How To Enable URL Filtering With Just Squid & C-ICAP
I'm trying to do the same. I got success configuring c-icap to block a request.
Your srv_url_check.conf
seems to be incomplete. Mine is configured as follows:
Service urlcheck /usr/lib/x86_64-linux-gnu/c_icap/srv_url_check.so
url_check.LookupTableDB denyhosts url hash:/etc/c-icap/denyhosts.txt "Denied Host"
url_check.Profile denyProfile block denyhosts
url_check.ProfileAccess denyProfile all
The file denyhosts.txt, is a simple text file. Each line should contain a host to be block, such as:
mp3.com.au
xvideos.com
sex.com
And finally, you should uncomment line acl all src 0.0.0.0/0.0.0.0
into c-icap.conf
.
Start your c-icap server like /usr/bin/c-icap -D -N -d 1
(adjust the log level (-d) as you wish) and test it using /usr/bin/c-icap-client -s url_check -req http://sex.com -v -d 1
.
As a response, you will receive:
ICAP HEADERS:
ICAP/1.0 200 OK
Server: C-ICAP/0.4.2
Connection: keep-alive
ISTag: CI0001-XXXXXXXXX
X-ICAP-Profile: denyProfile
X-Attribute: denyhosts
X-Attribute-Prefix: 7
X-Response-Info: BLOCKED
X-Response-Desc: URL category denyhosts is BLOCKED
Encapsulated: res-hdr=0, res-body=108
RESPMOD HEADERS:
HTTP/1.0 403 Forbidden
Server: C-ICAP
Content-Type: text/html
Connection: close
Content-Language: en
This is what I did so far...
Related videos on Youtube
user1647568
Updated on September 18, 2022Comments
-
user1647568 over 1 year
Before I posted this question, I read several set up guides online, the squid docs, c-icap docus, and also the ICAP RFC (3507). Unfortunately, the documentation for SQUID and C-ICAP does not provide much in the way of examples when it comes to URL filtering, only when it comes to the simple set up of using ClamAv.
So, I'm trying to figure out how to set up simple URL filtering using Squid and the C-ICAP Server. Specifically, I'm starting out trying to use SquidGuard Databases (but not the Squidguard program) as a source of black lists. I have Squid set up and running (proxying) just fine, and I have C-ICAP set up and running (responding to options request) just fine. However, I have no clue why the URL filtering is not running, as I've followed the examples as closely as possible.
My squid.conf is set up as follows for ICAP:
#Icap Options icap_enable on icap_service svcBlocker reqmod_precache icap://127.0.0.1:1344/srv_url_check bypass=off
At the bottom of the c-icap.conf file, I have included the icap service I want to use:
# End module: ldap_module #URL Check Services Include srv_url_check.conf
I've set up the srv_url_check.conf file, following the c-icap documentation:
# Default: #None set #Example: url_check.LoadSquidGuardDB audio-video /home/dranfu/Downloads/blacklists/audio-video/
When I send an options request to C-ICAP, it works fine:
ICAP server:localhost, ip:127.0.0.1, port:1344 OPTIONS: Allow 204: Yes Preview: 1024 Keep alive: Yes ICAP HEADERS: ICAP/1.0 200 OK: Methods:RESPMOD, REQMOD Service:C-ICAP/0.2.4 server - Echo demo service ISTag:CI0001-XXXXXXXXX Transfer-Preview:* Options-TTL:3600 Date:Tue, 26 Feb 2013 10:57:13 GMT Preview:1024 Allow:204 X-Include:X-Authenticated-User, X-Authenticated-Groups Encapsulated:null-body=0
But when I send a standard web request to a site that is on the blacklist, I get a fairly empty response:
/usr/local/c-icap/bin/c-icap-client -p 8080 -req http://mp3.com.au ICAP server:localhost, ip:127.0.0.1, port:8080
And furthermore, I am still able to proxy to the website with no problem. So, if anyone has any experience with setting up squid with pure C-ICAP using URL filtering, it would be awesome to have any assistance or basic guide on how to get this working. The documentation is just too sparse, for me at least, to figure out what is going wrong. No doubt it's something I'm missing, though.
-
Admin about 11 yearsI expected this may be hard to answer, but I'm researching, and once I figure it out...or someone informs me, I'll post back here so someone can make use of it.
-
-
Scott Pack over 10 yearsWelcome to Server Fault! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.