forked from darold/squidclamav
-
Notifications
You must be signed in to change notification settings - Fork 0
SquidClamAv is a dedicated ClamAV antivirus redirector for Squid. It can run antivirus checks based on filename regex, content-type regex, and more. It is easy to install and works even with heavy Squid access.
License
artyomtkachenko/squidclamav
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
NAME SquidClamav v6 - HTTP Antivirus for Squid based on ClamAv and the ICAP protocol DESCRIPTION SquidClamav v6 is an antivirus for the Squid proxy based on the ICAP protocol and the awards-winning ClamAv anti-virus toolkit. Using it will help you securing your home or enterprise network web traffic. SquidClamav is the most efficient antivirus tool for HTTP traffic available for free, it is written in C as a c-icap service and can handle several thousands of connections at once. SquidClamav v6 only scan the HTTP stream sent by Squid through the ICAP server. It doesn't make HTTP requests itself so this is a gain of performance and ensures that the data scanned is the same as the user has requested. Why use c-icap server? This is the only open source icap server written in C, it is very fast and stable. Why writing another clamav c-icap module? Well, to be honest, outside the survival of SquidClamav, I think that using clamd instead of libclamav to scan files is speediest and more simple than the srv_clamav module provided with the c-icap server. SquidClamav v6 is faster than any other HTTP antivirus and can handle several thousands of simultaneous users at once, this is what we need. The other unique feature of SquidClamav is that you can have Clamd failover by setting up up to 4 clamd server IP addresses. When a clamd server is not reachable in one second, SquidClamav switches to the next IP address. If you are using ClamAV above 0.95, SquidClamav will have support for Google Safe Browsing database. All signatures provided by Google Safe Browsing Database will be prefixed with the Safebrowsing tag. If ClamAV reports: Safebrowsing.<something> FOUND This will be redirected by squidclamav just like if a virus was found. USAGE Generic Program Information SquidClamav v6 has been completely rewritten to be used through the Squid v3.x ICAP feature allowing "on stream" scanning. It is now built as a c-icap server service but keeps all features from v5 and is fully compatible with the old SquidClamav configuration file. The squidclamav configuration file is unchanged minus some obsolete directives. This also means that SquidClamav can no more be run into an interactive console for testing your URL. All debug information will now go to the c-icap logfile. Installing Squid Setting SquidClamav as Squid Icap service I want SquidClamav to be installed as a c-icap service, to be configured as easy as possible and to be compatible with the old configuration file. This means that I voluntary omit some capabilities of c-icap server to preserve a full compatibility with the old squidclamav.conf file. Squid v3.x installation and configuration To have full and stable icap support with Squid you must use the 3.x branch and configure squid with the following option: --enable-icap-client I don't know what other options you are using but you have to add this one to your configure command. If you prefer to use distribution packaging you may already have it configured like this if you can install the c-icap package too. If you don't know, run the following command an search for the configuration directive: --enable-icap-client /usr/local/squid/sbin/squid -v | grep "enable-icap-client" If it is not enable you must reinstall Squid with this configuration option or install the additional packages. Once you have it enabled, to integrate c-icap and SquidClamav to your squid cache just edit squid.conf and set the following directives. Squid 3.4.x configuration There are some configuration differences between 3.1.x and 3.4.x Squid version. Here are the directives I use for Squid 3.4.x: icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off adaptation_access service_avi_req allow all icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on adaptation_access service_avi_resp allow all If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. Squid 3.1.x configuration There are some configuration differences between 3.1.x and 3.0.x Squid version. Here are the directives I use for Squid 3.1.x: icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav adaptation_access service_req allow all icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav adaptation_access service_resp allow all If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. Here the bypass is set to 1, that means that in case of squidclamav problems squid will simply ignore the error and continue. This is the equivalent of the bridge mode in version 5.x of suidclamav. Squid 3.0.x configuration For squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by '0' and the access to the service is defined at a class level. Only the last four configuration lines change from version 3.1.x. icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav icap_class class_avreq service_req icap_class class_avresp service_resp icap_access class_avreq allow all icap_access class_avresp allow all If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. Here the bypass is set to 1, that means that in case of squidclamav problems squid will simply ignore the error and continue. This is the equivalent of the bridge mode in version 5.x of suidclamav. What do that configuration directives do? They enable