RE: ICAP, bypassing respmod depending reqmod result

From: Moshe Beeri <Moshe.B_at_puresight.com>
Date: Tue, 2 Dec 2008 16:19:35 +0200

> Moshe Beeri wrote:
> > Hi,
> >
> > I am trying to add extension to ICAP layer in squid 3.0 STABLE 10.
> > Our service works both in respmod and reqmod, in some cases we know
> > right after reqmod that the data should passed directly to the
> client.
> > in those cases we like to be more efficient by not utilizing respmod
> at
> > all, sending the server's response directly to the client, bypassing
> > ICAP server's respmod.
> >
> > Does any one have an idea how to decided after 'reqmod reply'
> > whether http server response will be sent to ICAP server's respmod
or
> to
> > send directly to client?
> > Any suggestions how to trick the mechanism?
>
> You can add a header to the http request during reqmod processing eg
> "X-ICAP-Respmod-Needed: False" and play with a squid req_header acl
to
> allow/deny respmod processing:
>
> acl AnXIcapHeader req_header X-ICAP-Respmod-Needed False
> icap_access class_respmod deny AnXIcapHeader
>
> Regards,
> Christos
>
Thanks Christos,

Your solution, thought elegant, is not secure since the web server might
change the parameter and cause unsafe data transfer to client.
can I utilize acl to do the same by adding header to ICAP (reqmod)
response?

In 2.5 I changed the code using fde object associated with client_fd to
pass context information from reqmod to respmod, disabling ICAP by
returning a constant instead of icap_writer, but with 3.0 code
improvement this hock has gone or I am missing it, is there any why to
do it in 3.0 ?

Regards,
        Moshe.
> >
> > Thanks Allot,
> > Moshe Beeri.
> >
Received on Tue Dec 02 2008 - 14:12:42 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 02 2008 - 12:00:03 MST