Configuration file

Linux

Note

Configuration upgrades on RHEL/CentOS

When ICAP Server is upgraded on RHEL/CentOS, the configuration file is not automatically upgraded if modifications have been made to it.

In this case the installer (RPM) creates a file called mdicapsrv.rpmnew with the upgraded configuration entries, and this file needs to be merged manually to the actual configuration file.

The configuration file for the server is located in /etc/mdicapsrv/mdicapsrv.conf.

After modifying the server configuration file you must restart the MetaDefender ICAP Server service for the changes to take effect. You should use the distribution-standard way to restart the mdicapsrv service.

[global] section

parameter

default value

required

description

icapaddress

0.0.0.0

required

One of the IP addresses of the computer that runs the product to serve ICAP interface Note:

  • *** ->** means all interface for both IPV4 and IPv6

  • 0.0.0.0 -> means all interface of IPv4 only

  • 127.0.0.1 -> loopback IPv4 only

  • :: -> mean all interface of IPv6

  • ::1 -> loopback IPv6

icapport

1344

required

Designated port number for the ICAP interface. Always listening ICAP Server is always listening on this port on clear text ICAP even if TLS is enabled for the ICAP interface.

icaps_port

11344

optional

Designated port number for the ICAPS interface. Not always listening ICAP Server is listening on this port only if ICAPS is enabled. For details see 3.2 Configuring TLS.

restaddress

0.0.0.0

required

One of the IP addresses of the computer that runs the product to serve REST API and web user interface (0.0.0.0 means all interface)

restport

8048

required

Designated port number for the web and REST interface

tempdirectory

/var/tmp/mdicapsrv/temp

optional

Root directory for temporary files creation. A /temp subdirectory is automatically created within a customized directory. For example:

  • If /tmp is configured as tempdirectory then

  • /tmp/temp will be used for creating temporary files

skip_multipart_without_filename

false

optional

Only accepting "true" / "false" value.

When enabled the ICAP server won't send files from a multipart request for scanning when the given part does not have a filename key in it's own Content-Disposition header

enable_message_header_encoding

false

optional

Only accepting "true" / "false" value.

When enabled the ICAP server will decode Base64 encoded UTF-8 filenames in HTTP Content-Disposition headers that are misused for MIME Content-Disposition (https://tools.ietf.org/html/rfc2047). Details Certain webmail providers misuse HTTP Content-Disposition header for MIME Content-Disposition header and put Base64 encoded strings into it. In this case -after ICAP Server side processing- the file name may be broken or even empty at the downloading side. Enabling this option can counter the situation.

unique_uri_per_service

false

optional

Only accepting "true" / "false" value.

When setting it to "true", MetaDefender ICAP server will assign unique URIs to each ICAP service (REQMOD, RESPMOD). Only available starting MetaDefender ICAP Server 4.11.0

blockedmsg_response_type

html

optional

Only accepting "html" / "json" value.

When setting it to "json", ICAP server will forward entire scan result in JSON received from MetaDefender Core to ICAP client. Only available starting MetaDefender ICAP Server 4.11.0

max_connections

355

optional

Only accepting value in range of [1, 32767]

Configure to define maximum number of connections returned to OPTIONS method request. Only available starting MetaDefender ICAP Server 4.11.0

webhook_address

0.0.0.0

required with conditions

Setting IP address for MetaDefender ICAP server webhook callback URI (where MetaDefender Core sends callback response to) (Only available starting MetaDefender ICAP Server 4.11.0)

This setting is mandatory when MetaDefender ICAP server has multiple network interaces on the same machine.

