bytedance / g3

Enterprise-oriented Generic Proxy Solutions
Apache License 2.0

feature request to have policy set such as acl/intercept to define what traffic goes via ICAP #355

Open GlenDC opened 1 month ago

GlenDC commented 1 month ago

It's a feature request I'm willing to contribute code for in case code is needed.

Currently it seems that as soon as ICAP is enabled, all applicable traffic goes over it. I would like however to have the option, akin to what we can do for intercept policies and ACL rules, to be able to define filters on what traffic actually goes over ICAP.

Could be a new option in the icap_reqmod_service / icap_respmod_service configs? Or how do you see that?

zh-jq commented 1 month ago

> It's a feature request I'm willing to contribute code for in case code is needed.
>
> Currently it seems that as soon as ICAP is enabled, all applicable traffic goes over it. I would like however to have the option, akin to what we can do for intercept policies and ACL rules, to be able to define filters on what traffic actually goes over ICAP.
>
>   • First of all, am I correct to think that this is currently not possible?

Yes, you are right.

>   • And if so, from your PoV how would you see support for this? What solution do you have in mind?
>
> Could be a new option in the icap_reqmod_service / icap_respmod_service configs? Or how do you see that?

Yes. It's also my preferred way.

GlenDC commented 1 month ago

Do you like it like this (A):

icap_reqmod_service:
    forward_policy:
        default: bypass
        child:
            forward:
            - example.com
            - example.org
    url: icap://icap.example.com:1344/inspect
icap_respmod_service: 
    forward_policy:
        default: bypass
        child:
            forward:
            - example.com
            - example.org
    url: icap://icap.example.com:1344/inspect

Or like this (B):

icap_forward_policy:
    default: bypass
    child:
        forward:
        - example.com
        - example.org
icap_reqmod_service:
    url: icap://icap.example.com:1344/inspect
icap_respmod_service: 
    url: icap://icap.example.com:1344/inspect

We could do the same approach as with the InspectPolicy making use of the same types where possible, but for the ForwardPolicy enum:

enum ForwardPolicy {
    Bypass,
    Forward,
}

That is what I currently had in mind, WDYT? I'm also fine with something completely different, and would be happy to hear your feedback and pointers either way.

zh-jq-b commented 1 month ago

@GlenDC I would prefer B. The policy however can be set to

enum ForwardPolicy {
    Bypass,
    Request,
    Response,
    Forward,
}
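
A sketch of how option B combined with the four-variant enum could be evaluated per host, as an added example that is not g3's code and not from either commenter. The meanings given to the variants (Request = REQMOD only, Response = RESPMOD only), the child-domain matching rule, and every name other than the `ForwardPolicy` variants are assumptions.

```rust
use std::collections::HashMap;

// Variants as proposed in the thread; the meanings in the comments are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ForwardPolicy {
    Bypass,   // assumed: skip ICAP entirely
    Request,  // assumed: send to the REQMOD service only
    Response, // assumed: send to the RESPMOD service only
    Forward,  // assumed: send to both services
}

// Hypothetical in-memory form of the `icap_forward_policy` block from option B.
pub struct IcapForwardPolicy {
    default: ForwardPolicy,
    child: HashMap<String, ForwardPolicy>, // domain rule, also covers its subdomains
}

impl IcapForwardPolicy {
    // The most specific rule matching on a label boundary wins, else the default.
    // Matching whole labels keeps "notexample.com" from hitting "example.com".
    pub fn check(&self, host: &str) -> ForwardPolicy {
        let host = host.trim_end_matches('.').to_ascii_lowercase();
        let mut rest = host.as_str();
        loop {
            if let Some(p) = self.child.get(rest) {
                return *p;
            }
            match rest.split_once('.') {
                Some((_, parent)) => rest = parent,
                None => return self.default,
            }
        }
    }
    pub fn use_reqmod(&self, host: &str) -> bool {
        matches!(self.check(host), ForwardPolicy::Request | ForwardPolicy::Forward)
    }
    pub fn use_respmod(&self, host: &str) -> bool {
        matches!(self.check(host), ForwardPolicy::Response | ForwardPolicy::Forward)
    }
}

// Constructed sample mirroring option B: default bypass, two forwarded domains.
pub fn sample() -> IcapForwardPolicy {
    let child = ["example.com", "example.org"].iter()
        .map(|d| (d.to_string(), ForwardPolicy::Forward)).collect();
    IcapForwardPolicy { default: ForwardPolicy::Bypass, child }
}

fn main() {
    let p = sample();
    println!("{:?} {:?}", p.check("api.example.com"), p.check("notexample.com"));
}
```

With `default: bypass`, any host that matches no rule skips inspection silently, so a typo in a domain rule fails open; a deployment that needs fail-closed behaviour would set the default to forward and list the bypassed domains instead.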