Configuration file

Linux config file location
- [global] section
- [logger] section
Windows config file location
- HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\global
- HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\logger

Linux

Configuration upgrades on RHEL/CentOS

When ICAP Server is upgraded on RHEL/CentOS, the configuration file is not automatically upgraded if modifications have been made to it.

In this case the installer (RPM) creates a file called mdicapsrv.rpmnew with the upgraded configuration entries, and this file needs to be merged manually to the actual configuration file.

The configuration file for the server is located in /etc/mdicapsrv/mdicapsrv.conf.

After modifying the server configuration file you must restart the MetaDefender ICAP Server service for the changes to take effect. You should use the distribution-standard way to restart the mdicapsrv service.

[global] section

parameter	default value	required	description
icapaddress	0.0.0.0	required	One of the IP addresses of the computer that runs the product to serve ICAP interface Note: * -> means all interface for both IPV4 and IPv6 0.0.0.0 -> means all interface of IPv4 only 127.0.0.1 -> loopback IPv4 only :: -> mean all interface of IPv6 ::1 -> loopback IPv6
icapport	1344	required	Designated port number for the ICAP interface. Always listening ICAP Server is always listening on this port on clear text ICAP even if TLS is enabled for the ICAP interface.
icaps_port	11344	optional	Designated port number for the ICAPS interface. Not always listening ICAP Server is listening on this port only if ICAPS is enabled. For details see 3.2 Configuring TLS.
restaddress	0.0.0.0	required	One of the IP addresses of the computer that runs the product to serve REST API and web user interface (0.0.0.0 means all interface)
restport	8048	required	Designated port number for the web and REST interface
tempdirectory	/var/tmp/mdicapsrv/temp	optional	Root directory for temporary files creation. A /temp subdirectory is automatically created within a customized directory. For example: If /tmp is configured as tempdirectory then /tmp/temp will be used for creating temporary files
skip_multipart_without_filename	false	optional	Only accepting "true" / "false" value. When enabled the ICAP server won't send files from a multipart request for scanning when the given part does not have a filename key in it's own Content-Disposition header
enable_message_header_encoding	false	optional	Only accepting "true" / "false" value. When enabled the ICAP server will decode Base64 encoded UTF-8 filenames in HTTP Content-Disposition headers that are misused for MIME Content-Disposition (https://tools.ietf.org/html/rfc2047). Details Certain webmail providers misuse HTTP Content-Disposition header for MIME Content-Disposition header and put Base64 encoded strings into it. In this case -after ICAP Server side processing- the file name may be broken or even empty at the downloading side. Enabling this option can counter the situation.
unique_uri_per_service	false	optional	Only accepting "true" / "false" value. When setting it to "true", MetaDefender ICAP server will assign unique URIs to each ICAP service (REQMOD, RESPMOD). Only available starting MetaDefender ICAP Server 4.11.0
blockedmsg_response_type	html	optional	Only accepting "html" / "json" value. When setting it to "json", ICAP server will forward entire scan result in JSON received from MetaDefender Core to ICAP client. Only available starting MetaDefender ICAP Server 4.11.0
max_connections	355	optional	Only accepting value in range of [1, 32767] Configure to define maximum number of connections returned to OPTIONS method request. Only available starting MetaDefender ICAP Server 4.11.0
webhook_address	0.0.0.0	required with conditions	Setting IP address for MetaDefender ICAP server webhook callback URI (where MetaDefender Core sends callback response to) (Only available starting MetaDefender ICAP Server 4.11.0) This setting is mandatory when MetaDefender ICAP server has multiple network interaces on the same machine. Use-case 1: When MetaDefender Core is sitting in a different machine from MetaDefender ICAP Server, then set MetaDefender Core's IP address. For example: [global] webhook_address=192.168.1.100 Use-case 2: When MetaDefender ICAP and MetaDefender Core are installed in the same host, then set 0.0.0.0 [global] webhook_address=0.0.0.0
enable_x_client_custom_parser	false	optional	Enable ICAP custom header, see details: Custom ICAP Request Header
max_number_x_client_custom	16	optional	Maximum number of custom headers is supported, see details: Custom ICAP Request Header
max_header_length_x_client_custom	128	optional	Maximum length (in bytes) of each custom header name (excluding `X-Client-Custom-` prefix) Maximum length (in bytes) of each custom header value See details: Custom ICAP Request Header
notify_modified_custom_header	false	optional	See details: Custom ICAP Request Header
enable_options_ttl_header	false	optional	true: enable options_ttl header respond for OPTIONS command false: the options_ ttl header will not return this configuration is supported to integrate with Oracle ZFS
set_options_ttl_header_value	3600	optional	[1, MAX int] (in second)
`system_info_logging`	false	optional	Only accepting "true" / "false" value. When setting it to "true", MetaDefender ICAP server will collect system resource information on server where MetaDefender ICAP Server resides to log files Only available starting MetaDefender ICAP Server 5.1.1
system_info_logging_interval	15	optional	Set logging interval in second [1, MAX int] (in second) Only available starting MetaDefender ICAP Server 5.1.1
enable_no_content_scan_logging	true	optional	Only accepting "true" / "false" value (default is "true") if set to false, the ICAP requests with "No Content to Scan" verdict will not be logged to database Only available from ICAP v5.6.0
enable_preview_header	true	optional	Only accepting "true" / "false" value (default is "true") if set to false, the header "preview" and "Transfer-Preview" will be removed out of response of OPTIONS (for Software AG integration) Only available from ICAP v5.6.0