Use-case 1: When MetaDefender Core is sitting in a different machine from MetaDefender ICAP Server, then set MetaDefender Core's IP address. For example:

[global]

webhook_address=192.168.1.100

Use-case 2: When MetaDefender ICAP and MetaDefender Core are installed in the same host, then set 0.0.0.0

[global]

webhook_address=0.0.0.0

enable_x_client_custom_parser

false

optional

Enable ICAP custom header, see details: Custom ICAP Request Header

max_number_x_client_custom

16

optional

Maximum number of custom headers is supported, see details: Custom ICAP Request Header

max_header_length_x_client_custom

128

optional

Maximum length (in bytes) of each custom header name (excluding X-Client-Custom- prefix)

Maximum length (in bytes) of each custom header value

See details: Custom ICAP Request Header

notify_modified_custom_header

false

optional

See details: Custom ICAP Request Header

enable_options_ttl_header

false

optional

true: enable options_ttl header respond for OPTIONS command false: the options_ ttl header will not return this configuration is supported to integrate with Oracle ZFS

set_options_ttl_header_value

3600

optional

[1, MAX int] (in second)

system_info_logging

false

optional

Only accepting "true" / "false" value.

When setting it to "true", MetaDefender ICAP server will collect system resource information on server where MetaDefender ICAP Server resides to log files

Only available starting MetaDefender ICAP Server 5.1.1

system_info_logging_interval

15

optional

Set logging interval in second

[1, MAX int] (in second)

Only available starting MetaDefender ICAP Server 5.1.1

enable_no_content_scan_logging

true

optional

Only accepting "true" / "false" value (default is "true")

if set to false, the ICAP requests with "No Content to Scan" verdict will not be logged to database

Only available from ICAP v5.6.0

enable_preview_header

true

optional

Only accepting "true" / "false" value (default is "true")

if set to false, the header "preview" and "Transfer-Preview" will be removed out of response of OPTIONS (for Software AG integration)

Only available from ICAP v5.6.0

[logger] section

key

default value

required

description

logfile

/var/log/mdicapsrv/mdicapsrv.log

optional

Full path of a logfile to write log messages to

loglevel

info

optional

Level of logging. Supported values are: debug, info, warning, error

syslog


optional

Switch on logging to a local ('local') or remote ('protocol://hostname:port') syslog server. (Multiple server can be specified separated with comma)

For TCP secure syslog server (support since ICAP v5.8.0) use this format: TCPS://hostname.port

syslog_level


optional

Level of logging. Supported values are: debug, info, warning, error

override


optional

Override specific log ids to display them on another level e.g.: "1723:error,663:info". Note: when displaying these log ids their original level will remain the same.

capture_traffic


optional

Capture raw TCP traffic in case of bad requests. See 3.5.4 Logging traffic of bad requests.

cef

false

optional

If true, the log format is Common Event Format

local_timezone

false

optional

If true, the times sent in syslog messages will be in the server's local timezone. This does not effect entries in the log file/Windows event log. When syslog is used with cef and local_timezone enabled the timezone name can vary based on the underlying system and it's settings. Examples

  • Syslog

    • UTC: 2018-09-19T13:07:36Z

    • Local: 2018-09-19T15:07:36+02:00

  • Syslog with CEF

    • UTC: Sep 19 13:12:47 UTC

    • Local 1: Sep 19 15:12:47 CEST

    • Local 2: Sep 19 15:12:47 Central Europe Daylight Time

nginx_logfile

/var/log/mdicapsrv/nginx-mdicapsrv.log

optional

File name and path to store the NGINX logs. If this value is changed, the /etc/logrotate.d/mdicapsrv should be changed accordingly.

Note

You should set both of syslog and syslog_level or none of them and you should set both of logfile and loglevel or none of them.

[internal] section

key

default value

required

description

db_connection

10

optional

Define maximum number of concurrent connections allows MetaDefender Core to open to work with PostgreSQL database server. Only available starting MetaDefender Core 5.2.0

Windows

The configuration for the server is located in Windows Registry.

After modifying the server configuration file you must restart the MetaDefender ICAP Server service in order for the changes to take effect.

Default logging target is Windows event log with default level of info (see below).

