icap-server.cfg
Prev Kernun UTM Reference (5) Next

Name

icap-server.cfg — format of icap-server program configuration file

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the icap-server.cfg configuration file.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in icap-server.cfg configuration directives:

enabling (see common(5))

yes-no (see common(5))

language (see common(5))

direction (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

obligation (see common(5))

range-op (see common(5))

inline-file-format (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

week-day (see time(5))

month (see time(5))

lock-type (see ipc(5))

radius-attr (see radius(5))

ldap-tls-reqcert-mode (see ldap(5))

ldap-search-scope (see ldap(5))

ldap-group-match (see ldap(5))

auth-method (see auth(5))

oob-authentication-method (see auth(5))

user-match-mode (see auth(5))

bandwidth-mode (see pf-queue(5))

pf-sc-setting (see pf-queue(5))

antivirus-protocol (see antivirus(5))

virus-status (see antivirus(5))

database-source (see antivirus(5))

source-address-mode (see source-address(5))

accept-deny (see mod-html-filter(5))

transparency (see acl(5))

user-auth-spec (see acl(5))

doctype-ident-method (see acl(5))

header-op (see acl(5))

lagg-protocol (see interface(5))

listen-on-sock (see listen-on(5))

log-in-vain-proto (see sysctl(5))

blackhole-proto (see sysctl(5))

ssl-ver (see ssl(5))

extension-op (see ssl(5))

veri-fail-action (see ssl(5))

auth-cert-type (see ssl(5))

distrusted-cert-type (see ssl(5))

clear-web-db-category (see clear-web-db(5))

clear-web-db-match-mode (see clear-web-db(5))

ITEMS AND SECTIONS

Program icap-server recognizes following items and sections:


  admin ... ;
* antivirus name { ... }
  clear-web-db { ... }
* fake-cert name { ... }
* html-filter name { ... }
* interface name { ... }
* ldap-client-auth name { ... }
* oob-auth name { ... }
* pf-queue name { ... }
* radius-client name { ... }
* resolver name { ... }
* shared-dir name { ... }
* shared-file name { ... }
* ssl-params name { ... }
  sysctl { ... }
  use-resolver ... ;
* icap-server name { ... }
  ipv6-mode ... ;
    

Description:

admin system [contact];

Firewall administrator and contact e-mail addresses.

system (type: str)

The technical administrator(s) of the system; an address or set of comma separated adresses of persons responsible for system maintenance.

contact (type: str, optional, default: <NULL>)

The policy administator; an address of person responsible for system configuration. If not defined, the technical administration is used instead.

Constraints:

Administrator contact must comply with RFC.

antivirus name {


  connection ... ;
  sock-opt { ... }
  timeout ... ;
  comm-dir ... ;
  altq ... ;
  max-checked-size ... ;
  icap-pass-200-with-pure-body ... ;
  persistent-stream ... ;
  clamav-agent { ... }
}

        

The antivirus section is derived from antivirus section prototype. For detail description of it, see antivirus(5).

clear-web-db {


  internal-servers ... ;
  db ... ;
  lock ... ;
  local-db { ... }
}

        

The clear-web-db section is derived from clear-web-db section prototype. For detail description of it, see clear-web-db(5).

fake-cert name {


  key ... ;
  auth-ca ... ;
  fail-ca ... ;
* extension ... ;
  purge ... ;
}

        

The fake-cert section is derived from fake-cert section prototype. For detail description of it, see ssl(5).

html-filter name {


* script-tag-language ... ;
  replace-head-script-tags ... ;
  replace-body-script-tags ... ;
* style-tag-type ... ;
  replace-style-tags ... ;
* iframe-tag-src ... ;
  replace-iframe-tags ... ;
* intrinsic-language ... ;
* intrinsic-hack ... ;
  replace-intrinsic ... ;
* macro-language ... ;
* macro-hack ... ;
  replace-macros ... ;
* uri ... ;
  replace-uri ... ;
* embed-tag-type ... ;
* embed-src-hack ... ;
* embed-plugin-hack ... ;
  replace-head-embed-tags ... ;
  replace-body-embed-tags ... ;
* applet ... ;
  replace-applets ... ;
* object ... ;
* object-classid-hack ... ;
* object-data-hack ... ;
  replace-head-object-tags ... ;
  replace-body-object-tags ... ;
* param-tags ... ;
  replace-param ... ;
  script-end-hack ... ;
}

