Before I posted this question, I read several set up guides online, the squid docs, c-icap docus, and also the ICAP RFC (3507). Unfortunately, the documentation for SQUID and C-ICAP does not provide much in the way of examples when it comes to URL filtering, only when it comes to the simple set up of using ClamAv.
So, I'm trying to figure out how to set up simple URL filtering using Squid and the C-ICAP Server. Specifically, I'm starting out trying to use SquidGuard Databases (but not the Squidguard program) as a source of black lists. I have Squid set up and running (proxying) just fine, and I have C-ICAP set up and running (responding to options request) just fine. However, I have no clue why the URL filtering is not running, as I've followed the examples as closely as possible.
My squid.conf is set up as follows for ICAP:
#Icap Options
icap_enable on
icap_service svcBlocker reqmod_precache icap://127.0.0.1:1344/srv_url_check bypass=off
At the bottom of the c-icap.conf file, I have included the icap service I want to use:
# End module: ldap_module
#URL Check Services
Include srv_url_check.conf
I've set up the srv_url_check.conf file, following the c-icap documentation:
# Default:
#None set
#Example: url_check.LoadSquidGuardDB audio-video /home/dranfu/Downloads/blacklists/audio-video/
When I send an options request to C-ICAP, it works fine:
ICAP server:localhost, ip:127.0.0.1, port:1344
OPTIONS:
Allow 204: Yes
Preview: 1024
Keep alive: Yes
ICAP HEADERS:
ICAP/1.0 200 OK:
Methods:RESPMOD, REQMOD
Service:C-ICAP/0.2.4 server - Echo demo service
ISTag:CI0001-XXXXXXXXX
Transfer-Preview:*
Options-TTL:3600
Date:Tue, 26 Feb 2013 10:57:13 GMT
Preview:1024
Allow:204
X-Include:X-Authenticated-User, X-Authenticated-Groups
Encapsulated:null-body=0
But when I send a standard web request to a site that is on the blacklist, I get a fairly empty response:
/usr/local/c-icap/bin/c-icap-client -p 8080 -req http://mp3.com.au
ICAP server:localhost, ip:127.0.0.1, port:8080
And furthermore, I am still able to proxy to the website with no problem. So,
if anyone has any experience with setting up squid with pure C-ICAP using URL
filtering, it would be awesome to have any assistance or basic guide on how to
get this working. The documentation is just too sparse, for me at least, to
figure out what is going wrong. No doubt it's something I'm missing, though.
Best Answer
I'm trying to do the same. I got success configuring c-icap to block a request.
Your
srv_url_check.conf
seems to be incomplete. Mine is configured as follows:The file denyhosts.txt, is a simple text file. Each line should contain a host to be block, such as:
And finally, you should uncomment line
acl all src 0.0.0.0/0.0.0.0
intoc-icap.conf
.Start your c-icap server like
/usr/bin/c-icap -D -N -d 1
(adjust the log level (-d) as you wish) and test it using/usr/bin/c-icap-client -s url_check -req http://sex.com -v -d 1
.As a response, you will receive:
This is what I did so far...