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\global

parameter

default value

type

required

description

icapaddress

0.0.0.0

string value

required

One of the IP addresses of the computer that runs the product to serve ICAP interface (0.0.0.0 means all interface)

Note:

  • *** ->** means all interface for both IPV4 and IPv6

  • 0.0.0.0 -> means all interface of IPv4 only

  • 127.0.0.1 -> loopback IPv4 only

  • :: -> mean all interface of IPv6

  • ::1 -> loopback IPv6

icapport

1344

string value

required

Designated port number for the ICAP interface Always listening ICAP Server is always listening on this port on clear text ICAP even if TLS is enabled for the ICAP interface.

icaps_port

11344

string value

optional

Designated port number for the ICAPS interface. Not always listening ICAP Server is listening on this port only if ICAPS is enabled. For details see 3.2 Configuring TLS.

restaddress

0.0.0.0

string value

required

One of the IP addresses of the computer that runs the product to serve REST API and web user interface (0.0.0.0 means all interface)

restport

8048

string value

required

Designated port number for the web and REST interface

tempdirectory

C:\Program Files\OPSWAT\Metadefender ICAP Server\data\temp

string value

optional

Root directory for temporary files creation. A \temp subdirectory is automatically created within a customized directory. For example:

  • If C:\Temp is configured as tempdirectory then

  • C:\Temp\temp will be used for creating temporary files

skip_multipart_without_filename

false

string value

optional

Only accepting "true" / "false" value.

When enabled the MetaDefender ICAP server won't send files from a multipart request for scanning when the given part does not have a filename key in it's own Content-Disposition header

enable_message_header_encoding

false

string value

optional

Only accepting "true" / "false" value.

When enabled the MetaDefender ICAP server will decode Base64 encoded UTF-8 filenames in HTTP Content-Disposition headers that are misused for MIME Content-Disposition (https://tools.ietf.org/html/rfc2047). Details Certain webmail providers misuse HTTP Content-Disposition header for MIME Content-Disposition header and put Base64 encoded strings into it. In this case -after ICAP Server side processing- the file name may be broken or even empty at the downloading side. Enabling this option can counter the situation.

unique_uri_per_service

false

string value

optional

Only accepting "true" / "false" value.

When setting it to "true", MetaDefender ICAP server will assign unique URIs to each ICAP service (REQMOD, RESPMOD). Only available starting MetaDefender ICAP Server 4.11.0

blockedmsg_response_type

html

string value

optional

Only accepting "html" / "json" value.

When setting it to "json", ICAP server will forward entire scan result in JSON received from MetaDefender Core to ICAP client. Only available starting MetaDefender ICAP Server 4.11.0

max_connections

355

string value

optional

Only accepting value in range of [1, 32767]

Configure to define maximum number of connections returned to OPTIONS method request. Only available starting MetaDefender ICAP Server 4.11.0

webhook_address

0.0.0.0

string value

required with conditions

Setting IP address for MetaDefender ICAP server webhook callback URI (where MetaDefender Core sends callback response to) (Only available starting MetaDefender ICAP Server 4.11.0)

This setting is mandatory when MetaDefender ICAP server has multiple network interaces on the same machine.

Use-case 1: When MetaDefender Core is sitting in a different machine from MetaDefender ICAP Server, then set MetaDefender Core's IP address. For example:

[global]

webhook_address=192.168.1.100

Use-case 2: When MetaDefender ICAP and MetaDefender Core are installed in the same host, then set 127.0.0.1

[global]

webhook_address=127.0.0.1

enable_x_client_custom_parser

false

string value

optional

Enable ICAP custom header, see details: Custom ICAP Request Header

max_number_x_client_custom

16

string value

optional

Maximum number of custom headers is supported, see details: Custom ICAP Request Header

max_header_length_x_client_custom

128

string value

optional

Maximum length (in bytes) of each custom header name (excluding X-Client-Custom- prefix)

Maximum length (in bytes) of each custom header value

See details: Custom ICAP Request Header

notify_modified_custom_header

false

string value

optional

See details: Custom ICAP Request Header

maxstdio

  • 512 for MD ICAP Server 5.1.1 and older

  • 4096 since MD ICAP Server v5.2.0

string value

optional

Define maximum number of files can be opened simultaneously on Windows. The acceptable range is :

  • [512, 2048] for MD ICAP Server 5.1.1 and older.

