Re: ICAP vectoring points

From: Steve Hill <steve_at_opendium.com>
Date: Thu, 29 Nov 2012 09:32:08 +0000

On 29.11.12 04:16, Eliezer Croitoru wrote:

> I was just wondering what exactly you need to do?
> What is the goal\task of the ICAP server.

The ICAP server does on-the-fly content filtering - it analyses the
request headers (in reqmod), the response headers and streaming content
(in respmod) to categorise the page and decide whether to block it. The
filtering criteria are done on a per-user basis, so filtering it before
it enters the cache doesn't make sense, since in the event that an
allowed user requests the object, it will then go into the cache and
will be retrievable by a disallowed user.

It would be possible to do all the possible analysis that could be
needed, insert their results as http headers and allow the object to go
into the cache, then check those headers using ACLs when it is retrieved
from the cache, but this would result in a large overhead of unnecessary
analysis since for most users those criteria are not needed.

> The only missing thing is that you cant pass yet to the ICAP server
> special custom headers by your choose.

This is something I've thought about doing for various reasons in the
past, but never actually tried. However, is this not what
adaptation_meta does?

> If you have specific ICAP solution maybe it's not design to even do what
> you need.

The ICAP server was designed by me, so it is designed to do exactly what
we need. :) However, I could never see a sensible alternative to using
a respmod_postcache vectoring point, so in the end we settled on
stacking 2 squids together to achieve that.

It would, however, be nice to be able to ditch the second squid at some
point. Although a secondary purpose the second squid is performing at
the moment is to prevent tproxy from spoofing the client's IP address,
since there appears to be no other way to do this (?). That said,
disabling spoofing on a global basis appears to be reasonably trivial to
hack into the squid code. 

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messager: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com
Received on Thu Nov 29 2012 - 09:32:15 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 30 2012 - 12:00:18 MST