From 2abb02c95a22a6f0d5ef2a51faa7aed4a9c2ed13 Mon Sep 17 00:00:00 2001
From: Andreas Grapentin
Date: Sat, 20 Jan 2018 20:43:39 +0100
Subject: pcr/c-icap: updated to 0.5.2
---
 pcr/c-icap/c-icap.conf | 125 +++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 115 insertions(+), 10 deletions(-)
(limited to 'pcr/c-icap/c-icap.conf')
diff --git a/pcr/c-icap/c-icap.conf b/pcr/c-icap/c-icap.conf
index 8a9890c9c..5d3e4749a 100644
--- a/pcr/c-icap/c-icap.conf
+++ b/pcr/c-icap/c-icap.conf
@@ -124,13 +124,75 @@ MaxRequestsPerChild 0
 # InterProcessLockingScheme file
 # TAG: Port
-# Format: Port port
+# Format: Port [address:]port
 # Description:
 # The port number that the c-icap server uses to listen to requests.
 # Default:
-# Port 1344
+# None
 Port 1344
+# TAG: TlsPort
+# Format: TlsPort [address:]port [tls-method=method] [cert=path_to_pem_cert] [key=path_to_pem_key] [client_ca=path_to_pem_file] [ciphers=ciph1:ciph2...] [tls_options=[!]Opt1|[!]Opt2|...]
+# Description:
+# The port number that the c-icap server uses to listen for TLS/SSL
+# requests. Options:
+# tls-method
+# Set the SSL method to use. Available methods are:
+# SSLv23 TLSv1_2 TLSv1_1 TLSv1 SSLv3 SSLv2
+# cert
+# Set the certificate to use by the icap server. The certificate
+# should be in pem format.
+# key
+# The key of the configured certificate in pem format. If none
+# set then the c-icap searches for the key inside cert file.
+# client_ca
+# File containing all CA that we accept client certs from. If it
+# is set then c-icap enables client certificates verification.
+# cafile
+# PEM file containing CA certificates to use when verifying client
+# certificates. If not configured the root.pem file will be used.
+# capath
+# Directory containing additional CA certificates to use when
+# verifying client certificates.
+# ciphers
+# Collon separated lists of the ciphers to accept. Please check
+# openSSL manual for supported ciphers.
+# tls-options
+# Sets various options:
+# SSL_OP_NO_SSLv2 disable the use of SSLv2
+# SSL_OP_NO_SSLv3 disable the use of SSLv3
+# SSL_OP_NO_TLSv1 disable the use of TLSv1
+# SSL_OP_NO_TLSv1_2 disable the use of TLSv1.2
+# SSL_OP_NO_TLSv1_1 disable the use of TLSv1.1
+# SSL_OP_NO_TICKET disable the use of RFC5077 session tickets
+# SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+# When performing renegotiation as a server, always start a
+# new session.
+# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+# Allow legacy insecure renegotiation between OpenSSL and
+# unpatched clients or servers.
+#
+# For more options please see the SSL_set_options documentation.
+#
+# By default the SSL_OP_ALL flag is set which enables all of the
+# important bug workarrounds. To reset this flag use the
+# "!SSL_OP_ALL" as first flag:
+# tls-options=!SSL_OP_ALL:SSL_OP_NO_TICKET
+#
+# Default:
+# None
+
+# TAG: TlsPassphrase
+# Format: TlsPassphrase /path/to/script
+# Description:
+# Path to the script to run to get the passphrases of TLS certificates
+# keys. The c-icap will pass as arguments the IP address and port number
+# to the script.
+# Default:
+# No value
+# Example:
+# TlsPassphrase /use/local/c-icap/scripts/cert-passphrase.sh
+
 # TAG: User
 # Format: User username
 # Description:
@@ -221,6 +283,16 @@ SupportBuggyClients off
 # Default:
 # No set
+# TAG: FakeAllow204
+# Format: FakeAllow204 on|off
+# Description:
+# Support 204 responses from services preview handler to the clients
+# which does not support preview. Requires early responses support
+# from clients.
+# If disabled the c-icap will return 500 response in these cases
+# Default:
+# FakeAllow204 on
+
 # TAG: ModulesDir
 # Format: ModulesDir dir
 # Description:
@@ -414,6 +486,18 @@ RemoteProxyUserHeaderEncoded on
 # A - Saturday
 # acl http_client_ip ip1[/netmask1] ...
 # The HTTP client ip address, if it is available.
+# acl http_req_line value1 ...
+# The first line of HTTP request
+# The values are in regex form: /avalue/flags
+# acl http_resp_line value1 ...
+# The first line of HTTP response
+# The values are in regex form: /avalue/flags
+# acl http_req_url value1 ...
+# The HTTP request url without GET request arguments
+# The values are in regex form: /avalue/flags
+# acl http_req_method value1 ...
+# The HTTP request method
+
 # Default:
 # None set
 # Examples:
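Review bot: In the TlsPort hunk (@@ -124,13 +124,75 @@) the tls-method list presents SSLv2 and SSLv3 as ordinary choices next to TLSv1_2, and the tls-options block documents SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION the same way, with no warning; since this comment is what an operator reads before choosing values, I would add under tls-method `#	    SSLv2 and SSLv3 are obsolete and insecure and should never be enabled; prefer TLSv1_2, or SSLv23 with tls-options disabling SSLv2, SSLv3 and TLSv1`. The Format line spells the option `tls_options=` with `|` as the separator, while the description heading and the worked example use `tls-options=` with `:` (`tls-options=!SSL_OP_ALL:SSL_OP_NO_TICKET`); only one form can be what the parser accepts, so the three should be made to agree, otherwise an operator who thinks they disabled SSLv3 may have set nothing. The TlsPassphrase example path `/use/local/c-icap/scripts/cert-passphrase.sh` looks like a typo for `/usr/local/...`, and `Collon`/`workarrounds` should read `Colon`/`workarounds`. Because TlsPassphrase names a script that c-icap executes, a sentence that it must be owned by root and not writable by the User the daemon drops to would be worth adding, though the hunk does not show how it is invoked. This hunk begins on the previous line of the page.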
@@ -543,24 +627,36 @@ AccessLog /var/log/c-icap/access.log # Logger sys_logger # TAG: Module -# Format: Module Type ModuleFile +# Format: Module Type ModuleFile [forceUnload=off] # Description: # Load an external module/plugin to c-icap. -# ModuleFile is the filename of the module. If no full path given then c-icap -# searche in path defined by the ModulesDir configuration parameter. +# ModuleFile is the filename of the module. If no full path given then +# the c-icap uses the path defined by the ModulesDir configuration +# parameter. # Type is the type of the external module and can be one of the following: -# - "logger" for modules implement a logger -# - "common" for general purpose modules +# "logger" for modules implement a logger +# "common" for general purpose modules +# forceUnload=off +# Forces c-icap to not unload services/modules loaded as external +# dynamic libraries on shutdown or reconfigure. +# This option may required when the services/modules are using +# c++, or they are linked with c++ libraries. # Default: # # Example: # Module logger sys_logger.so # TAG: Service -# Format: Service aName ServiceFile +# Format: Service aName ServiceFile [forceUnload=off] # Description: # It loads the service ServiceFile. The argument aName used # as alias name for the service +# forceUnload=off +# Forces c-icap to not unload services/modules loaded as external +# dynamic libraries on shutdown or reconfigure. +# This option may required when the services/modules are using +# c++, or they are linked with c++ libraries. + # Default: # # Example: 
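Review bot: Both new forceUnload=off descriptions in the Module and Service hunk (@@ -543,24 +627,36 @@) say `This option may required when the services/modules are using`, which should read `This option may be required when the services/modules are using`. The retained line `"logger" for modules implement a logger` is likewise missing a word and should be `"logger" for modules that implement a logger`. Since the same four-line forceUnload paragraph is now duplicated under TAG: Module and TAG: Service, the Service copy could instead say `See forceUnload under TAG: Module` so the two cannot drift apart.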
@@ -676,7 +772,14 @@ Service echo srv_echo.so
 # Description:
 # Add support for Berkeley DB based lookup tables. The format for
 # bdb path of the lookup table is:
-# bdb:/path/to/bdb
+# bdb:/path/to/bdb[{param1=val, ...}]
+# bdb table parameters can be one or more of the followings:
+# cache-size=Size[K|M]
+# The cache size to use. Default is the berkeleyDB default value.
+# cache-num=num
+# The number of caches to create. The cache will be split across
+# num separate regions, where the region size is equal to the
+# initial cache size divided by ncache.
 # Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables
 # Example:
 # Module common bdb_tables.so
@@ -707,8 +810,10 @@ Service echo srv_echo.so
 # Module: ldap_module
 # Description:
 # Add LDAP support to c-icap. The user can use LDAP based lookup tables
-# using the following lookup table path:
+# using the following lookup table paths:
 # ldap://[username:password@]ldapserver?base?attr1,attr2?filter[{[param=value, ...]}]
+# ldaps://...
+# ldapi://...
 # The filter can contain the "%s" formating code which will be replaced by
 # the search key.
 # ldap table parameters can be one or more of the followings:
-- cgit v1.2.3
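Review bot: In the ldap_module hunk (@@ -707,8 +810,10 @@) the new `ldaps://...` and `ldapi://...` lines are added right under a path form that embeds `username:password@`, but nothing tells the reader that plain `ldap://` sends that bind password and every lookup in cleartext; I would add after `ldapi://...` the line `#	Use ldaps:// (or ldapi:// on the local host) for directories reached over the network; ldap:// transmits the bind credentials and lookups unencrypted.` The two new lines also give no syntax at all, so it is unclear whether the same `[username:password@]host?base?attr1,attr2?filter[{...}]` form applies to them; spelling that out, or saying "same syntax as ldap://", would remove the guesswork. Since the bind password ends up literally in this configuration file, a reminder that the file then needs restrictive permissions would be appropriate, though how c-icap reads the file is not shown here.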