Squid's ICAP client and tell Squid to send the logged username and client's IP address to the ICAP server. They also enable preview for faster SquidClamav work. The last four lines define how to call the ICAP server. Here we call the squidclamav service on localhost and port 1344 (host and port can be changed). The bypass parameter set to 1 means that Squid will continue without bothering about ICAP server or SquidClamav failure. This is just like the old bridge mode in previous releases of SquidClamAV. I don't want users to be bored by a continuously error message if SquidClamav or c-icap produce errors or if there's an error in the configuration file. Users don't have to know about that, they want to surf and don't care about your problems :-) If you don't think like me, just set the bypass argument to 0 and Squid will return an error message in case of a failure. C-icap server installation/configuration If you don't have package solutions or encounter problems when installing SquidClamav I recommand you to install the c-icap server from source as following. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later versions, then run: ./configure --prefix=/usr/local/c-icap --enable-large-files make make install Then, edit the file /usr/local/c-icap/etc/c-icap.conf. It contains a set of documented values that configure the c-icap server. To enable the support of SquidClamav just add the following line to the end of the file: Service squidclamav squidclamav.so Don't care about the srv_clamav.* configuration directives, this will not break anything. SquidClamav doesn't use them but reads its own directives from the file /etc/squidclamav.conf. You can disable the c-icap embedded modules by commenting out these lines: #Service url_check_module srv_url_check.so #Service antivirus_module srv_clamav.so This will preserve some resources. Following your installation you may need to create the /var/run/c-icap/ where c-icap server is writing pid and socket file. You may also want to change the user/group owning c-icap's processes. By default the owner is the user/group who runs the program. I recommand you to change them to the same user/group running your Squid cache. For example: User proxy Group proxy Of course you will need to change the owner of directory /var/run/c-icap/ and the directory of your server log. See the ServerLog directive to get the path. For me, I use the following commands to set the good rights on my installation: mkdir /var/run/c-icap/ chown -R proxy:proxy /var/run/c-icap/ chown -R proxy:proxy /usr/local/c-icap/ After that you can run the c-icap server as explained below. SquidClamav installation/configuration Installing SquidClamav requires that you already have installed the c-icap as explained above. You must provide the installation path of c-icap to the configure command as following: ./configure make make install This will install the squidclamav.so library into the c-icap modules/services repository. Note that if the c-icap installation does not save the c-icap-config program in a directory that can be found in your default path you will need to give the path to this program to squidclamav at configure time: ./configure --with-c-icap=/usr/local/c-icap/ make && make install Running c-icap server Finally, you can run the c-icap server as root user: /usr/local/c-icap/bin/c-icap or any other path to the binary. If you want to display debugging information on the terminal, the previous command should be executed with the following arguments: /usr/local/c-icap/bin/c-icap -N -D -d 10 The first argument -N prevents the c-icap server from forking into the background, the second argument -D enables the printing of messages to standard output, and the third argument -d 10 enables the printing of full debugging information. Reloading configuration without restarting the c-icap server To force SquidClamav to reread its configuration file after changes you can send the following command to the c-icap server echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl It will reread all its configuration directives and restart pipes to squidGuard. So if you make changes to squidGuard you must execute this command to activate them in SquidClamav. Or to be sure that everything is really initialized or that you have made change to the c-icap configuration file you can run the following command: echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl The service will reread the config file without the need for stopping and restarting the c-icap server. The service will just be reinitialized. CONFIGURATION By default, the configuration file must be /etc/squidclamav.conf, you may not use an other path unless you change it in the source code (see src/squidclamav.h). SquidClamav installation will create a default file with the maximum security level. If you have low resources on your server there's some predefined pattern optimized for speed. Feel free to modify it to match your desired security level. The format of the configuration file consists in always lower case configuration directive names followed by a value. The name and the value must be separated by a single space character. Comments are lines starting with a '#' character. Global configuration Log file and debug In version 6.x the directives 'logfile', 'debug' and 'stat' are obsolete as logging and debug are now handled by the c-icap server. You can control them using the following c-icap.conf directives: ServerLog /usr/local/c-icap/var/log/server.log DebugLevel 0 Debug information is disable by default, do not enable it on production systems as it costs