On 10/17/2016 11:51 AM, James Lay wrote:

> Here's what I'm wanting to accomplish and it's been proving a challenge:
>  Detect keywords (think DLP maybe) in http/https flows.  I've got ecap
> and icap compiled in and working.  My challenges:
> a)with icap, it appears that the filter content adapters only work with
> responses, not requests....I need both.

It depends on the ICAP service. Some work with requests, some with
responses, some with both kinds of messages.

> b)with icap, if I use the "echo" adapter I can see everything on the lo
> interface, but decoding it has proven fruitless for me

If you are trying to manually decode ICAP traffic on a loopback
interface, please clarify what you are trying to accomplish with that.

> c)with ecap, I configured per
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP, 
> but I'm confused on the ecap_service line..examples show
> "ecap://www.vigos.com/ecap_gzip", but what do I put in?  

Just like with ICAP, you configure an eCAP adapter/service that you want
to use. I do not know whether it exists or needs to be written. For
example, if you want to find viruses, you can use an eCAP ClamAV adapter.

> I thought I
> didn't need a service for ecap..do I point this to localhost or something?

With eCAP, you do not need a server. With both ICAP and eCAP you need a
service or "adapter" that does whatever you want to do. ICAP and eCAP
are just protocols/API -- they cannot do anything useful on their own.

The eCAP service URI is just an identifier. It does not "point" to any
specific location. It is only used to distinguish one loaded eCAP
service from another loaded eCAP service.

Overall, you need some software that will "detect keywords". That
detection is not going to happen magically on its own. ICAP and eCAP are
just two ways to get the HTTP messages to that software. Some call that
_kind_ of software "ICAP service", "ICAP server plugin", "eCAP service",
"eCAP adapter", etc. You need to find or write a specific
service/plugin/adapter/etc. that does keyword detection.


squid-users mailing list

Reply via email to