ICAP configuration

ICAP (Internet Content Adaptation Protocol) is a lightweight protocol much like HTTP that makes it possible to offload some processing of HTTP requests and responses ("adaptation") to dedicated ICAP servers. ICAP is generally used by proxy servers to integrate third-party products such as anti-virus software, content scanners, and URL filters. For a detailed description of ICAP, please refer to RFC 3507.

Airlock Gateway acts as an ICAP client. The ICAP module supports request rewriting (REQMOD) as well as response rewriting (RESPMOD). It can pass HTTP requests and response messages to an ICAP server before sending them to the back-end server or the web client, respectively. ICAP services for REQMOD and RESPMOD can be configured independently, thus allowing the use of different ICAP services for HTTP requests and responses.

Airlock Gateway allows the specification of patterns on HTTP requests/responses to use ICAP selectively. Only matching requests and responses are sent to the ICAP server. All other requests and responses are delivered directly and without any impact on latency.

If necessary, Airlock Gateway may adjust HTTP requests after they have been processed by an ICAP service, e.g. the replacement of the HTTP header field "Host:" in case of failover during back-end load balancing.

ICAP servers

Configure your ICAP servers on the Network Services page using either an ICAP URL (icap://... or icaps://...) for a traditional ICAP service or an HTTP URL (http://... or https://...) for an ICAP service such as the Airlock Gateway SOAP/XML Filter, which runs on a Java web application container. Using an HTTP URL will slightly modify the ICAP protocol by transferring the data in an HTTP data stream.

The port may be omitted in the URL if the default port is used:

| Protocol | Default port |
|----------|--------------|
| icap     | 1344         |
| icaps    | 11344        |
| http     | 80           |
| https    | 443          |

Each named service in this list can be selected for ICAP handlers on mappings.

ICAP failover

Multiple ICAP Service URLs can be configured by separating the URLs with commas. If multiple URLs are configured, requests will be randomly distributed to the different URLs (load balancing). In case a connection to a URL results in a timeout, another URL is used (failover). Unreachable URLs are marked internally and are not used for a configurable holdoff time. The holdoff time is set to 10 minutes by default and can be changed using expert settings.

Fail open

The "fail open" mode allows the continuation of application usage even if all configured ICAP Service URLs are unreachable. The reaction of Airlock Gateway to an unavailable ICAP service is as follows:

  • Fail open: The original request/response is transmitted as if no ICAP Service was configured. Use this mode if the ICAP service is not mandatory.
  • Fail close: Request/response processing is stopped and an error occurs. Use this mode if the ICAP service is mandatory, i.e., the application must not be available in case of an unreachable ICAP service.
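
The following Python model is an added example, not Airlock Gateway code. It combines the default ports, the ICAP failover behaviour and the fail open/fail close decision described above so the interaction can be tested. The class name `IcapPool`, the `send` callback, the host names in any input, and the choice to start the holdoff at the time of the failed attempt are assumptions made for illustration.

```python
import random
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"icap": 1344, "icaps": 11344, "http": 80, "https": 443}
HOLDOFF_SECONDS = 600  # 10-minute default holdoff stated on the page


def parse_services(value):
    """Split a comma-separated service list into (scheme, host, port) tuples."""
    endpoints = []
    for raw in value.split(","):
        parts = urlsplit(raw.strip())
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"not an ICAP service URL: {raw!r}")
        endpoints.append((parts.scheme, parts.hostname,
                          parts.port or DEFAULT_PORTS[parts.scheme]))
    return endpoints


class IcapPool:
    """Model only: random distribution, holdoff on timeout, fail open/close."""

    def __init__(self, value, fail_open, clock=time.monotonic, rng=random):
        self.endpoints = parse_services(value)
        self.fail_open = fail_open
        self.clock = clock
        self.rng = rng
        self.held_until = {}  # endpoint -> time at which it may be used again

    def adapt(self, message, send):
        """send(endpoint, message) is a hypothetical transport that raises
        TimeoutError when the ICAP service cannot be reached."""
        now = self.clock()
        usable = [e for e in self.endpoints if self.held_until.get(e, 0) <= now]
        self.rng.shuffle(usable)  # random distribution across usable URLs
        for endpoint in usable:
            try:
                return send(endpoint, message)
            except TimeoutError:
                # Assumption: the holdoff starts at the time of this attempt.
                self.held_until[endpoint] = now + HOLDOFF_SECONDS
        if self.fail_open:
            return message  # delivered unmodified, i.e. without adaptation
        raise RuntimeError("ICAP service unavailable (fail close)")
```

In fail open mode the model returns the original message when every URL is held off or times out, which is why that mode only suits ICAP services that are not mandatory.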