Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature request to have policy set such as acl/intercept to define what traffic goes via ICAP #355

Open
GlenDC opened this issue Oct 21, 2024 · 3 comments
Open

feature request to have policy set such as acl/intercept to define what traffic goes via ICAP #355

GlenDC opened this issue Oct 21, 2024 · 3 comments

Comments

@GlenDC
Copy link
Contributor

GlenDC commented Oct 21, 2024

It's a feature request I'm willing to contribute code for in case code is needed.

Currently it seems that as soon as ICAP is enabled, all applicable traffic goes over it.
I would like however to have the option, akin to what we can do for intercept policies
and ACL rules, to be able to define filters on what traffic actually goes over ICAP.

  • First of all, am I correct to think that this is currently is not possible?
  • And if so, from your PoV how would you see support for this? What solution do you have in mind?

Could be a new option in the icap_reqmod_service / icap_respmod_service configs? or how do you see that?
@zh-jq
Copy link
Collaborator

zh-jq commented Oct 21, 2024

It's a feature request I'm willing to contribute code for in case code is needed.

Currently it seems that as soon as ICAP is enabled, all applicable traffic goes over it. I would like however to have the option, akin to what we can do for intercept policies and ACL rules, to be able to define filters on what traffic actually goes over ICAP.

  • First of all, am I correct to think that this is currently is not possible?

Yes, you are right.

  • And if so, from your PoV how would you see support for this? What solution do you have in mind?

Could be a new option in the icap_reqmod_service / icap_respmod_service configs? or how do you see that?

Yes. It's also my preferred way.

@GlenDC
Copy link
Contributor Author

GlenDC commented Oct 21, 2024

Do you like it like this (A):

icap_reqmod_service:
    forward_policy:
        default: bypass
        child:
            forward:
            - example.com
            - example.org
    url: icap://icap.example.com:1344/inspect
icap_respmod_service: 
    forward_policy:
        default: bypass
        child:
        forward:
            - example.com
            - example.org
    url: icap://icap.example.com:1344/inspect

Or like this (B):

icap_forward_policy:
    default: bypass
    child:
        forward:
        - example.com
        - example.org
icap_reqmod_service:
    url: icap://icap.example.com:1344/inspect
icap_respmod_service: 
    url: icap://icap.example.com:1344/inspect

We could do the same approach as with the InspectPolicy making use of the same types where possible,
but for the ForwardPolicy enum:

enum ForwardPolicy {
    Bypass,
    Forward,
}

That is what I currently had in mind, WDYT? I'm also fine if something completely different, would be happy to hear your feedback and pointers either way.

@zh-jq-b
Copy link
Member

zh-jq-b commented Oct 22, 2024

@GlenDC I would prefer B. The policy however can be set to

enum ForwardPolicy {
    Bypass,
    Request,
    Response,
    Forward,
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GlenDC @zh-jq @zh-jq-b