a lot of performance. The debug level can be set from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. Clamd daemon SquidClamav needs to know where to contact clamd, the ClamAV daemon, for on stream virus scanning. clamd_local /tmp/clamd #clamd_ip 192.168.1.5 #clamd_port 3310 By default SquidClamav will contact clamd locally on the /tmp/clamd unix socket (clamd_local). If your clamd daemon uses INET socket or stays in a remote server, you have to set the IP address and the port with clamd_ip and clamd_port. If you use INET socket the 'clamd_local' directive must be commented, or SquidClamav will always use the clamd_local directive. Clamd failover If you have multiple ClamAv servers, SquidClamav is able to do failover between them. You just have to set 'clamd_ip' to a list of IP adresses separated by a comma. Do not insert space characters in this list or it will break all. For example: clamd_ip 192.168.1.5,192.168.1.13,192.168.1.9 clamd_port 3310 timeout 1 You can set up to 5 clamd servers. The clamd port must be the same for all these servers as 'clamd_port' only accepts one single value. SquidClamav will always connect to the first IP address available. If this fails it will try the next defined IP address after 1 second. When a connect can be established SquidClamav will reuse this last "working" IP address first to not slow down process the next time. If you think 1 second is a low value, you can change the connect timeout by editing file squidclamav.conf and set the 'timeout' directive to a higher value. For example : timeout 2 Value must be set in seconds. Do not set it too high (< 5) or you can slow down everything. Redirection URL redirect When a virus is detected SquidClamav needs to redirect the client to a warning page. The SquidClamav distribution contains a set of Perl CGI scripts with different languages that you can use. To specify this redirection you have to have to specify a redirect URL to the 'redirect' directive as follow: redirect http://proxy.samse.fr/cgi-bin/clwarn.cgi Take a look in the cgi-bin directory to see all translations of this cgi script. Squidclamav will pass the following parameters to this CGI: url=ORIGNAL_HTTP_REQUEST virus=NAME_OF_THE_VIRUS source=DOWNLOADER_IP_ADDRESS user=DOWNLOADER_IDENT If this directive is disabled squidclamav will use c-icap error templates to report issues. See below. Using c-icap template instead of redirect scripts If the redirect directive is not set, SquidClamav will attempt to load a template up from disk and send this back to the user. By default this template is found at the following path: /usr/share/c_icap/templates/squidclamav/en/MALWARE_FOUND Available format tokens are all of those available to the LogFormat directive of c-icap, plus an additional token: %mn - formatted name of the malware, as given by ClamAV. Notice redirection into log file To log every redirection enable the 'logredir' configuration directive: logredir 1 By default it is disabled as you can also log this information with the cgi-script or send an email. Chained Url Checker The squidguard directive is preserved for backward compatibility but you must remove it from your configuration file as it could result in many squidclamav crashes. Please use the 'url_rewrite_program' squid.conf directive instead to call squidGuard. url_rewrite_program /usr/bin/squidGuard url_rewrite_children 15 url_rewrite_access allow all If you still want to use it, SquidClamav allows you to chain the SquidGuard program to check the URL requested against blocklists using the 'squidguard' directive. You just have to give the path to the program. squidguard /usr/local/squidGuard/bin/squidGuard The chained program is called before the virus scan and any other SquidClamav operations. The call to this program can be disabled with the 'whitelist', 'trustuser' and 'trustclient' directives. See SquidClamav Patterns for more information. To log every chained program redirection enable the 'logredir' configuration directive as following: logredir 1 By default it is disabled as you can also log this information with squidguard. Maxsize This directive allows to disable virus scan completely for files bigger than the value in bytes. Default is 0, no size limit as you may want to control download size into squid.conf or clamd. maxsize 2000000 If you want to abort virus scan after a certain amount of data you must take a look at the clamd configuration directive 'StreamMaxLength' that will close a stream when the given size is reached. Controlling SquidClamav behaviour As in SquidClamav v5.x, v6.0 will scan all downloaded files by default. You have five directives to control the way things must work. All these directives used extended regex pattern matching and are case insensitive. Control both chained program and virus scan There are 3 configuration directives that allow you to disable virus scan and call to chained redirector like SquidGuard. Those pattern matchings are searched as soon as a Squid entry is received. whitelist The 'whitelist' configuration directive allows you to disable chained program and virus scan at URL level. When the given pattern matches the URL, SquidClamav falls back to Squid instantly. For example: whitelist \.clamav\.net will deliver any files from hosts on clamav.net domain directly. trustuser The 'trustuser' directive allows you to disable chained program and virus scan when an ident matches the search pattern. On regex found SquidClamav falls back to Squid instantly. Of course you must have Squid authentication helper enabled. For example: trustuser administrator will let user logged as administrator to not be bored by chained program and virus scan. trustclient The 'trustclient' directive allows you to disable chained program and virus scan if the client source IP address or DNS name match the search pattern. The source IP address can be a single IP address or an address range following the given regex pattern. For example: trustclient ^192\.168\.1\.1$ trustclient ^192\.168\.1\..