[logger] section

key	default value	required	description
logfile	/var/log/mdicapsrv/mdicapsrv.log	optional	Full path of a logfile to write log messages to
loglevel	info	optional	Level of logging. Supported values are: debug, info, warning, error
syslog		optional	Switch on logging to a local ('local') or remote ('protocol://hostname:port') syslog server. (Multiple server can be specified separated with comma) For TCP secure syslog server (support since ICAP v5.8.0) use this format: `TCPS://hostname.port`
syslog_level		optional	Level of logging. Supported values are: debug, info, warning, error
override		optional	Override specific log ids to display them on another level e.g.: "1723:error,663:info". Note: when displaying these log ids their original level will remain the same.
capture_traffic		optional	Capture raw TCP traffic in case of bad requests. See 3.5.4 Logging traffic of bad requests.
cef	false	optional	If true, the log format is Common Event Format
local_timezone	false	optional	If true, the times sent in syslog messages will be in the server's local timezone. This does not effect entries in the log file/Windows event log. When syslog is used with cef and local_timezone enabled the timezone name can vary based on the underlying system and it's settings. Examples Syslog UTC: 2018-09-19T13:07:36Z Local: 2018-09-19T15:07:36+02:00 Syslog with CEF UTC: Sep 19 13:12:47 UTC Local 1: Sep 19 15:12:47 CEST Local 2: Sep 19 15:12:47 Central Europe Daylight Time
nginx_logfile	/var/log/mdicapsrv/nginx-mdicapsrv.log	optional	File name and path to store the NGINX logs. If this value is changed, the /etc/logrotate.d/mdicapsrv should be changed accordingly.

You should set both of syslog and syslog_level or none of them and you should set both of logfile and loglevel or none of them.

[internal] section

key	default value	required	description
db_connection	10	optional	Define maximum number of concurrent connections allows MetaDefender Core to open to work with PostgreSQL database server. Only available starting MetaDefender Core 5.2.0

Windows

The configuration for the server is located in Windows Registry.

After modifying the server configuration file you must restart the MetaDefender ICAP Server service in order for the changes to take effect.

Default logging target is Windows event log with default level of info (see below).