  • [512, 8192] since MD ICAP Server 5.2.0

enable_options_ttl_header

false

string value

optional

true: enable options_ttl header respond for OPTIONS command false: the options_ttl header will not return

this configuration is supported to integrate with Oracle ZFS

set_options_ttl_header_value

3600

string value

optional

[1, MAX int] (in second)

system_info_logging

false

string value

optional

When setting it to "true", MetaDefender ICAP server will collect system resource information on server where MetaDefender ICAP Server resides to log files

Only available starting MetaDefender ICAP Server 5.1.1

system_info_logging_interval

15

string value

optional

Only available starting MetaDefender ICAP Server 5.1.1

enable_no_content_scan_logging

true

string value

optional

Only accepting "true" / "false" value (default is "true")

if set to false, the ICAP requests with "No Content to Scan" verdict will not be logged to database

Only available from ICAP v5.6.0

enable_preview_header

true

string value

optional

Only accepting "true" / "false" value (default is "true")

if set to false, the header "preview" and "Transfer-Preview" will be removed out of response of OPTIONS (for Software AG integration)

Only available from ICAP v5.6.0

curlsslopt_revoke_best_effort

false

string value

optional

Support since ICAP v5.8.0 (Windows only)

  • true: Ignore revocation server checking incase can not communicate to revocation server

  • false: return false when can not communicate to revocation server

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\logger

parameter

default value

type

required

description

logfile


string value

optional

Location of a logfile to write log messages to

loglevel


string value

optional

Level of logging. Supported values are: debug, info, warning, error

log_rotation

false

string value

optional

Supported values:

  • 0 or false: ICAP logs are not rotated

  • 1 or true:

    • Rotation process will be performed every day, regardless of file size.

    • Limit rotated log to be stored is 30 files, the oldest log will be deleted if file number reaches the limit.

    • Rotated log name format: <logname>-<yyyyMMdd>.gz (e.g.: icap.log-20200330.gz), all saved in same location with what you set in logfile.

    • All generated log packages included in MetaDefender ICAP Server support package.

wineventlog_level

info

string value

optional

Level of logging. Supported values are: debug, info, warning, error

syslog


string value

optional

Value can only by in form of 'protocol://<hostname>:<port>'. (Multiple server can be specified separated with comma)

For TCP secure syslog server (support since ICAP v5.8.0) use this format: TCPS://hostname.port

syslog_level


string value

optional

Level of logging. Supported values are: debug, info, warning, error

override


string value

optional

Override specific log ids to display them on another level e.g.: "1723:error,663:info" . Note: when displaying these log ids their original level will remain the same.

capture_traffic


DWORD

optional

Capture raw TCP traffic in case of bad requests. See 3.5.4 Logging traffic of bad requests.

cef

false

string value

optional

If true, the log format is Common Event Format

local_timezone

false

string value

optional

If true, the times sent in syslog messages will be in the server's local timezone. This does not effect entries in the log file/Windows event log. When syslog is used with cef and local_timezone enabled the timezone name can vary based on the underlying system and it's settings. Examples

  • Syslog

    • UTC: 2018-09-19T13:07:36Z

    • Local: 2018-09-19T15:07:36+02:00

  • Syslog with CEF

    • UTC: Sep 19 13:12:47 UTC

    • Local 1: Sep 19 15:12:47 CEST

    • Local 2: Sep 19 15:12:47 Central Europe Daylight Time

nginx_logfile

[installdir] ginx ginx.log

string value

optional

File name and path to store the NGINX logs.

nginx_log_rotation

false

string value

optional

If true, the log file specified by the nginx_logfile entry is rotated after 24 hours from creation. The last 30 log files are stored, the oldest log file will be deleted if number of files reaches the limit. Naming convention The rotated log files are named according to the following convention: <file name from nginx_logfile entry>-<yyyyMMdd>.gz. Example nginx-mdicapsrv-20200730-<123>.gz Support package All stored log files are included in MetaDefender ICAP's support package.

Note

You should set both of syslog and syslog_level or none of them and you should set both of logfile and loglevel or none of them.

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\ICAP Server\internal

key

default value

type

required

description

db_connection

10

string value

optional

Define maximum number of concurrent connections allows MetaDefender Core to open to work with PostgreSQL database server. Only available starting MetaDefender Core 5.2.0


  Last updated