*$ trustclient ^mypc\.domain\.dom$ The first and the last entry will disable chained program and virus scan for a single computer and the second will do for en entire class C network. dnslookup Enable / disable DNS lookup of client IP address. Default is enabled '1' to preserve backward compatibility but you must deactivate this feature if you don't use trustclient with hostname in the regexp or if you don't have a DNS on your network. Disabling it will also speed up squidclamav. Safebrowsing ClamAV 0.95 introduced support for Google Safe Browsing database. The database is packed inside a CVD file and distributed through our mirror network as safebrowsing.cvd. This feature is disabled by default on all clamav installations. In order to enable this feature, you must first add “SafeBrowsing Yes” to freshclam.conf. There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the database directory, ClamAV will enable safe browsing. To turn it off you need to update freshclam.conf and remove the safebrowsing files from the database directory before restarting clamd. Then to enable this feature into SquidClamav you have to enable the following configuration directive. safebrowsing Enable / Disable Clamav Safe Browsing feature. You mus have enabled the corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf Enabling it will first make a safe browsing request to clamd and then the virus scan request. Control virus scan There are 3 configuration directives that allow you to disable virus scan for downloaded files. abort The 'abort' directive will let you disable virus scanning at URL level (not chained program). When the URL matches the regex pattern, SquidClamav falls back to Squid immediately after the call to the chained program, if one is defined there. For example: abort \.squid-cache\.org abort .*\.(png|gif|jpg)$ The first regexp will exclude any file hosted on domain squid-cache.org from virus scanning, the last one will exclude all PNG, GIF and JPEG image from scanning. abortcontent The 'abortcontent' directive allows you to exclude any file from virus scanning, whose Content-Type matches the regex pattern. This directive costs more time because SquidClamav needs to download the HTTP header for a file with a HEAD request. Note that some sites do not answer to HEAD requests so the content type will not be able to be retrieved so they will be scanned. Example: abortcontent ^image\/.*$ abortcontent ^video\/x-flv$ The first directive will complete the "abort .*\.(png|gif|jpg)$" previous directive to match dynamic image or with parameters at end. The second will allow your users to view streamed video instantly. maxsize As said above, the 'maxsize' directive allows you not to scan a file when the content-length of the file is bigger than the defined value. By default there's no size limit. Testing SquidClamav As SquidClamav v6.0 is now a c-icap service, it can no more be run at console in interactive mode. To check what is going wrong, you must edit c-icap.conf file, set DebugLevel to 3 and enable ServerLog. Then check for lines with squidclamav string in the log file which is defined with ServerLog in squidclamav's config. Performance With SquidClamav v6.x the way to tune your service is to tune c-icap server and clamd daemon. On heavy http access, putting the clamd daemon on a dedicated server with multiple CPU will really help. If you experience Squid "ICAP protocol error" (with bypass enabled) please consider increasing the following c-icp parameters: StartServers, MaxServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild. Increasing MaxThreads parameter in clamd.conf may also help. BUGS Please report any bugs, patches, discussion, etc. to <gilles AT darold DOT net>. FEATURE REQUESTS If you need new features let me know at <gilles AT darold DOT net>. This helps a lot to develop a better/useful tool. HOW TO CONTRIBUTE ? Any contribution to build a better tool is welcome, you just have to send me your ideas, features requests or patches and they will be applied. AUTHOR Gilles Darold <gilles AT darold DOT net> ACKNOWLEDGEMENT Thanks to Squid-cache.org, Clamav.net and c-icap.sf.net for their great software. Special thanks to Christos Tsantilas for his implementation of the c-icap server. Lots of SquidClamav v6 source code has been learned or simply cut and pasted from the source code of his clamav service. I must also thank all the great contributors: - Leonardo Humberto Liporati from www.ig.com.br - Dale Laushman from The Uptime Group - Rainer schoepf from Proteosys.com - Yann Ormanns and all others who help me to build a useful and reliable product. LICENSE Copyright (c) 2005-2016 Gilles Darold - All rights reserved. Some code is Copyright (C) 2004-2008 Christos Tsantilas This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see < http://www.gnu.org/licenses/ >.
About
SquidClamAv is a dedicated ClamAV antivirus redirector for Squid. It can run antivirus checks based on filename regex, content-type regex, and more. It is easy to install and works even with heavy Squid access.
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published
Languages
- Shell 51.1%
- Roff 38.8%
- C 4.6%
- Makefile 4.6%
- Perl 0.9%