Hi all squiders, I found the right way to implement the content filter extention to squid. I will continue the implementation and will send it to our QA Team, I hope the whole squid community will use this extention to squids ICAP capabilities.
Best regards, Moshe Beeri. Software Engineer, Server Team. [EMAIL PROTECTED] Petach-Tiqva Bazel 16, Israel. Tel: +972 (3) 928-0400 ext. 429 Fax: +972 (3) 921-7594 > > Hi Christos, > > Thank you for your help, but you suggestion is not secure nor > best perform, Please read my other remarks below. > > Now that I read the question again I see it is not clear > enough, I will ask again. > I would like squid ICAP client to do the logic for couple of > reasons, 1. Security - Origin sever might change the replied > http header and add the "X-MY-SCANNER: Allow" it self, > and bypass the content filter, In that case I > would not be able to prevent kids from viewing un honest > pages :-( 2. Performance - Redundant call since I already > know that request is allowed. > > There for I would like to keep in squids session data the > classification and upon to the classification prior to > response-mod call. > > For now I have figured out that the best place to set the > data between the req-mod and resp-mod if in the fde > structure, but since squid saves that object in fd_table > (hash?) keyed by ICAP FD there is no continuity with the HTTP FD. > I realized that I need to look for the mechanism that changes > the next handler (hdl) that switch FD to read from, is the > KEY to set up the fde related to the HTTP response, with the > classification information. > In squid ICAP client implementation there is no connection > between the FD sets, ICAP's and HTTP's. > > > Again 10X for reading and good will, > I hope there is a short cut out there, > If someone has an implementation suggestion or realizes I am > missing something please write me. > > > > > > > Hi Beeri, > > Maybe you do not need to modify the squid-ICAP code to > support your > > model. > > I think that the correct implementation of your problem using > > squid-ICAP > > is: > > > > 1) An http request come into the squid. Squid sends the > reqmod request > > to the ICAP server and server classifies the request: > > a) In the case of the BLOCK ICAP server creates a http response > > saying > > to the web client that the request blocked > > b) In the case of UNKNOWN ICAP server does nothing > > c) In the case of ALLOW ICAP server adds a proprietary > http header > > to the http request for example "X-MY-SCANNER: Allow" > > > > 2) When squid has the http response then sends a respmod request to > > the > > ICAP server. The respmod request contains the http response > > headers AND the http request headers. > > a) When ICAP server founds the "X-MY-SCANNER: Allow" header > > in http request headers it responds with an > allow204 response > > to > > squid > > b)The "X-MY-SCANNER: Allow" is not in the http request headers > > so the ICAP server takes the http body from squid > and check it > > or > > modify it or what else. > > > > > > An other solutions is to use only the respmod request > because here you > > have both the http request headers and the http response. > > > > > The Question: > > > > > > I would like to pass the information that, no call to > response mode > > > (call the ICAP Server for the response) is needed. > > > ................... > > > > I am not sure that I fully understand your question, but I > think that > > this functionality can not included in a general ICAP > client of squid. > > But maybe I am loosing something here..... > > > > Regards, > > Christos > > > > > Background information: > > > > > > I am implementing an extension to squid ICAP client based > upon ICAP > > > Patch and squid 2.5 STABLE 10. > > > The squid ICAP client does not support Content Filtering > > the way we at > > > PureSight.com using it. > > > The ICAP protocol is defined to support also Content > Filtering and > > > defines a return value at the request mod stage. > > > I receive the value that can be one of the following: > > > ALLOW, > > > BLOCK, > > > UNKNOWN > > > > > > > > > .............................. > > > > > > > > > > > > >
