icap-server.cfg — format of icap-server program configuration file
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the icap-server.cfg configuration file.
Repeatable sections/items are marked by
the '*
' before section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.
The following enumerations are used in icap-server.cfg configuration directives:
enabling
(see common(5))yes-no
(see common(5))language
(see common(5))direction
(see common(5))ip-version
(see common(5))osi4-proto
(see common(5))time-cond
(see common(5))zip-mode
(see common(5))obligation
(see common(5))range-op
(see common(5))inline-file-format
(see common(5))dbglev
(see log(5))logfail-mode
(see log(5))week-day
(see time(5))month
(see time(5))lock-type
(see ipc(5))radius-attr
(see radius(5))ldap-tls-reqcert-mode
(see ldap(5))ldap-search-scope
(see ldap(5))ldap-group-match
(see ldap(5))auth-method
(see auth(5))oob-authentication-method
(see auth(5))user-match-mode
(see auth(5))bandwidth-mode
(see pf-queue(5))pf-sc-setting
(see pf-queue(5))antivirus-protocol
(see antivirus(5))virus-status
(see antivirus(5))database-source
(see antivirus(5))source-address-mode
(see source-address(5))accept-deny
(see mod-html-filter(5))transparency
(see acl(5))user-auth-spec
(see acl(5))doctype-ident-method
(see acl(5))header-op
(see acl(5))lagg-protocol
(see interface(5))listen-on-sock
(see listen-on(5))log-in-vain-proto
(see sysctl(5))blackhole-proto
(see sysctl(5))ssl-ver
(see ssl(5))extension-op
(see ssl(5))veri-fail-action
(see ssl(5))auth-cert-type
(see ssl(5))distrusted-cert-type
(see ssl(5))clear-web-db-category
(see clear-web-db(5))clear-web-db-match-mode
(see clear-web-db(5))Program icap-server recognizes following items and sections:
admin ... ;
* antivirus name
{ ... }
clear-web-db { ... }
* fake-cert name
{ ... }
* html-filter name
{ ... }
* interface name
{ ... }
* ldap-client-auth name
{ ... }
* oob-auth name
{ ... }
* pf-queue name
{ ... }
* radius-client name
{ ... }
* resolver name
{ ... }
* shared-dir name
{ ... }
* shared-file name
{ ... }
* ssl-params name
{ ... }
sysctl { ... }
use-resolver ... ;
* icap-server name
{ ... }
ipv6-mode ... ;
admin
system
[contact
];Firewall administrator and contact e-mail addresses.
system
(type: str
)The technical administrator(s) of the system; an address or set of comma separated adresses of persons responsible for system maintenance.
contact
(type: str
, optional, default: <NULL>)The policy administator; an address of person responsible for system configuration. If not defined, the technical administration is used instead.
Administrator contact must comply with RFC.
antivirus
name
{
connection ... ;
sock-opt { ... }
timeout ... ;
comm-dir ... ;
altq ... ;
max-checked-size ... ;
icap-pass-200-with-pure-body ... ;
persistent-stream ... ;
clamav-agent { ... }
}
antivirus
section is derived from
antivirus
section prototype.
For detail description of it, see antivirus(5).
clear-web-db
{
internal-servers ... ;
db ... ;
lock ... ;
local-db { ... }
}
clear-web-db
section is derived from
clear-web-db
section prototype.
For detail description of it, see clear-web-db(5).
fake-cert
name
{
key ... ;
auth-ca ... ;
fail-ca ... ;
* extension ... ;
purge ... ;
}
fake-cert
section is derived from
fake-cert
section prototype.
For detail description of it, see ssl(5).
html-filter
name
{
* script-tag-language ... ;
replace-head-script-tags ... ;
replace-body-script-tags ... ;
* style-tag-type ... ;
replace-style-tags ... ;
* iframe-tag-src ... ;
replace-iframe-tags ... ;
* intrinsic-language ... ;
* intrinsic-hack ... ;
replace-intrinsic ... ;
* macro-language ... ;
* macro-hack ... ;
replace-macros ... ;
* uri ... ;
replace-uri ... ;
* embed-tag-type ... ;
* embed-src-hack ... ;
* embed-plugin-hack ... ;
replace-head-embed-tags ... ;
replace-body-embed-tags ... ;
* applet ... ;
replace-applets ... ;
* object ... ;
* object-classid-hack ... ;
* object-data-hack ... ;
replace-head-object-tags ... ;
replace-body-object-tags ... ;
* param-tags ... ;
replace-param ... ;
script-end-hack ... ;
}
html-filter
section is derived from
html-filter
section prototype.