        

The html-filter section is derived from html-filter section prototype. For detail description of it, see mod-html-filter(5).

interface name {


  dev ... ;
  ipv4 ... ;
  ipv6 ... ;
  mac ... ;
  aggregate ... ;
  pike ... ;
  vlan ... ;
  tunnel ... ;
  dhcp-client ... ;
  ipv6-rtadv { ... }
* alias name { ... }
* tag ... ;
}

        

The interface section is derived from interface section prototype. For detail description of it, see interface(5).

ldap-client-auth name {


  server ... ;
  ssl { ... }
  bindinfo ... ;
  kerberos ... ;
  users ... ;
  groups ... ;
  active-directory ... ;
}

        

The ldap-client-auth section is derived from ldap-client-auth section prototype. For detail description of it, see ldap(5).

oob-auth name {


  method ... ;
  max-sessions ... ;
  max-user ... ;
  max-groups ... ;
  truncate-groups ... ;
  file ... ;
  lock ... ;
}

        

The oob-auth section is derived from oob-auth section prototype. For detail description of it, see auth(5).

pf-queue name {


  parent ... ;
  bandwidth ... ;
  priority ... ;
  qlimit ... ;
  cbq { ... }
  priq { ... }
  hfsc { ... }
}

        

The pf-queue section is derived from pf-queue section prototype. For detail description of it, see pf-queue(5).

radius-client name {


  nas ... ;
  groups ... ;
* server ... ;
}

        

The radius-client section is derived from radius-client section prototype. For detail description of it, see radius(5).

resolver name {


* server ... ;
  search ... ;
  preference ... ;
  edns ... ;
  conf-timeout ... ;
  initial-timeout ... ;
  final-timeout ... ;
  conn-timeout ... ;
  disable-deresolution ... ;
}

        

The resolver section is derived from resolver section prototype. For detail description of it, see resolver(5).

shared-dir name {


  path ... ;
}

        

The shared-dir section is derived from shared-dir section prototype. For detail description of it, see common(5).

shared-file name {


  path ... ;
  format ... ;
}

        

The shared-file section is derived from shared-file section prototype. For detail description of it, see common(5).

ssl-params name {


  versions ... ;
  ciphers ... ;
  tcp-eof ... ;
  id ... ;
* auth-cert ... ;
  distrusted-certs ... ;
  dont-check-crl ... ;
* crl ... ;
  verify-peer ... ;
  cache-timeout ... ;
  use-ticket ... ;
  enable-renegotiation ... ;
  fake-cert ... ;
  prefer_server_ciphers ... ;
  enable-ecdh ... ;
}

        

The ssl-params section is derived from ssl-params section prototype. For detail description of it, see ssl(5).

sysctl {


* variable ... ;
  portrange-default ... ;
  portrange-high ... ;
  portrange-low ... ;
  portrange-reserved ... ;
  somaxconn ... ;
  log-in-vain ... ;
  blackhole ... ;
}

        

The sysctl section is derived from sysctl section prototype. For detail description of it, see sysctl(5).

use-resolver name;

Resolver Section Specification.

This item defines name of global (system) resolver section used in particular configuration environment. Namely, it is applicable within SYSTEM section and within any section derived from PROXY prototype. The former usage defines system-wide values, the latter one values valid for particular proxy.

name (type: name of resolver, see resolver(5))

icap-server name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  doctype-identification { ... }
  client-conn { ... }
  document-root ... ;
  hdr-line-len ... ;
  preview ... ;
  blacklist-db ... ;
  max-bypass-sessions ... ;
  ssl-session-cache { ... }
  ldap-cache { ... }
* session-acl name { ... }
* service-acl name { ... }
* request-acl name { ... }
* doc-acl name { ... }
}

        

The icap-server section is derived from icap-server section prototype. For detail description of it, see icap-server(5).

ipv6-mode [status];

Enabling/Disabling IPv6 Mode.

status (type: enabling, optional, default: enable)

SEE ALSO

configuration(7), icap-server(8), acl(5), antivirus(5), auth(5), clear-web-db(5), common(5), icap-server(5), interface(5), ipc(5), ldap(5), listen-on(5), log(5), mod-html-filter(5), pf-queue(5), radius(5), resolver(5), source-address(5), ssl(5), sysctl(5), time(5), host-matching(7)

Prev Up Next
icap-server Home imap4-proxy