authorAndreas Grapentin <andreas@grapentin.org>2018-01-20 20:43:39 +0100
committerAndreas Grapentin <andreas@grapentin.org>2018-01-20 20:43:39 +0100
commit2abb02c95a22a6f0d5ef2a51faa7aed4a9c2ed13 (patch)
tree80c847aaaae3c2b29f68b3a5973b98a7f4851f3f /pcr/c-icap/c-icap.conf
parent4a9971f37eaf75e779b0c73d307897aeff4e34c9 (diff)
pcr/c-icap: updated to 0.5.2
Diffstat (limited to 'pcr/c-icap/c-icap.conf')
-rw-r--r--pcr/c-icap/c-icap.conf125
1 files changed, 115 insertions, 10 deletions
diff --git a/pcr/c-icap/c-icap.conf b/pcr/c-icap/c-icap.conf
index 8a9890c9c..5d3e4749a 100644
--- a/pcr/c-icap/c-icap.conf
+++ b/pcr/c-icap/c-icap.conf
@@ -124,13 +124,75 @@ MaxRequestsPerChild 0
# InterProcessLockingScheme file
# TAG: Port
-# Format: Port port
+# Format: Port [address:]port
# Description:
# The port number that the c-icap server uses to listen to requests.
# Default:
-# Port 1344
+# None
Port 1344
+# TAG: TlsPort
+# Format: TlsPort [address:]port [tls-method=method] [cert=path_to_pem_cert] [key=path_to_pem_key] [client_ca=path_to_pem_file] [ciphers=ciph1:ciph2...] [tls_options=[!]Opt1|[!]Opt2|...]
+# Description:
+# The port number that the c-icap server uses to listen for TLS/SSL
+# requests. Options:
+# tls-method
+# Set the SSL method to use. Available methods are:
+# SSLv23 TLSv1_2 TLSv1_1 TLSv1 SSLv3 SSLv2
+# cert
+# Set the certificate to use by the icap server. The certificate
+# should be in pem format.
+# key
+# The key of the configured certificate in pem format. If none
+# set then the c-icap searches for the key inside cert file.
+# client_ca
+# File containing all CA that we accept client certs from. If it
+# is set then c-icap enables client certificates verification.
+# cafile
+# PEM file containing CA certificates to use when verifying client
+# certificates. If not configured the root.pem file will be used.
+# capath
+# Directory containing additional CA certificates to use when
+# verifying client certificates.
+# ciphers
+# Collon separated lists of the ciphers to accept. Please check
+# openSSL manual for supported ciphers.
+# tls-options
+# Sets various options:
+# SSL_OP_NO_SSLv2 disable the use of SSLv2
+# SSL_OP_NO_SSLv3 disable the use of SSLv3
+# SSL_OP_NO_TLSv1 disable the use of TLSv1
+# SSL_OP_NO_TLSv1_2 disable the use of TLSv1.2
+# SSL_OP_NO_TLSv1_1 disable the use of TLSv1.1
+# SSL_OP_NO_TICKET disable the use of RFC5077 session tickets
+# SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+# When performing renegotiation as a server, always start a
+# new session.
+# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+# Allow legacy insecure renegotiation between OpenSSL and
+# unpatched clients or servers.
+#
+# For more options please see the SSL_set_options documentation.
+#
+# By default the SSL_OP_ALL flag is set which enables all of the
+# important bug workarrounds. To reset this flag use the
+# "!SSL_OP_ALL" as first flag:
+# tls-options=!SSL_OP_ALL:SSL_OP_NO_TICKET
+#
+# Default:
+# None
+
+# TAG: TlsPassphrase
+# Format: TlsPassphrase /path/to/script
+# Description:
+# Path to the script to run to get the passphrases of TLS certificates
+# keys. The c-icap will pass as arguments the IP address and port number
+# to the script.
+# Default:
+# No value
+# Example:
+# TlsPassphrase /use/local/c-icap/scripts/cert-passphrase.sh
+
# TAG: User
# Format: User username
# Description:
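Review bot: The new TlsPort text disagrees with itself on the option name and separator: the Format line gives `tls_options=[!]Opt1|[!]Opt2|...`, the description calls it `tls-options`, and the example joins flags with a colon (`tls-options=!SSL_OP_ALL:SSL_OP_NO_TICKET`). An admin copying the example may end up with protocol-disabling flags that are silently not applied, so the three spellings should be checked against the 0.5.2 parser and made to agree. `cafile` and `capath` are described but missing from the Format line. The method list offers SSLv2 and SSLv3 with no guidance; I would add a comment such as `# SSLv2, SSLv3, TLSv1 and TLSv1_1 are obsolete; prefer TLSv1_2`, and note beside SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION that it should stay unset. For TlsPassphrase, the example path `/use/local/...` looks like a typo for `/usr/local/...`, and since c-icap executes the script to obtain key passphrases, the comment should say it must be writable only by a trusted account.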
@@ -221,6 +283,16 @@ SupportBuggyClients off
# Default:
# No set
+# TAG: FakeAllow204
+# Format: FakeAllow204 on|off
+# Description:
+# Support 204 responses from services preview handler to the clients
+# which does not support preview. Requires early responses support
+# from clients.
+# If disabled the c-icap will return 500 response in these cases
+# Default:
+# FakeAllow204 on
+
# TAG: ModulesDir
# Format: ModulesDir dir
# Description:
@@ -414,6 +486,18 @@ RemoteProxyUserHeaderEncoded on
# A - Saturday
# acl http_client_ip ip1[/netmask1] ...
# The HTTP client ip address, if it is available.
+# acl http_req_line value1 ...
+# The first line of HTTP request
+# The values are in regex form: /avalue/flags
+# acl http_resp_line value1 ...
+# The first line of HTTP response
+# The values are in regex form: /avalue/flags
+# acl http_req_url value1 ...
+# The HTTP request url without GET request arguments
+# The values are in regex form: /avalue/flags
+# acl http_req_method value1 ...
+# The HTTP request method
+
# Default:
# None set
# Examples:
@@ -543,24 +627,36 @@ AccessLog /var/log/c-icap/access.log
# Logger sys_logger
# TAG: Module
-# Format: Module Type ModuleFile
+# Format: Module Type ModuleFile [forceUnload=off]
# Description:
# Load an external module/plugin to c-icap.
-# ModuleFile is the filename of the module. If no full path given then c-icap
-# searche in path defined by the ModulesDir configuration parameter.
+# ModuleFile is the filename of the module. If no full path given then
+# the c-icap uses the path defined by the ModulesDir configuration
+# parameter.
# Type is the type of the external module and can be one of the following:
-# - "logger" for modules implement a logger
-# - "common" for general purpose modules
+# "logger" for modules implement a logger
+# "common" for general purpose modules
+# forceUnload=off
+# Forces c-icap to not unload services/modules loaded as external
+# dynamic libraries on shutdown or reconfigure.
+# This option may required when the services/modules are using
+# c++, or they are linked with c++ libraries.
# Default:
#
# Example:
# Module logger sys_logger.so
# TAG: Service
-# Format: Service aName ServiceFile
+# Format: Service aName ServiceFile [forceUnload=off]
# Description:
# It loads the service ServiceFile. The argument aName used
# as alias name for the service
+# forceUnload=off
+# Forces c-icap to not unload services/modules loaded as external
+# dynamic libraries on shutdown or reconfigure.
+# This option may required when the services/modules are using
+# c++, or they are linked with c++ libraries.
+
# Default:
#
# Example:
@@ -676,7 +772,14 @@ Service echo srv_echo.so
# Description:
# Add support for Berkeley DB based lookup tables. The format for
# bdb path of the lookup table is:
-# bdb:/path/to/bdb
+# bdb:/path/to/bdb[{param1=val, ...}]
+# bdb table parameters can be one or more of the followings:
+# cache-size=Size[K|M]
+# The cache size to use. Default is the berkeleyDB default value.
+# cache-num=num
+# The number of caches to create. The cache will be split across
+# num separate regions, where the region size is equal to the
+# initial cache size divided by ncache.
# Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables
# Example:
# Module common bdb_tables.so
@@ -707,8 +810,10 @@ Service echo srv_echo.so
# Module: ldap_module
# Description:
# Add LDAP support to c-icap. The user can use LDAP based lookup tables
-# using the following lookup table path:
+# using the following lookup table paths:
# ldap://[username:password@]ldapserver?base?attr1,attr2?filter[{[param=value, ...]}]
+# ldaps://...
+# ldapi://...
# The filter can contain the "%s" formating code which will be replaced by
# the search key.
# ldap table parameters can be one or more of the followings:
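Review bot: The lookup-table path still documents inline bind credentials (`ldap://[username:password@]ldapserver...`), and the newly listed `ldaps://` and `ldapi://` schemes come with no hint about when to choose them. I would add a comment along the lines of `# Prefer ldaps:// (or ldapi:// for a local server) when username:password is given; plain ldap:// may send the bind password unencrypted`, hedged because the page does not show whether the module supports StartTLS. A configuration containing such a URL also holds a password, and the diffstat lists this file as `-rw-r--r--`. The installed mode is set outside this diff, so it is worth confirming the packaged c-icap.conf is not world-readable, or saying so in the comment. The ldap_module comment block continues past the end of this hunk.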