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\global

parameter	default value	type	required	description
icapaddress	0.0.0.0	string value	required	One of the IP addresses of the computer that runs the product to serve ICAP interface (0.0.0.0 means all interface) Note: * -> means all interface for both IPV4 and IPv6 0.0.0.0 -> means all interface of IPv4 only 127.0.0.1 -> loopback IPv4 only :: -> mean all interface of IPv6 ::1 -> loopback IPv6
icapport	1344	string value	required	Designated port number for the ICAP interface Always listening ICAP Server is always listening on this port on clear text ICAP even if TLS is enabled for the ICAP interface.
icaps_port	11344	string value	optional	Designated port number for the ICAPS interface. Not always listening ICAP Server is listening on this port only if ICAPS is enabled. For details see 3.2 Configuring TLS.
restaddress	0.0.0.0	string value	required	One of the IP addresses of the computer that runs the product to serve REST API and web user interface (0.0.0.0 means all interface)
restport	8048	string value	required	Designated port number for the web and REST interface
tempdirectory	C:\Program Files\OPSWAT\Metadefender ICAP Server\data\temp	string value	optional	Root directory for temporary files creation. A \temp subdirectory is automatically created within a customized directory. For example: If C:\Temp is configured as tempdirectory then C:\Temp\temp will be used for creating temporary files
skip_multipart_without_filename	false	string value	optional	Only accepting "true" / "false" value. When enabled the MetaDefender ICAP server won't send files from a multipart request for scanning when the given part does not have a filename key in it's own Content-Disposition header
enable_message_header_encoding	false	string value	optional	Only accepting "true" / "false" value. When enabled the MetaDefender ICAP server will decode Base64 encoded UTF-8 filenames in HTTP Content-Disposition headers that are misused for MIME Content-Disposition (https://tools.ietf.org/html/rfc2047). Details Certain webmail providers misuse HTTP Content-Disposition header for MIME Content-Disposition header and put Base64 encoded strings into it. In this case -after ICAP Server side processing- the file name may be broken or even empty at the downloading side. Enabling this option can counter the situation.
unique_uri_per_service	false	string value	optional	Only accepting "true" / "false" value. When setting it to "true", MetaDefender ICAP server will assign unique URIs to each ICAP service (REQMOD, RESPMOD). Only available starting MetaDefender ICAP Server 4.11.0
blockedmsg_response_type	html	string value	optional	Only accepting "html" / "json" value. When setting it to "json", ICAP server will forward entire scan result in JSON received from MetaDefender Core to ICAP client. Only available starting MetaDefender ICAP Server 4.11.0
max_connections	355	string value	optional	Only accepting value in range of [1, 32767] Configure to define maximum number of connections returned to OPTIONS method request. Only available starting MetaDefender ICAP Server 4.11.0
webhook_address	0.0.0.0	string value	required with conditions	Setting IP address for MetaDefender ICAP server webhook callback URI (where MetaDefender Core sends callback response to) (Only available starting MetaDefender ICAP Server 4.11.0) This setting is mandatory when MetaDefender ICAP server has multiple network interaces on the same machine. Use-case 1: When MetaDefender Core is sitting in a different machine from MetaDefender ICAP Server, then set MetaDefender Core's IP address. For example: [global] webhook_address=192.168.1.100 Use-case 2: When MetaDefender ICAP and MetaDefender Core are installed in the same host, then set 127.0.0.1 [global] webhook_address=127.0.0.1
enable_x_client_custom_parser	false	string value	optional	Enable ICAP custom header, see details: Custom ICAP Request Header
max_number_x_client_custom	16	string value	optional	Maximum number of custom headers is supported, see details: Custom ICAP Request Header
max_header_length_x_client_custom	128	string value	optional	Maximum length (in bytes) of each custom header name (excluding `X-Client-Custom-` prefix) Maximum length (in bytes) of each custom header value See details: Custom ICAP Request Header
notify_modified_custom_header	false	string value	optional	See details: Custom ICAP Request Header
maxstdio	512 for MD ICAP Server 5.1.1 and older 4096 since MD ICAP Server v5.2.0	string value	optional	Define maximum number of files can be opened simultaneously on Windows. The acceptable range is : [512, 2048] for MD ICAP Server 5.1.1 and older. [512, 8192] since MD ICAP Server 5.2.0
enable_options_ttl_header	false	string value	optional	true: enable options_ttl header respond for OPTIONS command false: the options_ttl header will not return this configuration is supported to integrate with Oracle ZFS
set_options_ttl_header_value	3600	string value	optional	[1, MAX int] (in second)
system_info_logging	false	string value	optional	When setting it to "true", MetaDefender ICAP server will collect system resource information on server where MetaDefender ICAP Server resides to log files Only available starting MetaDefender ICAP Server 5.1.1
system_info_logging_interval	15	string value	optional	Only available starting MetaDefender ICAP Server 5.1.1
enable_no_content_scan_logging	true	string value	optional	Only accepting "true" / "false" value (default is "true") if set to false, the ICAP requests with "No Content to Scan" verdict will not be logged to database Only available from ICAP v5.6.0
enable_preview_header	true	string value	optional	Only accepting "true" / "false" value (default is "true") if set to false, the header "preview" and "Transfer-Preview" will be removed out of response of OPTIONS (for Software AG integration) Only available from ICAP v5.6.0
curlsslopt_revoke_best_effort	false	string value	optional	Support since ICAP v5.8.0 (Windows only) true: Ignore revocation server checking incase can not communicate to revocation server false: return false when can not communicate to revocation server