For detail description of it, see mod-html-filter(5).
interface
name
{
dev ... ;
ipv4 ... ;
ipv6 ... ;
mac ... ;
aggregate ... ;
pike ... ;
vlan ... ;
tunnel ... ;
dhcp-client ... ;
ipv6-rtadv { ... }
* alias name
{ ... }
* tag ... ;
}
interface
section is derived from
interface
section prototype.
For detail description of it, see interface(5).
ldap-client-auth
name
{
server ... ;
ssl { ... }
bindinfo ... ;
kerberos ... ;
users ... ;
groups ... ;
active-directory ... ;
}
ldap-client-auth
section is derived from
ldap-client-auth
section prototype.
For detail description of it, see ldap(5).
oob-auth
name
{
method ... ;
max-sessions ... ;
max-user ... ;
max-groups ... ;
truncate-groups ... ;
file ... ;
lock ... ;
}
oob-auth
section is derived from
oob-auth
section prototype.
For detail description of it, see auth(5).
pf-queue
name
{
parent ... ;
bandwidth ... ;
priority ... ;
qlimit ... ;
cbq { ... }
priq { ... }
hfsc { ... }
}
pf-queue
section is derived from
pf-queue
section prototype.
For detail description of it, see pf-queue(5).
radius-client
name
{
nas ... ;
groups ... ;
* server ... ;
}
radius-client
section is derived from
radius-client
section prototype.
For detail description of it, see radius(5).
resolver
name
{
* server ... ;
search ... ;
preference ... ;
edns ... ;
conf-timeout ... ;
initial-timeout ... ;
final-timeout ... ;
conn-timeout ... ;
disable-deresolution ... ;
}
resolver
section is derived from
resolver
section prototype.
For detail description of it, see resolver(5).
shared-dir
name
{
path ... ;
}
shared-dir
section is derived from
shared-dir
section prototype.
For detail description of it, see common(5).
shared-file
name
{
path ... ;
format ... ;
}
shared-file
section is derived from
shared-file
section prototype.
For detail description of it, see common(5).
ssl-params
name
{
versions ... ;
ciphers ... ;
tcp-eof ... ;
id ... ;
* auth-cert ... ;
distrusted-certs ... ;
dont-check-crl ... ;
* crl ... ;
verify-peer ... ;
cache-timeout ... ;
use-ticket ... ;
enable-renegotiation ... ;
fake-cert ... ;
prefer_server_ciphers ... ;
enable-ecdh ... ;
}
ssl-params
section is derived from
ssl-params
section prototype.
For detail description of it, see ssl(5).
sysctl
{
* variable ... ;
portrange-default ... ;
portrange-high ... ;
portrange-low ... ;
portrange-reserved ... ;
somaxconn ... ;
log-in-vain ... ;
blackhole ... ;
}
sysctl
section is derived from
sysctl
section prototype.
For detail description of it, see sysctl(5).
use-resolver
name
;Resolver Section Specification.
This item defines name of global (system) resolver section used in particular configuration environment. Namely, it is applicable within SYSTEM section and within any section derived from PROXY prototype. The former usage defines system-wide values, the latter one values valid for particular proxy.
name
(type: name
of resolver
, see resolver(5))icap-server
name
{
phase ... ;
* tag ... ;
log-debug { ... }
log-stats { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
app-user ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
document-root ... ;
hdr-line-len ... ;
preview ... ;
blacklist-db ... ;
max-bypass-sessions ... ;
ssl-session-cache { ... }
ldap-cache { ... }
* session-acl name
{ ... }
* service-acl name
{ ... }
* request-acl name
{ ... }
* doc-acl name
{ ... }
}
icap-server
section is derived from
icap-server
section prototype.
For detail description of it, see icap-server(5).
ipv6-mode
[status
];Enabling/Disabling IPv6 Mode.
status
(type: enabling
, optional, default: enable)