-encoding for non safe characters. # The url_check.ConvertPercentCodesTo configuration parameter can be used # to force url_check service to convert to lowercase or upercase a percent # formating code eg to %f4 or to %F4. # # Default: # url_check.ConvertPercentCodesTo lowercase # End module: srv_url_check