ICAPeg Server.
Open Source multi-vendor ICAP server
Scan files requested via a proxy server using ICAPeg ICAP server, ICAPeg is an ICAP server connecting web proxies with API-based scanning services and more soon. ICAPeg currently supports VirusTotal, Cloudmersive & Clamav for scanning the files following the ICAP protocol. If you don't know about the ICAP protocol, here is a bit about it:
ICAP stands for Internet Content Adaptation Protocol. If a content (for example: file) you've requested over the internet to download or whatever, needs adaptation(some kind of modification or analysis), the proxy server sends the content to the ICAP server for adaptation and after performing the required tasks on the content, the ICAP server sends it back to the proxy server so that it may return the adapted content to the destination. This can occur both during request and response.
To know more about the ICAP protocol, check this out.
Before starting to play with ICAPeg, make sure you have the following things in your machine:
Golang(latest enough to be able to use go mod)
You should install at least go version 1.16.
You can get how to install Golang from here.
A proxy server
You should configure a Proxy server with ICAPeg, you can get an example from here.
- Clone the ICAPeg repository
$ git clone https://github.com/egirna/icapeg.git
Run the project with the default configuration in config.toml file
Run the following command in the directory where you've installed ICAPeg
$ cd ~/ICAPeg
- Build ICAPeg binary
$ go build .
- Finally execute the file like you would for any other executable according to your OS, for Unix-based users though
$ ./icapeg
You should see something like, ICAP server is running on localhost:1344 ...
. This tells you the ICAP server is up and running.
You can change the default configuration file whatever you want to customize the application.
This feature is supported for strings, int, bool, time.duration and string slices only (every type used in this project).
Let's have an example to explain how to map, assume that there is an environment variable in your machine called PORT and you want to assign PORT value to app.port. You should change the value of (port= 1344) to (port= "$_PORT").
Note: before you use this feature please make sure that the env variable that you want to use is globally in your machine and not just exported in a local session.
This section includes the configuration variables that are responsible for the application overall like the port number and current services integrated with ICAPeg.
[app] port = 1344 services= ["echo", "virustotal", "clamav", "cloudmersive"] debugging_headers=true
The port number that ICAPeg runs on. The default port number for any ICAP server is 1344, possible values:
- Any port number that isn't used in your machine.
The array that contains integrated services names with ICAPeg, possible values:
- Integrated services names with ICAPeg (ex: ["echo"]).
A boolean variable which indicates if debugging headers should be displayed with ICAP headers or not. Debugging headers tell the client shadow service is enabled for example. they start with X-ICAPeg-{{HEADER_NAME}}. possible values:
true: Debugging headers should be displayed with ICAP headers.
false: Debugging headers should not be displayed with ICAP headers.
Any port number that isn't used in your machine.
[echo] section
Note: Variables explained in echo service are mandatory with any service integrated with ICAPeg.
[echo] vendor = "echo" service_caption= "echo service" #Service service_tag = "ECHO ICAP" #ISTAG req_mode=true resp_mode=true shadow_service=false preview_enabled = true# options send preview header or not preview_bytes = "1024" #byte process_extensions = ["pdf", "zip", "com"] # * = everything except the ones in bypass, unknown = system couldn't find out the type of the file reject_extensions = ["docx"] bypass_extensions = ["*"] #max file size value from 1 to 9223372036854775807, and value of zero means unlimited max_filesize = 0 #bytes return_original_if_max_file_size_exceeded=false
The name of the vendor's service, possible values:
- The vendor of that service (ex: "echo")
Service caption header value.
Service caption header value.
A boolean variable that indicates whether request mode is enabled or not, possible values:
- true: Request mode is enabled.
- false: Request mode is disabled.
Get more details about request mode from here.
A boolean variable that indicates whether response mode is enabled or not, possible values:
- true: Response mode is enabled.
- false: Response mode is disabled.
Get more details about response mode from here.
A boolean variable that indicates whether shadow service mode is enabled or not, possible values:
- true: Shadow service mode is enabled.
- false: Shadow service mode is disabled.
Note: Shadow service mode is used for debugging purposes. it means that when user/client sent a request to ICAPeg, ICAPeg will send an ICAP response with 204 (No modifications) ICAP status code in case ICAP request has (Allow: 204) header or with 200 (OK) ICAP status code with the original HTTP message in case ICAP request hasn't (Allow: 204) header.
A boolean variable that indicates whether message preview is enabled or not, possible values:
- true: Message Preview is enabled.
- false: Message Preview is disabled.
Get more details about Message Preview from here.
It indicates how many bytes of preview are needed for a particular ICAP application on a per-resource basis, possible values:
- Any string numeric value
It indicates the file types that should be processed and scanned from the service, and possible values:
- Any string file types.
It indicates the file types that should be rejected by the service, and possible values:
- Any string file types.
It indicates the file types that should be bypassed by the service and that means the files with these types will not be processed and will not be rejected. They will just be returned to the client as they were sent to ICAPeg from him, and possible values:
- Any string file types.
Notes about extensions arrays:
Asterisk sign (*****) means every file type except the ones in other arrays. example:
process_extensions = ["pdf", "zip", "com"] reject_extensions = ["docx"] bypass_extensions = ["*"]
this example means that any file type will be bypassed except docx type which in reject_extensions, pdf, zip, com types which in process_extensions.
Only one array from (process_extensions, reject_extensions, bypass_extensions) arrays should has Asterisk sign (*****).
process_extensions = ["pdf", "zip", "com"] reject_extensions = ["docx", "pdf", "*"] bypass_extensions = ["*"]
this configuration is not valid and ICAPeg will not run. another example:
process_extensions = ["pdf", "zip", "com"] reject_extensions = ["docx"] bypass_extensions = ["*"]
this configuration is valid and ICAPeg will run normally.
Two arrays can't have the same file type. example:
process_extensions = ["pdf", "zip", "com"] reject_extensions = ["docx", "pdf"] bypass_extensions = ["*"]
this configuration is not valid and ICAPeg will not run. another example:
process_extensions = ["pdf", "zip", "com"] reject_extensions = ["docx"] bypass_extensions = ["*"]
this configuration is valid and ICAPeg will run normally.
- You may not use these variables in your service and you may use them, It depends on your service and It's up to you.
- We will pretend that this service is for file processing and it sends that file to an external API to process it then it gets it back again, So all optional variables depend on that scenario in this service. (It's just a fake scenario service that can do anything not just for processing files).
It's the maximum HTTP message file size that the service can process, possible values:
- Any valid integer value.
A boolean variable that indicates to wether service should return the original file if the file size exceeds the maximum file size or not, possible values:
- true: Returning the original file.
- false: Returning 400 Bad request.
Get more details about request mode from here.
How to add a new service for a new vendor.
After reading the above markdown, read the next section because it may help you while implementing your new service.
This is a developer guide which includes a lot of functions to help the developer while implementing his new service.
You will have to restart the ICAP server each time you change anything in the config file.
You will have to restart squid whenever you restart the ICAP.
You need to configure your network(or your browser)'s proxy settings to go through squid.
This project is still a WIP. So you can contribute as well. See the contributions guide here.
ICAPeg is licensed under the Apache License 2.0.