[squid-dev] [RFC] Secure ICAP

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 3 20:52:14 UTC 2015


Hello,

    We would like to add support for "Secure ICAP" -- ICAP services that
require SSL/TLS encryption for transport connections. Some other popular
proxies support that feature already, I have seen a trickle of admin
requests for it, and the feature often becomes essential when filtering
bumped traffic using external ICAP services (to preserve the overall
security of the entire message delivery chain).

Today, it is possible to emulate Secure ICAP using connection wrappers
like stunnel. Needless to say, that workaround is not a production-
quality solution.


I think Secure ICAP can use configuration knobs and server validation
logic already implemented for secure HTTP peers (the cache_peer
directive with an ssl option).

To mark an ICAP service as secure in squid.conf, we can use an "icaps"
service URI scheme. The industry is using "secure ICAP" term for this
feature,  but "icaps" seems more appropriate/standard for a scheme name
compared to "sicap".


We will not support dynamic "upgrades" from plain to secure ICAP
connections because:

* there are no ICAP servers that support that (AFAIK);
* there are no ICAP clients that support that (AFAIK);
* such support does not seem to be needed in practice given a rather
tight/long-term bonding between a proxy and an ICAP service (unlike a
relationship between an HTTP client and an origin server);
* such support can be added later, if needed, without redoing much of
the proposed work.

I also do not anticipate changes to the existing ICAP service
_selection_ configuration and related features, implementation of the
ICAP protocol itself, and eCAP.


If there are any objections to adding Secure ICAP support or high-level
suggestions regarding implementation, please let me know!


Thank you,

Alex.


More information about the squid-dev mailing list