ICAP Client Handler

Purpose

The ICAP Client Handler lets you integrate vWAF with an ICAP server. When this handler is active, vWAF acts as an ICAP client and passes requests (but no responses) to a specified ICAP server. The ICAP server then returns them to vWAF.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: medium. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

Use the ICAP Client Handler if you want to integrate with third-party products that are based on the ICAP protocol. In particular, you can use the ICAP Client Handler as a virus scanner interface for scanning uploads to your web application.

Attributes

Attribute Meaning

icap server location

Location of the ICAP server (without specification of the service).

icap server port

Port number of the ICAP server.

icap server resource

Service (URI) to handle the ICAP request.

handle broken multipart

ICAP was primarily designed for protecting browsers, not for protecting web servers and web applications. When uploading content, you can send multipart/mime. Almost all ICAP servers fail to interpret this correctly. If you enable the option handle broken multipart, vWAF uses a workaround that makes this work correctly. The downside of this workaround is that it makes the handler a bit slower.

For most ICAP services this workaround is necessary, so we recommend turning it on.

error code

HTTP error code that vWAF returns in the following cases:

  • The ICAP server returns anything but "OK", which means that the ICAP server wants to modify or to reject the request. This is usually the case if a virus or other malicious code has been found.
  • The content type header of the request begins with multipart (such as multipart/mime), handle broken multipart has been enabled, vWAF can't parse the request for some reason, and the Global Configuration option allow traffic if we can't parse the request hasn't been enabled.
  • The ICAP server doesn't respond within one second or can't be reached at all.

For an overview of possible error codes, see HTTP Error Codes.

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable log

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.
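
The following sketch is an added example, not vWAF code: it frames an upload as an ICAP REQMOD message (RFC 3507) and applies the fail-closed decision described under error code, which is useful for checking how an ICAP service answers before pointing the handler at it. Assumptions: the page does not say which ICAP status vWAF counts as "OK", so the example treats 204 No Content (no modification needed) as the clean verdict; the host, port and service arguments stand in for the icap server location, icap server port and icap server resource attributes, and the function names are hypothetical.

```python
import socket

def build_reqmod(host, port, service, http_head, body):
    """Frame one HTTP request as an ICAP REQMOD message (RFC 3507)."""
    # Encapsulated offsets count from the start of the ICAP message body.
    part = "req-body" if body else "null-body"
    icap_head = (
        f"REQMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # server may answer 204 instead of echoing the request
        f"Encapsulated: req-hdr=0, {part}={len(http_head)}\r\n\r\n"
    ).encode("ascii")
    # An encapsulated body is always chunked; the zero-length chunk ends it.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return icap_head + http_head + chunked

def icap_status(response):
    """Return the ICAP status code, or 0 if the status line is malformed."""
    fields = response.split(b"\r\n", 1)[0].split()
    if len(fields) < 2 or not fields[0].startswith(b"ICAP/") or not fields[1].isdigit():
        return 0
    return int(fields[1])

def verdict(response):
    """Fail closed: only a well-formed 204 lets the request through."""
    # Assumption: 204 is the clean answer; a 200 carries a modified request
    # or a replacement response, i.e. the server wants to modify or reject.
    if response is not None and icap_status(response) == 204:
        return "allow"
    return "block"

def scan(host, port, service, http_head, body, timeout=1.0):
    """Send the request to the ICAP server; no answer within the timeout blocks."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(build_reqmod(host, port, service, http_head, body))
            return verdict(conn.recv(4096))  # the status line is in the first bytes
    except OSError:  # timeout, refused connection, unreachable host
        return verdict(None)
```

A "block" verdict corresponds to the cases in which vWAF returns the configured error code; the one-second default of timeout mirrors the limit stated above.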