How To Enable URL Filtering With Just Squid & C-ICAP

Before I posted this question, I read several set up guides online, the squid docs, c-icap docus, and also the ICAP RFC (3507). Unfortunately, the documentation for SQUID and C-ICAP does not provide much in the way of examples when it comes to URL filtering, only when it comes to the simple set up of using ClamAv.

So, I'm trying to figure out how to set up simple URL filtering using Squid and the C-ICAP Server. Specifically, I'm starting out trying to use SquidGuard Databases (but not the Squidguard program) as a source of black lists. I have Squid set up and running (proxying) just fine, and I have C-ICAP set up and running (responding to options request) just fine. However, I have no clue why the URL filtering is not running, as I've followed the examples as closely as possible.

My squid.conf is set up as follows for ICAP:

#Icap Options
icap_enable on
icap_service svcBlocker reqmod_precache icap://127.0.0.1:1344/srv_url_check bypass=off

At the bottom of the c-icap.conf file, I have included the icap service I want to use:

# End module: ldap_module
#URL Check Services
Include srv_url_check.conf

I've set up the srv_url_check.conf file, following the c-icap documentation:

# Default:
#None set
#Example: url_check.LoadSquidGuardDB audio-video /home/dranfu/Downloads/blacklists/audio-video/

When I send an options request to C-ICAP, it works fine:

ICAP server:localhost, ip:127.0.0.1, port:1344

OPTIONS:
    Allow 204: Yes
    Preview: 1024
    Keep alive: Yes

ICAP HEADERS:
    ICAP/1.0 200 OK:
    Methods:RESPMOD, REQMOD
    Service:C-ICAP/0.2.4 server - Echo demo service
    ISTag:CI0001-XXXXXXXXX
    Transfer-Preview:*
    Options-TTL:3600
    Date:Tue, 26 Feb 2013 10:57:13 GMT
    Preview:1024
    Allow:204
    X-Include:X-Authenticated-User, X-Authenticated-Groups
    Encapsulated:null-body=0

But when I send a standard web request to a site that is on the blacklist, I get a fairly empty response:

/usr/local/c-icap/bin/c-icap-client -p 8080 -req http://mp3.com.au 

ICAP server:localhost, ip:127.0.0.1, port:8080

And furthermore, I am still able to proxy to the website with no problem. So,
if anyone has any experience with setting up squid with pure C-ICAP using URL
filtering, it would be awesome to have any assistance or basic guide on how to
get this working. The documentation is just too sparse, for me at least, to
figure out what is going wrong. No doubt it's something I'm missing, though.

Service urlcheck /usr/lib/x86_64-linux-gnu/c_icap/srv_url_check.so url_check.LookupTableDB denyhosts url hash:/etc/c-icap/denyhosts.txt "Denied Host" url_check.Profile denyProfile block denyhosts url_check.ProfileAccess denyProfile all

ICAP HEADERS: ICAP/1.0 200 OK Server: C-ICAP/0.4.2 Connection: keep-alive ISTag: CI0001-XXXXXXXXX X-ICAP-Profile: denyProfile X-Attribute: denyhosts X-Attribute-Prefix: 7 X-Response-Info: BLOCKED X-Response-Desc: URL category denyhosts is BLOCKED Encapsulated: res-hdr=0, res-body=108 RESPMOD HEADERS: HTTP/1.0 403 Forbidden Server: C-ICAP Content-Type: text/html Connection: close Content-Language: en

Best Answer

I'm trying to do the same. I got success configuring c-icap to block a request.

Your srv_url_check.conf seems to be incomplete. Mine is configured as follows:

The file denyhosts.txt, is a simple text file. Each line should contain a host to be block, such as:

mp3.com.au
xvideos.com
sex.com

And finally, you should uncomment line acl all src 0.0.0.0/0.0.0.0 into c-icap.conf.

Start your c-icap server like /usr/bin/c-icap -D -N -d 1 (adjust the log level (-d) as you wish) and test it using /usr/bin/c-icap-client -s url_check -req http://sex.com -v -d 1.

As a response, you will receive:

This is what I did so far...

Best Answer

Related Solutions

Ssl – How To Enable HTTPS filtering with Squid3 and Qlproxy

URL filtering and squid performance

Related Topic