forked from darold/squidclamav
README
NAME
SquidClamav - HTTP Antivirus for Squid based on ClamAv and the ICAP
protocol
DESCRIPTION
SquidClamav is an antivirus for the Squid proxy based on the ICAP
protocol and the award-winning ClamAv anti-virus toolkit. Using it will
help you secure your home or enterprise network web traffic.
SquidClamav is the most efficient antivirus tool for HTTP traffic
available for free; it is written in C as a c-icap service and can
handle several thousand connections at once.
SquidClamav only scans the HTTP stream sent by Squid through the ICAP
server. It doesn't make HTTP requests itself, which is a performance
gain and ensures that the data scanned is the same as the data the user
requested.
Why use c-icap server? This is the only open source icap server written
in C, it is very fast and stable.
Why write another clamav c-icap module? Well, to be honest, beyond
the survival of SquidClamav, I think that using clamd instead of
libclamav to scan files is faster and simpler than the srv_clamav
module provided with the c-icap server.
SquidClamav is faster than any other HTTP antivirus and can handle
several thousand simultaneous users at once, which is what we need.
The other unique feature of SquidClamav is clamd failover: you can
configure up to 4 clamd server IP addresses, and when a clamd server is
not reachable within one second, SquidClamav switches to the next IP
address.
If you are using ClamAV above 0.95, SquidClamav will have support for
Google Safe Browsing database. All signatures provided by Google Safe
Browsing Database will be prefixed with the Safebrowsing tag. If ClamAV
reports:
Safebrowsing.<something> FOUND
SquidClamav will redirect the request just as if a virus had been found.
USAGE
Generic Program Information
SquidClamav is compatible with all Squid v3.x versions that support the
ICAP feature allowing "on stream" scanning. squidclamav is built as a
c-icap server service and can be controlled through a configuration
file.
Installing Squid
Setting SquidClamav as Squid Icap service
I want SquidClamav to be installed as a c-icap service, to be configured
as easily as possible and to be compatible with the old configuration
file. This means that I deliberately omit some capabilities of the
c-icap server to preserve full compatibility with the old
squidclamav.conf file.
Squid v3.x installation and configuration
To have full and stable icap support with Squid you must use the 3.x
branch and configure squid with the following option:
--enable-icap-client
I don't know what other options you are using but you have to add this
one to your configure command. If you prefer to use distribution
packaging you may already have it configured like this, provided you
can install the c-icap package too.
If you don't know, run the following command and search for the
configuration directive --enable-icap-client:
/usr/local/squid/sbin/squid -v | grep "enable-icap-client"
If it is not enabled you must reinstall Squid with this configuration
option or install the additional packages.
Once you have it enabled, to integrate c-icap and SquidClamav to your
squid cache just edit squid.conf and set the following directives.
Squid 3.4.x configuration
There are some configuration differences between 3.1.x and 3.4.x
Squid version. Here are the directives I use for Squid 3.4.x:
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all
If you don't know where to put them in squid.conf, just search for
'icap_.*' and add those configuration lines at the end of the icap
section.
Squid 3.1.x configuration
There are some configuration differences between 3.1.x and 3.0.x
Squid version. Here are the directives I use for Squid 3.1.x:
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
If you don't know where to put them in squid.conf, just search for
'icap_.*' and add those configuration lines at the end of the icap
section.
Here the bypass is set to 1, that means that in case of squidclamav
problems squid will simply ignore the error and continue.
Squid 3.0.x configuration
For squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by
'0' and the access to the service is defined at a class level. Only
the last four configuration lines change from version 3.1.x.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
icap_class class_avreq service_req
icap_class class_avresp service_resp
icap_access class_avreq allow all
icap_access class_avresp allow all
If you don't know where to put them in squid.conf, just search for
'icap_.*' and add those configuration lines at the end of the icap
section.
Here the bypass is set to 1, that means that in case of squidclamav
problems squid will simply ignore the error and continue.
What do these configuration directives do? They enable Squid's ICAP
client and tell Squid to send the logged-in username and the client's IP
address to the ICAP server. They also enable preview for faster
SquidClamav operation. The last four lines define how to call the ICAP
server. Here we call the squidclamav service on localhost and port 1344
(host and port can be changed). The bypass parameter set to 1 means that
Squid will continue without bothering about an ICAP server or SquidClamav
failure. This is just like the old bridge mode in previous releases of
SquidClamAV. I don't want users to be bothered by a continuous error
message if SquidClamav or c-icap produce errors or if there's an error
in the configuration file. Users don't have to know about that, they
want to surf and don't care about your problems :-) If you don't think
like me, just set the bypass argument to 0 and Squid will return an
error message in case of a failure.
Chained URL Checker
You can chain SquidClamav with a URL checker like squidGuard by
setting the 'url_rewrite_program' squid.conf directive:
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 15
url_rewrite_access allow all
Call of squidguard from SquidClamav is no longer supported.
C-icap server installation/configuration
If you don't have a package solution or encounter problems when
installing SquidClamav, I recommend installing the c-icap server from
source as follows. You can download it from SourceForge at
http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later,
then run:
./configure --prefix=/usr/local/c-icap --enable-large-files
make
make install
Then, edit the file /usr/local/c-icap/etc/c-icap.conf. It contains a set
of documented values that configure the c-icap server. To enable the
support of SquidClamav just add the following line to the end of the
file:
Service squidclamav squidclamav.so
Don't worry about the srv_clamav.* configuration directives, they will
not break anything. SquidClamav doesn't use them but reads its own
directives from the file /etc/squidclamav.conf.
You can disable the c-icap embedded modules by commenting out these
lines:
#Service url_check_module srv_url_check.so
#Service antivirus_module srv_clamav.so
This saves some resources.
After the installation you may need to create the /var/run/c-icap/
directory, where the c-icap server writes its pid and socket files.
You may also want to change the user/group owning c-icap's processes. By
default the owner is the user/group who runs the program. I recommend
you to change them to the same user/group running your Squid cache. For
example:
User proxy
Group proxy
Of course you will need to change the owner of the directory
/var/run/c-icap/ and of your server log directory. See the ServerLog
directive to get the path. I use the following commands to set the
right permissions on my installation:
mkdir /var/run/c-icap/
chown -R proxy:proxy /var/run/c-icap/
chown -R proxy:proxy /usr/local/c-icap/
After that you can run the c-icap server as explained below.
SquidClamav installation/configuration
Installing SquidClamav requires that you have already installed
c-icap as explained above. You must provide the installation path of
c-icap to the configure command as follows:
./configure
make
make install
This will install the squidclamav.so library into the c-icap
modules/services directory.
Note that if the c-icap installation does not save the c-icap-config
program in a directory that can be found in your default path you will
need to give the path to this program to squidclamav at configure time:
./configure --with-c-icap=/usr/local/c-icap/
make && make install
Running c-icap server
Finally, you can run the c-icap server as root user:
/usr/local/c-icap/bin/c-icap
or any other path to the binary. If you want to display debugging
information on the terminal, the previous command should be executed
with the following arguments:
/usr/local/c-icap/bin/c-icap -N -D -d 10
The first argument -N prevents the c-icap server from forking into the
background, the second argument -D enables the printing of messages to
standard output, and the third argument -d 10 enables the printing of
full debugging information.
Reloading configuration without restarting the c-icap server
To force SquidClamav to reread its configuration file after changes you
can send the following command to the c-icap server
echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl
It will reread all its configuration directives and restart pipes to
squidGuard. So if you make changes to squidGuard you must execute this
command to activate them in SquidClamav.
Or, to be sure that everything is really initialized or if you have
made changes to the c-icap configuration file, you can run the following
command:
echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl
The service will reread the config file without the need for stopping
and restarting the c-icap server. The service will just be
reinitialized.
CONFIGURATION
By default, the configuration file must be /etc/squidclamav.conf; you
may not use another path unless you change it in the source code (see
src/squidclamav.h).
The SquidClamav installation will create a default file with the maximum
security level. If you have low resources on your server there are some
predefined patterns optimized for speed. Feel free to modify it to match
your desired security level.
The format of the configuration file consists of always lower-case
configuration directive names followed by a value. The name and the
value must be separated by a single space character. Comments are lines
starting with a '#' character.
Global configuration
Log file and debug
Logging and debug are handled by the c-icap server. You can control them
using the following c-icap.conf directives:
ServerLog /usr/local/c-icap/var/log/server.log
DebugLevel 0
Debug information is disabled by default; do not enable it on production
systems as it costs a lot of performance. The debug level can be set
from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. By
setting
DebugLevel 3
you will trace everything done by SquidClamav, this is useful for
debugging purpose.
Clamd daemon
SquidClamav needs to know where to contact clamd, the ClamAV daemon, for
on stream virus scanning.
clamd_local /tmp/clamd
#clamd_ip 192.168.1.5
#clamd_port 3310
By default SquidClamav will contact clamd locally on the /tmp/clamd unix
socket (clamd_local). If your clamd daemon uses an INET socket or runs
on a remote server, you have to set the IP address and the port with
clamd_ip and clamd_port.
If you use an INET socket the 'clamd_local' directive must be commented
out, otherwise SquidClamav will always use the clamd_local directive.
Clamd failover
If you have multiple ClamAV servers, SquidClamav is able to fail over
between them. You just have to set 'clamd_ip' to a list of IP addresses
separated by commas. Do not insert space characters in this list or it
will break everything. For example:
clamd_ip 192.168.1.5,192.168.1.13,192.168.1.9
clamd_port 3310
timeout 1
You can set up to 5 clamd servers. The clamd port must be the same for
all these servers as 'clamd_port' only accepts one single value.
SquidClamav will always connect to the first IP address available. If
this fails it will try the next defined IP address after 1 second. When
a connection can be established SquidClamav will reuse this last
"working" IP address first so as not to slow down processing the next
time.
If you think 1 second is too low a value, you can change the connect
timeout by editing squidclamav.conf and setting the 'timeout' directive
to a higher value. For example:
timeout 2
The value must be set in seconds. Do not set it too high (< 5) or you
can slow down everything.
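The failover rule described above, as an added Python illustration that is not squidclamav's own C code: the configured addresses are tried in order with the 'timeout' directive as the connect timeout, and the last working address is remembered so it is tried first next time. The ClamdFailover name and the connect_fn hook (which lets the logic run without real clamd servers) are this example's own; the PING/PONG exchange is clamd's standard command.

```python
import socket

# Failover as described for the 'clamd_ip' / 'clamd_port' / 'timeout'
# directives. Illustration only, not squidclamav's implementation; the class
# name and the connect_fn hook are this example's own.


class ClamdFailover:
    """Connect to the first reachable clamd, remembering the last working address."""

    def __init__(self, clamd_ip, clamd_port=3310, timeout=1.0,
                 connect_fn=socket.create_connection):
        if " " in clamd_ip:
            # The README warns that a space in the list breaks every server:
            # the space would be taken as part of an address.
            raise ValueError("clamd_ip must be a comma-separated list without spaces")
        self.servers = clamd_ip.split(",")
        self.port = clamd_port
        self.timeout = timeout          # 'timeout' directive, in seconds
        self.connect_fn = connect_fn
        self.last_working = None        # index of the last address that answered

    def order(self):
        """Addresses to try: the last working one first, then the configured order."""
        indexes = list(range(len(self.servers)))
        if self.last_working is None:
            return indexes
        return [self.last_working] + [i for i in indexes if i != self.last_working]

    def connect(self):
        """Return (connection, ip) for the first clamd reachable within 'timeout'.

        Raises ConnectionError when every configured address fails."""
        for i in self.order():
            ip = self.servers[i]
            try:
                conn = self.connect_fn((ip, self.port), timeout=self.timeout)
            except OSError:
                continue                # refused or timed out: try the next address
            self.last_working = i
            return conn, ip
        raise ConnectionError("no clamd server reachable: " + ",".join(self.servers))

    def ping(self):
        """Send clamd's PING command over a real socket and return its reply ('PONG')."""
        conn, _ip = self.connect()
        with conn:
            conn.sendall(b"zPING\0")    # 'z' prefix: NUL-terminated command and reply
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = conn.recv(64)
                if not chunk:
                    break
                reply += chunk
        return reply.rstrip(b"\0").decode()


if __name__ == "__main__":
    # Addresses from the README's example; they are not expected to exist here.
    failover = ClamdFailover("192.168.1.5,192.168.1.13,192.168.1.9", 3310, timeout=1)
    try:
        print(failover.ping())
    except ConnectionError as exc:
        print(exc)
```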
Redirection
URL redirect
When a virus is detected SquidClamav needs to redirect the client to a
warning page. The SquidClamav distribution contains a set of Perl CGI
scripts in different languages that you can use. To specify this
redirection you have to give a redirect URL to the 'redirect'
directive as follows:
redirect http://proxy.samse.fr/cgi-bin/clwarn.cgi
Take a look in the cgi-bin directory to see all translations of this cgi
script.
Squidclamav will pass the following parameters to this CGI:
url=ORIGINAL_HTTP_REQUEST
virus=NAME_OF_THE_VIRUS
source=DOWNLOADER_IP_ADDRESS
user=DOWNLOADER_IDENT
If this directive is disabled squidclamav will use c-icap error
templates to report issues. See below.
Using c-icap template instead of redirect scripts
If the redirect directive is not set, SquidClamav will attempt to load a
template from disk and send it back to the user. By default this
template is found at the following path:
/usr/share/c_icap/templates/squidclamav/en/MALWARE_FOUND
Available format tokens are all of those available to the LogFormat
directive of c-icap, plus an additional token:
%mn - formatted name of the malware, as given by ClamAV.
Notice redirection into log file
To log every redirection enable the 'logredir' configuration directive:
logredir 1
By default it is disabled as you can also log this information with the
cgi-script or send an email.
Maximum file size scanned
The maxsize directive allows you to disable virus scanning completely
for files bigger than the value in bytes. Default is 0, no size limit,
as you may want to control download size in squid.conf or clamd.
maxsize 2M
If you want to abort virus scan after a certain amount of data you must
take a look at the clamd configuration directive 'StreamMaxLength' that
will close a stream when the given size is reached.
DNS lookup of client IP address
The dnslookup directive allows you to enable / disable DNS lookup of all
client IP addresses. Default is enabled:
dnslookup 1
to preserve backward compatibility. You should deactivate this feature
if you don't use trustclient with a hostname in the regexp or if you
don't have a DNS on your network. Disabling it will also speed up
squidclamav.
Multipart content
Clamd supports decoding email-style multipart content and scanning each
part. Unless clamd receives a Content-Type header it can't know how to
break up the multipart content, so it tries to scan the entire body
as one file, even if parts are base64 encoded. Enabling the 'multipart'
directive (shown here at its default, disabled, value):
multipart 0
will force detection of multipart content and send a To: and
Content-Type header to clamd before the rest of the body. Disabled by
default for backward compatibility.
Safebrowsing
ClamAV 0.95 introduced support for Google Safe Browsing database. The
database is packed inside a CVD file and distributed through our mirror
network as safebrowsing.cvd. This feature is disabled by default on all
clamav installations.
In order to enable this feature, you must first add "SafeBrowsing Yes"
to freshclam.conf. There is no option in clamd.conf. If the engine finds
Google Safe Browsing files in the database directory, ClamAV will enable
safe browsing. To turn it off you need to update freshclam.conf and
remove the safebrowsing files from the database directory before
restarting clamd.
Then to enable this feature into SquidClamav you have to enable the
following configuration directive.
safebrowsing
Enable / Disable the ClamAV Safe Browsing feature. You must have enabled
the corresponding behavior in clamd by enabling SafeBrowsing in
freshclam.conf. Enabling it will first make a safe browsing request
to clamd and then the virus scan request.
Control virus scan
There are two scan modes to fully control squidclamav behavior. The first
and historical mode is "ScanAllExcept", which scans everything by default.
This mode is controlled by the directives abort, abortcontent,
whitelist, trustuser and trustclient.
scan_mode ScanAllExcept
The second mode, available since squidclamav version 7, is
"ScanNothingExcept", which scans nothing but the content selected by the
scan, scancontent, blacklist, untrustuser and untrustclient directives.
scan_mode ScanNothingExcept
Any other value for the scan_mode directive will force the
"ScanAllExcept" mode. This guarantees backward compatibility with
older squidclamav versions.
abort
The 'abort' directive will let you disable virus scanning at URL
level (not chained program). When the URL matches the regex pattern,
SquidClamav falls back to Squid immediately after the call to the
chained program, if one is defined there.
For example:
abort \.squid-cache\.org
abort .*\.(png|gif|jpg)$
The first regexp will exclude any file hosted on the squid-cache.org
domain from virus scanning; the second will exclude all PNG, GIF and
JPEG images from scanning.
Only used in "ScanAllExcept" mode.
abortcontent
The 'abortcontent' directive allows you to exclude from virus scanning
any file whose Content-Type matches the regex pattern. This directive
costs more time because SquidClamav needs to fetch the HTTP header of
the file with a HEAD request. Note that some sites do not answer HEAD
requests; for those the content type cannot be retrieved, so their
files will be scanned.
Example:
abortcontent ^image\/.*$
abortcontent ^video\/x-flv$
The first directive complements the previous "abort .*\.(png|gif|jpg)$"
directive so that dynamic images, or images with parameters at the end
of the URL, are matched as well. The second will allow your users to
view streamed video instantly.
Only used in "ScanAllExcept" mode.
whitelist
The 'whitelist' configuration directive allows you to disable
chained program and virus scan at URL level. When the given pattern
matches the URL, SquidClamav falls back to Squid instantly.
For example:
whitelist \.clamav\.net
will deliver any files from hosts on clamav.net domain directly.
You can also use a file containing all regex that might be
whitelisted and provide the file name to the whitelist directive.
Suppose that you have a file named
/usr/local/c-icap/etc/sc_whitelist with the following content:
\.clamav\.net
\.darold\.net
then you just have to set whitelist in squidclamav.conf as follows:
whitelist /usr/local/c-icap/etc/sc_whitelist
The file must contain only one regex per line and no extra
characters.
Only used in "ScanAllExcept" mode.
trustuser
The 'trustuser' directive allows you to disable the chained program and
virus scan when an ident matches the search pattern. When the regex
matches, SquidClamav falls back to Squid instantly. Of course you must
have a Squid authentication helper enabled.
For example:
trustuser administrator
will spare users logged in as administrator from the chained program
and virus scan.
Only used in "ScanAllExcept" mode.
trustclient
The 'trustclient' directive allows you to disable chained program
and virus scan if the client source IP address or DNS name match the
search pattern. The source IP address can be a single IP address or
an address range following the given regex pattern.
For example:
trustclient ^192\.168\.1\.1$
trustclient ^192\.168\.1\..*$
trustclient ^mypc\.domain\.dom$
The first and the last entry will disable the chained program and virus
scan for a single computer and the second will do so for an entire
class C network.
Only used in "ScanAllExcept" mode.
scan
The 'scan' directive will let you enable virus scanning at URL
level.
For example:
scan .*\.(doc|docx|pdf|xls)$
The regexp will force virus scanning for extensions .doc, .docx,
.pdf and .xls.
Only used in "ScanNothingExcept" mode.
scancontent
The 'scancontent' directive allows you to force virus scanning of files
whose Content-Type matches the regex pattern. This directive costs more
time because SquidClamav needs to fetch the HTTP header of the file
with a HEAD request. Note that some sites do not answer HEAD requests;
for those the content type cannot be retrieved, so their files will be
scanned.
Example:
scancontent ^application\/.*$
Only used in "ScanNothingExcept" mode.
blacklist
The 'blacklist' configuration directive allows you to force virus
scanning at URL level.
For example:
blacklist \.badsite\.com
will force scanning of any file from hosts on the badsite.com domain.
You can also use a file containing all regex that might be
blacklisted and provide the file name to the blacklist directive.
Suppose that you have a file named
/usr/local/c-icap/etc/sc_blacklist with the following content:
\.badsite\.com
\.getyourvirus\.org
then you just have to set blacklist in squidclamav.conf as follows:
blacklist /usr/local/c-icap/etc/sc_blacklist
The file must contain only one regex per line and no extra
characters.
Only used in "ScanNothingExcept" mode.
untrustuser
The 'untrustuser' directive allows you to force virus scan when an
ident matches the search pattern. Of course you must have Squid
authentication helper enabled.
For example:
untrustuser fakeuser
Only used in "ScanNothingExcept" mode.
untrustclient
The 'untrustclient' directive allows you to force virus scan if the
client source IP address or DNS name match the search pattern. The
source IP can be a single IP address or an address range following
the given regex pattern.
For example:
untrustclient ^192\.168\.1\.1$
untrustclient ^192\.168\.1\..*$
untrustclient ^mypc\.domain\.dom$
The first and the last entry will force virus scanning for a single
computer and the second will do so for an entire class C network.
Only used in "ScanNothingExcept" mode.
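The two scan modes and the directives above, as an added Python example that is not squidclamav's own code: it parses a squidclamav.conf fragment (lower-case directive, a single space, a value; '#' comments; whitelist and blacklist may name a file holding one regex per line) and decides whether a request is handed to clamd. Python's re module stands in for the regex library the C service uses, and the two sample configurations are constructed from the README's own examples.

```python
import os
import re

# The regex directives, grouped by the scan mode that consults them.
SCAN_ALL_EXCEPT = ("abort", "abortcontent", "whitelist", "trustuser", "trustclient")
SCAN_NOTHING_EXCEPT = ("scan", "scancontent", "blacklist", "untrustuser", "untrustclient")

# Constructed squidclamav.conf fragments built from the README's examples.
CONF_SCAN_ALL = r"""# everything is scanned unless one of these matches
scan_mode ScanAllExcept
abort \.squid-cache\.org
abort .*\.(png|gif|jpg)$
abortcontent ^image\/.*$
whitelist \.clamav\.net
trustuser administrator
trustclient ^192\.168\.1\..*$
"""

CONF_SCAN_NOTHING = r"""# nothing is scanned unless one of these matches
scan_mode ScanNothingExcept
scan .*\.(doc|docx|pdf|xls)$
scancontent ^application\/.*$
blacklist \.badsite\.com
untrustuser fakeuser
untrustclient ^192\.168\.1\.1$
"""


def _load_patterns(value):
    """whitelist/blacklist take either a regex or a file with one regex per line."""
    if os.path.isfile(value):
        with open(value) as fh:
            return [line.strip() for line in fh if line.strip()]
    return [value]


def parse_squidclamav_conf(text):
    """Parse 'directive value' lines: '#' comments, one space as separator."""
    policy = {"scan_mode": "ScanAllExcept",
              "rules": {d: [] for d in SCAN_ALL_EXCEPT + SCAN_NOTHING_EXCEPT}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _sep, value = line.partition(" ")
        if name == "scan_mode":
            # Any value other than ScanNothingExcept falls back to ScanAllExcept.
            policy["scan_mode"] = ("ScanNothingExcept" if value == "ScanNothingExcept"
                                   else "ScanAllExcept")
        elif name in ("whitelist", "blacklist"):
            policy["rules"][name].extend(re.compile(p) for p in _load_patterns(value))
        elif name in policy["rules"]:
            policy["rules"][name].append(re.compile(value))
    return policy


def _hit(patterns, subject):
    """True when the subject is known and any pattern matches it (unanchored search)."""
    return subject is not None and any(p.search(subject) for p in patterns)


def should_scan(policy, url, content_type=None, user=None,
                client_ip=None, client_name=None):
    """Decide whether a request is sent to clamd under the configured scan mode.

    content_type is the response Content-Type when known (squidclamav gets it
    with a HEAD request); client_name is the DNS name dnslookup resolves, if any."""
    rules = policy["rules"]

    def client_hit(patterns):
        # trustclient/untrustclient match the source IP or its DNS name
        return _hit(patterns, client_ip) or _hit(patterns, client_name)

    if policy["scan_mode"] == "ScanNothingExcept":
        return (_hit(rules["scan"], url)
                or _hit(rules["scancontent"], content_type)
                or _hit(rules["blacklist"], url)
                or _hit(rules["untrustuser"], user)
                or client_hit(rules["untrustclient"]))
    # ScanAllExcept: scan unless one of the exceptions matches
    return not (_hit(rules["abort"], url)
                or _hit(rules["abortcontent"], content_type)
                or _hit(rules["whitelist"], url)
                or _hit(rules["trustuser"], user)
                or client_hit(rules["trustclient"]))
```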
Libarchive support
Allows squidclamav to uncompress archives and filter them according to
user-defined rules before passing them to clamav. See the directives
below for more details.
enable_libarchive
Enable/disable use of libarchive by SquidClamav. Disabled by
default. Note that if libarchive is not available on your server
enabling this feature will have no effect. When libarchive headers
are not present the code to support libarchive in squidclamav is not
compiled.
ban_archive_entry
Block matching archive entries, for example zip files containing
threats such as ransomware that are not yet detected by clamav or
other antivirus software (typically 5KB zip files containing a cab
file or a vbe script). Here is the value set in the configuration
file if enabled:
ban_archive_entry ^.*\.(ade|adp|app|asd|asf|asx|bas|bat|cab|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)$
ban_max_entries
Maximum number of entries in an archive in order to block it if
there's at least one match. Archives with more than ban_max_entries
will not be blocked even if there are matches. A value of 0 (or
commented) will ignore the number of entries in an archive.
Suggested value: 1.
ban_max_matched_entries
Maximum number of matched entries in an archive in order to block
it. Archives with more than ban_max_matched_entries matches will not
be blocked. A value of 0 (or commented) will ban an archive when
there's at least one entry match. Suggested value: 1.
banmaxsize
Maximum size of an archive that may be opened. Any file bigger than
this value will not be scanned. Suggested value: 2M.
recoverpath
Path where banned archives are stored (libarchive). Hard-coded file
format:
banned_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION
USERNAME and CLIENTIP are available when enabling
icap_send_client_ip and icap_send_client_username in squid.conf.
Check clwarn.cgi example to see how you can retrieve the file name
and serve it via http.
recovervirus
Enable if virus files should also be copied to recoverpath.
Hard-coded file format:
virus_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION
Otherwise only archives containing ban_archive_entry matches will be
copied.
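The archive rules above, as an added Python example that is not squidclamav's own code: it lists the entries of a zip archive with the standard zipfile module, applies the ban_archive_entry regex quoted in this README, and enforces ban_max_entries, ban_max_matched_entries and banmaxsize as described, then builds the recoverpath file name. The sample archives are constructed in memory; case-insensitive matching, counting directory entries, and reading RAND(99) as 0..99 are assumptions of this example.

```python
import io
import random
import re
import time
import zipfile

# ban_archive_entry value taken from the README above. Case-insensitive
# matching is an assumption of this example (so 'SETUP.EXE' is caught too).
BAN_ARCHIVE_ENTRY = re.compile(
    r"^.*\.(ade|adp|app|asd|asf|asx|bas|bat|cab|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp"
    r"|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg"
    r"|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)$",
    re.IGNORECASE)


def archive_verdict(data, ban_re=BAN_ARCHIVE_ENTRY, ban_max_entries=1,
                    ban_max_matched_entries=1, banmaxsize=2 * 1024 * 1024):
    """Apply the libarchive ban rules to a zip archive held in memory.

    Returns (banned, reason, matched_entries). The README's suggested values
    are the defaults: ban_max_entries 1, ban_max_matched_entries 1, banmaxsize
    2M. A value of 0 for either counter disables that limit, as in the README."""
    if len(data) > banmaxsize:
        return False, "archive larger than banmaxsize, not opened", []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Every entry counts, directories included (assumption of this example).
            names = [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return False, "not a zip archive", []
    matched = [n for n in names if ban_re.search(n)]
    if not matched:
        return False, "no entry matches ban_archive_entry", []
    if ban_max_entries and len(names) > ban_max_entries:
        return (False, "%d entries exceed ban_max_entries %d"
                % (len(names), ban_max_entries), matched)
    if ban_max_matched_entries and len(matched) > ban_max_matched_entries:
        return (False, "%d matches exceed ban_max_matched_entries %d"
                % (len(matched), ban_max_matched_entries), matched)
    return True, "banned: " + ", ".join(matched), matched


def recover_name(prefix, username, client_ip, extension, unixtime=None, rand=None):
    """Build the hard-coded recoverpath name PREFIX_USERNAME_CLIENTIP_UNIXTIME_RAND(99).EXT.

    prefix is 'banned' or 'virus'; RAND(99) is read here as 0..99 (assumption)."""
    if unixtime is None:
        unixtime = int(time.time())
    if rand is None:
        rand = random.randint(0, 99)
    return "%s_%s_%s_%d_%d.%s" % (prefix, username, client_ip, unixtime, rand, extension)


def make_zip(entries):
    """Constructed sample archive: {name: bytes} written to an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # The README's typical case: a small zip carrying a single script entry.
    sample = make_zip({"invoice.vbe": b"placeholder bytes, not a real script"})
    banned, reason, matched = archive_verdict(sample)
    print(banned, reason)
    if banned:
        print("would be stored as", recover_name("banned", "alice", "192.168.1.7", "zip"))
```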
Testing SquidClamav
As SquidClamav is a c-icap service, it cannot be run at the console as an
interactive program. To check what is going wrong, edit the c-icap.conf
file, set DebugLevel to 3 and enable ServerLog. Then look for lines
containing the string squidclamav in the log file defined by the
ServerLog directive.
Performance
With SquidClamav the way to tune your service is to tune c-icap server
and clamd daemon. On heavy http access, putting the clamd daemon on a
dedicated server with multiple CPU will really help.
If you experience Squid "ICAP protocol error" messages (with bypass
enabled) please consider increasing the following c-icap parameters:
StartServers, MaxServers, MinSpareThreads, MaxSpareThreads,
ThreadsPerChild. Increasing the MaxThreads parameter in clamd.conf may
also help.
BUGS
Please report any bugs, patches, discussion, etc. to <gilles AT darold
DOT net>.
FEATURE REQUESTS
If you need new features let me know at <gilles AT darold DOT net>. This
helps a lot to develop a better/useful tool.
HOW TO CONTRIBUTE ?
Any contribution to build a better tool is welcome, you just have to
send me your ideas, features requests or patches and they will be
applied.
AUTHOR
Gilles Darold <gilles AT darold DOT net>
ACKNOWLEDGEMENT
Thanks to Squid-cache.org, Clamav.net and c-icap.sf.net for their great
software.
Special thanks to Christos Tsantilas for his implementation of the
c-icap server. Lots of SquidClamav source code has been learned or
simply cut and pasted from the source code of his clamav service.
I must also thank all the great contributors and all others who help to
build a useful and reliable product. They are all cited in ChangeLog
file.
LICENSE
Copyright (c) 2005-2019 Gilles Darold - All rights reserved.
Some code is Copyright (C) 2004-2008 Christos Tsantilas
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or any later
version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
You should have received a copy of the GNU General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.