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\logger

parameter	default value	type	required	description
logfile		string value	optional	Location of a logfile to write log messages to
loglevel		string value	optional	Level of logging. Supported values are: debug, info, warning, error
log_rotation	false	string value	optional	Supported values: 0 or false: ICAP logs are not rotated 1 or true: Rotation process will be performed every day, regardless of file size. Limit rotated log to be stored is 30 files, the oldest log will be deleted if file number reaches the limit. Rotated log name format: <logname>-<yyyyMMdd>.gz (e.g.: icap.log-20200330.gz), all saved in same location with what you set in logfile. All generated log packages included in MetaDefender ICAP Server support package.
wineventlog_level	info	string value	optional	Level of logging. Supported values are: debug, info, warning, error
syslog		string value	optional	Value can only by in form of 'protocol://<hostname>:<port>'. (Multiple server can be specified separated with comma) For TCP secure syslog server (support since ICAP v5.8.0) use this format: `TCPS://hostname.port`
syslog_level		string value	optional	Level of logging. Supported values are: debug, info, warning, error
override		string value	optional	Override specific log ids to display them on another level e.g.: "1723:error,663:info" . Note: when displaying these log ids their original level will remain the same.
capture_traffic		DWORD	optional	Capture raw TCP traffic in case of bad requests. See 3.5.4 Logging traffic of bad requests.
cef	false	string value	optional	If true, the log format is Common Event Format
local_timezone	false	string value	optional	If true, the times sent in syslog messages will be in the server's local timezone. This does not effect entries in the log file/Windows event log. When syslog is used with cef and local_timezone enabled the timezone name can vary based on the underlying system and it's settings. Examples Syslog UTC: 2018-09-19T13:07:36Z Local: 2018-09-19T15:07:36+02:00 Syslog with CEF UTC: Sep 19 13:12:47 UTC Local 1: Sep 19 15:12:47 CEST Local 2: Sep 19 15:12:47 Central Europe Daylight Time
nginx_logfile	[installdir] ginx ginx.log	string value	optional	File name and path to store the NGINX logs.
nginx_log_rotation	false	string value	optional	If true, the log file specified by the nginx_logfile entry is rotated after 24 hours from creation. The last 30 log files are stored, the oldest log file will be deleted if number of files reaches the limit. Naming convention The rotated log files are named according to the following convention: <file name from nginx_logfile entry>-<yyyyMMdd>.gz. Example nginx-mdicapsrv-20200730-<123>.gz Support package All stored log files are included in MetaDefender ICAP's support package.

You should set both of syslog and syslog_level or none of them and you should set both of logfile and loglevel or none of them.

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\internal

key	default value	type	required	description
db_connection	10	string value	optional	Define maximum number of concurrent connections allows MetaDefender Core to open to work with PostgreSQL database server. Only available starting MetaDefender Core 5.2.0

Last updated on Mar 20, 2025

Was this page helpful?

Configuration file

Linux config file location

Windows config file location